SSL Certificates - how many under ISPConfig

Discussion in 'Installation/Configuration' started by Poliman, Dec 20, 2016.

  1. Poliman

    Poliman Member

    I have the newest version of ISP (3.1.1.p1) with apache2, postfix, dovecot, mysql. I would like to buy and install an SSL certificate (at the moment) on one domain. In the future I would probably like to buy other certificates. So the question is - how many SSL certificates can I install on the Ubuntu Server under ISPConfig? I asked a few companies which sell certificates and they answered me that it depends on the hosting. But how can I check this (what does it depend on)?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It depends on the hardware resources of your server, I guess you should be able to have a few hundred thousand ssl certs on a normal sized server.
     
  3. Poliman

    Poliman Member

    Hey Till. Thank you for the answer. The server (it's a VPS from ovh.com and it can be upgraded if needed) has the following parameters:
    • KVM OpenStack
    • 1 vCore
    • 2,4 GHz
    • 2 GB RAM
    • SSD 10 GB
    • Local Raid 10
    So the number of SSL certs depends on the power of the server, am I right? One more thing - does ISPConfig allow installing SSL certs only for domains in Sites -> Website -> SSL?
     
  4. sjau

    sjau Local Meanie Moderator

    Why not just use Let's Encrypt? If you followed the perfect howto for setting up the server with ISPC then it's nothing but clicking 2 checkboxes to get a valid SSL cert for a domain. No need to buy one, except if you want more than just a "DV" cert.

    What do you mean by installing certs only for domains? Do you also want to use SSL certs for the mail server, FTP server etc.?
     
  5. Poliman

    Poliman Member

    This is the first time I hear about Let's Encrypt. I followed the perfect howto for setting up the server with ISP. I need proper certificates, not self-signed ones. By "only for domains" I mean having a cert on the main domain and on subdomains of this domain, for example:
    example.com - main domain
    mail.example.com - for the mail server software
    etc.
     
  6. sjau

    sjau Local Meanie Moderator

    Let's Encrypt certs are valid certs and not self-signed. If you did follow Step 11 in this howto ( https://www.howtoforge.com/tutorial...4-jessie-apache-bind-dovecot-ispconfig-3-1/2/ ) or a similar one for your installation, then all you have to do is check the boxes.

    It's a bit more complicated to get SSL certs for vanity mail domains because postfix/dovecot do not support SNI but only SAN. That means you can request one cert that includes multiple hostnames, but this can't be done through the ISPC web frontend.

    I meanwhile prefer acme.sh over the official Let's Encrypt client (certbot) for two simple reasons:
    - very light and hardly any dependencies (Linux shell, curl or wget, openssl)
    - it can do the DNS-01 challenge - meaning it can request new certs by fulfilling a challenge by writing a TXT record to the domain zone file (I created the according ISPC plugin)

    A small howto for acme.sh with ISPConfig DNS-01 challenge is here: https://www.howtoforge.com/communit...automated-dns-01-challenge-for-ispc-3-1.74850
     
  7. Poliman

    Poliman Member

    Let's Encrypt has the same type of certs as other certificate authorities (I mean, Let's Encrypt has certificates which provide the green address bar and padlock?). I used this tutorial https://www.howtoforge.com/perfect-...2-php-mysql-pureftpd-bind-dovecot-ispconfig-3. Do you mean checkboxes under ISPConfig - if yes - where can I find them? About this part "That means you can request one cert that includes multiple hostnames but this can't be done through the ISPC Webfrontend." - does it mean I should install it manually via the SSH console?
     
    Last edited: Dec 21, 2016
  8. sjau

    sjau Local Meanie Moderator

    Example of Let's Encrypt Certificate: https://paste.simplylinux.ch -> see the green padlock?
    SSL Lab report: https://www.ssllabs.com/ssltest/analyze.html?d=paste.simplylinux.ch&latest

    But you use ISPConfig 3.1 meanwhile? That tutorial is for 3.0 and an (old) Ubuntu version. Do you still use Ubuntu 14.04? When you have upgraded to ISPConfig 3.1 you'll still need to run step 11 from the install howto for Debian that I posted - basically download certbot, make it executable, run it once and abort, to create the necessary files and folders.

    As said before, the problem is that postfix does not support SNI. Postfix cannot provide a different certificate based on the mail domain. What is possible is to use a SAN cert: one certificate that has different domain names in it as Subject Alternate Names (=SAN). ISPConfig can currently only create a SAN cert for a domain and the sub/alias domains attached to it as a website. But if you have different websites and use different vanity mail domains, then ISPConfig can't create one cert for postfix that contains them all.

    In that case, you'll have to request such a certificate manually. As said, I use acme.sh and it's rather simple:

    Code:
    acme.sh --issue --dns dns_ispconfig -d ispc.domain.tld -d mail.domain.tld -d mail.otherdomain.tld -d mail.xxxdomain.tld
    
    With that I would request a SAN cert which is valid for:
    ispc.domain.tld
    mail.domain.tld
    mail.otherdomain.tld
    mail.xxxdomain.tld

    You can have up to 100 such entries in a domain with Let's Encrypt.
     
  9. Poliman

    Poliman Member

    Yes, I have ISPC 3.1.1p1 under Ubuntu Server 14.04.5 LTS.
    Can it be configured under Sites -> Website -> SSL? I am not sure, because I see there the possibility to add an SSL cert to each domain separately. SNI means - a certificate for one domain, SAN means a multi-domain cert, am I right?

    PS
    ISPconfig's manual says:
    "5.4 How Do I Create An SSL Web Site?
    To make a web site SSL-capable, please make sure that the SSL checkbox is checked on the
    web site's Domain tab (please note that you can have only one SSL web site per IP address).
    Important: you must select a specific IP address from the IP-Address drop-down menu; you
    must not select the wildcard (*)!"

    I think it means that I can have only one SSL certificate for a domain per IP address of the server when installing the cert under ISP (I would like to install it under ISPConfig), am I right?
     
    Last edited: Dec 22, 2016
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    All you have to do is enable the SSL and Letsencrypt checkboxes of a website in ISPConfig and you get an officially signed SSL cert which includes all alias and subdomains and the website domain.

    No. First of all, all these things are not ISPConfig specific, they apply to any Apache and nginx web server with any control panel. The old "classic" SSL is restricted to one SSL cert per IP address, and that's what the manual refers to in the sentence you cited. There are newer SSL extensions like SNI, which is enabled by default, that allow multiple SSL certs per IP, but whether SNI works or not depends on the client (web browser) and not on ISPConfig. If the web browser supports SNI, then you will see the correct website; if it does not support SNI, then you will see the first website that has SSL enabled on that IP, independent of the domain name. https://en.wikipedia.org/wiki/Server_Name_Indication
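The two mechanisms discussed in this thread are easy to confuse, so here is an added example (not code from the thread, from ISPConfig, Apache or postfix) that models them side by side: SNI is the client telling the server which hostname it wants so the server can pick the right vhost and certificate; SAN is the list of hostnames inside one certificate that decides whether that certificate is valid for the requested name. The vhosts, IP address and hostnames below are constructed for the demonstration, and the vhost selection rule is the one till describes: with SNI the matching vhost is chosen, without SNI the first SSL vhost on that IP wins, whatever the domain name was.

```python
"""Model of SNI-based vhost selection and SAN-based hostname validation.

Added illustration with constructed data; it does not talk to a real server.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """The parts of an X.509 certificate that matter for hostname checks."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)  # DNS names in the SAN extension


@dataclass
class VHost:
    """An SSL-enabled Apache/nginx virtual host bound to one IP."""
    server_name: str
    ip: str
    cert: Cert
    aliases: List[str] = field(default_factory=list)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive, and a wildcard is only
    accepted as the whole leftmost label, matching exactly one label.
    So *.example.com covers www.example.com but not example.com or
    a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject partial wildcards (f*o.example.com) and overly broad ones (*.com)
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """Modern clients use the SAN list when present and ignore the CN."""
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(hostname_matches(n, hostname) for n in names)


def select_vhost(vhosts: List[VHost], ip: str, sni_name: Optional[str]) -> VHost:
    """Pick the vhost that will answer a TLS handshake on `ip`.

    With an SNI name, the vhost whose ServerName/alias equals it is used.
    Without SNI (old client) or with no match, the first SSL vhost on that
    IP answers, so the client may receive a certificate for another site."""
    on_ip = [v for v in vhosts if v.ip == ip]
    if not on_ip:
        raise ValueError(f"no SSL vhost bound to {ip}")
    if sni_name:
        wanted = sni_name.lower()
        for v in on_ip:
            if wanted == v.server_name.lower() or wanted in (a.lower() for a in v.aliases):
                return v
    return on_ip[0]


def simulate(vhosts: List[VHost], ip: str, requested_host: str,
             client_sends_sni: bool) -> Tuple[str, bool]:
    """Return (vhost that answered, whether its cert is valid for the host)."""
    chosen = select_vhost(vhosts, ip, requested_host if client_sends_sni else None)
    return chosen.server_name, cert_covers(chosen.cert, requested_host)


# Constructed sample: two Let's Encrypt style site certs on one shared IP,
# plus one SAN cert requested by hand for the mail server (postfix has no SNI).
IP = "203.0.113.10"
VHOSTS = [
    VHost("site-a.example", IP, Cert("site-a.example", ["site-a.example", "www.site-a.example"]),
          aliases=["www.site-a.example"]),
    VHost("site-b.example", IP, Cert("site-b.example", ["site-b.example", "www.site-b.example"]),
          aliases=["www.site-b.example"]),
]
MAIL_SAN_CERT = Cert("ispc.domain.tld",
                     ["ispc.domain.tld", "mail.domain.tld", "mail.otherdomain.tld"])


if __name__ == "__main__":
    for sni in (True, False):
        who, ok = simulate(VHOSTS, IP, "site-b.example", sni)
        print(f"SNI sent: {sni!s:5}  answered by {who:15}  cert valid for request: {ok}")
    print("mail SAN cert covers mail.otherdomain.tld:",
          cert_covers(MAIL_SAN_CERT, "mail.otherdomain.tld"))
    print("site-a's cert covers mail.otherdomain.tld:",
          cert_covers(VHOSTS[0].cert, "mail.otherdomain.tld"))
```

Running it shows the symptom till describes: a client without SNI asking for site-b.example is answered by site-a.example's vhost and gets a certificate that does not cover the name it asked for, while the hand-requested SAN certificate is valid for every mail hostname listed in it regardless of SNI.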
     
  11. Poliman

    Poliman Member

    Do I have to change IPv4 from * (wildcard) to specific IP of the server?

    By the way, I installed SSL (RapidSSL - a month free - for testing, but I will try Let's Encrypt) on one domain which I have on ISP (Sites -> Website -> SSL). In my domain vhost file I have the commented line "# SSLCipherSuite". Should it be commented out? And the last question - after installing the SSL cert the website is accessible under http and https. How do I lock http or redirect to https under ISP?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    no

    no

    use the http to https redirect function on the redirect tab
     
  13. Poliman

    Poliman Member

    After uncommenting it, should I restart Apache?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Sorry, I meant to leave it as it is. The SSL cipher suite is normally configured globally, that's why it is not active.
     
  15. Poliman

    Poliman Member

    Ok. Really, thank you guys for the help. I have to read more about Let's Encrypt. I need to know which popular websites use certificates from Let's Encrypt. Do you maybe know some examples?
     
  16. sjau

    sjau Local Meanie Moderator

    What does that do exactly?
     
  17. sjau

    sjau Local Meanie Moderator

    Why do you need to know which popular sites use LE? Also, what constitutes a "popular site"?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    It adds an Apache / nginx 301 redirect rule in the vhost.
     
  19. sjau

    sjau Local Meanie Moderator

    ah, good... redirecting... now url rewriting :) *thumbs up*
     
  20. Poliman

    Poliman Member

    I mean some popular website like a bank website or an information portal etc.
     