SSL Certificates - how many under ISPConfig

sjau · Dec 23, 2016

You can find your popular site in the certificate transparency:

https://crt.sh/?Identity=%&iCAID=7395

Seems LE has issued 1.35 millions certs in the last 12 months.

till · Dec 23, 2016

Poliman said: ↑

I mean some popular website like some bank website or information portal etc.
Click to expand...

LE is a free SSL authority, so most people use it because it#s free and not because it is a cert from LE. For a bank or other popular site, it does not matter if an SSL cert costs a few USD and they will probably use an EV cert which shows their name anyway. What matters for a normal user is if an SSL authority is widely accepted in browsers. So if you have worries if an LE cert will work for your users, then certificate compatibility is what really matters: https://letsencrypt.org/docs/certificate-compatibility/

Poliman · Dec 28, 2016

If I would like to change cert which I bought on this from LetsEncrypt should I - as Till said - check SSL and LetsEncrypt SSL checkboxes but from SSL tab need remove each certs, yes?

PS
How long Lets Encrypt cert exists before expire?

Poliman · Jan 13, 2017

till said: ↑

LE is a free SSL authority, so most people use it because it#s free and not because it is a cert from LE. For a bank or other popular site, it does not matter if an SSL cert costs a few USD and they will probably use an EV cert which shows their name anyway. What matters for a normal user is if an SSL authority is widely accepted in browsers. So if you have worries if an LE cert will work for your users, then certificate compatibility is what really matters: https://letsencrypt.org/docs/certificate-compatibility/
Click to expand...

What type of SSL Cert it is? How it looks in browser address bar?

sjau · Jan 13, 2017

It's a DV cert. Valid 90 days. It can be auto-renewed.

Poliman · Jan 13, 2017

Thanks for fast reply. :} Last question - If I would like to change cert which I bought on this from LetsEncrypt should I - as Till said - check SSL and LetsEncrypt SSL checkboxes but from SSL tab need remove each certs which were bought, yes?

Poliman · Jan 23, 2017

till said: ↑

All you have to do is to enable the SSL and Letsencrypt checkbox of a website in ispconfig an you get an officially signed ssl cert which includes all alias and subdmaind and the website domain.

No. First of all, all these things are not ispconfig specific, they apply to any apache and nginx web server with any control panel. The old "classic" SSL is restricted to one SSL cert per IP address and that's what the manual refers to in this sentence you cited. There are newer SSL extensions like SNI which is enabled by default that allow multiple SSL certs per IP, but if SNI works or not depends on the client (web browser) and not ISPConfig. If the web browser supports SNI, then you will see the correct website, if it does not support SNI, then you will see the first website that has SSL enabled on that IP, independent of the domain name. https://en.wikipedia.org/wiki/Server_Name_Indication
Click to expand...

I go to SSL tab and selected action delete certificate, then go to Domain tab and checked Let's Encrypt checkbox. But after I leave Sites tab this checkbox is unchecked. I am affraid that something not working. I should uncheck redirect http to https under Redirect tab too. Besides should I install something to get Let's Encrypt SSL option work? I saw some topics and somewhere were informations about e.x. /etc/letsencrypt directory. I haven't it.

Poliman · Jan 23, 2017

sjau said: ↑
Example of Let's Encrypt Certificate: https://paste.simplylinux.ch -> see the green padlock?
SSL Lab report: https://www.ssllabs.com/ssltest/analyze.html?d=paste.simplylinux.ch&latest

But you use ISPConfig 3.1 meanwhile? That tutorial is for 3.0 and an (old) ubuntu version. Do you still use ubuntu 14.04? When you have upgraded to ISPConfig 3.1 you'll still need to run the step 11 from the Install Howto for Debian that I posted - basically download certbot, make it executable, run it once and abort to create the necessary files and folders.

As said before, the problem is that postfix does not support SNI. Postfix cannot provide a different certificate based on the mail domain. What is possible is to use a SAN cert. One certificate that has different domain names in it as Subject Alternate Names (=SAN). ISPConfig can currently only create a SAN cert for a domain and aliased sub/domains to it as website. But if you have different websites and use different vanity mail domains, then ISPConfig can't create one cert for postfix that contains them all.

In that case, you'll have to request manually such a certificate. As said, I use acme.sh and it's rather simple:
Code:
acme.sh --issue --dns dns_ispconfig -d ispc.domain.tld -d mail.domain.tld -d mail.otherdomain.tld -d mail.xxxdomain.tld
With that I would request a SAN cert which is valid for:
ispc.domain.tld
mail.domain.tld
mail.otherdomain.tld
mail.xxxdomain.tld

You can have up to 100 such entries in a domain with Let's Encrypt.
Click to expand...
I use 14.04 ubuntu and newest version of ISP. I did steps from tutorial You sent but I hadn't screen in console like this with blue background (when I use command ./certbot-auto) but shell console shows question "Which names would you like to activate HTTPS for?" and shows websites on the server (full log):
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.pl
2: www.domain.pl
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for domain.pl
tls-sni-01 challenge for www.domain.pl
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Created an SSL vhost at /etc/apache2/sites-available/domain.pl.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.pl.vhost-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/domain.pl.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.pl.vhost-le-ssl.conf
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
AH00526: Syntax error on line 73 of /etc/apache2/sites-enabled/domain.pl.vhost-le-ssl.conf:
FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client1/web1/cgi-bin/php5-fcgi-*-80-domain.pl"

Rolling back to previous server configuration...
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
AH00526: Syntax error on line 73 of /etc/apache2/sites-enabled/domain.pl.vhost-le-ssl.conf:
FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client1/web1/cgi-bin/php5-fcgi-*-80-domain.pl"

IMPORTANT NOTES:
- We were unable to install your certificate, however, we
successfully restored your server to its prior configuration.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.pl/fullchain.pem. Your cert will
expire on 2017-04-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Log in or Sign up

SSL Certificates - how many under ISPConfig

sjau Local Meanie Moderator

till Super Moderator Staff Member ISPConfig Developer

Poliman Member

Poliman Member

sjau Local Meanie Moderator

Poliman Member

Poliman Member

Poliman Member

Share This Page

Log in or Sign up

SSL Certificates - how many under ISPConfig

sjau Local Meanie Moderator

till Super Moderator Staff Member ISPConfig Developer

Poliman Member

Poliman Member

sjau Local Meanie Moderator

Poliman Member

Poliman Member

Poliman Member

Share This Page

Useful Searches