SSL how to for ISPconfig 3 with Letsencrypt

Discussion in 'General' started by SamTzu, Nov 16, 2016.


Who's the man?

  1. You

    4 vote(s)
  2. Me

    3 vote(s)
  1. SamTzu

    SamTzu Active Member

    Ok. I have spent the last 3 days to get this to work so you best gimme some kudos :)

    Create new sites on ISPconfig 3.1 "perfect server" (in this example we call these new web sites, and and enable Let's Encrypt SSL on these sites. You can use the default www. as alias on (but remember to disable www. alias on any other web site that will use the ( root domain address like for instance Why? Because you can't have two or more websites with same address ie. Make sure your DNS servers have these new addresses configured. (You can use 'tail /var/log/letsencrypt/letsencrypt.log' to check for errors.)
    (If you don't know how to use symbolic links this how-to is not for you)

    Define Apache2 to use the new SSL certificate with default SSL connections.
    Comment out these two certificate lines and add the new certificate paths.
    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/

    Define ISPconfig to use the new SSL certificate with symbolic links.
    ispserver.crt -> /etc/letsencrypt/live/
    ispserver.key -> /etc/letsencrypt/live/

    Define Postfix to use the new SSL certificate in /etc/postfix/
    smtpd_tls_cert_file = /etc/letsencrypt/live/
    smtpd_tls_key_file = /etc/letsencrypt/live/
    smtpd_tls_CAfile = /etc/letsencrypt/live/

    Define Dovecot to use the new SSL certificate in /etc/dovecot/dovecot.conf.
    ssl_cert = </etc/letsencrypt/live/
    ssl_key = </etc/letsencrypt/live/

    Enjoy your working SSL certificates for Postfix, SMTP(s), IMAP(s), ISPConfig, phpMyAdmin and Apache.
    Who's the man?
    Last edited: Mar 20, 2018
  2. PermaNoob

    PermaNoob Member

    Quick question: I don't use dns on my servers, I use my domain registrar's dns. Is that going to cause a problem with Let's Encrypt?
  3. sjau

    sjau Local Meanie Moderator

    No, you just have to make sure that there are A or CNAME entries in your zone file.
    PermaNoob likes this.
  4. PermaNoob

    PermaNoob Member

  5. GhostRider

    GhostRider New Member

    The path is not good, the certificates are incremented with each renewal ... 1 ... 2 ... 3 .....
    it's : /etc/letsencrypt/live/
  6. SamTzu

    SamTzu Active Member

    Thanx GhostRider. I will fix the tutorial to point /live/ folder symlinks.
  7. SamTzu

    SamTzu Active Member

    Now who wants to figure out how to use these certs with PureFTP?
  8. SamTzu

    SamTzu Active Member

    And how to make Dovecot POP(s) to use a separate certificate?
  9. sjau

    sjau Local Meanie Moderator

    seperate certificate for dovecot?
  10. kerrsmith

    kerrsmith Member

  11. SamTzu

    SamTzu Active Member

    @sjau Dovecot has also POP(s) service. Not just IMAP(s). Both should have their own certs defined in the conf.
  12. SamTzu

    SamTzu Active Member

    @kerrsmith Nothing new on those threads. The pure-ftp cert fix seems interesting but does not seem to improve situation.
  13. sjau

    sjau Local Meanie Moderator

    still, why seperate certs? If you have pop.domain.tld and imap.domain.tld they can be both in one cert.
  14. kerrsmith

    kerrsmith Member

    I only use POP and SMTP for my mail server which is why I only included those in my example I linked to, you can of course add any others in you require and they all end up in the same certificate.

    I am not sure why your FTP attempts are not working, does anything helpful show up in the error logs when you try to connect? Are you connecting using FTPS rather then SFTP as they work differently, also it should be Explicit FTP over TLS. I only ask this as the "server's host key is unknown" error sounds a bit like an SSH error message.
  15. sjau

    sjau Local Meanie Moderator

    then you have to create a SAN cert yourself for those services...
  16. SamTzu

    SamTzu Active Member

    @kerrsmith Correct. I was talking about sFTP. Difficult to get rid of that error message.
  17. nikolaosp

    nikolaosp Member

    Thanks for your work mate, however I have a quick question, I have created a website with a letsencrypt cert that I used in postfix. However, after restart postfix I noticed that I see a certificate for another site in my server that is not evern in the domain but on a domain by itself.

    Any ideas?

    EDIT: Sorry for being such a noob but it appears I had not set correctly the parameters for the certificate. All is well and thanks again for your work
    Last edited: Jan 10, 2017
  18. SamTzu

    SamTzu Active Member

    :) This is the "Advanced Course for Linux".
  19. For the pure-ftp you need to merge private key and the full chain together, i'm using a cron job to merge them every month ;-)

    cat /etc/letsencrypt/live/ /etc/letsencrypt/live/ > /etc/ssl/private/srv010.letsencrypt.keyandfullchain.pem
    And I have a symlink from /etc/ssl/private/pure-ftpd.pem -> srv010.letsencrypt.keyandfullchain.pem
  20. Sidenote: you can also use vhost aliases instead of full websites.
    That way only one certificate is generated with all the different domains ;-)

Share This Page