SSL how to for ISPconfig 3 with Letsencrypt

Discussion in 'General' started by SamTzu, Nov 16, 2016.

  1. SamTzu

    SamTzu Active Member

    I upgraded Postfix and Dovecot (with apt) and during the upgrade both certificate location definitions in both configs were reset to defaults which is /etc/postfix/smtpd.cert & smtpd.key. :(
    This of course caused TLS cert change errors with clients until I changed cert configs back to the correct Let's Encrypt paths. I think it's also a good idea to sym-link those two files, but since Dovecot also resets to point to /etc/postfix/smtpd.cert I think we might need to make its config immutable? Any ideas?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not change the paths in the files, instead change the ssl certs on the original paths or replace them with symlinks to a cert.
     
  3. I would agree, I have symlinks from the /etc/postfix/smtpd.cert and smtpd.key to the /etc/letsencrypt/live/domain/fullchain.pem and privacy.pem ;-) that way upgrades don't break the certificates
     
  4. SamTzu

    SamTzu Active Member

    It would be simpler to just use the smtp.domain.com cert rather than both smtp. & imap. certs because for some reason Dovecot automatically resets the cert path in its conf file back to the default Postfix smtp cert path every time Dovecot is updated. :(
    I have prevented this with chattr +i /etc/dovecot/dovecot.conf
     
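The symlink approach till and the following reply recommend, together with the Dovecot reset SamTzu describes in the post above, as an added shell example (not code from this thread or from ISPConfig). It assumes the Debian/Ubuntu default paths /etc/postfix/smtpd.cert and smtpd.key (which Dovecot's default config also points at) and the Let's Encrypt live directory layout, where the certificate chain is fullchain.pem and the key is privkey.pem; mail.example.com is a placeholder domain. Because the stock paths themselves become links, a package upgrade that resets the config back to those paths changes nothing, so no chattr +i is needed.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig: make the stock
# Postfix cert paths (/etc/postfix/smtpd.cert and smtpd.key, which Dovecot's
# default config also points at) symlinks into the Let's Encrypt live directory.
# A package upgrade that resets the config paths then still serves the right cert.
# LE_LIVE and POSTFIX_DIR are assumed defaults; override them via the environment.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"

# link_certs DOMAIN: back up the stock files (only if they are regular files,
# not already links) and point smtpd.cert / smtpd.key at fullchain.pem / privkey.pem.
# Returns 1 without touching anything if the Let's Encrypt files are not readable.
link_certs() {
    domain="$1"
    src_cert="$LE_LIVE/$domain/fullchain.pem"
    src_key="$LE_LIVE/$domain/privkey.pem"
    [ -r "$src_cert" ] && [ -r "$src_key" ] || return 1
    for f in smtpd.cert smtpd.key; do
        if [ -e "$POSTFIX_DIR/$f" ] && [ ! -L "$POSTFIX_DIR/$f" ]; then
            mv "$POSTFIX_DIR/$f" "$POSTFIX_DIR/$f.bak"
        fi
    done
    ln -sfn "$src_cert" "$POSTFIX_DIR/smtpd.cert"
    ln -sfn "$src_key" "$POSTFIX_DIR/smtpd.key"
}

# check_links DOMAIN: succeed only if both names are symlinks that resolve to
# the Let's Encrypt files for DOMAIN. Run it after every apt upgrade of
# postfix/dovecot to catch a reset before clients see a certificate error.
check_links() {
    domain="$1"
    [ -L "$POSTFIX_DIR/smtpd.cert" ] && [ -L "$POSTFIX_DIR/smtpd.key" ] &&
    [ "$(readlink "$POSTFIX_DIR/smtpd.cert")" = "$LE_LIVE/$domain/fullchain.pem" ] &&
    [ "$(readlink "$POSTFIX_DIR/smtpd.key")" = "$LE_LIVE/$domain/privkey.pem" ]
}

# Usage: sh link-le-certs.sh mail.example.com   (then reload postfix and dovecot)
if [ $# -eq 1 ]; then
    if link_certs "$1" && check_links "$1"; then
        echo "smtpd.cert and smtpd.key now point at $LE_LIVE/$1"
    else
        echo "no readable fullchain.pem/privkey.pem under $LE_LIVE/$1" >&2
        exit 1
    fi
fi
```

After running it, reload both daemons (`postfix reload` and `service dovecot reload`) and confirm what is actually served, for example with `openssl s_client -starttls smtp -connect mail.example.com:587`; the issuer shown should be Let's Encrypt, not the self-signed stock cert. The backup files keep the originals so the change can be reverted.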
  5. sjau

    sjau Local Meanie Moderator

    I just use mail.domain.tld nowadays for SMTP and IMAP/POP3... makes things easier IMHO
     
  6. Sarah Bishop

    Sarah Bishop New Member

    You’ll need to be the root user for these commands to work; otherwise, prefix them with sudo.
    1. Install git
    2. Download LetsEncrypt and change directory
    3. By default LetsEncrypt wants to operate on port 80 which will probably conflict with Apache so instead, we set up mod_proxy and mod_proxy_http so LetsEncrypt can be proxied via another port (in this example I’ll use 9999).
    4. Edit proxy.conf
    5. Add this to the file, if the <IfModule mod_proxy.c>…</IfModule> tags already exist you can re-use them
    6. Restart Apache again
    7. Generate the LetsEncrypt certificates for your domain (change example.com to your domain name)
    8. You should now have some nice new certificates
    9. In ISPConfig go to:
    Websites -> example.com -> Domain
    Check the SSL checkbox and Save
    10. In ISPConfig go to:
    Websites -> example.com -> SSL
    Enter values in the State, Locality, Organisation, Organisation Unit, Country fields and then at the bottom of the page under SSL Action select Create Certificate and click Save.
    11. You might have to wait a minute for ISPConfig
    12. The next step is to remove the ISPConfig certs and add the symlinks
    13. Finally restart Apache again
    14. According to the docs: “The letsencrypt tool will keep track of certificate expiration and renew certificates automatically by default.” but I can’t see anything new in cron.daily or cron.hourly and looking at the user guide it says “Let’s Encrypt is working hard on automating the renewal process. Until the tool is ready, we are sorry for the inconvenience!” Also, while the service is in beta testing they recommend renewing the certificates before they expire (normally after 90 days). So in order to prompt a renewal you can run the same command again.
     
  7. sjau

    sjau Local Meanie Moderator

    @Sarah Bishop
    ISPC 3.1 and newer has automated Let's Encrypt support for websites integrated. No need to go through those hoops.
     
  8. SamTzu

    SamTzu Active Member

    Yes. Please ignore Sarah's well-meaning post. It just confuses the issue. My first post on this thread is still valid.
     
  9. SamTzu

    SamTzu Active Member

    Updated HowTo to include phpMyAdmin and Apache.
     
  10. SamTzu

    SamTzu Active Member

  11. SamTzu

    SamTzu Active Member

    Have you tried that with Postfix and/or Dovecot?
     