There are 4 files generated by letsencrypt:
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
but
ISPconfig requires some other formats/files:
csr file, crt file, pem file
called SSL Key, SSL Request, SSL Certificate, SSL Bundle.
Is there some conversion tool for these formats or I missed something?
How an I use letsencrypt certificates with ISPconfig? I didn’t found any usefull docs about this.
csr crt and pem files are all the same format but with different contents
Inserted files contents in input fields, but ispconfig saved them with .err extension.
I putted cert contents unchanged with -----BEGIN PRIVATE KEY----- … -----END PRIVATE KEY-----.
Is it the right way?
OS: Debian Wheezy
ISPconfig: 3.0.5.4p8
Everything up to date.
That should do the trick…
But what do you mean with “saved them with .err extension”? ISPConfig is a browser based server configuration tool, right? “Saving” sounds like something it should do in the background and not bother the user with that kind of stuff… Or do you get a real error message? And if so, what was it? Perhaps some screenshots? (Don’t forget to obfuscate the contents of your private key if you do post screenshots!!!)
I'm not sure why this software asks for the SSL Request and I agree that it should not be needed, but if you really do need it, the Let's Encrypt client generates these internally during the certificate request process and archives them in the /etc/letsencrypt/csr directory. There is no clear way to see which CSR file was associated with which certificate request from the name, although if you've just made a successful certificate request, the most recent CSR file corresponds to that request. You can also view their contents with a command line like
openssl req -in 0025_csr-letsencrypt.pem -text -noout
Also, there is no single definite meaning for “SSL Bundle”. It’s possible that it’s actually fullchain.pem; Some software wants a different kind of “bundle”, which would be a combination of privkey.pem and cert.pem (or perhaps cert.pem and fullchain.pem) into a single file.
Can you find any more detail about what ISPconfig is expecting, like what it means by “bundle” and whether it’s OK for these files to be in PEM format? Is there anyone who’s posted samples of the kind of files ISPconfig would accept?
I’ve used ISPconfig.
You can leave the “SSL Request” blank ( that’s only really used if you are self generating within the ISPconfig system).
Basically, in apache2, these become;
SSLCertificateFile = the contents of the SSL Certificate box
SSLCertificateKeyFile = the contents of the SSL Key box
SSLCACertificateFile = the contents of the Bundle box
see on ispconfig forum
For the intermediate cert? 
Because SSLCACertificate file should be used only for client certificate authentication..
I’m not saying anything about the logic or correctness of it 
I’m just saying that I did a clean install of ISPconfig, installed a certificate by pasting into the various boxes, and looked where it placed them / what ISPconfig did with it
Yeah, I understood it was a ISPConfig thing… Nevertheless, it’s probably not correct
Yeah, in this thread, this link:
http://evolvedigital.co.uk/how-to-get-letsencrypt-working-with-ispconfig-3/
solved everything.
When you have certs generated like me, start at point 8).
$ ls -lA /etc/letsencrypt/live/example.com/
total 0
lrwxrwxrwx 1 root root 49 Nov 11 10:27 cert.pem -> ../../archive/example.com/cert1.pem
lrwxrwxrwx 1 root root 50 Nov 11 10:27 chain.pem -> ../../archive/example.com/chain1.pem
lrwxrwxrwx 1 root root 54 Nov 11 10:27 fullchain.pem -> ../../archive/example.com/fullchain1.pem
lrwxrwxrwx 1 root root 52 Nov 11 10:27 privkey.pem -> ../../archive/example.com/privkey1.pem
In ISPConfig go to:
Websites -> example.com -> Domain
Check the SSL checkbox and Save
In ISPConfig go to:
Websites -> example.com -> SSL
Enter values in the State, Locality, Organisation, Organisation Unit, Country fields and then at the bottom of the page under SSL Action select Create Certificate and click Save.
You might have to wait a minute for ISPConfig to generate it’s own certificates but eventually you should be able to see them here:
$ ls -lA /var/www/example.com/ssl/
total 16
-rw-r--r-- 1 root root 1330 Nov 11 13:22 example.com.crt
-rw-r--r-- 1 root root 1119 Nov 11 13:22 example.com.csr
-r-------- 1 root root 1675 Nov 11 13:22 example.com.key
-r-------- 1 root root 1743 Nov 11 13:22 example.com.key.org
Use this:
$ mv /var/www/example.com/ssl/example.com.crt /var/www/example.com/ssl/example.com.crt.old
$ mv /var/www/example.com/ssl/example.com.key /var/www/example.com/ssl/example.com.key.old
$ ln -s /etc/letsencrypt/live/example.com/fullchain.pem /var/www/example.com/ssl/example.com.crt
$ ln -s /etc/letsencrypt/live/example.com/privkey.pem /var/www/example.com/ssl/example.com.key
$ ln -s /etc/letsencrypt/live/example.com/chain.pem /var/www/example.com/ssl/example.com.pem
The LetsEncrypt fullchain.pem certificate contains the domain specific cert AND the CA Root cert, i.e it contains the ‘full chain’.
Finally restart Apache again:
$ service apache2 restart
Do not forget to update text input fields in ispconfig with example.com.crt and example.com.key contents.
SSL Key -> example.com.key file file contents.
SSL Certificate -> example.com.crt file contents.
SSL Request -> leave unchanged!
/usr/local/ispconfig/server/conf/vhost.conf.master:
Backup and find mod_ssl part and modify with bellow changes:
....
<IfModule mod_ssl.c>
<tmpl_if name='ssl_enabled'>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
SSLCertificateChainFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.pem
....
Thank you all for spending time.
I’m glad it’s working out. If it’s made copies rather than symbolic links, you might also want to think about what to do when you need to renew the cert (in 2-3 months from now).
an other think, ISPconfig store SSL cert on is DB.
are you sure if you tool/resync/resync Websites it don’t overwrite your symlink with data stored on DB ?
It is included in my reply.
See: “Do not forget to update text input fields in ispconfig with example.com.crt and example.com.key contents.” part 
…and u will do this every 90 days?
waste of time, there are a script on ISPconfig forum , already merged on 3.1 version.
Where is this script?
Because ISPCONFIG and his management of Let’s Encrypt and SSL certs let me thinking about it’s correctness…