ISPconfig with letsencrypt certificates


#1

There are 4 files generated by letsencrypt:

cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem

but

ISPconfig requires some other formats/files:

csr file, crt file, pem file

called SSL Key, SSL Request, SSL Certificate, SSL Bundle.

Is there some conversion tool for these formats or I missed something?

How can I use letsencrypt certificates with ISPconfig? I didn’t find any useful docs about this.


#2

csr, crt and pem files are all the same format but with different contents:

  • SSL Key is privkey.pem
  • SSL Request does not exist and is not needed (CSR)
  • SSL Certificate is cert.pem
  • SSL Bundle is chain.pem

#3

I inserted the files’ contents in the input fields, but ispconfig saved them with a .err extension.

I put the cert contents in unchanged, with -----BEGIN PRIVATE KEY----- … -----END PRIVATE KEY-----.

Is it the right way?

OS: Debian Wheezy
ISPconfig: 3.0.5.4p8

Everything up to date.


#4

That should do the trick…

But what do you mean with “saved them with .err extension”? ISPConfig is a browser based server configuration tool, right? “Saving” sounds like something it should do in the background and not bother the user with that kind of stuff… Or do you get a real error message? And if so, what was it? Perhaps some screenshots? (Don’t forget to obfuscate the contents of your private key if you do post screenshots!!!)


#5

I’m not sure why this software asks for the SSL Request and I agree that it should not be needed, but if you really do need it, the Let’s Encrypt client generates these internally during the certificate request process and archives them in the /etc/letsencrypt/csr directory. There is no clear way to see which CSR file was associated with which certificate request from the name, although if you’ve just made a successful certificate request, the most recent CSR file corresponds to that request. You can also view their contents with a command line like

openssl req -in 0025_csr-letsencrypt.pem -text -noout


#6

Also, there is no single definite meaning for “SSL Bundle”. It’s possible that it’s actually fullchain.pem. Some software wants a different kind of “bundle”, which would be a combination of privkey.pem and cert.pem (or perhaps cert.pem and fullchain.pem) into a single file.

Can you find any more detail about what ISPconfig is expecting, like what it means by “bundle” and whether it’s OK for these files to be in PEM format? Is there anyone who’s posted samples of the kind of files ISPconfig would accept?


#7

I’ve used ISPconfig.

You can leave the “SSL Request” blank (that’s only really used if you are self-generating within the ISPconfig system).

Basically, in apache2, these become:
SSLCertificateFile = the contents of the SSL Certificate box
SSLCertificateKeyFile = the contents of the SSL Key box
SSLCACertificateFile = the contents of the Bundle box


#8

See the ISPconfig forum.


#9

For the intermediate cert? :confused:

Because SSLCACertificateFile should be used only for client certificate authentication…


#10

I’m not saying anything about the logic or correctness of it :wink: I’m just saying that I did a clean install of ISPconfig, installed a certificate by pasting into the various boxes, and looked where it placed them / what ISPconfig did with it :wink:


#11

Yeah, I understood it was an ISPConfig thing… Nevertheless, it’s probably not correct :wink:


#12

Yeah, in this thread, this link:

http://evolvedigital.co.uk/how-to-get-letsencrypt-working-with-ispconfig-3/

solved everything.

When you have certs generated like me, start at point 8).

  $ ls -lA /etc/letsencrypt/live/example.com/
  total 0
  lrwxrwxrwx 1 root root 49 Nov 11 10:27 cert.pem -> ../../archive/example.com/cert1.pem
  lrwxrwxrwx 1 root root 50 Nov 11 10:27 chain.pem -> ../../archive/example.com/chain1.pem
  lrwxrwxrwx 1 root root 54 Nov 11 10:27 fullchain.pem -> ../../archive/example.com/fullchain1.pem
  lrwxrwxrwx 1 root root 52 Nov 11 10:27 privkey.pem -> ../../archive/example.com/privkey1.pem

  • In ISPConfig go to:
    Websites -> example.com -> Domain
    Check the SSL checkbox and Save

  • In ISPConfig go to:
    Websites -> example.com -> SSL
    Enter values in the State, Locality, Organisation, Organisation Unit, Country fields and then at the bottom of the page under SSL Action select Create Certificate and click Save.

You might have to wait a minute for ISPConfig to generate its own certificates but eventually you should be able to see them here:

  $ ls -lA /var/www/example.com/ssl/
  total 16
  -rw-r--r-- 1 root root 1330 Nov 11 13:22 example.com.crt
  -rw-r--r-- 1 root root 1119 Nov 11 13:22 example.com.csr
  -r-------- 1 root root 1675 Nov 11 13:22 example.com.key
  -r-------- 1 root root 1743 Nov 11 13:22 example.com.key.org

  • The next step is to remove the ISPConfig certs and add the symlinks:

Use this:

$ mv /var/www/example.com/ssl/example.com.crt /var/www/example.com/ssl/example.com.crt.old
$ mv /var/www/example.com/ssl/example.com.key /var/www/example.com/ssl/example.com.key.old
$ ln -s /etc/letsencrypt/live/example.com/fullchain.pem /var/www/example.com/ssl/example.com.crt
$ ln -s /etc/letsencrypt/live/example.com/privkey.pem /var/www/example.com/ssl/example.com.key
$ ln -s /etc/letsencrypt/live/example.com/chain.pem /var/www/example.com/ssl/example.com.pem

The LetsEncrypt fullchain.pem certificate contains the domain-specific cert AND the CA Root cert, i.e. it contains the ‘full chain’.

  • Finally restart Apache again:

    $ service apache2 restart

Do not forget to update text input fields in ispconfig with example.com.crt and example.com.key contents.

SSL Key -> example.com.key file contents.
SSL Certificate -> example.com.crt file contents.
SSL Request -> leave unchanged!

Do not forget to modify your default template for Apache conf files

/usr/local/ispconfig/server/conf/vhost.conf.master:

Back up the file, find the mod_ssl part and modify it with the changes below:

 ....
 <IfModule mod_ssl.c>
 <tmpl_if name='ssl_enabled'>
 	SSLEngine on
 	SSLProtocol All -SSLv2 -SSLv3
 	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 	SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
 	SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
 	SSLCertificateChainFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.pem
 ....

Thank you all for spending time.
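
Added example, not ISPConfig’s or certbot’s own code: the script below encodes the field mapping from posts #2 and #12 (SSL Key ← privkey.pem, SSL Certificate ← cert.pem, SSL Bundle ← chain.pem) and checks the pasted contents structurally before they go into the boxes, so the wrong-file mix-ups from posts #3 and #6 (a key pasted into a certificate field, fullchain.pem pasted where a single certificate is expected, a “bundle” of unclear kind) are caught up front. It only inspects PEM block labels and ordering; it does not verify signatures. The PEM bodies are constructed placeholders, not real key material, and the function names are this example’s own.

```python
"""Structural sanity check for the Let's Encrypt -> ISPConfig field mapping.

Added example, not ISPConfig or certbot code.  Mapping per posts #2 / #12:
  SSL Key         <- privkey.pem   (one PRIVATE KEY block)
  SSL Certificate <- cert.pem      (one CERTIFICATE block, the leaf)
  SSL Bundle      <- chain.pem     (issuer CERTIFICATE blocks only)
fullchain.pem is expected to be cert.pem followed by chain.pem.
"""
import re

# One PEM block: label, body; \1 forces BEGIN/END labels to match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, body_without_whitespace)] for every PEM block, in order."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2)))
            for m in PEM_BLOCK.finditer(text)]


def check_ispconfig_fields(privkey, cert, chain, fullchain):
    """Return a list of problems; an empty list means the four files are consistent."""
    problems = []
    key_labels = [label for label, _ in pem_blocks(privkey)]
    cert_blocks = pem_blocks(cert)
    chain_blocks = pem_blocks(chain)
    cert_labels = [label for label, _ in cert_blocks]
    chain_labels = [label for label, _ in chain_blocks]

    # SSL Key: exactly one private key ("PRIVATE KEY" or "RSA PRIVATE KEY").
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("SSL Key must hold exactly one PRIVATE KEY block (use privkey.pem)")
    # SSL Certificate: exactly the leaf, so fullchain.pem here is a mistake.
    if cert_labels != ["CERTIFICATE"]:
        problems.append("SSL Certificate must hold exactly one CERTIFICATE block "
                        "(use cert.pem, not fullchain.pem)")
    # SSL Bundle: one or more issuer certificates and nothing else.
    if not chain_labels or any(label != "CERTIFICATE" for label in chain_labels):
        problems.append("SSL Bundle must hold only CERTIFICATE blocks (use chain.pem)")
    # A private key in any certificate field means the boxes were swapped.
    if any(label.endswith("PRIVATE KEY") for label in cert_labels + chain_labels):
        problems.append("a PRIVATE KEY block was pasted into a certificate field")
    # fullchain.pem must literally be cert.pem followed by chain.pem.
    if pem_blocks(fullchain) != cert_blocks + chain_blocks:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems


def classify_bundle(bundle, cert):
    """Name which 'bundle' variant from post #6 a file is, relative to cert.pem."""
    blocks = pem_blocks(bundle)
    labels = [label for label, _ in blocks]
    if not blocks:
        return "empty"
    if any(label.endswith("PRIVATE KEY") for label in labels):
        return "key+cert" if "CERTIFICATE" in labels else "key-only"
    if any(label != "CERTIFICATE" for label in labels):
        return "unknown"
    leaf = pem_blocks(cert)
    if leaf and blocks[0] == leaf[0]:
        return "fullchain"   # leaf first, then the issuer chain
    return "chain"           # issuer certificates only


# Constructed placeholder PEM contents (not real certificates or keys).
LEAF = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtTEVBRi1DRVJU\n"
        "-----END CERTIFICATE-----\n")
INTERMEDIATE = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtSU5URVJNRURJQVRF\n"
                "-----END CERTIFICATE-----\n")
PRIVKEY = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtUFJJVkFURS1LRVk=\n"
           "-----END PRIVATE KEY-----\n")
FULLCHAIN = LEAF + INTERMEDIATE

if __name__ == "__main__":
    print("correct mapping:", check_ispconfig_fields(PRIVKEY, LEAF, INTERMEDIATE, FULLCHAIN))
    print("fullchain in SSL Certificate:",
          check_ispconfig_fields(PRIVKEY, FULLCHAIN, INTERMEDIATE, FULLCHAIN))
    print("bundle kind:", classify_bundle(INTERMEDIATE, LEAF), classify_bundle(FULLCHAIN, LEAF))
```

In practice you would read the four files from /etc/letsencrypt/live/example.com/ and pass their contents in; the structural check complements, rather than replaces, a cryptographic one such as `openssl verify -CAfile chain.pem cert.pem`, which confirms that chain.pem actually issued cert.pem.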


#13

I’m glad it’s working out. If it’s made copies rather than symbolic links, you might also want to think about what to do when you need to renew the cert (in 2-3 months from now).


#14

Another thing: ISPconfig stores the SSL cert in its DB.
Are you sure that if you do Tools/Resync/Resync Websites it doesn’t overwrite your symlink with the data stored in the DB?


#15

It is included in my reply.

See: “Do not forget to update text input fields in ispconfig with example.com.crt and example.com.key contents.” part :slight_smile:


#16

…and you will do this every 90 days?
Waste of time; there is a script on the ISPconfig forum, already merged in version 3.1.


#17

Where is this script?
Because ISPConfig and its management of Let’s Encrypt and SSL certs leave me wondering about its correctness…