SSL for Admin ISPCONFIG 3

Hi @BarbaraEster,

Have you followed all the steps from the HowToForge guide?

Enabling SSL For ISPConfig 3 Control Panel (Port 8080)

If you haven’t enabled SSL during ISPConfig setup i.e. for its control panel at port 8080, enable it by typing ispconfig_update.sh in the terminal and select yes for SSL.

Checking SSL For ISPConfig 3 Control Panel (Port 8080)

Check your browser to confirm by opening ISPConfig control panel at port 8080. Note that you might get some warning at this stage since the created SSL files are self-signed but the browser will confirm that your ISPConfig has SSL enabled or otherwise.

Securing ISPConfig Website With Let’s Encrypt SSL

If the above is done, go back to ISPConfig panel > Sites > Website > Website Name , then click SSL and Let’s Encrypt check buttons and save - to create Let’s Encrypt SSL files and enable them for your server site. If successful your server site shall now be using this Let’s Encrypt SSL files but not your ISPConfig 8080 page. If unsuccessful, you will not be able to proceed further, so do check its log file for a clue.

Only after following the steps will you be able to proceed with that cat ispserver.{key,crt} > ispserver.pem step according to their documentation.

There appears to be a script that will do this process for you, though I cannot comment on it because I have never used it. https://github.com/ahrasis/LE4ISPC


Enabling SSL For ISPConfig 3 Control Panel (Port 8080)

YES

Checking SSL For ISPConfig 3 Control Panel (Port 8080)

YES

Securing ISPConfig Website With Let’s Encrypt SSL

YES

I came back here for this reason: SSL works normally on the site. When I run this command I get this error:

In command > root@server:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory

Thx.

What is the logic for this to work? The files and path are right. I did not understand the process.

Thx!

Command again>>>

root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
mv: cannot stat 'ispserver.pem': No such file or directory
root@server:/usr/local/ispconfig/interface/ssl# ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
root@server:/usr/local/ispconfig/interface/ssl# ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
root@server:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory
cat: ispserver.crt: No such file or directory
root@server:/usr/local/ispconfig/interface/ssl#

It seems like the tutorial is trying to be too clever with the commands like

ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key

They are assuming that your server has been set up to be named after its public DNS name, but that’s actually not a very common default nowadays (although perhaps ISPCONFIG itself tries to do this in some circumstances?). So they assume that running hostname -f will return the same name that was used to name the certificate, which is probably not true on your server at all.

Could you show us the output of running sudo certbot certificates?


Hello, many thanks for the help. My apologies for taking so long to answer.

The output command:

root@server:/# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: on3w-isp.tk
Domains: on3w-isp.tk
Expiry Date: 2019-11-20 13:50:12+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/on3w-isp.tk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/on3w-isp.tk/privkey.pem


root@server:/#

Thanks!

My suggestion would be that you go back to following the tutorial, but wherever it says

/etc/letsencrypt/live/$(hostname -f)

you would instead write

/etc/letsencrypt/live/on3w-isp.tk

The tutorial assumed that your server would know of its own DNS domain name, but it doesn’t, which isn’t particularly unusual. Therefore, writing it in explicitly should fix the instructions from the tutorial.

When you try again, if any of the commands from the tutorial responds with any message, you can show us that message so we can understand if anything went wrong. But I think it will probably work with the modification that I suggested above.
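The substitution suggested above can be scripted so the directory is looked up instead of guessed. This is an added example, not part of the original posts and not code from ISPConfig or Certbot: `lineage_dir_for` and `install_links` are hypothetical helper names, and the sample text is constructed in the shape of the `certbot certificates` output posted in this thread.

```bash
#!/usr/bin/env bash
# Added example: look up the Certbot live directory for a hostname,
# then link it into the ISPConfig ssl directory without leaving dangling links.

# Constructed sample in the shape of `certbot certificates` output.
SAMPLE='Found the following certs:
  Certificate Name: on3w-isp.tk
    Domains: on3w-isp.tk server.on3w-isp.tk
    Certificate Path: /etc/letsencrypt/live/on3w-isp.tk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/on3w-isp.tk/privkey.pem'

# Read `certbot certificates` output on stdin and print the live directory of
# the first certificate whose Domains line lists hostname $1 (exit 1 if none).
lineage_dir_for() {
  awk -v host="$1" '
    $1 == "Domains:" { hit = 0; for (i = 2; i <= NF; i++) if ($i == host) hit = 1 }
    hit && $1 == "Certificate" && $2 == "Path:" {
      sub(/\/fullchain\.pem$/, "", $3); print $3; found = 1; exit
    }
    END { exit !found }'
}

# Link cert and key from live directory $1 into directory $2 and build
# ispserver.pem. Nothing is touched unless both source files exist, which is
# the check that `ln -s` itself never makes.
install_links() {
  local src="$1" dst="$2" f stamp
  for f in fullchain.pem privkey.pem; do
    [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
  done
  stamp=$(date +"%y%m%d%H%M%S")
  for f in ispserver.crt ispserver.key ispserver.pem; do
    if [ -e "$dst/$f" ] || [ -L "$dst/$f" ]; then
      mv "$dst/$f" "$dst/$f-$stamp.bak"
    fi
  done
  ln -s "$src/fullchain.pem" "$dst/ispserver.crt"
  ln -s "$src/privkey.pem" "$dst/ispserver.key"
  # The combined file holds the private key: create it readable by owner only.
  ( umask 077; cat "$dst/ispserver.key" "$dst/ispserver.crt" > "$dst/ispserver.pem" )
}

# Usage on a real server (as root):
#   dir=$(certbot certificates 2>/dev/null | lineage_dir_for server.on3w-isp.tk) &&
#     install_links "$dir" /usr/local/ispconfig/interface/ssl
```

The live directory is named after the certificate name, so a hostname that is only an additional domain on the certificate still resolves to `/etc/letsencrypt/live/on3w-isp.tk`.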


Hello, thanks for the help. I followed the tutorial and changed the commands to use the domain>>

ln -s /etc/letsencrypt/live/on3w-isp.tk/fullchain.pem ispserver.crt

ln -s /etc/letsencrypt/live/on3w-isp.tk/privkey.pem ispserver.key

/etc/letsencrypt/archive/on3w-isp.tk/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh

and I didn't get any error in the process.

But after finishing the tutorial, I access the domain and it does not work with SSL.

Look>> https://server.on3w-isp.tk:8080/ and http://server.on3w-isp.tk:8080/ I get broken HTML.

Is something wrong?

Thx!!!

About this script>> LE4ISPC

I didn't install it; I understand that it is another service to help with this. Or is it part of what I need to continue?

Thx!

@BarbaraEster,

Your on3w-isp.tk domain is serving the proper certificate according to this command output.

$ echo | openssl s_client -connect on3w-isp.tk:443 -servername on3w-isp.tk 2> /dev/null | openssl x509 -noout -subject -startdate -enddate
subject=CN = on3w-isp.tk
notBefore=Aug 22 13:50:12 2019 GMT
notAfter=Nov 20 13:50:12 2019 GMT

However, I see that server.on3w-isp.tk is also serving that same certificate which is incorrect. The important bit here is to take note of the subject=CN line compared to the domain you actually issued a certificate for.

$ certs server.on3w-isp.tk | openssl x509 -noout -subject -startdate -enddate
subject=CN = on3w-isp.tk
notBefore=Aug 22 13:50:12 2019 GMT
notAfter=Nov 20 13:50:12 2019 GMT

You may want to retry the entire process as indicated by @schoen in "SSL for Admin ISPCONFIG 3", but setting the path to /etc/letsencrypt/live/server.on3w-isp.tk instead.
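The comparison described above (the names on the certificate versus the name the service is reached by) can be run against the files on disk before any service is restarted. This is an added example, not part of the original post: the function names are hypothetical, it needs the `openssl` command-line tool, and `make_sample_cert` only builds throwaway self-signed test material.

```bash
#!/usr/bin/env bash
# Added example: preflight checks on a certificate/key pair for one hostname.

# Succeeds if the leaf certificate in PEM file $2 is valid for hostname $1.
# `openssl x509 -checkhost` reports the result as text, so match on it.
cert_covers() {
  openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null |
    grep -q "does match certificate"
}

# Succeeds if private key $2 belongs to the leaf certificate in $1
# (both must yield the same public key).
key_matches() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Report every problem for hostname $1 with cert $2 and key $3; fail if any.
preflight() {
  local host="$1" cert="$2" key="$3" rc=0
  [ -s "$cert" ] && [ -s "$key" ] ||
    { echo "cert or key missing or empty (dangling symlink?)" >&2; return 1; }
  cert_covers "$host" "$cert" ||
    { echo "certificate does not list $host" >&2; rc=1; }
  key_matches "$cert" "$key" ||
    { echo "private key does not match certificate" >&2; rc=1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
    { echo "certificate expires within 24 hours" >&2; rc=1; }
  return $rc
}

# Constructed test material: self-signed cert with CN $1 and SAN list $2
# (for example "DNS:a.example,DNS:b.example"), key to $3, cert to $4.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -addext "subjectAltName=$2" -keyout "$3" -out "$4" 2>/dev/null
}

# Usage on a real server (as root), from the ISPConfig ssl directory:
#   preflight server.on3w-isp.tk ispserver.crt ispserver.key
```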


Hello, thanks for the help, but it did not work.
I updated the cert.

with this>>>>

certbot certonly --cert-name on3w-isp.tk -d on3w-isp.tk,server.on3w-isp.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


You are updating certificate on3w-isp.tk to include new domain(s):

  • server.on3w-isp.tk

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for server.on3w-isp.tk
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/on3w-isp.tk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/on3w-isp.tk/privkey.pem
    Your cert will expire on 2019-11-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@server:/# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: on3w-isp.tk
Domains: on3w-isp.tk server.on3w-isp.tk
Expiry Date: 2019-11-26 18:51:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/on3w-isp.tk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/on3w-isp.tk/privkey.pem

And I did the tutorial following your guidance, changing to server.@

Command>>> I get an error in dovecot and I disabled the SSL lines to continue. And the command $cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory

ALL Commands >>>>

cd /usr/local/ispconfig/interface/ssl/
root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
root@server:/usr/local/ispconfig/interface/ssl# mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
root@server:/usr/local/ispconfig/interface/ssl# ln -s /etc/letsencrypt/live/server.on3w-isp.tk/fullchain.pem ispserver.crt
root@server:/usr/local/ispconfig/interface/ssl# ln -s /etc/letsencrypt/live/server.on3w-isp.tk/privkey.pem ispserver.key
root@server:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory
cat: ispserver.crt: No such file or directory
root@server:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory
cat: ispserver.crt: No such file or directory
root@server:/usr/local/ispconfig/interface/ssl# chmod 600 ispserver.pem
root@server:/usr/local/ispconfig/interface/ssl# cd /etc/postfix/
root@server:/etc/postfix# mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
root@server:/etc/postfix# mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
root@server:/etc/postfix# ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
root@server:/etc/postfix# ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
root@server:/etc/postfix# service postfix restart
root@server:/etc/postfix# service dovecot restart
Job for dovecot.service failed because the control process exited with error code. See “systemctl status dovecot.service” and “journalctl -xe” for details.
root@server:/etc/postfix# systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2019-08-28 19:57:36 UTC; 12s ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 8934 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Process: 8942 ExecStart=/usr/sbin/dovecot (code=exited, status=89)
Main PID: 8277 (code=exited, status=0/SUCCESS)

Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: Stopped Dovecot IMAP/POP3 email server.
Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: Starting Dovecot IMAP/POP3 email server…
Aug 28 19:57:36 server.on3w-isp.tk dovecot[8942]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 8: ssl_cert: Can’t open file /etc/postfix/smtpd.cert: No such file or directory
Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: dovecot.service: Control process exited, code=exited status=89
Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: dovecot.service: Unit entered failed state.
Aug 28 19:57:36 server.on3w-isp.tk systemd[1]: dovecot.service: Failed with result ‘exit-code’.
root@server:/etc/postfix# nano /etc/dovecot/dovecot.conf
root@server:/etc/postfix# service dovecot restart
Job for dovecot.service failed because the control process exited with error code. See “systemctl status dovecot.service” and “journalctl -xe” for details.
root@server:/etc/postfix# nano /etc/dovecot/dovecot.conf
root@server:/etc/postfix# service dovecot restart
root@server:/etc/postfix# systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-08-28 20:00:06 UTC; 8s ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 8934 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Process: 9334 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 9337 (dovecot)
Tasks: 4
Memory: 1.6M
CPU: 16ms
CGroup: /system.slice/dovecot.service
├─9337 /usr/sbin/dovecot
├─9338 dovecot/anvil
├─9339 dovecot/log
└─9341 dovecot/config

Aug 28 20:00:06 server.on3w-isp.tk systemd[1]: Starting Dovecot IMAP/POP3 email server…
Aug 28 20:00:06 server.on3w-isp.tk systemd[1]: dovecot.service: PID file /var/run/dovecot/master.pid not readable (yet?) after start: No such file or directory
Aug 28 20:00:06 server.on3w-isp.tk dovecot[9337]: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disabled)
Aug 28 20:00:06 server.on3w-isp.tk systemd[1]: Started Dovecot IMAP/POP3 email server.

The panel does not work: https://server.on3w-isp.tk:8080/login/

And my host in apache rename for 000-… 000-apps.vhost 000-default.conf 000-ispconfig.conf … All Files

And a detail: on https://server.on3w-isp.tk/phpmyadmin/ and the normal https://server.on3w-isp.tk I have SSL working. Only on port 8080 nothing works. :confused:

and i have this error now>>> systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Wed 2019-08-28 20:46:47 UTC; 3min 35s ago
Docs: man:systemd-sysv-generator(8)
Process: 11805 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
Process: 12641 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: Output of config test was:
Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: SSLCertificateFile: file ‘/etc/letsencrypt/live/on3w-isp.tk/ispserver.crt’ does not exist or is empty
Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: Action ‘configtest’ failed.
Aug 28 20:46:47 server.on3w-isp.tk apache2[12641]: The Apache error log may have more information.
Aug 28 20:46:47 server.on3w-isp.tk systemd[1]: apache2.service: Control process exited, code=exited status=1
Aug 28 20:46:47 server.on3w-isp.tk systemd[1]: Failed to start LSB: Apache2 web server.
Aug 28 20:46:47 server.on3w-isp.tk systemd[1]: apache2.service: Unit entered failed state.
Aug 28 20:46:47 server.on3w-isp.tk systemd[1]: apache2.service: Failed with result ‘exit-code’.

Resolved! Resolved!


Hello, I am using LE4ISPC and it works fine in the server admin. The problem with the other tutorial is that the keys were not valid; I restored the backup and did it with LE4ISPC and it works, but phpMyAdmin does not work. :stuck_out_tongue:

@BarbaraEster
I am so happy for you! :tada:

Phpmyadmin not working is ok, you’ll get there. :slight_smile:

Can you help me with this?
I see that sub.dominio.com/phpmyadmin does not work,
but dominio.com/phpmyadmin works for me. Oo

Can you show me the exact commands you used to issue the certificate for dominio.com with the LE4ISPC tool?

Here>>>

cd /etc/ssl
wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh --no-check-certificate
chmod +x le4ispc.sh
./le4ispc.sh

and it created the certs in >>/etc/letsencrypt/live
ispvultr.tk and server.ispvultr.tk

Thx

I have these files in the folders>

cert.pem chain.pem fullchain.pem privkey.pem README