ISPConfig/Let's Encrypt: Difference between revisions
Revision as of 24 November 2019, 17:06
This tutorial shows how to create and configure a free Let's Encrypt SSL certificate for the ISPConfig interface (port 8080), the email system (Postfix and Dovecot/Courier), the FTP server (pure-ftpd) and Monit.
- The commands in this tutorial have been tested on Ubuntu 16.04; they should work for Debian as well. Certain modifications may be necessary to make it work on CentOS. Help on this guide is available in this forum thread: https://www.howtoforge.com/community/threads/securing-ispconfig-3-control-panel-port-8080-with-lets-encrypt-free-ssl.75554/
Creating A Website Using ISPConfig Server Hostname FQDN
Create a site for your server in ISPConfig panel via Sites > Website > Add new website.
- Remember! This is your server's website and as such it must carry your server's fully qualified domain name (FQDN).
- I will refer to it as `hostname -f` in this guide.
hostname -f
Hopefully, it will work without any changes to your server as well.
Accessing ISPConfig Website Online
Check that your server site is ready and accessible online, as Let's Encrypt needs to verify that your website is reachable before issuing the SSL key, certificate and chain file for your server site.
- You also have to create its DNS zone and allow it to properly propagate as Let's Encrypt needs to verify it too.
Enabling SSL For ISPConfig 3 Control Panel (Port 8080)
If you haven't enabled SSL during ISPConfig setup, i.e. for its control panel at port 8080, enable it by running ispconfig_update.sh in the terminal and selecting yes for SSL.
- We don't need this to be a proper certificate, nor do we want to keep it; to save time, simply press Enter to accept the defaults for all of its fields.
- When you have finished this, the self-signed SSL should already be enabled for your ISPConfig.
Checking SSL For ISPConfig 3 Control Panel (Port 8080)
Check your browser to confirm by opening ISPConfig control panel at port 8080.
- Note that you might get a warning at this stage since the created SSL files are self-signed, but the browser will confirm whether or not your ISPConfig has SSL enabled.
Securing ISPConfig Website With Let's Encrypt SSL
If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then tick the SSL and Let's Encrypt checkboxes and save, to create the Let's Encrypt SSL files and enable them for your server site.
- If successful, your server site will now be using these Let's Encrypt SSL files, but your ISPConfig 8080 page will not yet.
- If unsuccessful, you will not be able to proceed further, so do check its log file for a clue.
Changing ISPConfig 3 Control Panel (Port 8080)
If LE SSL is already working, then go to your server terminal, become root via sudo su and use the following commands to back up the created self-signed SSL files and replace them with the Let's Encrypt SSL files.
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
- If you haven't created ispserver.pem before, you may ignore the third line, which is aimed at renaming the existing one, if any, as a backup.
- Note that we are using the Let's Encrypt live folder instead of the archive folder.
- Also note the last line, where ispserver.pem is created by combining files. Because it is a copy rather than a symlink, it will not be automatically renewed by Let's Encrypt, unlike the other files which we merely symlinked; we will deal with this in the last part of this guide.
- Note also that you can type either `hostname -f` or server1.example.com, as the result is the same because `hostname -f` is server1.example.com.
Using The Same Let's Encrypt SSL Certs For Other Major Services
As an additional tip, based on Securing Your ISPConfig 3 Installation, you may want to use symlinks to ispserver.key, .crt or .pem instead of pointing your Postfix, Dovecot, Courier, pure-FTPd and Monit directly at the Let's Encrypt SSL files.
- For Dovecot, if it is already using the Postfix SSL files, it is safe to ignore it.
- In detail, you only need to do the following:
For Postfix
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart
service dovecot restart
For dovecot: (* Note this shouldn't exist together with courier)
Check whether these lines exist using nano /etc/dovecot/dovecot.conf:
[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
[...]
Leave them as they are if they exist.
- Otherwise, fix them.
- In any event, service dovecot restart is already covered above.
For courier: (* Note this shouldn't exist together with dovecot)
cd /etc/courier/
mv imapd.pem imapd.pem-$(date +"%y%m%d%H%M%S").bak
mv pop3d.pem pop3d.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pop3d.pem
service courier-imap-ssl stop
service courier-imap-ssl start
service courier-pop-ssl stop
service courier-pop-ssl start
For pure-FTPd:
cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
chmod 600 pure-ftpd.pem
service pure-ftpd-mysql restart
For monit: (If you have it installed in your server)
nano /etc/monit/monitrc
Point Monit at the same symlink to ispserver.pem that we created for pure-ftpd above:
[...]
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /etc/ssl/private/pure-ftpd.pem
    allow admin:'secretpassword'
[...]
And restart monit:
service monit restart
Create Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)
- This last step, which I haven't found in any guide so far, is the automatic update of ispserver.pem hinted at earlier.
- Currently, it has to be changed manually right after Let's Encrypt has automatically renewed your server's SSL files.
- To avoid overlooking this, you may want to install incron as suggested in the respective incron tutorial and create a script to update your ispserver.pem file automatically, as follows:
Via terminal command, install incron, then create the script file and edit it using nano:
apt install -y incron
nano /etc/init.d/le_ispc_pem.sh
Add this to le_ispc_pem.sh:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          LE ISPSERVER.PEM AUTO UPDATER
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: LE ISPSERVER.PEM AUTO UPDATER
# Description:       Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
### END INIT INFO
cd /usr/local/ispconfig/interface/ssl/ || exit 1
# Keep the previous combined file as a timestamped backup.
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
# Rebuild the combined file from the symlinked key and certificate.
# The two files are listed explicitly: brace expansion (ispserver.{key,crt})
# is a bash feature and does not work under /bin/sh (dash) on Ubuntu/Debian.
cat ispserver.key ispserver.crt > ispserver.pem
chmod 600 ispserver.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
# Restart every service that reads the combined or symlinked files.
service pure-ftpd-mysql restart
service monit restart
service postfix restart
service dovecot restart
service nginx restart
- Note that some people do not install monit, so they can safely remove that line. Do adjust the above script accordingly.
- If you are using Apache, change nginx to apache2 in the last line as well.
- For a multi-server setup, do refer to post #203 and add the given scp code in here to automate future updates.
We then make it executable, add root as an allowed user for incrontab and then edit incrontab file:
chmod +x /etc/init.d/le_ispc_pem.sh
echo "root" >> /etc/incron.allow
incrontab -e
Add this line to the incrontab. Note that incron does not pass the line through a shell, so `$(hostname -f)` would not be expanded there: write your server's FQDN literally (shown here as server1.example.com, as elsewhere in this guide), and give the script its absolute path:
/etc/letsencrypt/archive/server1.example.com/ IN_MODIFY /etc/init.d/le_ispc_pem.sh
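Because ispserver.pem is a copy rather than a symlink, a renewal that the incron job misses leaves the control panel, pure-ftpd and Monit serving the old certificate. The following check and rebuild helper is an added example, not code from the original guide or from ISPConfig; it assumes the guide's layout (ispserver.pem is the key followed by fullchain, ispserver.key/.crt are symlinks into the live folder) and needs only sed, cat and mv.

```shell
#!/bin/sh
# Added example, not part of the original guide: detect a combined
# ispserver.pem that has gone stale after Let's Encrypt renewed the
# symlinked ispserver.key/.crt, and rebuild it safely.
# Assumptions: ispserver.pem is key followed by fullchain, as the guide
# builds it; the directory is a parameter so the check can be run on a copy.

# Certificate section of a PEM file: from the first BEGIN CERTIFICATE to EOF.
pem_certs() { sed -n '/^-----BEGIN CERTIFICATE-----/,$p' "$1"; }

# Private-key block of a PEM file (PKCS#8, RSA or EC header).
pem_key() { sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' "$1"; }

# ispc_pem_check DIR: 0 if DIR/ispserver.pem matches the current key and
# certificate, 1 if it is stale or its key does not match, 2 if a file is missing.
ispc_pem_check() {
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    for f in ispserver.key ispserver.crt ispserver.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 2; }
    done
    if [ "$(pem_certs "$dir/ispserver.pem")" != "$(pem_certs "$dir/ispserver.crt")" ]; then
        echo "stale: certificate in ispserver.pem differs from ispserver.crt" >&2
        return 1
    fi
    if [ "$(pem_key "$dir/ispserver.pem")" != "$(pem_key "$dir/ispserver.key")" ]; then
        echo "mismatch: key in ispserver.pem differs from ispserver.key" >&2
        return 1
    fi
    return 0
}

# Rebuild ispserver.pem from the symlinked key and certificate. The files are
# listed explicitly (brace expansion is unavailable under dash, the /bin/sh of
# Ubuntu/Debian), the new file is created mode 600 via umask, and it is moved
# into place atomically so no service ever reads a half-written pem.
ispc_pem_rebuild() {
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    ( umask 077 && cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$dir/ispserver.pem.new" ) &&
        mv "$dir/ispserver.pem.new" "$dir/ispserver.pem"
}

# Self-contained demonstration on constructed placeholder PEM text (not real
# key material): build the pem, simulate a renewal of the certificate the
# symlink points at, and confirm the check flags the stale pem until it is
# rebuilt. Returns 0 when every step behaves as expected.
ispc_demo() {
    d=$(mktemp -d) || return 1
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-1\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT-1\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    ln -s "$d/privkey.pem" "$d/ispserver.key"
    ln -s "$d/fullchain.pem" "$d/ispserver.crt"
    ispc_pem_rebuild "$d" && ispc_pem_check "$d" || return 1     # fresh pem: ok
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT-2\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    ispc_pem_check "$d" 2>/dev/null && return 1                  # renewed: must report stale
    ispc_pem_rebuild "$d" && ispc_pem_check "$d" || return 1     # rebuilt: ok again
    rm -rf "$d"
}
```

Running ispc_pem_check with no argument against the real directory (as root) from cron or from Monit gives an early warning that the incron job did not fire after a renewal.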
Restarting Your Services
I think that is about it for Securing Your Server With Let's Encrypt.
- You may want to restart your web server afterwards.
service nginx restart
Remember: if you are using apache, change nginx to apache2 accordingly.
LE4ISPC
As an alternative, you might want to use the LE4ISPC script (https://github.com/ahrasis/LE4ISPC) created for this purpose, which supports both nginx and apache2 for everything from ISPConfig up to pure-ftpd above, except for Monit.
- Before using it, you should already have completed the above steps (1-5) and have:
- Created the website for your server via ISPConfig;
- The website accessible online
- ISPConfig SSL enabled (via installation or update)
- LE SSL successfully enabled for the website.