{"id":2868,"date":"2018-02-13T16:47:40","date_gmt":"2018-02-13T13:47:40","guid":{"rendered":"https:\/\/www.howtoforge.com\/tutorial\/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate\/"},"modified":"2018-02-13T16:47:40","modified_gmt":"2018-02-13T13:47:40","slug":"securing-ispconfig-3-1-with-a-free-lets-encrypt-ssl-certificate","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/securing-ispconfig-3-1-with-a-free-lets-encrypt-ssl-certificate\/","title":{"rendered":"Securing ISPConfig 3.1 With a Free Let’s Encrypt SSL Certificate"},"content":{"rendered":"
\"\"<\/div>\n

Author:\u00a0ahrasis<\/a><\/p>\n

This tutorial shows how to create and configure a free Let’s encrypt SSL certificate for the ISPconfig interface (port 8080), the email system (Postfix and Dovecot\/Courier), the FTP server (pure-ftpd) and Monit. The commands\u00a0in this tutorial have been tested on Ubuntu 16.04, they should work for Debian as well. Certain modifications may be necessary to make it work on CentOS.<\/p>\n

Help on this guide is available in this forum thread<\/a>.<\/p>\n

Creating A Website Using ISPConfig Server Hostname FQDN<\/h2>\n

Create a site for your server in ISPConfig panel via Sites > Website > Add new website<\/strong><\/em>. Remember! This is your server website and as such it must contain your server fully qualified domain name (FQDN). I will refer to it as `hostname -f` in this guide.<\/p>\n

hostname -f<\/span><\/p>\n

Hopefully, it will work without any changes to your server as well.<\/p>\n

Accessing ISPConfig Website Online<\/h2>\n

Check if your server site is ready and accessible online as Let’s Encrypt needs to verify your website is accessible before issuing SSL key, certificate and chain file for your server site. You also have to create its DNS zone and allow it to properly propagate as Let’s Encrypt needs to verify it too.<\/p>\n

Enabling SSL For ISPConfig 3 Control Panel (Port 8080)<\/h2>\n

If you haven’t enabled SSL during ISPConfig setup i.e. for its control panel at port 8080, enable it by typing ispconfig_update.sh in the terminal and select yes for SSL. We don’t need this to be a proper key nor do we want to keep it but we want to work faster, thus we can simply enter for all of its fields. When you finished this, the self-signed SSL should already be enabled for your ISPConfig.<\/p>\n

Checking SSL For ISPConfig 3 Control Panel (Port 8080)<\/h2>\n

Check your browser to confirm by opening ISPConfig control panel at port 8080. Note that you might get some warning at this stage since the created SSL files are self-signed but the browser will confirm that your ISPConfig has SSL enabled or otherwise.<\/p>\n

Securing ISPConfig Website With Let’s Encrypt SSL<\/h2>\n

If the above is done, go back to ISPConfig panel > Sites > Website > Website Name<\/em><\/strong>, then click SSL<\/strong> and Let’s Encrypt<\/strong> check buttons and save – to create Let’s Encrypt SSL files and enable them for your server site. If successful your server site shall now be using this Let’s Encrypt SSL files but not your ISPConfig 8080 page. If unsuccessful, you will not be able to proceed further, so do check its log file for a clue.<\/p>\n

Changing ISPConfig 3 Control Panel (Port 8080)<\/h2>\n

If LE SSL is already working, then go to your server terminal, go root via sudo su and use the following command to backup and replace the created self-signed SSL files with Let’s Encrypt SSL files.<\/p>\n

cd \/usr\/local\/ispconfig\/interface\/ssl\/
mv ispserver.crt ispserver.crt-$(date +”%y%m%d%H%M%S”).bak
mv ispserver.key ispserver.key-$(date +”%y%m%d%H%M%S”).bak
mv ispserver.pem ispserver.pem-$(date +”%y%m%d%H%M%S”).bak
ln -s \/etc\/letsencrypt\/live\/$(hostname -f)\/fullchain.pem ispserver.crt
ln -s \/etc\/letsencrypt\/live\/$(hostname -f)\/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem<\/p>\n