Perfect Server

From Egbert's Wiki

Perfect Server

See: Perfect Server to build the initial server from a minimal Ubuntu 18.04 distribution.

phpMyAdmin

The phpMyAdmin in the distro is a bit outdated, which gives errors in combination with PHP 7.2. The solution is to manually install phpMyAdmin 4.8.x over 4.6.6. Instructions here.

Advice

Start off by just getting ISPConfig to work. Adding Let's Encrypt certificates can be a bit confusing. ISPConfig uses self-signed certs and should work out of the box, although browsers will complain. I found Firefox more cooperative than Chrome. YMMV.

Architecture

The base is the Perfect Server setup up to the installation of Let's Encrypt. All websites, databases, vhosts, etc. are created with ISPConfig. Configuration is in the usual places (/etc/apache2/...), but all editing is done by the ISPConfig scripts.

  • The websites are in /var/www/<domain>
  • The Let's Encrypt cert store is in /etc/letsencrypt/archive/<domain>
  • The live certs are in /etc/letsencrypt/live/<domain>

Setup SSL for the server

ISPConfig runs with self-signed certificates by default. One of the first things to do is to use ISPConfig to create a website for ubuntu.vandenbussche.nl. Then use Let's Encrypt to issue a cert for this domain. Follow the Tom Lankhorst recipe to install the Let's Encrypt cert for the server itself. This boils down to creating a few symlinks from the website to the LE cert. In this way the Ubuntu default site will be accessible via SSL when it is copied from /var/www/html to /var/www/ubuntu.vandenbussche.nl/web. This gives the server a website like any other website, which is handy for initial testing.

To secure ISPConfig with this same certificate, the self-signed certs must be replaced by symlinks too. The ISPConfig certs are located in /usr/local/ispconfig/interface/ssl.

root@ubuntu:/usr/local/ispconfig/interface/ssl# ls -l
total 20
-rwxr-x--- 1 root root   45 May 30 21:25 empty.dir
lrwxrwxrwx 1 root root   59 Jun  1 21:51 ispserver.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
-rwxr-x--- 1 root root 2057 Sep  5  2016 ispserver.crt.bak
-rwxr-x--- 1 root root 1720 Sep  5  2016 ispserver.csr
lrwxrwxrwx 1 root root   57 Jun  1 21:49 ispserver.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem
-rwxr-x--- 1 root root 3243 Sep  5  2016 ispserver.key.bak
-rwxr-x--- 1 root root 3311 Sep  5  2016 ispserver.key.secure

The certs in the /etc/letsencrypt/live/<domain>/ directory are symlinks themselves; their paths do not change when the real certs in /etc/letsencrypt/archive/... are renewed.

There is a way to automate this: here and here.

WARNING: Going for a separate cert from, e.g., CAcert will give problems with the "stapling" of the certs.

Setup SSL for the sites

ISPConfig reserves /var/www/<domain>/ssl to store the certs that were entered in the SSL tab of the website. Since the lifetime of LE certs is only three months, symlinks are used to connect to the place where LE stores the certs. See the Tom Lankhorst recipe again. Result:

root@ubuntu:/var/www/ubuntu.vandenbussche.nl/ssl# ls -l
total 0
lrwxrwxrwx 1 root root 59 Mar 14 20:57 ubuntu.vandenbussche.nl.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
lrwxrwxrwx 1 root root 57 Mar 14 20:58 ubuntu.vandenbussche.nl.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem
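
A check that the symlink chains in the listings above still resolve into the Let's Encrypt store, that certificate and key belong together, and that the certificate is not close to expiry. This is an added example, not part of the original page or of the Tom Lankhorst recipe; the function names, the argument order and the 14-day default are assumptions, and it relies on GNU readlink -f and the openssl command line tool.

```shell
#!/bin/sh
# Added example: audit a cert/key symlink pair such as ispserver.crt/.key.
# Usage: sh audit_pair.sh CERT_LINK KEY_LINK LE_ROOT [MIN_DAYS]

# Succeed if $1 is a symlink whose final target exists and lies under $2.
resolves_under() {
    [ -L "$1" ] || { echo "FAIL $1: not a symlink"; return 1; }
    target=$(readlink -f "$1") && [ -e "$target" ] ||
        { echo "FAIL $1: dangling symlink"; return 1; }
    case $target in
        "$(readlink -f "$2")"/*) echo "OK   $1 -> $target" ;;
        *) echo "FAIL $1: resolves outside $2 ($target)"; return 1 ;;
    esac
}

# Succeed if certificate $1 and private key $2 carry the same public key.
# For a fullchain.pem, openssl x509 reads the first (leaf) certificate.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || c=
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || k=
    if [ -n "$c" ] && [ "$c" = "$k" ]; then
        echo "OK   $2 matches $1"
    else
        echo "FAIL $2 does not match $1"; return 1
    fi
}

# Succeed if certificate $1 stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 ||
        { echo "FAIL $1: expires within $2 days or is unreadable"; return 1; }
    echo "OK   $1 valid for at least $2 more days"
}

# Run every check and return non-zero if any of them fails.
# MIN_DAYS defaults to 14 (an assumed threshold, not from the page).
audit_pair() {
    rc=0
    resolves_under "$1" "$3" || rc=1
    resolves_under "$2" "$3" || rc=1
    pair_matches "$1" "$2" || rc=1
    valid_for_days "$1" "${4:-14}" || rc=1
    return "$rc"
}

if [ "$#" -ge 3 ]; then audit_pair "$@"; fi
```

For the ISPConfig interface on this server the call would be `audit_pair ispserver.crt ispserver.key /etc/letsencrypt`, run as root from /usr/local/ispconfig/interface/ssl.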