The Perfect Server
The goal was to build an easy-to-maintain server. The description found here was used. I bought a copy of the manual for ISPconfig3 in the past. It is not very useful though... There are very few real examples, just a walk-through of all menu items. In March 2019 the complete description for 18.04.2 (including the basic minimal server) was followed. The installation was done on an HP-6000 desktop. See: here
General Impression with 18.04
SSL for the server itself and other applications (phpmyadmin) is still tedious. Several self-signed certs are generated which can be replaced later with real CAcert or LetsEncrypt certs.
- During installation several self-signed certificates are generated. They can be replaced by real (CAcert) server certs. This has been done (see the wiki page about certificates). The path to the self-signed certs in the ispconfig.vhost must be corrected to point to the CAcert certs. The CAcert certificate/key were placed in the default location /etc/ssl/private.
The ispconfig.vhost should have these lines:
    SSLCertificateFile /etc/ssl/private/<certname>.crt
    SSLCertificateKeyFile /etc/ssl/private/<certname>.key
LetsEncrypt is said to be fully integrated in ISPconfig 3.1.x, but I could not figure out how... To function, ALL URLs of a site MUST be reachable (with and without "www."). This includes the domain itself with auto "www". It is possible to use LetsEncrypt (Certbot) standalone. Use the option "certonly". Follow this recipe by Tom Lankhorst. As far as I understand, renewal is taken care of by LetsEncrypt and need not be done by the website. The renew cronjob crashed and made all sites and apache crash too.
I prefer to use letsencrypt/certbot-auto as a standalone application dropping all certs in the standard directory structure. From there the certs can be coupled to the websites (and to the server itself).
ISPconfig uses self-signed certs located in /usr/local/ispconfig/interface/ssl. By replacing the certs with a symlink to the letsencrypt data store /etc/letsencrypt/live/<domain>/<certs>, ISPconfig (and postfixadmin, roundcube and phpmyadmin) can be reached via SSL as https://ubuntu.vandenbussche.nl:8080/.
All websites generated with ISPconfig store their SSL certs in /var/www/<domain>/ssl. By replacing them with symlinks to the LetsEncrypt data store, these sites can be brought under SSL. See the Tom Lankhorst recipe.
- The personal certs were installed to be able to login with ssh (PuTTY).
- The upload_max_filesize and post_max_size are a bit low for phpmyadmin (2 and 8 Mb); I changed them to 50M in php.ini for apache2.
- The /etc/vim/vimrc was modified for dark background.
- Configuration of /etc/network/interfaces was modified for fixed address and IPv6.
- ISPconfig seems more strict w.r.t. user names and database names. The client number is used as a prefix. This means that the config of webs might need changes. Example: database verbruik is now called c3verbruik. Database user egbert is now c3egbert.
- When ISPConfig updates have been applied, check the ssl_* settings in the mail vhost, for postfix and for dovecot. Look here. The paths to the correct certs might need modification:
    root@ubuntu# ls -l /usr/local/ispconfig/interface/ssl
    total 20
    -rwxr-x--- 1 root root 45 May 30 21:25 empty.dir
    lrwxrwxrwx 1 root root 59 Mar 14 21:03 ispserver.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
    -rwxr-x--- 1 root root 2057 Sep 5 2016 ispserver.crt.bak
    -rwxr-x--- 1 root root 1720 Sep 5 2016 ispserver.csr
    lrwxrwxrwx 1 root root 57 Mar 14 21:04 ispserver.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem
    -rwxr-x--- 1 root root 3243 Sep 5 2016 ispserver.key.bak
    -rwxr-x--- 1 root root 3311 Sep 5 2016 ispserver.key.secure
- To get phpmyadmin to work with SSL (HTTPS), use the site-url:8080/phpmyadmin.
- Same for roundcube: site-url:8080/roundcube.
- pure-ftp might need a tweak to allow the client to show more than 9998 files. Add a file /etc/pure-ftpd/conf/LimitRecursion with "99999 10" in it. This allows for 99999 visible files, max 10 levels deep.
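
The check of the ISPconfig certificate symlinks after an update, described above, can be scripted. This is an added example, not part of the original notes or of ISPconfig: the function names check_link and check_ispconfig_certs are made up for illustration, while the file names and default paths are the ones shown in the directory listing above.

```shell
#!/bin/sh
# Added example: verify that ISPconfig's certificate files are still symlinks
# into the Let's Encrypt store (for instance after an ISPconfig update).

# check_link LINK EXPECTED_TARGET
# Prints one status line; returns 0 only if LINK is a symlink whose target is
# exactly EXPECTED_TARGET and that target exists.
check_link() {
    link=$1; expected=$2
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "MISSING  $link"; return 1
    fi
    if [ ! -L "$link" ]; then
        # A regular file here may be a regenerated self-signed certificate.
        echo "NOTLINK  $link (regular file, not a symlink)"; return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$expected" ]; then
        echo "WRONG    $link -> $target (expected $expected)"; return 1
    fi
    if [ ! -e "$link" ]; then
        # Symlink is in place but the file it points to is gone.
        echo "DANGLING $link -> $target"; return 1
    fi
    echo "OK       $link -> $target"
}

# check_ispconfig_certs DOMAIN [SSL_DIR] [LE_LIVE_DIR]
# Returns the number of failed checks (0 = both links are correct).
check_ispconfig_certs() {
    domain=$1
    ssl_dir=${2:-/usr/local/ispconfig/interface/ssl}
    le_live=${3:-/etc/letsencrypt/live}
    failed=0
    check_link "$ssl_dir/ispserver.crt" "$le_live/$domain/fullchain.pem" || failed=$((failed + 1))
    check_link "$ssl_dir/ispserver.key" "$le_live/$domain/privkey.pem" || failed=$((failed + 1))
    return "$failed"
}

# When called with arguments, run the check, e.g.:
#   sh check_certs.sh ubuntu.vandenbussche.nl
if [ $# -gt 0 ]; then
    check_ispconfig_certs "$@"
fi
```

check_link can be called directly for the per-site certificates under /var/www/<domain>/ssl, passing the link path and the expected target.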