LetsEncrypt
LetsEncrypt and ISPconfig
I have severe problems using LetsEncrypt as designed in ISPconfig. I now use a Certbot installation via PPA. Using certbot certonly -d ... works fine. From there Tom Lankhorst's recipe was followed.
General Process
Request a certificate for the website wiki.vandenbussche.nl using the running apache server. If this fails, stop apache, issue the certbot command again and choose the standalone webserver (choice 2).
root@ubuntu:# certbot certonly -d wiki.vandenbussche.nl
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for wiki.vandenbussche.nl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem
   Your cert will expire on 2018-02-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
Restart apache if it was stopped. The certs are now in /etc/letsencrypt/archive/wiki.vandenbussche.nl/ and links to the current certs are in /etc/letsencrypt/live/wiki.vandenbussche.nl/.
root@ubuntu:/etc/letsencrypt/live/wiki.vandenbussche.nl# ls -l
total 4
-rw-r--r-- 1 root root 543 Nov 23 16:33 README
lrwxrwxrwx 1 root root  45 Nov 23 16:33 cert.pem -> ../../archive/wiki.vandenbussche.nl/cert1.pem
lrwxrwxrwx 1 root root  46 Nov 23 16:33 chain.pem -> ../../archive/wiki.vandenbussche.nl/chain1.pem
lrwxrwxrwx 1 root root  50 Nov 23 16:33 fullchain.pem -> ../../archive/wiki.vandenbussche.nl/fullchain1.pem
lrwxrwxrwx 1 root root  48 Nov 23 16:33 privkey.pem -> ../../archive/wiki.vandenbussche.nl/privkey1.pem
Paste the cert, key and chain into the SSL tab of the website in ISPconfig, then Save. This places the certs in /var/www/wiki.vandenbussche.nl/ssl. Then follow Tom Lankhorst's recipe: it replaces the files in the ssl directory by links to the certs in the /etc/letsencrypt/live/wiki.vandenbussche.nl directory.
Before:
-rw-r--r-- 1 root root 3515 Nov 23 16:41 wiki.vandenbussche.nl.crt
-r-------- 1 root root 1730 Nov 23 16:41 wiki.vandenbussche.nl.key

cd /var/www/wiki.vandenbussche.nl/ssl
ln -sf /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem wiki.vandenbussche.nl.crt
ln -sf /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem wiki.vandenbussche.nl.key

(The key must link to privkey.pem; there is no fullchain.key in the live directory, so linking to it would leave a dangling link.)

After:
lrwxrwxrwx 1 root root 57 Nov 23 16:47 wiki.vandenbussche.nl.crt -> /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem
lrwxrwxrwx 1 root root 55 Nov 23 16:47 wiki.vandenbussche.nl.key -> /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem
This ensures that after a renewal (every 90 days) the website uses the new certs.
SSL for ISPconfig itself
To use LetsEncrypt for ISPconfig itself (that is, all services served under ubuntu.vandenbussche.nl/<service>), a slightly different approach is needed. ISPconfig refers to (self-signed) certs in its own tree /usr/local/ispconfig/interface/ssl. These must be remapped to the location of the LE certs: /etc/letsencrypt/live/<hostname -f>. A good description was written by Arasis.
As said, ISPconfig itself needs an extra step, similar to the one for hosted websites: the hardcoded self-signed certs are replaced by symbolic links to the LE location, just like for any other secure website created under ISPconfig. Very logical, indeed. This way all web-based services of ISPconfig, e.g. phpMyAdmin, are SSL secured. I run ISPconfig on port 8080: https://ubuntu.vandenbussche.nl:8080/ and phpMyAdmin as https://ubuntu.vandenbussche.nl:8080/phpmyadmin.
cd /var/www/ubuntu.vandenbussche.nl/ssl
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem ubuntu.vandenbussche.nl.crt
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem ubuntu.vandenbussche.nl.key

Result:
lrwxrwxrwx 1 root root 59 Mar 14 20:57 ubuntu.vandenbussche.nl.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
lrwxrwxrwx 1 root root 57 Mar 14 20:58 ubuntu.vandenbussche.nl.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem

cd /usr/local/ispconfig/interface/ssl
mv ispserver.crt ispserver.crt.bak
mv ispserver.key ispserver.key.bak
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem ispserver.crt
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem ispserver.key

Result:
lrwxrwxrwx 1 root root   59 Mar 14 21:03 ispserver.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
-rwxr-x--- 1 root root 2057 Sep  5  2016 ispserver.crt.bak
-rwxr-x--- 1 root root 1720 Sep  5  2016 ispserver.csr
lrwxrwxrwx 1 root root   57 Mar 14 21:04 ispserver.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem
-rwxr-x--- 1 root root 3243 Sep  5  2016 ispserver.key.bak
-rwxr-x--- 1 root root 3311 Sep  5  2016 ispserver.key.secure
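As an added example, not part of this page or of Tom Lankhorst's recipe, here is the ISPconfig linking step as a small POSIX shell script with the checks I want around it: it refuses to run when either Let's Encrypt file is missing, keeps the self-signed originals as backups, and can detect a dangling link afterwards. The paths default to the ones used on this page; the cert/key matching helper assumes openssl is installed.

```shell
#!/bin/sh
# Replace ISPConfig's self-signed ispserver.crt/.key by symlinks to the
# Let's Encrypt live files of HOST, keeping the originals as *.bak.
# Defaults are the paths used on this page; both can be overridden.
set -eu

link_ispconfig_certs() {
  host=$1
  live=${2:-/etc/letsencrypt/live}/$host
  ssldir=${3:-/usr/local/ispconfig/interface/ssl}

  # Refuse to touch anything unless both live files are readable:
  # a dangling link would leave the SSL vhost unable to start.
  for f in fullchain.pem privkey.pem; do
    [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
  done

  for pair in ispserver.crt:fullchain.pem ispserver.key:privkey.pem; do
    name=${pair%%:*}
    target=${pair#*:}
    # Keep the original self-signed file once; an existing link is just replaced.
    if [ -e "$ssldir/$name" ] && [ ! -L "$ssldir/$name" ]; then
      mv "$ssldir/$name" "$ssldir/$name.bak"
    fi
    ln -sf "$live/$target" "$ssldir/$name"
  done
}

# Fail on the first symlink in DIR that does not resolve (e.g. a link to a
# misspelled fullchain.key). Run it after linking and after every renewal.
check_links() {
  for l in "$1"/*; do
    [ -L "$l" ] || continue
    [ -e "$l" ] || { echo "dangling: $l -> $(readlink "$l")" >&2; return 1; }
  done
  return 0
}

# Confirm that KEYFILE is the private key of CERTFILE by comparing public keys.
# Needs openssl; not exercised by the offline test.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# e.g.: ./link_ispconfig_ssl.sh ubuntu.vandenbussche.nl
if [ $# -gt 0 ]; then
  link_ispconfig_certs "$@"
  check_links "${3:-/usr/local/ispconfig/interface/ssl}"
fi
```

Apache only reads the linked files when it (re)starts, so a renewal still needs a reload; certbot's --deploy-hook option can run that automatically.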
This server now holds several certs:
root@ubuntu:/etc/letsencrypt/live# ls -l
total 24
drwxr-xr-x 2 root root 4096 Sep 29 00:51 beta.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Nov  1 00:53 boemerang.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 dev.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 speldorado.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 ubuntu.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Nov 23 16:33 wiki.vandenbussche.nl

And in ubuntu.vandenbussche.nl:
-rw-r--r-- 1 root root 543 Mar 14 20:42 README
lrwxrwxrwx 1 root root  47 Mar 14 20:42 cert.pem -> ../../archive/ubuntu.vandenbussche.nl/cert1.pem
lrwxrwxrwx 1 root root  48 Mar 14 20:42 chain.pem -> ../../archive/ubuntu.vandenbussche.nl/chain1.pem
lrwxrwxrwx 1 root root  52 Mar 14 20:42 fullchain.pem -> ../../archive/ubuntu.vandenbussche.nl/fullchain1.pem
lrwxrwxrwx 1 root root  50 Mar 14 20:42 privkey.pem -> ../../archive/ubuntu.vandenbussche.nl/privkey1.pem