unix:letsencrypt:ispconfig
Revision 2016/09/26 01:54 (external edit 127.0.0.1)
====== LetsEncrypt and ISPConfig ======
ISPConfig ([[http://

The installation script will set up your server(s) and, if you agree, set up self-signed certs for your web/

===== Setting up the Apache web server =====
//certbot// is a pretty decent little installer, and it knows Apache2. It really helps to use the automated tool until you get a chance to figure out all the ins and outs of LetsEncrypt. However, the installer is a little touchy on Debian systems when it tries to install some packages; if your APT sources have errors, you can have more troubles than you need, so you should verify your system beforehand.

==== Verify your system ====
I strongly recommend you set up backports before using the installer, and make sure it is all working well. Run the following two commands, and watch //apt-get update// closely for any errors. Fix any errors (by removing repositories or fixing them) before proceeding.

<code bash>
echo "deb http://
apt-get update
</code>

==== Install certbot and run it ====
I tend to put optional software in /opt, so we'll create a directory named certbot in /opt, download the installer, then run it.

When you get to the point where it asks which virtual host to use, select the virtual host with the same name as your actual server.

Also, I chose "

<code bash install_certbot.sh>
mkdir -p /
cd /
wget https://
chmod a+x certbot-auto
./
</code>

If you get an error, check out [[unix:

==== ISPConfig specialized configuration ====

When you have done the above, certbot will have created a new container for you in /
<code>
SSLCertificateFile /
SSLCertificateKeyFile /
Include /
SSLCertificateChainFile /
</code>

These are the lines you should include in your ISPConfig vhost file for the administrative interface. That file is ispconfig.vhost. Open that file (/

<code>
# SSL Configuration
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /
SSLCertificateKeyFile /
#
</code>

Comment out the two certificate file names, and add the information from the certbot install:
<code>
# SSL Configuration
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3

# letsencrypt certbot files 20160925 by me
SSLCertificateFile /
SSLCertificateKeyFile /
Include /
SSLCertificateChainFile /
# end of letsencrypt certbot files

#
#
#
</code>

certbot is smart enough to know about Debian Apache. Configuration files are created in /

<code bash>
rm /
/
</code>

You should now be able to access your control panel at http://
+ | |||
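As an added example (not the page's own files and not ISPConfig or certbot code), this script performs the edit just described: it copies the SSL directives certbot wrote into ispconfig.vhost, comments out the old certificate lines, keeps a .bak copy and checks that exactly one active certificate and key line remain. The two file paths are assumed to be passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: carry the certificate
# directives certbot generated into ISPConfig's own admin vhost.
# $1 = vhost file certbot wrote, $2 = ispconfig.vhost (both assumed paths).

# Print only the directives worth copying from the certbot vhost.
extract_ssl_lines() {
    grep -E '^[[:space:]]*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|Include)[[:space:]]' "$1"
}

# Count lines in $1 that set directive $2 and are not commented out.
active_directive_count() {
    grep -cE "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Rewrite $2: comment out its SSLCertificate* lines and insert the lines
# taken from $1 right after SSLProtocol. The original is kept as $2.bak.
patch_vhost() {
    src="$1"; dst="$2"; tmp="$dst.le.tmp"
    extract_ssl_lines "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp "$dst" "$dst.bak" || { rm -f "$tmp"; return 1; }
    awk -v lefile="$tmp" '
        /^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]/ { print "#" $0; next }
        { print }
        /^[[:space:]]*SSLProtocol[[:space:]]/ {
            print ""
            print "    # letsencrypt certbot files"
            while ((getline line < lefile) > 0) print line
            print "    # end of letsencrypt certbot files"
        }' "$dst.bak" > "$dst"
    rm -f "$tmp"
    # Sanity check: exactly one live certificate and one live key remain.
    [ "$(active_directive_count "$dst" SSLCertificateFile)" -eq 1 ] &&
    [ "$(active_directive_count "$dst" SSLCertificateKeyFile)" -eq 1 ]
}

if [ "$#" -eq 2 ]; then
    patch_vhost "$1" "$2" && echo "patched $2, backup in $2.bak"
fi
```

Reload Apache afterwards exactly as the page does; the .bak file is what you restore if the admin interface stops answering on port 8080.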
===== Setting your mail to use the Certs =====

Setting up the mail servers is very dependent on how the mail servers were configured. Since this article is on ISPConfig, we'll take the default for them, but the same applies to other mail servers. If you want a quick and dirty solution, simply use the script below.

==== Generalized Script ====

The following script works on my installation of ISPConfig. You can simply download this and use it if you are sure the postfix and dovecot certs are in the same place mine are.

Be sure to change //

<code bash mailcerts.sh>
#!/bin/bash

SERVERNAME=server.example.com

# postfix first
mv /
mv /
ln -s /
ln -s /
/


# now, dovecot
mv /
mv /
ln -s /
ln -s /
/
</code>
+ | |||
==== How it works ====

Postfix and Dovecot have the ability to store the certificates in user defined locations. letsencrypt'
  * privkey.pem - the key file
  * fullchain.pem - the certificate file

These need to be linked to the appropriate files for the server you want to use.

=== Postfix ===
If you want to locate the certs for Postfix, look in main.cf, or run the following command:
<code>
grep '
</code>
On our system, this returns
<code>
smtpd_tls_cert_file = /
smtpd_tls_key_file = /
</code>
These are the files that need to be replaced. I rename them with a .bak suffix, then simply create a symbolic link to the letsencrypt-installed file.

=== Dovecot ===
For Dovecot, it is the same, though ISPConfig uses the same file name for the key and the cert, but puts the key in the /

<code>
egrep -r '
</code>

Again, on our machine it returns

<code>
ssl_cert = </
ssl_key = </
</code>
These are the files that need to be moved and then recreated as symbolic links.
+ | |||
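The following is an added example rather than the page's mailcerts.sh: it does the same move-and-symlink relinking for Postfix and Dovecot that the Generalized Script and "How it works" describe, but reads each daemon's configured certificate paths with postconf and doveconf instead of hard-coding them, refuses to touch a live file when the letsencrypt file is missing, can be re-run without clobbering the .bak copies, and confirms the certificate and key belong together before restarting anything. It assumes certbot's default /etc/letsencrypt/live/<name>/ layout and Debian's service command.

```shell
#!/bin/sh
# Added example, not the original page's mailcerts.sh. Assumes certbot's
# default /etc/letsencrypt/live/<name>/ layout; postconf/doveconf -h
# print a single configured value, which is how the paths are found.

# Back up $1 (unless it is already our symlink) and link it to $2.
swap_to_letsencrypt() {
    live="$1"; target="$2"
    [ -r "$target" ] || { echo "missing $target" >&2; return 1; }
    if [ -L "$live" ] && [ "$(readlink "$live")" = "$target" ]; then
        return 0                      # already done; safe to re-run
    fi
    if [ -e "$live" ] || [ -L "$live" ]; then
        mv "$live" "$live.bak" || return 1
    fi
    ln -s "$target" "$live"
}

# Compare the public key inside the certificate with the private key.
keys_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ]
}

# Driver: relink Postfix and Dovecot from their own configured paths.
relink_mail_certs() {
    name="$1"; le="/etc/letsencrypt/live/$name"
    keys_match "$le/fullchain.pem" "$le/privkey.pem" || return 1
    # Postfix: postconf -h prints the value of one parameter.
    swap_to_letsencrypt "$(postconf -h smtpd_tls_cert_file)" "$le/fullchain.pem" || return 1
    swap_to_letsencrypt "$(postconf -h smtpd_tls_key_file)" "$le/privkey.pem" || return 1
    # Dovecot: doveconf prints "</path"; strip the leading "<".
    c=$(doveconf -h ssl_cert); k=$(doveconf -h ssl_key)
    swap_to_letsencrypt "${c#<}" "$le/fullchain.pem" || return 1
    swap_to_letsencrypt "${k#<}" "$le/privkey.pem" || return 1
    service postfix restart && service dovecot restart
}

# Only run the driver when a server name is given on the command line.
if [ "$#" -eq 1 ]; then
    relink_mail_certs "$1"
fi
```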
unix/letsencrypt/ispconfig.txt · Last modified: 2023/02/02 00:55 by rodolico