Free SSL certificates: use Let’s Encrypt with ISPConfig 3 | Tom Lankhorst
As you might have noticed this site uses HTTPS. Obtaining SSL certificates was always a bit of a hassle: finding a certificate authority, making regular payments, handling renewals and installing the certificate on your server. Let's Encrypt is an initiative to provide a better way of enabling encryption on websites. It is open, automated and above all: it offers free SSL certificates. Learn to use Let's Encrypt on an ISPConfig 3.0 server. I assume you already have an ISPConfig server up and running. You might have a number of sites that use plain HTTP or HTTPS that you want to secure with free SSL certificates. That's good, we're going to do the following: Obtaining certbot Requesting free SSL certificates Configur
https://tomlankhorst.nl/free-ssl-certificates-use-lets-encrypt-with-ispconfig/
Original author: dimitri visser @dimitri_visser
Original date: 2016-08-20T11:21:22Z
Nice article! Here it works now thanks to your advice ;-) Just 1 thing.
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
It's better to write it like this:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
forcing the http header to be: 301 Moved Permanently
Else it will give a "not found" header.
Original date: 2016-08-20T12:28:05Z
Thanks Dimitri! I've added the redirect HTTP status code. I'm going to update this part of the article slightly by recommending the use of the 'redirect to HTTPS' option on the Redirect tab of ISPConfig. It seems that ISPConfig adds the same type of statement to the Apache website configuration, but it is a bit more elegant to use built-in functionality of course...
Original author: Steffan Noord @steffannoord
Original date: 2016-08-29T11:23:35Z
Great post, was looking for this.
Just wondering, why didn't you go for the API version?
https://github.com/sjau/le2...
https://www.howtoforge.com/...
Original author: Michael Burns
Original date: 2016-08-31T16:28:04Z
This was extremely helpful. Thanks!
I noticed that the symbolic link examples above are created to point to /var/letsencrypt/..., not /etc/letsencrypt. Is that intentional?
I used /etc/letsencrypt instead since that is where the certificates are placed when created and renewed.
Original date: 2016-09-02T08:28:38Z
I am using the command-line tool for LE (certbot) to create certificates for other services as well (FTP, Jira, Monit, etc.). I wanted all the certificates to be created in the same manner and a transparent way of linking the ISPConfig certificates to the LE certificates.
Original author: Sebastián Fuentes @bastienff
Original date: 2016-11-21T17:21:22Z
The first time we have to add the keys manually to the ISPConfig SSL tab, but afterwards, how does ISPConfig automate the renewal? I mean, the certs themselves change when the renewal process is done; will ISPConfig detect the changes to the files by itself, or do we have to add the cert content again manually to the ISPConfig SSL tab?
Original date: 2016-11-21T19:21:24Z
You will create symlinks to the certificates using 'ln -s'. This ensures the certs are updated when certbot updates them.
Original author: Donny
Original date: 2016-12-11T21:19:21Z
If I understand right, letsencrypt has been renamed to certbot.
How does this affect the renew script?
Original author: Saeid Ghazagh @saeidghazagh
Original date: 2017-01-04T23:45:18Z
Hi Tom/All,
I just saw this discussion right now, after 5 months, and it's really good, as I had the same question, especially on the renewal part, for a long time.
My question is this: at the time you wrote this article, ISPConfig was in the beta release of version 3.1.
Now that the full version is released (3.1.1p1 at the moment), I see that most of the things are handled within ISPConfig itself.
So ISPConfig generates the certificates and also the symbolic links to the Let's Encrypt folder keeping the certificate files.
Actually all my sites are working fine so far.
The only question remaining for me is the renewal of certificates!!!
Do we still need to add the scripts you suggested to crontab manually to run them at the interval we need?
I do not know if ISPConfig can renew the certificates by itself or not.
Can you please advise?
P.S: The file "letsencrypt-auto" seems not to be available in the already installed version of my letsencrypt. I searched through the letsencrypt installation folder and this file does not exist!!!
I know the Git repository has this file, but why not in the installed version of letsencrypt on an Ubuntu 16.04.1 server?
Many thanks
Original date: 2017-01-05T09:34:59Z
I will update the post shortly including the recent changes in ISPConfig. ISPConfig should be able to update the certificates itself. You can check the ispconfig log file to make sure.
Original author: Saeid Ghazagh @saeidghazagh
Original date: 2017-01-05T09:37:30Z
Yes, I have asked the ISPConfig developers in the forum and they mentioned that ISPConfig will update the certificates by itself.
It would be fantastic if you could explain the new certificate renewal in ISPConfig.
I'm more interested to know how it does that.
Many thanks again...
Original author: Egbert Jan van den Bussche
Original date: 2017-01-24T10:45:42Z
Thanks Tom. I still cannot get the built-in version to work (ISPConfig 3.1.1p1). Certbot itself as standalone (your description) works fine. I noticed that the certs were created with www.www.speldorado-delft.nl.key/crt. I asked certbot for -d www.speldorado-delft.nl. In ISPConfig I've created the website with the full name as domain (www....) and set the auto prefix to none. I still wonder if that was wise... or whether it confuses the creation of certs.
Egbert Jan, NL.
Original author: Peter @bestclassified
Original date: 2017-02-13T18:58:59Z
Hi, After the installation of certbot, apache won't start up anymore. How can I completely remove it?
Original date: 2017-02-13T19:09:01Z
What do the logs say?
Original author: Peter @bestclassified
Original date: 2017-02-13T19:15:13Z
I had an error during the certbot installation process.
Since then, I'm not able to start Apache at all. All sites, including ISPConfig, are down.
Original author: Peter @bestclassified
Original date: 2017-02-13T19:30:18Z
Thank you for your prompt reply!
Original date: 2017-02-13T19:48:03Z
There seems to be an invalid site config left in your apache configuration directory. Must have been a leftover from the Apache plugin trying to create a temporary doc-root.
I think the config is in /etc/apache2/sites-enabled...
Next time, start a stand-alone webserver [opt. 3] (after temporarily stopping Apache).
Btw, opening the log in notepad++ or something instead of notepad would help printing the line endings.
Original date: 2017-02-13T19:50:58Z
Excuse me for my late reply. Typically one would not include the www. subdomain in the site domain. You could then select www. as auto-subdomain and have SSL certs on both .domain.com and www.domain.com.
You might be able to change the domain-name but I'm not sure how ISPConfig handles this. Copying your files to a new site might be another option of course.
Original author: Peter @bestclassified
Original date: 2017-02-13T19:59:01Z
Thank you! Next time I will use notepad++. So what's the solution now? Wouldn't a certbot removal be the proper solution for this issue? I don't really dare to modify the config files, especially when I don't even know which file is the correct one. Since I'm not an expert - I just recently bought my own server and I'm still learning - I think I'd cause more harm than good.
Original date: 2017-02-13T21:35:39Z
Well, Apache complains about a folder being non-existent. You have to remove the config file that causes this trouble. What's the output of:
grep -ri "tls_sni_01_page" /etc/apache2/
And what's the output of
sudo apachectl -S
Original author: Peter @bestclassified
Original date: 2017-02-13T21:41:24Z
Thank you for the reply. I'll give it a shot. In the meantime I emptied the logs to see what's new, and after a reboot the Apache error log says:
[Mon Feb 13 22:24:26.164681 2017] [ssl:emerg] [pid 2975] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/ispconfig/httpd/osclass.bestclassified.org/... for more information
So I've looked into the other log file which says:
[Mon Feb 13 22:33:07.559135 2017] [ssl:emerg] [pid 3807] AH02238: Unable to configure RSA server private key
[Mon Feb 13 22:33:07.559220 2017] [ssl:emerg] [pid 3807] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
So I think it's gotta be something with the SSL.
Original date: 2017-02-13T21:56:38Z
Your cert is invalid. Do you actually allow traffic on port 443?
Remove the certs and SSL lines from your osclass.bestclassified.org site (like: /etc/apache2/sites-available/osclass.bestclassified.org)
Original author: Peter @bestclassified
Original date: 2017-02-13T22:31:47Z
Great. I have now removed the SSL lines and the websites are back up. But I just don't understand what the problem was exactly. I mean okay, the cert was invalid, but why?
Original date: 2017-02-13T22:42:28Z
The cert was invalid because Let's Encrypt didn't send you a valid one in the first place. They weren't able to contact your site on port 443 (https) at the domain you provided. This is required to validate ownership. The strange thing in my opinion is that your configuration was not reverted.
Original author: Peter @bestclassified
Original date: 2017-02-13T22:56:11Z
I have no idea. It is possible that somehow the server is misconfigured. Probably. Like I said it's the very first time I have my own server managed on my own. I'm not that brave to try out other settings yet. I was happy that I could manage to set up the basics and run my project on this server. I'll probably buy another one to learn a bit.
And I think I'm gonna skip this step for now. The only reason I wanted SSL is because some applications that I planned to use, require secure connection.
But hey Tom, thank you for your valuable time and I appreciate your help. Great article by the way. Thanks for everything!
Original author: Peter @bestclassified
Original date: 2017-02-13T23:39:07Z
Good news. I couldn't give up. I had to try one more time and it was successfully installed this time. Hell, I don't know what the problem was the first time, but it worked now.
Thank you, Tom!
Original author: Egbert Jan van den Bussche
Original date: 2017-06-01T20:20:02Z
Just spent the whole day searching why the cron job crashed with the OS-Error thing (FAQ above), taking down Apache and 5 sites on my test server... Should I include the exports in the cronjob or in a global bashrc?
Finally I found that one single privkey.pem was damaged. I restored it from backup and all was running again.
The same cronjob worked fine on the production server but I do not know if the certs were to be renewed. Maybe certbot-auto was already up to date.
Original author: Svilen Arsov @svilenarsov
Original date: 2017-06-21T19:19:32Z
This does not work for me:
cd /var/www/wowdoge.com/ssl
ln -sf /etc/letsencrypt/live/wowdoge.com/fullchain.pem wowdoge.com.crt
ln -sf /etc/letsencrypt/live/wowdoge.com/privkey.pem wowdoge.com.key
Works (for example):
cd /var/www/wowdoge.com/ssl
ln -s /etc/letsencrypt/live/wowdoge.com/fullchain.pem wowdoge.com.crt
ln -s /etc/letsencrypt/live/wowdoge.com/privkey.pem wowdoge.com.key
ln -s /etc/letsencrypt/live/wowdoge.com/chain.pem wowdoge.com.pem
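Putting Tom's earlier symlink advice and this comment together, here is an added example (not from the article or any commenter) that links an ISPConfig site's ssl/ directory to certbot's live/ files and checks that the certificate and key actually belong together before Apache is restarted; that check is what catches the "X509_check_private_key:key values mismatch" error reported higher up in this thread. The domain and both directories are passed as arguments; example.test in the comments is a made-up name.

```shell
#!/bin/sh
# Added example, not from the article or the comments: wire an ISPConfig
# site's ssl/ directory to certbot's live/ files and verify the pair before
# Apache is restarted.
set -eu

# Usage: link_le_certs <domain> <letsencrypt live dir> <ispconfig ssl dir>
# e.g.   link_le_certs example.test /etc/letsencrypt/live/example.test \
#                      /var/www/example.test/ssl      (example.test is made up)
# Symlinks (not copies) mean a renewed certificate is picked up without
# touching ISPConfig again; -n keeps ln from descending into an existing link.
link_le_certs() {
    site="$1"; le_live="$2"; ssl_dir="$3"
    for f in fullchain.pem privkey.pem; do
        [ -r "$le_live/$f" ] || { echo "missing $le_live/$f" >&2; return 1; }
    done
    mkdir -p "$ssl_dir"
    ln -sfn "$le_live/fullchain.pem" "$ssl_dir/$site.crt"
    ln -sfn "$le_live/privkey.pem"   "$ssl_dir/$site.key"
}

# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key. A mismatch is what Apache reports as
# "X509_check_private_key:key values mismatch" and then refuses to start.
cert_matches_key() {
    crt="$1"; key="$2"
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Convenience wrapper: link, then fail (status 1) if the linked pair is broken,
# e.g. a privkey.pem that was damaged or restored from the wrong backup.
link_and_verify() {
    link_le_certs "$1" "$2" "$3" || return 1
    cert_matches_key "$3/$1.crt" "$3/$1.key"
}
```

Run link_and_verify before `apachectl configtest` and a restart; a non-zero status means the site would have taken Apache down.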
Original author: Joe
Original date: 2017-07-14T09:19:33Z
Hi, I wonder if someone can shed some light on my problem. I have ISPConfig 3.1 running on Ubuntu 16.04 with Let's Encrypt installed. I have multiple websites I want to secure over SSL. I have enabled Let's Encrypt on one site (simple tick box in ISPConfig 3.1) and it works perfectly. However, when I try to enable it for a second website, a separate domain, I get an error in the browser: CERT_COMMON_NAME_INVALID. I ran the second domain through an SSL checker and the common names don't match the second domain? How do I fix this? What have I missed? Thanks in advance guys!
Original date: 2017-07-18T07:38:05Z
A couple of things could be going on, but in general it means that Apache or Nginx did not provide the correct certificate for the domain you used. Verify whether you specified the domain name correctly in ISPConfig.
Check if there is a vhost with the correct domain name:
grep -R "ServerName" /etc/apache2/sites-enabled
It might be that there is a site enabled that matches any domain name.
List sites:
ls /etc/apache2/sites-enabled
You can remove symbolic links from this directory. Originals are in /etc/apache2/sites-available
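As an added example (not Tom's own commands), the following shell function takes the grep above one step further: it reads ServerName and ServerAlias from every file in the enabled-sites directory and reports which vhost files claim a given host name, honouring the `*.` wildcard aliases that ISPConfig's auto-subdomain setting creates. The default directory /etc/apache2/sites-enabled is an assumption about a Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example, not from the article: list the enabled Apache vhost files
# whose ServerName or ServerAlias covers a given host name. If nothing is
# printed, Apache serves the request from its default (first) vhost, with
# that vhost's certificate, which shows up as CERT_COMMON_NAME_INVALID.
set -eu

# Usage: vhosts_for_host <hostname> [vhost-dir]
# The default directory is the Debian/Ubuntu layout (an assumption).
vhosts_for_host() {
    host="$1"
    dir="${2:-/etc/apache2/sites-enabled}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Names after ServerName/ServerAlias, one per line, with any
        # ":port" suffix removed (e.g. "example.com:443").
        names=$(sed -n -E 's/^[[:space:]]*[Ss]erver([Nn]ame|[Aa]lias)[[:space:]]+//p' "$f" \
                | tr -s ' \t' '\n' | sed -E 's/:[0-9]+$//')
        for n in $names; do
            case "$n" in
                "$host")
                    echo "$f"; break ;;
                \*.*)
                    # Wildcard alias such as *.example.com: Apache lets the
                    # star match any non-empty prefix, dots included.
                    suffix="${n#\*}"
                    case "$host" in
                        ?*"$suffix") echo "$f"; break ;;
                    esac ;;
            esac
        done
    done
}
```

Two files printed for one host means two vhosts compete for it, and the one Apache picks depends on listing order and port, so compare against `apachectl -S` as well.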
Original author: fabienne
Original date: 2017-07-25T07:20:25Z
Hello, on this page it says: "but placing files in the webroot works as well."
I read that the way to give access to certbot is to put the following code in the https server section of the sites-available conf file:
location ~ /.well-known {
    allow all;
}
I tried to put it in the nginx directives on the isp-config settings for the website I want to have a certificate for but I still get the 403 response Forbidden.
Could someone please tell me how to do this? Did anyone have this problem as well?
Thanks in advance.
Original author: fabienne
Original date: 2017-07-25T07:22:05Z
oh and sorry... I use ISPC 3.0
Original author: Shaa Dea @Shaadea
Original date: 2017-12-17T19:46:47Z
Hi, is there a way to remove the rewrite rule again? I used it for a while, but I don't need it anymore (the shop software I'm using now is doing it already), but after deleting the rule from the directives field in the options tab it's still active. Where can I find and delete it?
Original author: Daniel Young
Original date: 2018-11-12T17:26:14Z
Did as described above, worked great. But when I try to do another domain on the server it always gives self-signed or untrusted authority errors (depending on which browser) when going to the https address. The first domain I did is still functioning correctly; it's just any additional site I try to install SSL on. Certbot gives success etc., I install the same. Any ideas?
Original date: 2018-11-12T17:47:27Z
Hey Daniel, make sure your virtual hosts (sites) are set up correctly: use the right domain name, use auto *. or www. subdomains. To check, you could temporarily (!) disable HTTPS and validate that the right virtual hosts (sites) appear when browsing to the respective domain names.
Original author: Daniel Young
Original date: 2018-11-12T18:08:42Z
Sites work fine http://. Acts like certs are not installed correctly but am doing just like I did for the first one which is working fine.
Original author: Daniel Young
Original date: 2018-11-12T18:14:32Z
When I go to the https address and look at the cert it shows my server's hostname as the authority, not Let's Encrypt, so something is not pointing correctly. I'll check that the downloaded certbot certs are listing the proper authority and go from there I guess. I did get success messages when running certbot to generate the certs.
Original author: Daniel Young
Original date: 2018-11-12T18:41:38Z
SOLVED -- In the Sites setup area in ISPConfig I had checked SSI instead of checking SSL. So dumb, but glad I found it. Eyesight not so good without my contacts in (they look similar). Guess I better wear them more.