How to secure our ISPConfig3 control panel and key services with free Let's Encrypt SSL

botond published 2018/12/15, Sat - 23:02 time
Providing ISPConfig control panel, Postfix, Dovecot and PureFTPd services with free Let's Encrypt SSL | Linux portal

Content

 

Introductory

In this specification we use the Let's Encrypt issued by SSL our certificate to secure the certificate on the server ISPConfig Our control panel, and the Postfix, Dovecot and PureFTPd services. We will also prepare our automatic renewal script for these as well.

 

You also need to do some previous installs to complete this tutorial because they are based on these, and I did the following:

 

 

Creating a server web page

If it hadn't happened before, you would have to create the server's primary webpage, the one that domain name is the same as that specified during installation FQDN name. This website must be accessible from the Internet and set up properly DNS you must have a zone, because you need to get the Let's Encrypt SSL certificate for that as described here properly. In this tutorial we will use this certificate to protect the rest of the server.

Once all this is done, we have requested the certificate and the website is available HTTPS, you can move on to the next chapter.

 

Enable SSL for ISPConfig

Those who have enabled SSL for the control panel during ISPConfig installation can skip this section.

However, if you did not enable SSL for the control panel during the installation of ISPConfig (eg on the default port 8080), you can do so afterwards by running the ISPConfig3 update command as root in the terminal:

ispconfig_update.sh

Then it starts ISPConfig update script, which we may already know from previous updates. Go through it as usual, then answer yes to the question "Create a new ISPConfig SSL certificate (yes / no)" in the SSL section, and then you will ask the necessary questions to create a (self-signed) certificate, where you press enter because we do not need an accurate certificate.

All this is required for ISPConfig to generate a certificate for itself and operate in SSL mode, which will be overwritten with an authentic certificate from Let's Encrypt.

Then check if ISPConfig with https on 8080 port (if you have not set up a custom port). Here we get some warnings from the browser (since our certificate is not authentic because we created it ourselves), for example, Chrome won't let you down much, but ignoring these with other browsers should start the control panel.

 

Overwrite the SSL certificate for ISPConfig

So far, there should be:

  • working server website (with any content, only available)
  • to this website we had to enable the Let's Encrypt certificate
  • and ISPConfig must work on the HTTPS protocol on port (default 8080 or set by us) (accessed through the server website).

If all is well, we will now overwrite ISPConfig's own certificate with the one issued to the server's web page.

 

ISPConfig also runs on the same domain as the website we access and for which we also requested the Let's Encrypt certificate. Thus, the question may arise as to why this is necessary. Well, the answer is simple: ISPConfig runs on a separate Virtualhost, where all configurations, including paths to certificate files, are configured separately. Therefore, they must be overwritten with the appropriate files.

 

To do this, perform the following command lines (explanation below the code lines):

cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

What happens here is to rename the ISPConfig certificate files in the 2-4 queue and create a time-stamped backup of them.

Renaming a .pem file will only take place if you have already created it ispserver.pem file. Otherwise, skip it.

Then from the live directory of Let's Encrypt átlinkeljük the files of our authenticated certificate already operating on the website in place of the ISPConfig files. Then we also create the .pem file, which we get by merging the previous two files (crt and key). This will be relevant later for other services.

In the last line, we remove the permissions of the group and others from the pem file.

 

 

Extend SSL to other web services

In this chapter, we will further link the SSL certificate files extended to ISPConfig to that Web service. It is wiser than switching the paths directly to the above files in different service configurations.

Postfix

To "bind" postfix SSL, issue the following commands (still as root):

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart

Here's the same thing as above: In the second and third rows, we back up the certificates (also self signed) created when the server was installed, and in the next two rows, we place symlinks in place of the backup files, which are the ISPConfig3 control panel point to the links you made above.

Finally, we restart the postfix daemon.

Dovecot

In the case of Dovecot, we installed everything in the beginning as before server description, Dovecot already uses postfix SSL files. But let's check:

nano /etc/dovecot/dovecot.conf

Here's what the two SSL lines should look like:

[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
[...]

If these two lines do not look like this, then rewrite them to include Dovec in the SSL chain.

Then restart dovecot:

service dovecot restart

Courier

If you have installed Courier on Dovec instead of Dovec, you will need to do the following:

cd /etc/courier/
mv imapd.pem imapd.pem-$(date +"%y%m%d%H%M%S").bak
mv pop3d.pem pop3d.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pop3d.pem
service courier-imap-ssl stop
service courier-imap-ssl start
service courier-pop-ssl stop
service courier-pop-ssl start

pureFTP

And PureFTPd requires the following commands:

cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
chmod 600 pure-ftpd.pem
service pure-ftpd-mysql restart

Monit

Alternatively, if you have Monit server statistics installed at the beginning, open the config file:

nano /etc/monit/monitrc

And add the pem file that we linked earlier (say, do it for PureFTPd):

[...]
set httpd port 2812 and
SSL ENABLE
PEMFILE /etc/ssl/private/pure-ftpd.pem
allow admin:'secretpassword'
[...]

Then restart:

service monit restart

 

 

Creating auto-renewal script for ISPConfig pem file

ISPConfig3 does not automatically renew its own certificate, which protects the interface itself, so the certificates of the services chained to it are not updated. Therefore, we need to take care of this, unless we want to regularly monitor the automatically updated Let’s Encrypt SSL files issued for our website.

For this operation, the incr we will use an event monitor daemon which will run our script for us when a change occurs in the monitored parts of the file system. This is the case when Let's Encrypt ACME client, Certbot renews the SSL certificate used for the server's primary website. By taking the burden off our shoulders, we no longer have to pay attention to when they are refreshed .key and the .crt files.

To do this, install incron first apt-get command:

apt-get install -y incron

Next, create a startup file in /etc/init.d:

nano /etc/init.d/le_ispc_pem.sh

And let's include the following:

#!/bin/sh
### BEGIN INIT INFO
# Provides: LE ISPSERVER.PEM AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE ISPSERVER.PEM AUTO UPDATER
# Description: Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
### END INIT INFO
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
service monit restart
service postfix restart
service dovecot restart
service apache2 restart

If Monit is not installed, skip the line containing its restart at the end.

As well as ha Apache instead of Nginx as our web server, we will logically replace the apache restart queue with nginx restart.

Save the startup file and make it executable:

chmod +x /etc/init.d/le_ispc_pem.sh

Then add the root user to the incron user (because without it, root can't use it):

echo "root" >> /etc/incron.allow

Then it will incrontab edit the incrontab command:

incrontab -e

 

This will open our default editor (for example, dwarf), and contains a temporary file that will be replaced by the incrontab command when you save it, so you can't edit it directly.

 

Add the following line:

/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh

 

Important!

Before you save it, make sure that a / etc / letsencrypt / archive / $ (hostname -f) / subdirectory exists!

For example, I have a hostname command only gives the host name, hostname -f and the full server name along with the domain name, so one like this: server1.example.com. In contrast, the Let's Encrypt archive directory only contains the domain names of websites that use SSL, including the subdirectory of the primary website. So for me, the hostname command solution would not work, and I think others may have a similar situation.

All of this may depend on the very beginning of the minimum server installation during the network section how the hostname and domain name were entered.

Az original description following exactly the incrontab line in it, but I suggest that you look for / Etc / letsencrypt / archive directory under the server domain name and we use that directory $ (hostname -f) section if the subdirectory cannot be accessed using the above method.

If we do not set the correct subdirectory here, our script may never run if the contents of the incorrectly specified directory do not change.

 

Once we have done this, save and restart Apache:

service apache2 restart

Of course, with Nginx.

 

Actually, here's just the .pem We had to know this "macera" because we get the .pem file from the concatenation of the .key and .crt files, so those that did not require the .pem file for the above service would get the fresh .key and. for crt files. (e.g. postfix and Dovecot) However, all of the others also require a .pem file, which we can only create with a script when we get the fresh files.

 

Conclusion

With this chaining method, we have achieved that both our ISPConfig3 control panel and our various server services continuously benefit from the automatically renewed Let's Encrypt SSL.

It should also be noted that if we use these services externally (FTP, IMAP, etc.), you will always enter the main domain name of the server as the hostname in these services, because the SSL certificate has been issued for this domain name. For example, if you do not enter the server's main domain name for FTP, IMAP, etc. access to Web sites running on the server, the connected client program will report an SSL error because the connection was not made with the domain name to which the certificate was exhibited.

I only describe this because, for example, if we provide hosting to clients, we must also tell them which domain name they can connect to via SSL without error.

 

Related content, useful links, source:

 

Tags
Let's Encrypt
SSL
ISPConfig
control panel
Postfix
Dovecot
courier
pureFTP
monit

Hozzászólások

in the morning

Jan. 2020, 07, 22:18 p.m.

Permalink

1.

The links have not worked since letsencrypt The names in the folder are not in FQDN format, but simply based on the domains (the hostname is good, so FQDN, following the other description during the LAMP server installation, I gave it that way).

Thus, it was not solved by a link, but manually copied into the files. So, of course, not the best solution.

ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key

 

But it works, so by specifying the main domain instead of IP at ISPConfig, FTP, Roundcube, https goes well without a browser warning.

 

2.

Unfortunately, SSL / TLS does not work in mail. That is, the setup was successful, yet if I want to use it in a mail client, it only takes it START TLS way.

And what’s worse is that every email I send to a gmail address goes there in the SPAM folder.

I also tried Freemailos, and he didn't get there at all.

I’ve looked at a lot of descriptions on the subject already, but nothing helped.

I’m starting to look at this now, but it’s brutally long and a little unclear:

http://www.postfix.org/TLS_README.html

 

Is there any good description of this for beginners?

 

 

 

botond

Jan. 2020, 07, 22:19 p.m.

Permalink

For me, too, correspondence goes with StartTLS, but everything works fine. Emails are not spammed.

Could it be that the domain might be blacklisted somewhere?

in the morning

March 2020, 07, Thu - 23:13

Permalink

- But why not SSL / TLS? Does Thunderbird accept the certificate with only one exception?

 

- It is true that not all gmail accounts are included in SPAM, but it is so precarious and gas if some people do not receive the mails e.g. from a CMS.

My own gmail, so it's not about blacklisting.

 

"And there's the newly created freemail account, which I did for testing, and the mail doesn't get there."

in the morning

March 2020, 07, Thu - 23:13

Permalink

- I just made an outlook.hu email address, it goes to SPAM.

He still doesn't arrive in Freemail.

 

- It 's very slow anyway, it only goes away minutes later, although it may be because there is only 1 CPU on the VPS server and 1 GB of RAM.

botond

March 2020, 07, Thu - 23:14

Permalink

By blacklisting, I didn’t mean half of the recipient, but that the domain of the website from which you send the email might be blacklisted. This can happen, for example, if a previously used domain name that was blacklisted was caught, or the SMTP server may have been hacked and spammers sent many emails from the site and may have been blacklisted.

I have websites with multiple domain names on this server, which I have set up accordingly and I have never had a single problem with it. That's why I'm guessing.
In Thunderbird I really have to accept the certificate, this is also the case with me when Let's Encrypt issues the new SSL, but it still works fine for me in everything, also in Start TLS mode.