Let’s Encrypt SSL on ISPConfig
Setup Let’s Encrypt SSL certificate support on ISPConfig 3.0.
===
Let’s Encrypt on ISPConfig 3.0
ISPConfig 3.1 is just around the corner, but it was late enough that I had to add Let’s Encrypt support to servers already running 3.0. They were all on the latest Ubuntu Server, 15.10.
Install Let’s Encrypt
You only need Git installed, which you probably already have.
Getting started with Let’s Encrypt SSL Certificates on Ubuntu
# @see: https://letsencrypt.readthedocs.org/en/latest/using.html
#
cd ~root
git clone https://github.com/letsencrypt/letsencrypt.git letsencrypt
cd letsencrypt
#
With the standalone plugin we must stop nginx temporarily, because the client binds port 80 itself. Pass every name the certificate should cover, both with and without www.
service nginx stop
./letsencrypt-auto certonly --renew-by-default --standalone --email email@gmail.com -d domain.com -d www.domain.com -d server.domain.com
service nginx start
Better is to avoid stopping the server at all by using the webroot plugin, which answers the challenge from an existing document root:
./letsencrypt-auto certonly --renew-by-default --email email@gmail.com --webroot -w /var/www/html/ -d server.domain.com
Certificates will be saved in a per-domain folder under /etc/letsencrypt/live/.
We will use these certificates to secure the ISPConfig control panel itself. The simplest way is to back up the old self-signed certificate and key, then replace them with symlinks to the new ones:
mkdir /usr/local/ispconfig/interface/ssl/self-signed_originals
mv /usr/local/ispconfig/interface/ssl/isp* /usr/local/ispconfig/interface/ssl/self-signed_originals
ln -s /etc/letsencrypt/live/server.domain.com/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
ln -s /etc/letsencrypt/live/server.domain.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
Install ISPConfig support
To add Let’s Encrypt support to all websites hosted on our ISPConfig server, we use the alexalouit/ISPConfig-letsencrypt plugin:
cd ~root
git clone https://github.com/alexalouit/ISPConfig-letsencrypt.git
cd ISPConfig-letsencrypt
php -q install.php
One more thing is needed before the system works properly: every site that should support Let’s Encrypt must allow access to the ACME challenge folder. Add this to the site’s nginx directives:
# Required for Let's Encrypt SSL
#
location ^~ /.well-known/acme-challenge/ {
default_type text/plain;
}
but sometimes I had to put in the whole of this:
# Let's Encrypt SSL
#
location ^~ /.well-known/acme-challenge/ {
root /usr/local/ispconfig/interface/acme/;
default_type text/plain;
allow all;
}
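As an added example, not part of the original post or the plugin, here are two sanity checks for the integration points above: that the control panel’s ispserver.crt/ispserver.key are symlinks into the Let’s Encrypt live folder for the server name, and that a site’s nginx vhost contains the acme-challenge location (and, when it sets a root, that it is the plugin’s acme directory). Default paths are the ones used in this post; the function names and argument layout are my own.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# ISPConfig / Let's Encrypt integration. Defaults are the paths used above.

# Check that ISPConfig's interface cert and key are symlinks into the
# Let's Encrypt live directory for HOST and that both targets are readable.
check_ispconfig_le_links() {
  host="$1"
  ssl_dir="${2:-/usr/local/ispconfig/interface/ssl}"
  live_dir="${3:-/etc/letsencrypt/live}"
  crt="$ssl_dir/ispserver.crt"
  key="$ssl_dir/ispserver.key"
  for f in "$crt" "$key"; do
    [ -L "$f" ] || { echo "not a symlink: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "dangling symlink: $f" >&2; return 1; }
  done
  [ "$(readlink "$crt")" = "$live_dir/$host/fullchain.pem" ] ||
    { echo "ispserver.crt does not point at $host/fullchain.pem" >&2; return 1; }
  [ "$(readlink "$key")" = "$live_dir/$host/privkey.pem" ] ||
    { echo "ispserver.key does not point at $host/privkey.pem" >&2; return 1; }
}

# Check that an nginx vhost file has the acme-challenge location block and,
# when that block sets an explicit root, that it is the plugin's acme directory.
check_acme_location() {
  vhost="$1"
  acme_root="${2:-/usr/local/ispconfig/interface/acme/}"
  # extract the location block: from its opening line to the first closing brace
  block=$(sed -n '\#location .*well-known/acme-challenge#,/}/p' "$vhost")
  [ -n "$block" ] || { echo "no acme-challenge location in $vhost" >&2; return 1; }
  if printf '%s\n' "$block" | grep -q '^[[:space:]]*root '; then
    printf '%s\n' "$block" | grep -q "root $acme_root;" ||
      { echo "acme-challenge root is not $acme_root" >&2; return 1; }
  fi
}
```

Run as root after the steps above, e.g. `check_ispconfig_le_links server.domain.com && check_acme_location /etc/nginx/sites-enabled/domain.com.vhost`; a non-zero exit and a message on stderr mean the step needs fixing.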
How to use
The control panel now has the much-needed Let’s Encrypt option. Note that you still have to follow the standard ISPConfig procedure for creating and saving SSL certificates.
Set Auto-Subdomain to www., otherwise the certificate will NOT cover both the non-www and the www domain.
The procedure that worked for me: first create a certificate (don’t select the wildcard domain) and only after that check the Let’s Encrypt option. Also, don’t forget to first disable any special SSL options you have in the nginx configuration for that domain.
Debug
All certificates reside in the /etc/letsencrypt/live/ folder, and the log file is /var/log/letsencrypt/letsencrypt.log.
You should be able to revoke a certificate and then clean up in three places:
rm -rf /etc/letsencrypt/live/domain.com/
rm -rf /etc/letsencrypt/archive/domain.com/
rm /etc/letsencrypt/renewal/domain.com.conf