Let's Encrypt SSL on ISPConfig

Setup Let’s Encrypt SSL certificate support on ISPConfig 3.0.

===

Let’s Encrypt on ISPConfig 3.0

ISPConfig version 3.1 is just around the corner, but they were so late that I had to install some support on servers that already had 3.0 installed. They were all running the latest Ubuntu Server 15.10.

Install Let’s Encrypt

You only need Git installed, which you probably already have.

Getting started with Let’s Encrypt SSL Certificates on Ubuntu

# @see: https://letsencrypt.readthedocs.org/en/latest/using.html
#
cd ~root
git clone https://github.com/letsencrypt/letsencrypt.git letsencrypt
cd letsencrypt

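We must stop nginx temporarily, because the standalone plugin runs its own temporary web server on the ports nginx is using. When asked for domains, just enter both the www and the non-www names.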

service nginx stop
./letsencrypt-auto certonly --renew-by-default --standalone --email email@gmail.com -d domain.com -d www.domain.com -d server.domain.com
service nginx start

A much better way, without stopping the server, is to use the webroot plugin:

./letsencrypt-auto certonly --renew-by-default --email email@gmail.com --webroot -w /var/www/html/ -d server.domain.com

Certificates will be saved somewhere in the /etc/letsencrypt/live/ folder.

We will use these certs to secure our ISPConfig server. The simplest way to do that is to back up the old self-signed certificates and then swap them for symlinks to the new ones.

mkdir /usr/local/ispconfig/interface/ssl/self-signed_originals
mv /usr/local/ispconfig/interface/ssl/isp* /usr/local/ispconfig/interface/ssl/self-signed_originals

ln -s /etc/letsencrypt/live/server.domain.com/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
ln -s /etc/letsencrypt/live/server.domain.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
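
A check for the swap above, as an added example (not part of the original page and not ISPConfig or Let's Encrypt code): it confirms that both interface files are symlinks resolving into /etc/letsencrypt/live/ for the given host and that the private key file is not group- or world-readable. The function name, its optional root-prefix argument and the strict key-mode policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not ISPConfig or Let's Encrypt code). Paths are the ones used
# on this page; check_isp_cert_links and its root-prefix argument are made up
# here so the check can also run against a scratch copy of the tree.

check_isp_cert_links() {
    # $1 = server hostname, $2 = optional root prefix ("" = real filesystem)
    local host="$1" root="${2:-}" rc=0 pair link want key mode
    local ssl="$root/usr/local/ispconfig/interface/ssl"
    local live="$root/etc/letsencrypt/live/$host"

    # Refuse names that would point outside live/ (empty, path separators, dot-prefixed).
    case "$host" in
        ""|*/*|.*) echo "FAIL invalid hostname '$host'"; return 2 ;;
    esac

    for pair in crt:fullchain.pem key:privkey.pem; do
        link="$ssl/ispserver.${pair%%:*}"
        want="$live/${pair##*:}"
        if [ ! -L "$link" ]; then
            echo "FAIL $link is not a symlink (old self-signed file still in place?)"
            rc=1
        elif [ ! -e "$link" ]; then
            echo "FAIL $link is dangling (certificate directory removed?)"
            rc=1
        elif [ "$(readlink -f "$link")" != "$(readlink -f "$want")" ]; then
            echo "FAIL $link does not resolve to $want"
            rc=1
        else
            echo "OK   $link -> $want"
        fi
    done

    # live/*.pem are themselves symlinks into archive/, so follow the whole
    # chain to the real key file before reading its mode.
    key="$(readlink -f "$ssl/ispserver.key" 2>/dev/null)" || key=""
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode="$(stat -c '%a' "$key")"
        case "$mode" in
            [46]00) echo "OK   private key mode $mode" ;;
            *)      echo "FAIL private key mode $mode, expected 600 or 400"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Usage on the server from this page:
#   check_isp_cert_links server.domain.com
```

The same check is worth re-running after the clean-up in the Debug section, since removing a live/ directory leaves the interface symlinks dangling.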

Install ISPConfig support

If we want to add Let’s Encrypt certificate support to all websites hosted virtually on our ISPConfig server, we need to use the plugin alexalouit/ISPConfig-letsencrypt:

cd ~root
git clone https://github.com/alexalouit/ISPConfig-letsencrypt.git
cd ISPConfig-letsencrypt
php -q install.php

There is one more thing to do before the system can work properly. We need to allow access to one folder in every site for which we want to support Let’s Encrypt.

# Required for Let's Encrypt SSL
#
location ^~ /.well-known/acme-challenge/ {
  default_type text/plain;
}

but sometimes I had to put in this whole block:

# Let's Encrypt SSL
#
location ^~ /.well-known/acme-challenge/ {
  root /usr/local/ispconfig/interface/acme/;
  default_type text/plain;
  allow all;
}

How to use

Now you will have a so-much-needed option in the control panel. Note that you still have to use the standard ISPConfig procedures for creating and saving SSL certificates.

Set Auto-Subdomain to www., as otherwise it will NOT work for both the non-www and www domains.

Procedure that worked for me: first create a certificate (don’t select wildcard domain) and only after that check the Let’s Encrypt option. Also, don’t forget to first disable all special SSL options that you have in your nginx configuration for that domain.

Debug

All certificates will reside inside the /etc/letsencrypt/live/ folder, and the logfile is /var/log/letsencrypt/letsencrypt.log.

You should be able to revoke the certificate and then clean up in three places:

rm -rf /etc/letsencrypt/live/domain.com/
rm -rf /etc/letsencrypt/archive/domain.com/
rm /etc/letsencrypt/renewal/domain.com.conf
date 01. Jan 0001 | modified 29. Dec 2023