Solltest du diesen Post auf deutsch lesen wollen, dann klick hier
I’ve seen some visitors coming from foreign countries to this post – and I assume they were a bit disappointed that the post is in German only. So let me have this one put in English 😉
So – lets get into that.
So I took a Ubuntu 16.04 machine out of the Digital Ocean. (I know its a ref link) Following the nice tutorial on https://www.howtoforge.com The Perfect Server – Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1) by Till Brehm I’ve setup the system with ease.
Days later the client called me and asked if its may possible to have: the ISPCONFIG interface, Postfix & Dovecot and PureFTPD secured with the Let’s Encrypt certificates.
Sure I said. Not a problem.
Please note – there are many solutions out there for this – so mine isn’t may the best – but its quite easy. My machine is configured like:
- Servername / Hostname: host01.example.com
- Postfix Mailservername: host01.example.com
- ISPConfig Interface: https://host01.expample.com:port
!! IMPORTANT !! Please replace my configuration with yours and do not copy paste it blindly in your terminal. Certificates, created with ISPConfig, are being stored (at least in Ubuntu 16.04) in:
What ISPConfig does afterwards, is setting a symbolic link to the file.
host01:~# ls -lhA /var/www/example.com/ssl/ lrwxrwxrwx 1 root root 43 Oct 10 10:41 example.com.bundle -> /etc/letsencrypt/live/example.com/chain.pem lrwxrwxrwx 1 root root 42 Oct 10 10:41 example.com.crt -> /etc/letsencrypt/live/example.com/cert.pem -r-------- 1 root root 6.3K Oct 10 10:41 example.com.crt.old.20161010104113 lrwxrwxrwx 1 root root 45 Oct 10 10:41 example.com.key -> /etc/letsencrypt/live/example.com/privkey.pem
Now we can use that to get the certificates for the ISPConfig interface, for Postfix and for PureFTPD. Simply login to your ISPConfig admin interface and create a “site” for your hostname and have it create a Let’s Encrypt certificate. But before you begin, backup your current certificates. (Just in case)
First secure the Postfix / Dovecot certificate.
mv /etc/postfix/smtpd.cert /etc/postfix/smtpd.cert-bak mv /etc/postfix/smtpd.key /etc/postfix/smtpd.key-bak
Then backup the PureFTPD certificate
mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem-back
And then backup the current ISPConfig interface certificate.
mv /usr/local/ispconfig/interface/ssl/ispserver.bundle /usr/local/ispconfig/interface/ssl/ispserver.bundle-back mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt-back mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key-back
Now – I assume you have created the site for your server in the ISPConfig interface. So we should have the certificate ready in
So we can start with Postfix / Dovecot
ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/postfix/smtpd.key ln -s /etc/letsencrypt/live/host01.example.com/fullchain.pem /etc/postfix/smtpd.cert
Thats it. Now restart both services:
service postfix reload service dovecot reload
And your mailserver should deliver the new created certificate.
For PureFTPD its a bit different. We first have to create one file from the private key, the full chain and the certificate itself. For this simply issue:
cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem
and restart PureFTPD
service pure-ftpd-mysql restart
and then PureFTPD should also deliver the Let’s Encrypt certificate.
Last but not least we will have the ISPConfig interface to deliver the Let’s Encrypt certificate. To have this set the following links:
ln -s /etc/letsencrypt/live/host01.example.com/chain.pem /usr/local/ispconfig/interface/ssl/ispserver.bundle ln -s /etc/letsencrypt/live/host01.example.com/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
restart your apache with:
service apache2 restart
And you should be good to go.
Having it all done this way, gives you less headaches concerning the maintenance of the certificates. Since the certificates will be extended by the Let’s Encrypt daemon, you don’t have to worry about extending it.
To make sure the PureFTPD is also put together in the “pure-ftpd.pem” you can just run this command as a cronjob once a day or or once a week:
@daily cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem && service pure-ftpd-mysql restart > /dev/null 2>&1
to make sure it will also be updated once the certificate has been renewed.