ispconfig 3.1 + Lets Encrypt + Postfix / Dovecot + PureFTPD in english

Solltest du diesen Post auf deutsch lesen wollen, dann klick hier

I’ve seen some visitors coming from foreign countries to this post – and I assume they were a bit disappointed that the post is in German only. So let me have this one put in English 😉

A customer of mine asked me to setup a ISPConfig machine. You know – one with Apache, Mailserver, FTP Server, SSL certificates from Let’s Encrypt and so on.

So – lets get into that.

So I took a Ubuntu 16.04 machine out of the Digital Ocean. (I know its a ref link) Following the nice tutorial on https://www.howtoforge.com The Perfect Server – Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1) by Till Brehm I’ve setup the system with ease.

Days later the client called me and asked if its may possible to have: the ISPCONFIG interface, Postfix & Dovecot and PureFTPD secured with the Let’s Encrypt certificates.

Sure I said. Not a problem.

Please note – there are many solutions out there for this – so mine isn’t may the best – but its quite easy. My machine is configured like:

• Servername / Hostname: host01.example.com
• Postfix Mailservername: host01.example.com
• ISPConfig Interface: https://host01.expample.com:port

!! IMPORTANT !! Please replace my configuration with yours and do not copy paste it blindly in your terminal. Certificates, created with ISPConfig, are being stored (at least in Ubuntu 16.04) in:

/etc/letsencrypt/live

What ISPConfig does afterwards, is setting a symbolic link to the file.

host01:~# ls -lhA /var/www/example.com/ssl/
lrwxrwxrwx    1 root root        43    Oct 10 10:41    example.com.bundle -> /etc/letsencrypt/live/example.com/chain.pem
lrwxrwxrwx    1 root root        42    Oct 10 10:41    example.com.crt -> /etc/letsencrypt/live/example.com/cert.pem
-r--------          1 root root        6.3K    Oct 10 10:41    example.com.crt.old.20161010104113
lrwxrwxrwx    1 root root        45    Oct 10 10:41    example.com.key -> /etc/letsencrypt/live/example.com/privkey.pem

Now we can use that to get the certificates for the ISPConfig interface, for Postfix and for PureFTPD. Simply login to your ISPConfig admin interface and create a “site” for your hostname and have it create a Let’s Encrypt certificate. But before you begin, backup your current certificates. (Just in case)
First secure the Postfix / Dovecot certificate.

mv /etc/postfix/smtpd.cert /etc/postfix/smtpd.cert-bak
mv /etc/postfix/smtpd.key /etc/postfix/smtpd.key-bak

Then backup the PureFTPD certificate

mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem-back

And then backup the current ISPConfig interface certificate.

mv /usr/local/ispconfig/interface/ssl/ispserver.bundle /usr/local/ispconfig/interface/ssl/ispserver.bundle-back
mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt-back
mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key-back

Now – I assume you have created the site for your server in the ISPConfig interface. So we should have the certificate ready in

 /etc/letsencrypt/live/

So we can start with Postfix / Dovecot

ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/postfix/smtpd.key
ln -s /etc/letsencrypt/live/host01.example.com/fullchain.pem /etc/postfix/smtpd.cert

Thats it. Now restart both services:

service postfix reload
service dovecot reload

And your mailserver should deliver the new created certificate.

For PureFTPD its a bit different. We first have to create one file from the private key, the full chain and the certificate itself. For this simply issue:

cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

and restart PureFTPD

service pure-ftpd-mysql restart

and then PureFTPD should also deliver the Let’s Encrypt certificate.

Last but not least we will have the ISPConfig interface to deliver the Let’s Encrypt certificate. To have this set the following links:

ln -s /etc/letsencrypt/live/host01.example.com/chain.pem /usr/local/ispconfig/interface/ssl/ispserver.bundle
ln -s /etc/letsencrypt/live/host01.example.com/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key

restart your apache with:

service apache2 restart

And you should be good to go.

Having it all done this way, gives you less headaches concerning the maintenance of the certificates. Since the certificates will be extended by the Let’s Encrypt daemon, you don’t have to worry about extending it.

To make sure the PureFTPD is also put together in the “pure-ftpd.pem” you can just run this command as a cronjob once a day or or once a week:

@daily cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem && service pure-ftpd-mysql restart > /dev/null 2>&1

to make sure it will also be updated once the certificate has been renewed.