ispconfig 3.1 + Lets Encrypt + Postfix / Dovecot + PureFTPD in english

Posted on
ISPConfig 3.1 - Server & Hosting management vom Webbrowser

Solltest du diesen Post auf deutsch lesen wollen, dann klick hier

I’ve seen some visitors coming from foreign countries to this post – and I assume they were a bit disappointed that the post is in German only. So let me have this one put in English 😉

A customer of mine asked me to setup a ISPConfig machine. You know – one with Apache, Mailserver, FTP Server, SSL certificates from Let’s Encrypt and so on.

So – lets get into that.

So I took a Ubuntu 16.04 machine out of the Digital Ocean. (I know its a ref link) Following the nice tutorial on https://www.howtoforge.com The Perfect Server – Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1) by Till Brehm I’ve setup the system with ease.

Days later the client called me and asked if its may possible to have: the ISPCONFIG interface, Postfix & Dovecot and PureFTPD secured with the Let’s Encrypt certificates.

Sure I said. Not a problem.

Please note – there are many solutions out there for this – so mine isn’t may the best – but its quite easy. My machine is configured like:

  • Servername / Hostname: host01.example.com
  • Postfix Mailservername: host01.example.com
  • ISPConfig Interface: https://host01.expample.com:port

!! IMPORTANT !! Please replace my configuration with yours and do not copy paste it blindly in your terminal. Certificates, created with ISPConfig, are being stored (at least in Ubuntu 16.04) in:

/etc/letsencrypt/live

What ISPConfig does afterwards, is setting a symbolic link to the file.

host01:~# ls -lhA /var/www/example.com/ssl/
lrwxrwxrwx    1 root root        43    Oct 10 10:41    example.com.bundle -> /etc/letsencrypt/live/example.com/chain.pem
lrwxrwxrwx    1 root root        42    Oct 10 10:41    example.com.crt -> /etc/letsencrypt/live/example.com/cert.pem
-r--------          1 root root        6.3K    Oct 10 10:41    example.com.crt.old.20161010104113
lrwxrwxrwx    1 root root        45    Oct 10 10:41    example.com.key -> /etc/letsencrypt/live/example.com/privkey.pem

Now we can use that to get the certificates for the ISPConfig interface, for Postfix and for PureFTPD. Simply login to your ISPConfig admin interface and create a “site” for your hostname and have it create a Let’s Encrypt certificate. But before you begin, backup your current certificates. (Just in case) First secure the Postfix / Dovecot certificate.

mv /etc/postfix/smtpd.cert /etc/postfix/smtpd.cert-bak
mv /etc/postfix/smtpd.key /etc/postfix/smtpd.key-bak

Then backup the PureFTPD certificate

mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem-back

And then backup the current ISPConfig interface certificate.

mv /usr/local/ispconfig/interface/ssl/ispserver.bundle /usr/local/ispconfig/interface/ssl/ispserver.bundle-back
mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt-back
mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key-back

Now – I assume you have created the site for your server in the ISPConfig interface. So we should have the certificate ready in

 /etc/letsencrypt/live/

So we can start with Postfix / Dovecot

ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/postfix/smtpd.key
ln -s /etc/letsencrypt/live/host01.example.com/fullchain.pem /etc/postfix/smtpd.cert

Thats it. Now restart both services:

service postfix reload
service dovecot reload

And your mailserver should deliver the new created certificate.

For PureFTPD its a bit different. We first have to create one file from the private key, the full chain and the certificate itself. For this simply issue:

cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

and restart PureFTPD

service pure-ftpd-mysql restart

and then PureFTPD should also deliver the Let’s Encrypt certificate.

Last but not least we will have the ISPConfig interface to deliver the Let’s Encrypt certificate. To have this set the following links:

ln -s /etc/letsencrypt/live/host01.example.com/chain.pem /usr/local/ispconfig/interface/ssl/ispserver.bundle
ln -s /etc/letsencrypt/live/host01.example.com/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
ln -s /etc/letsencrypt/live/host01.example.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key

restart your apache with:

service apache2 restart

And you should be good to go.

Having it all done this way, gives you less headaches concerning the maintenance of the certificates. Since the certificates will be extended by the Let’s Encrypt daemon, you don’t have to worry about extending it.

To make sure the PureFTPD is also put together in the “pure-ftpd.pem” you can just run this command as a cronjob once a day or or once a week:

@daily cat /etc/letsencrypt/live/host01.example.com/privkey.pem /etc/letsencrypt/live/host01.example.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem && service pure-ftpd-mysql restart > /dev/null 2>&1

to make sure it will also be updated once the certificate has been renewed.

Related Articles
This tutorial is mainly written to help enthusiasts in Kenya to setup their own web server with Digital Ocean and host a WordPress blog on Read more
Und im letzten Teil dieser Anleitung, wird Postfix und Dovecot als Mail Server aufgesetzt. Fail2Ban sichert hier gegen massenhafte Passwort eingaben, Let's Encrypt liefert das Read more
Dieser Teil der Anleitung beinhaltet die Installation des MariaDB Datenbank Servers. Auch hier wird ISPConfig mit Installiert.
Teil 4 der Anleitung umfasst die Installation des sekundären DNS Servers (NS2) auch hier wird das ganze Setup mit ISPConfig abgeschlossen.
In diesem Teil der Anleitung wird der NS1 installiert. Auch hier wird ISPConfig installiert und konfiguriert.

5 thoughts on “ispconfig 3.1 + Lets Encrypt + Postfix / Dovecot + PureFTPD in english

  1. […] case you are a English reader – click this one to get the post in […]

  2. Many Thanks

  3. Fantastic! Something I really needed and thank you very much for your help (and for translating to english)!

    1. My pleasure.
      Glad you like it.

  4. […] on this machine you cannot run a whole ISPConfig 3 server with BIND, MySQL, Postfix, Apache and FTP. But it’s definitely powerful enough when you need to play around with some things. You can […]

Leave a Reply to SuperAdmin Cancel reply

Your email address will not be published. Required fields are marked *