Free SSL certificates: use Let’s Encrypt with ISPConfig 3

View of the Chrome certificate info pane for tomlankhorst.nl

As you might have noticed, this site uses HTTPS. Obtaining SSL certificates used to be a hassle: finding a certificate authority, paying for and renewing the certificate, and installing it on your server. Let’s Encrypt is an initiative to provide a better way of enabling encryption on websites. It is open, automated and, above all, free. This article shows how to use Let’s Encrypt on an ISPConfig 3.0 server.

I assume you already have an ISPConfig server up and running. You might have a number of sites, served over plain HTTP or HTTPS, that you want to secure with free SSL certificates. That’s good, we’re going to do the following:

  1. Obtaining certbot
  2. Requesting free SSL certificates
  3. Configuring SSL in ISPConfig
  4. Enabling automatic periodical renewal

Note: ISPConfig 3.1.1 features automatic installation of Let’s Encrypt certificates. This article was written for ISPConfig 3.0 but still applies to ISPConfig 3.1 as an alternative way (with more control) to integrate ISPConfig with Let’s Encrypt. If you use the built-in Let’s Encrypt support, ISPConfig handles renewal itself and the renewal script and cron job described below are not needed.

Obtaining certbot

First of all, obtain the certbot helper script and its sources. Certbot is the new name of what was previously called the letsencrypt client; the certbot-auto wrapper in the repository bootstraps its own Python dependencies on first run. (Certbot-auto has since been deprecated by the Certbot project in favour of distribution packages and the snap; the steps below work the same with any certbot binary if you substitute its path.)

Method 1: Clone the Git repository

If you do not have Git installed, either do it now or use the second method.

Installing git in Ubuntu/Debian

Installing git in CentOS/RedHat

When the installation is completed, navigate to a folder to put the certbot files into, for example, your home-folder.

Method 2: Download the zipped repository

Download and extract the files. You can do this easily from the command line if you have the wget and unzip utilities available:

Requesting free SSL certificates

We are going to request a certificate for our website wow-doge.com with the subdomain amaze.wow-doge.com (the example domain used throughout this article).

Now the real work happens: on its first run the certbot-auto script installs everything it needs, and when it is finished it asks you how to validate control of the selected domains. Choosing ‘Apache Web Server’ is the easiest, but placing files in the webroot works as well. The Apache plugin temporarily edits the Apache configuration to answer the challenge, and on an ISPConfig server ISPConfig owns the vhost files, so webroot validation is the less intrusive choice (see the comments below for what a leftover plugin vhost can do to Apache).

Certbot asking how to validate the domains before issuing your free SSL certificates.

The magic has happened: certbot has created the private key and the certificate files under /etc/letsencrypt/live/wow-doge.com/. Next we configure ISPConfig to use them.
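As an added example (not part of the original post, and not certbot's own tooling), the script below requests the certificate with webroot validation, which only drops a challenge file under /.well-known/acme-challenge/ in the site's document root and leaves the ISPConfig-managed Apache configuration alone, and then checks the result before anything is pasted into ISPConfig. The location of certbot-auto and the document root are assumptions (ISPConfig shows a site's real document root on the site's settings page). The key/certificate match check catches the "X509_check_private_key: key values mismatch" condition that Apache otherwise only reports when it refuses to start.

```shell
#!/bin/sh
# Added example, not from the original post. Request a Let's Encrypt
# certificate with webroot (HTTP-01) validation and verify the result.
# Assumptions (not on the page): certbot-auto is in ~/certbot, the site's
# document root is /var/www/wow-doge.com/web, and openssl is installed.

CERTBOT="${CERTBOT:-$HOME/certbot/certbot-auto}"
WEBROOT="${WEBROOT:-/var/www/wow-doge.com/web}"

# Turn "a.com b.a.com" into "-d a.com -d b.a.com ". The first name also
# names the directory certbot creates under /etc/letsencrypt/live/.
domain_args() {
    for d in "$@"; do printf '%s %s ' -d "$d"; done
}

# Request (not renew) a certificate. certonly means certbot only writes the
# files; it does not touch the Apache configuration ISPConfig manages.
request_cert() {
    # shellcheck disable=SC2046  (word splitting of the -d list is intended)
    "$CERTBOT" certonly --webroot -w "$WEBROOT" $(domain_args "$@")
}

# Read `openssl x509 -text` output on stdin and print the DNS SANs, one per line.
sans_from_text() {
    grep -A1 'Subject Alternative Name' | tail -n1 | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 only if every requested name is among the certificate's SANs;
# a name missing here would show up as a browser name-mismatch warning.
cert_covers() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text | sans_from_text)
    for d in "$@"; do
        printf '%s\n' "$sans" | grep -qx "$d" \
            || { echo "certificate does not cover $d" >&2; return 1; }
    done
}

# Return 0 if the private key belongs to the certificate: compare the public
# key embedded in the certificate with the one derived from the private key.
# A mismatch is what Apache logs as "X509_check_private_key:key values mismatch".
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (as root): ./request-cert.sh request wow-doge.com amaze.wow-doge.com
if [ "${1:-}" = "request" ]; then
    shift
    request_cert "$@" || exit 1
    live="/etc/letsencrypt/live/$1"
    cert_covers "$live/cert.pem" "$@" \
        && key_matches_cert "$live/cert.pem" "$live/privkey.pem" \
        && echo "OK: $live/cert.pem covers $* and matches privkey.pem"
fi
```

HTTP-01 validation is answered over plain HTTP on port 80, so every name you pass must resolve to this server and http://wow-doge.com/.well-known/acme-challenge/ must be served from the document root you give with -w; a 403 on that path (as one commenter below saw with nginx) fails the challenge before a certificate is ever issued.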

Configuring SSL in ISPConfig

Open the ISPConfig control panel, go to Sites, open the relevant website and enable the SSL checkbox.

Enabling the SSL checkbox

Now go to the SSL tab. Copy the contents of the files certbot wrote under /etc/letsencrypt/live/wow-doge.com/ (the directory is named after the first domain passed to certbot) into these fields:

SSL Key: privkey.pem
Execute cat /etc/letsencrypt/live/wow-doge.com/privkey.pem and copy the contents to the field in ISPConfig. This is the private key: paste it only over an HTTPS session to the ISPConfig panel, and do not leave copies of it in scrollback or clipboard managers.

SSL Certificate: cert.pem
Execute cat /etc/letsencrypt/live/wow-doge.com/cert.pem and copy the contents to the field in ISPConfig.

SSL Bundle: chain.pem
Execute cat /etc/letsencrypt/live/wow-doge.com/chain.pem and copy the contents to the field in ISPConfig. This is the Let’s Encrypt intermediate certificate; without it, browsers cannot build the chain to a trusted root even though the certificate itself is fine.

Adding SSL certificates and keys

Important: Select SSL Action ‘Save Certificate’

Finally, have Apache redirect HTTP requests to HTTPS.

Method 1: Go to the Options tab and put the redirect directives in the Apache Directives field.
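As an added example (not the directives from the original post), this is what a safe HTTP-to-HTTPS redirect for the Apache Directives field looks like; the comment thread below shows the same idea written against SERVER_PORT, and the R=301 status is the one a commenter suggested there.

```apache
# Added example (not the post's own directives): redirect every plain-HTTP
# request to HTTPS. ISPConfig copies the Apache Directives field into both
# the :80 and the :443 vhost, so the rewrite must only fire on plain HTTP
# or the HTTPS vhost would redirect to itself forever.
RewriteEngine On
RewriteCond %{HTTPS} !=on
# 301 so browsers and caches remember the redirect; %{HTTP_HOST} keeps the
# name the client asked for, so amaze.wow-doge.com stays on its own name.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Use the site domain and its aliases only as Apache already knows them; the redirect sends the client back to the host it requested, so a request for a name this vhost does not serve never reaches the rule.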

Method 2: Go to the Redirect tab and check “Rewrite HTTP to HTTPS”. ISPConfig then adds the equivalent rewrite rules to the vhost itself, so this is the preferred method.

Now the server is configured for this certificate. Select Save and wait a minute or so for ISPConfig to rewrite the vhost configuration and reload Apache.

Important: Let’s Encrypt certificates are valid for only 90 days and must be renewed regularly, preferably automatically. See the next section for more info.

Happy Chrome

Enabling automatic periodical renewal

Certificates issued by Let’s Encrypt are valid for 90 days, so renewing them by hand is not an option. Renewing is easy, though: certbot writes the renewed certificate to the same place, /etc/letsencrypt/live/domain.com/ (the files there are symlinks to the newest versions in /etc/letsencrypt/archive/). We do not want to copy the certificate and key into ISPConfig after every renewal, and there is an easy way around that.

We are going to replace the certificate files ISPConfig wrote for the site with symbolic links to the files under /etc/letsencrypt/live/, so Apache picks up each renewed certificate directly. Go to the SSL directory of your site and create the links there (you might need to do this as super-user, with sudo):

Note: first paste the certificates and key into ISPConfig as described above and save. This is required for ISPConfig to write the SSL directives into the Apache vhost; only then replace the resulting files with links.

Create a renewal script, based on the Let’s Encrypt example:

Save it, for example in your home directory, as renew-letsencrypt.sh and make it executable:

Now call this script periodically from root’s crontab:

Add a line to call the renewal script on the first day of every month at 4 o’clock. Certbot only renews a certificate when fewer than 30 days of validity remain and does nothing otherwise, so a monthly run gets exactly one attempt per certificate; running it more often (certbot’s own advice is once or twice a day) is harmless and gives you retries if Let’s Encrypt or your DNS is unreachable that night.

Save your crontab and you’re ready to go!
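As an added example (this is not the post's own renewal script), the following puts the three steps above into one script: link ISPConfig's per-site certificate files to certbot's live directory, renew whatever is due, and reload Apache only when something was actually renewed. The ISPConfig file names (<domain>.key, <domain>.crt, <domain>.bundle in the site's ssl directory), the certbot-auto location and the reload command are assumptions; check them against your server before use. It also exports a UTF-8 locale, because cron runs with an almost empty environment and certbot-auto's Python bootstrap fails with the OSError described in the FAQ below when none is set.

```shell
#!/bin/sh
# Added example, not the original post's script. Run as root.
# Assumptions (not stated on the page): ISPConfig stores a site's files as
# <domain>.key/.crt/.bundle in the site's ssl/ directory, certbot-auto lives
# in /root/certbot, and Apache is reloaded with "service apache2 reload".

CERTBOT="${CERTBOT:-/root/certbot/certbot-auto}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
RELOAD="${RELOAD:-service apache2 reload}"

# cron does not read .bashrc; without a UTF-8 locale certbot-auto's
# virtualenv bootstrap dies with "OSError: Command ... pip wheel failed".
export LC_ALL="${LC_ALL:-C.UTF-8}" LANG="${LANG:-C.UTF-8}"

# Replace the copies ISPConfig wrote with symlinks into /etc/letsencrypt/live,
# so each renewal is picked up without re-pasting anything. The pasted
# originals are kept as .bak (the .key.bak is a private key: same perms).
link_site_certs() {
    ssl_dir=$1
    domain=$2
    live=$3/$2
    for pair in key:privkey crt:cert bundle:chain; do
        ext=${pair%%:*}
        src=${pair##*:}
        target="$ssl_dir/$domain.$ext"
        if [ -f "$target" ] && [ ! -L "$target" ]; then
            mv "$target" "$target.bak"
        fi
        ln -sfn "$live/$src.pem" "$target"
    done
}

# Return 0 only if all three links resolve to readable files. A dangling
# link (e.g. after a damaged privkey.pem) is what makes Apache refuse to start.
links_ok() {
    ssl_dir=$1
    domain=$2
    for ext in key crt bundle; do
        [ -L "$ssl_dir/$domain.$ext" ] && [ -r "$ssl_dir/$domain.$ext" ] || return 1
    done
}

# Renew everything within certbot's 30-day window. --post-hook runs only if
# at least one certificate was renewed, so Apache is not reloaded needlessly.
renew_all() {
    "$CERTBOT" renew --quiet --post-hook "$RELOAD"
}

# Usage: renew-letsencrypt.sh link /var/www/wow-doge.com/ssl wow-doge.com
#        renew-letsencrypt.sh renew
case "${1:-}" in
    link)  link_site_certs "$2" "$3" "$LE_LIVE" ;;
    renew) renew_all ;;
esac
```

Run the link step once per site after ISPConfig has saved the pasted certificate, then add the renew step to root's crontab, for instance `0 4 1 * * /root/renew-letsencrypt.sh renew` for the first day of the month at 04:00 as the article suggests, or `0 4 * * *` for a daily attempt. Because the private key file is now a symlink into /etc/letsencrypt, make sure that directory stays root-only; ISPConfig's own ssl directory is readable only by the web server user and root.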

Conclusion

That’s it! I am currently running multiple websites using Let’s Encrypt without any problems at all. Its free certificates are trusted by almost all modern browsers and by many other applications that use SSL/TLS.

Frequently Asked Questions

OSError: Command /home/user/…./bin/python2.7 – setuptools pkg_resources pip wheel failed with error code 1

This error happens when no locale is set in your environment (the LANG and LC_ALL variables), which makes certbot-auto’s Python bootstrap fail. Set them once for the current shell by executing:

Set them permanently by adding these lines to your shell initialization script (.zshrc, .bashrc). Note that cron does not read those files, so the renewal script itself must export the same variables, or the cron job will hit this exact error.

Is there a manual for ISPConfig?

The company behind ISPConfig sells a manual for a couple of dollars:

ISPConfig 3.1: The official manual by the creators of ISPConfig (Kindle Edition)

  • dimitri visser

    Nice article! It works here now thanks to your advice 😉 Just one thing.

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

    It’s better to write it like this:

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

    forcing the HTTP status to be: 301 Moved Permanently.
    Otherwise it will give a “not found” header.

    • Tom

      Thanks Dimitri! I’ve added the redirect HTTP status code. I’m going to update this part of the article slightly by recommending the ‘redirect to HTTPS’ option on the Redirect tab of ISPConfig. It seems that ISPConfig adds the same type of statement to the Apache website configuration, but it is a bit more elegant to use the built-in functionality, of course…

  • Steffan Noord

    Great post, was looking for this.

    Just wondering why you didn’t go for the API version?
    https://github.com/sjau/le2ispc
    https://www.howtoforge.com/community/threads/lets-encrypt-2-ispconfig.71348/

    • Tom

      I am using the command-line tool for LE (certbot) to create certificates for other services as well (FTP, Jira, Monit, etc.). I wanted all the certificates to be created in the same manner and a transparent way of linking the ISPConfig certificates to the LE certificates.

  • Sebastián Fuentes

    The first time we have to add the keys manually in the ISPConfig SSL tab, but afterwards, how does ISPConfig automate the renewal? I mean, the certs themselves change when the renewal process is done; will ISPConfig detect the changes to the files by itself, or do we have to add the cert content to the ISPConfig SSL tab manually again?

    • Tom

      You will create symlinks to the certificates using ‘ln -s’. This ensures the certs are updated when certbot updates them.

  • Donny

    If i understand right, letsencrypt has been renamed to certbot.
    How does this affect the renew script?

  • Saeid Ghazagh

    Hi Tom/All,
    I just saw this discussion now, after 5 months, and it’s really good, as I have had the same question, especially on the renewal part, for a long time.

    My question is that, at the time you wrote this article, ISPConfig was in the beta release of version 3.1.
    Now that the full version is released (3.1.1p1 at the moment), I see that most things are handled within ISPConfig itself.

    So ISPConfig generates the certificates and also the symbolic links to the Let’s Encrypt folder keeping the certificate files.

    Actually all my sites are working fine so far.

    The only question remaining for me is renewal of the certificates!
    Do we still need to add the scripts you suggested to crontab manually, to run them at the interval we need?
    I do not know whether ISPConfig can renew the certificates by itself or not.

    Can you please advise?

    P.S.: The file “letsencrypt-auto” seems not to be available in the already installed version of my letsencrypt. I searched through the letsencrypt installation folder and this file does not exist!
    I know the Git repository has this file, but why not in the installed version of letsencrypt on an Ubuntu 16.04.1 server?

    Many thanks

    • Tom

      I will update the post shortly, including the recent changes in ISPConfig. ISPConfig should be able to renew the certificates itself. You can check the ISPConfig log file to make sure.

      • Saeid Ghazagh

        Yes, I have asked from ISPConfig developers in forum and they mentioned that the ISPConfig will update the certificates by itself.

        It would be fantastic if you explained the new certificate renewal in ISPConfig.
        I am more interested to know how it does that.

        Many thanks again…

  • Egbert Jan van den Bussche

    Thanks Tom. I still cannot get the built-in version to work (ISPConfig 3.1.1p1). Certbot itself as standalone (your description) works fine. I noticed that the certs were created as http://www.www.speldorado-delft.nl.key/crt. I asked certbot for -d http://www.speldorado-delft.nl. In ISPConfig I’ve created the website with the full name as domain (www…) and set the auto-subdomain to none. I still wonder whether that was wise… or whether it confuses the creation of certs.
    Egbert Jan, NL.

    • Tom

      Excuse me for my late reply. Typically one would not include the www subdomain in the site domain. You could then select www as auto-subdomain and have SSL certs on both domain.com and http://www.domain.com.
      You might be able to change the domain-name but I’m not sure how ISPConfig handles this. Copying your files to a new site might be another option of course.

  • BestClassified

    Hi, After the installation of certbot, apache won’t start up anymore. How can I completely remove it?

    • Tom

      What do the logs say?

      • Peter

        Thank you for your prompt reply! The Apache error logs say nothing about this. But I had an error during the certbot installation process. See the pic.

        https://uploads.disquscdn.com/images/56c249e07706c4603bc3c43bdf07250d6274c1af654986a0362dbc65c1b61f79.png

        Since then, I’m not able to start apache at all. All sites and ispconfig are down

      • Peter
        • Tom

          There seems to be an invalid site config left in your Apache configuration directory. It must have been a leftover from the Apache plugin trying to create a temporary doc-root.
          I think the config is in /etc/apache2/sites-enabled…
          Next time, start a stand-alone webserver [opt. 3] (after temporarily stopping Apache).
          By the way, opening the log in Notepad++ or similar instead of Notepad would help with the line endings.

          • Peter

            Thank you! Next time I will use Notepad++. So what’s the solution now? Wouldn’t a certbot removal be the proper solution for this issue? I don’t really dare to modify the config files, especially when I don’t even know which file is the correct one. Since I’m not an expert – I just recently bought my own server and I’m still learning – I think I’d cause more harm than good.

          • Tom

            Well, Apache complains about a folder not existing. You have to remove the config file that causes this trouble. What’s the output of:

            grep -ri "tls_sni_01_page" /etc/apache2/

            And what’s the output of

            sudo apachectl -S

          • Peter

            Thank you for the reply. I’ll give it a shot. In the meantime I emptied the logs to see what’s new, and after a reboot the Apache error log says:

            [Mon Feb 13 22:24:26.164681 2017] [ssl:emerg] [pid 2975] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/ispconfig/httpd/osclass.bestclassified.org/error.log for more information

            So I’ve looked into the other log file which says:

            [Mon Feb 13 22:33:07.559135 2017] [ssl:emerg] [pid 3807] AH02238: Unable to configure RSA server private key
            [Mon Feb 13 22:33:07.559220 2017] [ssl:emerg] [pid 3807] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

            So I think it’s gotta be something with the SSL.

          • Tom

            Your cert is invalid. Do you actually allow traffic on port 443?
            Remove the certs and SSL lines from your osclass.bestclassified.org site (e.g. /etc/apache2/sites-available/osclass.bestclassified.org).

          • Peter

            Great. I have now removed the SSL lines and the websites are back up. But I just don’t understand what exactly the problem was. I mean, okay, the cert was invalid, but why?

          • Tom

            The cert was invalid because let’s encrypt didn’t send you a valid one in the first place. They weren’t able to contact your site on port 443 (https) at the domain you provided. This is required to validate ownership. The strange thing in my opinion is that your configuration was not reverted.

          • Peter

            I have no idea. It is possible that somehow the server is misconfigured. Probably. Like I said it’s the very first time I have my own server managed on my own. I’m not that brave to try out other settings yet. I was happy that I could manage to set up the basics and run my project on this server. I’ll probably buy another one to learn a bit.
            And I think I’m gonna skip this step for now. The only reason I wanted SSL is because some applications that I planned to use, require secure connection.
            But hey Tom, thank you for your valuable time and I appreciate your help. Great article by the way. Thanks for everything!

          • Peter

            Good news. I couldn’t give up. I had to try one more time and it was successfully installed this time. Hell, don’t know what was the problem first time but it worked now.
            Thank you, Tom!

            https://uploads.disquscdn.com/images/6add9cf7eb54455b2268bae6fb89508562b6c5c3dd38d512a68398ff2b8d3493.png

  • Egbert Jan van den Bussche

    Just spent the whole day searching why the cron job crashed with the OS-Error thing (FAQ above), taking down Apache and 5 sites on my test server… Should I include the exports in the cron job or in a global bashrc?
    Finally I found that one single privkey.pem was damaged. I restored it from backup and all was running again.

    The same cron job worked fine on the production server, but I do not know whether the certs were due to be renewed. Maybe certbot-auto was already up to date.

  • Joe

    Hi, I wonder if someone can shed some light on my problem. I have ISPConfig 3.1 running on Ubuntu 16.04 with Let’s Encrypt installed. I have multiple websites I want to secure over SSL. I have enabled Let’s Encrypt on one site (simple tick box in ISPConfig 3.1) and it works perfectly. However, when I try to enable it for a second website, a separate domain, I get an error in the browser: CERT_COMMON_NAME_INVALID. I ran the second domain through an SSL checker and the common names don’t match the second domain. How do I fix this? What have I missed? Thanks in advance, guys!

    • Tom

      A couple of things could be going on, but in general it means that Apache or Nginx did not serve the correct certificate for the domain you used. Verify whether you specified the domain name correctly in ISPConfig.

      Check whether there is a vhost with the correct domain name:
      grep -R "ServerName" /etc/apache2/sites-enabled

      It might be that there is a site enabled that matches any domain name.

      List sites:
      ls /etc/apache2/sites-enabled

      You can remove symbolic links from this directory. Originals are in /etc/apache2/sites-available

  • fabienne

    Hello, on this page it says: “but placing files in the webroot works as well.”
    I read that the way to give certbot access is to put the following code in the https server section of the sites-available conf file:

    location ~ /.well-known {
    allow all;
    }

    I tried putting it in the nginx directives in the ISPConfig settings for the website I want a certificate for, but I still get the 403 Forbidden response.

    Could someone please tell me how to do this? Did anyone have this problem as well?
    Thanks in advance.

    • fabienne

      oh and sorry… I use ISPC 3.0