HowTo (Obsolete) use LetsEncrypt for the i-MSCP control panel and services

**UncleSam** · Sep 25th 2016

WARNING The procedure described below is not supported by i-MSCP team and should be reserved to i-MSCP experts WARNING

WARNING:

In the LetsEncrypt plugin version 2.0.0, a new feature is introduced which make this documentation obsolete! So if you are using it - please stop to use it after you applied to LetsEncrypt plugin in version 2.0.0 or newer. To do so please execute the before update start script (7.1) before enabling service and panel certs - but do not use the finish part!!! After that be sure to not restart/reload the services, the plugin is knowing when they need be restarted/reloaded.

Hello,

with this howto you are able to use certificates from LetsEncrypt for the admin panel and the services: nginx, postfix, dovecot and proftpd.

Versions:

Display Spoiler

Requirements:

I-MSCP Serie 1.3.x with enabled SSL for panel and services
i-MSCP LetsEncrypt plugin

Tested on:

Ubuntu 16.04 LTS x64
I-MSCP 1.3.3

As Ninos said in this post this feature is planned for newer releases but needs I-MSCP version 1.4.0 - so this is just a documentation how to do it till there is an official solution.

~~Use at your own risk!~~ Stop using it (see first warnings!)

1. Introduction

I-MSCP manage two different certificates for the control panel and for the services. They are located in here:

Control panel: /etc/imscp/admin.domain.tld.pem
Services: /etc/imscp/imscp_services.pm

As you can see the service SSL certificate has a fixed name and the control panel SSL certificate depends on the URL of your control panel. For this tutorial/documentation/howto, we assume that the control panel is located at admin.domain.tld - so please replace all admin.domain.tld entries with your own URL (which you set by installing I-MSCP - or which you are using to access the panel via https://admin.domain.tld:8443.

For the services we assume they all are located using srv.domain.tld. So replace srv.domain.tld with your own URL.

If the address of your admin panel matches the one from your services you have to do some steps only once (e.g. creation of certs).

2. Creation of SSL certificates

First of all, we need to generate some SSL certificates. This has to be done by the LetsEncrypt plugin. All you need to do is to create the domains/subdomains through the control panel and enable LetsEncrypt for them, even if you do not use them. We need it to be created by the LetsEncrypt plugin because it is generating the needed pem certificate files and it is also managing the update of those certificates.

So in our example we need to create:

Domain: domain.tld
- Subdomain: admin.domain.tld
- Subdomain: srv.domain.tld

After we created these domains we also enable LetsEncrypt certificate creation for both.

3. Backup

For security reasons please create a backup of both certificates (see "1. Introduction" where to find them).

4. Symlinking

To always use the latest certificate we create a symlink for both certificate files. To store this symlink we first need to remove the old files (be sure you have a backup, if not you have to run the reconfiguration of I-MSCP to generate a new certificate):

Shell-Script

# rm /etc/imscp/admin.domain.tld.pem# rm /etc/imscp/imscp_services.pem

The prepared LetsEncrypt SSL certificates are prepared by the plugin as pem files inside the directory /var/www/imscp/gui/data/certs. So we now create a link to our original SSL certificate files. This ensures that we always point to the newest cert file (be sure to replace admin.domain.tld and srv.domain.tld):

Shell-Script

# ln -s /var/www/imscp/gui/data/certs/admin.domain.tld.pem /etc/imscp/admin.domain.tld.pem# ln -s /var/www/imscp/gui/data/certs/srv.domain.tld.pem /etc/imscp/imscp_services.pem

Now we need to change the file permissions to match the previouse permissions:

Shell-Script

# chown -h root:imscp /etc/imscp/admin.domain.tld.pem# chown -h root:imscp /etc/imscp/imscp_services.pem

5. Service reloading

Now we need to reload each service to apply the certificate changes:

Shell-Script

# service nginx restart# service proftpd reload# service dovecot reload# service postfix reload

6. Automatically reload all services on certificate updates

As in "5. Service reloading" section described we always need to reload the services on SSL certificate changes. So we need to change some configuration settings for the LetsEncrypt plugin which is able to do this for us.
Open the /var/www/imscp/gui/plugins/LetsEncrypt/config.php file in your favorite editor and add an additional line at the certbot_cmd_create_options:

Code: /var/www/imscp/gui/plugins/LetsEncrypt/config.php

--post-hook service nginx reload && service postfix reload && service dovecot reload && service proftpd reload

In my case it looks like that:
2016-09-25_02h44_43.png

Last step is to go in the control panel and reload the plugins. As long as you are not reloading the configuration, the changes are not applied.

7. Updating I-MSCP

During the update procedure I-MSCP tries to set permissions again on our linked certificate files which will fail. If you move the linked files to another folder the certs are missing, I-MSCP is checking that and is showing you the page to configure the certs again. To avoid that I wrote two little scripts which needs to be executed before you start an update and after the update finished successfully.

7.1 Before update start

This script moves both linked files temporary to the "/root/" folder and copies a original file back to the cert location I-MSCP needs. If you wanna change that be sure to change it at the finish script below too!

Shell-Script

# mv /etc/imscp/admin.domain.tld.pem /root/admin.domain.tld.pem.lnkbackup# mv /etc/imscp/imscp_services.pem /root/imscp_services.pem.lnkbackup# cp -L /root/admin.domain.tld.pem.lnkbackup /etc/imscp/admin.domain.tld.pem# cp -L /root/imscp_services.pem.lnkbackup /etc/imscp/imscp_services.pem

7.2 Start update

Now start the update of I-MSCP as usual. There should be no question about your SSL configuration.

7.3 After update finished

After the update finished you have to move the link files back to ensure the usage of the latest cert file. This script is deleting the current cert files inside the I-MSCP directory (see "1. Introduction" for paths) and replace them with the linked file which was moved by "7.1 Before update start". Only use this script if you run "7.1 Before update start"!

Shell-Script

# rm /etc/imscp/admin.domain.tld.pem
# rm /etc/imscp/imscp_services.pem
# mv /root/admin.domain.tld.pem.lnkbackup /etc/imscp/admin.domain.tld.pem
# mv /root/imscp_services.pem.lnkbackup /etc/imscp/imscp_services.pem
# service nginx restart
# service proftpd reload
# service dovecot reload
# service postfix reload

8. Check certs

Tools to check if the certs are applied as wanted:

All ports: https://www.digicert.com/util/ (Windows only) - can be used to show certificates on a specific port:
Online mail server check:
- Inbound: https://de.ssl-tools.net/mailservers
- Outboung: https://de.ssl-tools.net/mails (this is going to list the domain part of your e-mail on the page for everyone)
IMAP/POP check: use your favorite E-Mail client and connect using ssl - it should give you a report if there is a ssl error
FileZilla: open a ftp connection by using the prefix "ftpes://" to ensure secure connection (e.g. "ftpes://srv.domain.tld")
Browser for admin panel

Please tell me if you have any questions regarding this documentation.

Feel free to use the "thumbs up" Button

WARNING:

In the LetsEncrypt plugin version 2.0.0, a new feature is introduced which make this documentation obsolete! So if you are using it - please stop to use it after you applied to LetsEncrypt plugin in version 2.0.0 or newer. To do so please execute the before update start script (7.1) before enabling service and panel certs - but do not use the finish part!!! After that be sure to not restart/reload the services, the plugin is knowing when they need be restarted/reloaded.

WARNING The procedure described above is not supported by i-MSCP team and should be reserved to i-MSCP experts WARNING

**flames** · Sep 26th 2016

You could try this listener and improve

Perl: 90_letsencrypt_services.pl

# i-MSCP Listener::Letsencrypt::Services listener file
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
## This listener changes all services to use a custom SSL certificate file (can be
## combined with Letsencrypt plugin, so the certificate file is automatically updated)
#
package Listener::Letsencrypt::Services;
use strict;
use warnings;
use iMSCP::Debug;
use iMSCP::EventManager;
use Servers::mta;
#
## Configuration variables
#
my $certfileServices = '/var/www/imscp/gui/data/certs/'.$main::imscpConfig{'SERVER_HOSTNAME'}.'.pem';
my $certfilePanel = '/var/www/imscp/gui/data/certs/'.$main::imscpConfig{'BASE_SERVER_VHOST'}.'.pem';
#
## Please, don't edit anything below this line unless you known what you're doing
#
my $em = iMSCP::EventManager->getInstance();
if (-f $certfilePanel) {
# Nginx
if ($main::imscpConfig{'FRONTEND_SERVER'} eq 'nginx') {
$em->register(
'afterFrontEndBuildHttpdVhosts',
sub {
my $file = iMSCP::File->new( filename => '/etc/nginx/sites-available/00_master_ssl.conf' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/nginx/sites-available/00_master_ssl.conf' ) );
return 1;
}
$fileContent =~ s/^(\s+ssl_certificate\s+).*/$1$certfilePanel;/m;
$fileContent =~ s/^(\s+ssl_certificate_key\s+).*/$1$certfilePanel;/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
}
if (-f $certfileServices) {
# Postfix
if ($main::imscpConfig{'MTA_SERVER'} eq 'postfix') {
$em->register(
'afterMtaPostinstall', # afterMtaPostinstall because afterMtaBuildConf fired too early
sub {
my $file = iMSCP::File->new( filename => '/etc/postfix/main.cf' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/postfix/main.cf' ) );
return 1;
}
$fileContent =~ s/^(smtpd_tls_cert_file\s+=\s+).*/$1$certfileServices/m;
$fileContent =~ s/^(smtpd_tls_key_file\s+=\s+).*/$1$certfileServices/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
# Dovecot
if ($main::imscpConfig{'PO_SERVER'} eq 'dovecot') {
$em->register(
'afterPoBuildConf',
sub {
my $file = iMSCP::File->new( filename => '/etc/dovecot/dovecot.conf' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/dovecot/dovecot.conf' ) );
return 1;
}
$fileContent =~ s/^(ssl_cert\s+=\s+<).*/$1$certfileServices/m;
$fileContent =~ s/^(ssl_key\s+=\s+<).*/$1$certfileServices/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
# Courier
if ($main::imscpConfig{'PO_SERVER'} eq 'courier') {
$em->register(
'afterPoBuildConf',
sub {
my $file = iMSCP::File->new( filename => '/etc/courier/imapd-ssl' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/courier/imapd-ssl' ) );
return 1;
}
$fileContent =~ s/^(TLS_CERTFILE=).*/$1$certfileServices/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
$file = iMSCP::File->new( filename => '/etc/courier/pop3d-ssl' );
$fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/courier/pop3d-ssl' ) );
return 1;
}
$fileContent =~ s/^(TLS_CERTFILE=).*/$1$certfileServices/m;
$rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
# Vsftpd
if ($main::imscpConfig{'FTPD_SERVER'} eq 'vsftpd') {
$em->register(
'afterFtpdBuildConf',
sub {
my $file = iMSCP::File->new( filename => '/etc/vsftpd.conf' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/vsftpd.conf' ) );
return 1;
}
$fileContent =~ s/^(rsa_cert_file=).*/$1$certfileServices/m;
$fileContent =~ s/^(rsa_private_key_file=).*/$1$certfileServices/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
# Proftpd
if ($main::imscpConfig{'FTPD_SERVER'} eq 'proftpd') {
$em->register(
'afterFtpdPostInstall', # afterFtpdPostInstall because afterFtpdBuildConf fired too early
sub {
my $file = iMSCP::File->new( filename => '/etc/proftpd/proftpd.conf' );
my $fileContent = $file->get();
unless (defined $fileContent) {
error( sprintf( 'Could not read %s file', '/etc/proftpd/proftpd.conf' ) );
return 1;
}
$fileContent =~ s/^(\s+TLSRSACertificateFile\s+).*/$1$certfileServices/m;
$fileContent =~ s/^(\s+TLSRSACertificateKeyFile\s+).*/$1$certfileServices/m;
my $rs = $file->set( $fileContent );
$rs ||= $file->save();
}
);
}
}
1;
__END__

Display More

**dimon** · Oct 24th 2016

@flames

proceed your listener files all Steps from @UncleSam?

BR

**flames** · Oct 25th 2016

not all, just the steps how to get a letsencrypt certificates.
istead of the symlinks you can use the listener (but the listener is just a case study to prove the scenario).
UncleSam's way is to prefer! I posted the listener as answer to UncleSam, so he can try and improve. Else I would have made a separate Thread.

in my personal case UncleSam's way was not update safe, because the symlinks were overridden with new self-signed certs. then i created the listener, to get through i-MSCP updates. I need to add, the overriding might be an issue of my custom i-MSCP configuration.

**UncleSam** · Oct 29th 2016

@flames
The solution is update safe for me using the scripts in topic 7

In more detail:
In topic 7 the first script replaces the symlinked files with the original ones they are linked from ("cp -L" is doing this magic). That needs to be done to avoid self signed certificate creation of I-MSCP during update process. If you do not execute this part I-MSCP is not able to find these documents and wants to create new ones (and it fails with an error because it cannot set permissions on that files).

In the second part I remove the scripts and regenerate the symlinks again. So it should work for everyone

HowTo (Obsolete) use LetsEncrypt for the i-MSCP control panel and services

Share

Daily visitors