HowTo (Obsolete) use LetsEncrypt for the i-MSCP control panel and services

  • WARNING: The procedure described below is not supported by the i-MSCP team and should be reserved for i-MSCP experts. WARNING


    WARNING:

    In the LetsEncrypt plugin version 2.0.0, a new feature is introduced which makes this documentation obsolete! So if you are using it, please stop using it after you have upgraded to LetsEncrypt plugin version 2.0.0 or newer. To do so, please execute the before-update start script (7.1) before enabling service and panel certs, but do not use the finish part!!! After that, be sure not to restart/reload the services; the plugin knows when they need to be restarted/reloaded.


    Hello,


    With this howto you are able to use certificates from LetsEncrypt for the admin panel and the services: nginx, postfix, dovecot and proftpd.


    Versions:


    Requirements:

    • I-MSCP series 1.3.x with SSL enabled for panel and services
    • i-MSCP LetsEncrypt plugin

    Tested on:

    • Ubuntu 16.04 LTS x64
    • I-MSCP 1.3.3

    As Ninos said in this post, this feature is planned for newer releases but needs I-MSCP version 1.4.0, so this is just documentation of how to do it until there is an official solution.


    Use at your own risk! Stop using it (see first warnings!)


    1. Introduction

    I-MSCP manages two different certificates, one for the control panel and one for the services. They are located here:

    • Control panel: /etc/imscp/admin.domain.tld.pem
    • Services: /etc/imscp/imscp_services.pem

    As you can see, the service SSL certificate has a fixed name and the control panel SSL certificate depends on the URL of your control panel. For this tutorial/documentation/howto, we assume that the control panel is located at admin.domain.tld, so please replace all admin.domain.tld entries with your own URL (which you set when installing I-MSCP, or which you are using to access the panel via https://admin.domain.tld:8443).


    For the services we assume they are all reachable at srv.domain.tld. So replace srv.domain.tld with your own URL.


    If the address of your admin panel matches the one of your services, you have to do some steps only once (e.g. creation of certs).


    2. Creation of SSL certificates

    First of all, we need to generate some SSL certificates. This has to be done by the LetsEncrypt plugin. All you need to do is to create the domains/subdomains through the control panel and enable LetsEncrypt for them, even if you do not use them. We need them to be created by the LetsEncrypt plugin because it generates the needed pem certificate files and also manages the update of those certificates.


    So in our example we need to create:

    • Domain: domain.tld

      • Subdomain: admin.domain.tld
      • Subdomain: srv.domain.tld

    After we have created these domains, we also enable LetsEncrypt certificate creation for both.


    3. Backup

    For security reasons, please create a backup of both certificates (see "1. Introduction" for where to find them).


    4. Symlinking

    To always use the latest certificate we create a symlink for both certificate files. To store this symlink we first need to remove the old files (be sure you have a backup; if not, you have to run the reconfiguration of I-MSCP to generate a new certificate):

    Shell-Script
    # rm /etc/imscp/admin.domain.tld.pem
    # rm /etc/imscp/imscp_services.pem

    The LetsEncrypt SSL certificates are prepared by the plugin as pem files inside the directory /var/www/imscp/gui/data/certs. So we now create a link in place of our original SSL certificate files. This ensures that we always point to the newest cert file (be sure to replace admin.domain.tld and srv.domain.tld):

    Shell-Script
    # ln -s /var/www/imscp/gui/data/certs/admin.domain.tld.pem /etc/imscp/admin.domain.tld.pem
    # ln -s /var/www/imscp/gui/data/certs/srv.domain.tld.pem /etc/imscp/imscp_services.pem

    Now we need to change the file permissions to match the previous permissions:

    Shell-Script
    # chown -h root:imscp /etc/imscp/admin.domain.tld.pem
    # chown -h root:imscp /etc/imscp/imscp_services.pem


    5. Service reloading

    Now we need to reload each service to apply the certificate changes:

    Shell-Script
    # service nginx restart
    # service proftpd reload
    # service dovecot reload
    # service postfix reload


    6. Automatically reload all services on certificate updates

    As described in the "5. Service reloading" section, we always need to reload the services on SSL certificate changes. So we need to change some configuration settings for the LetsEncrypt plugin, which is able to do this for us.
    Open the /var/www/imscp/gui/plugins/LetsEncrypt/config.php file in your favorite editor and add an additional line to the certbot_cmd_create_options:

    Code: /var/www/imscp/gui/plugins/LetsEncrypt/config.php
    --post-hook service nginx reload && service postfix reload && service dovecot reload && service proftpd reload


    In my case it looks like this:
    [Screenshot: 2016-09-25_02h44_43.png]



    The last step is to go into the control panel and reload the plugins. As long as you do not reload the configuration, the changes are not applied.


    7. Updating I-MSCP

    During the update procedure I-MSCP tries to set permissions again on our linked certificate files, which will fail. If you move the linked files to another folder, the certs are missing; I-MSCP checks that and shows you the page to configure the certs again. To avoid that I wrote two little scripts which need to be executed before you start an update and after the update has finished successfully.


    7.1 Before update start


    This script temporarily moves both linked files to the "/root/" folder and copies the original file back to the cert location I-MSCP needs. If you want to change that, be sure to change it in the finish script below too!

    Shell-Script
    # mv /etc/imscp/admin.domain.tld.pem /root/admin.domain.tld.pem.lnkbackup
    # mv /etc/imscp/imscp_services.pem /root/imscp_services.pem.lnkbackup
    # cp -L /root/admin.domain.tld.pem.lnkbackup /etc/imscp/admin.domain.tld.pem
    # cp -L /root/imscp_services.pem.lnkbackup /etc/imscp/imscp_services.pem

    7.2 Start update


    Now start the update of I-MSCP as usual. There should be no question about your SSL configuration.


    7.3 After update finished


    After the update has finished you have to move the link files back to ensure the usage of the latest cert file. This script deletes the current cert files inside the I-MSCP directory (see "1. Introduction" for paths) and replaces them with the linked files which were moved by "7.1 Before update start". Only use this script if you ran "7.1 Before update start"!

    Shell-Script
    # rm /etc/imscp/admin.domain.tld.pem
    # rm /etc/imscp/imscp_services.pem
    # mv /root/admin.domain.tld.pem.lnkbackup /etc/imscp/admin.domain.tld.pem
    # mv /root/imscp_services.pem.lnkbackup /etc/imscp/imscp_services.pem
    # service nginx restart
    # service proftpd reload
    # service dovecot reload
    # service postfix reload

    8. Check certs

    Tools to check if the certs are applied as wanted:

    • All ports: https://www.digicert.com/util/ (Windows only) can be used to show the certificate on a specific port.
    • Online mail server check:

    • IMAP/POP check: use your favorite e-mail client and connect using SSL; it should give you a report if there is an SSL error
    • FileZilla: open an FTP connection using the prefix "ftpes://" to ensure a secure connection (e.g. "ftpes://srv.domain.tld")
    • Browser for admin panel


    Please tell me if you have any questions regarding this documentation.


    Feel free to use the "thumbs up" button.



    WARNING: The procedure described above is not supported by the i-MSCP team and should be reserved for i-MSCP experts. WARNING

    Edited 6 times, last by UncleSam: See Version Spoiler ().

    Viktor, theemstra, jensen and 6 others like this.
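    The 7.1 and 7.3 steps above, written as two checked shell functions (an added example, not UncleSam's scripts or part of i-MSCP). CERT_DIR and BACKUP_DIR are assumed to be overridable so the functions can be tried on a scratch directory; the defaults are the paths the howto uses, and the 0640 mode is an assumption (the howto only sets the owner with chown -h root:imscp).

```shell
#!/bin/sh
# Added example: update-safe swap of the i-MSCP cert symlinks (howto steps 7.1/7.3).
CERT_DIR="${CERT_DIR:-/etc/imscp}"   # assumed overridable; howto uses /etc/imscp
BACKUP_DIR="${BACKUP_DIR:-/root}"    # assumed overridable; howto uses /root

# pre_update NAME: park the symlink CERT_DIR/NAME in BACKUP_DIR as NAME.lnkbackup
# and leave a regular copy of its target in its place, so the i-MSCP updater
# finds a real file it can chown (step 7.1).
pre_update() {
    link="$CERT_DIR/$1"
    backup="$BACKUP_DIR/$1.lnkbackup"
    # Only a symlink is parked: a regular file means 7.1 already ran (or the
    # link was never created); running again would destroy the parked link.
    [ -L "$link" ] || { echo "pre_update: $link is not a symlink" >&2; return 1; }
    # A dangling link gives cp -L nothing to copy; stop before moving anything.
    [ -e "$link" ] || { echo "pre_update: target of $link is missing" >&2; return 1; }
    if [ -e "$backup" ]; then echo "pre_update: $backup already exists" >&2; return 1; fi
    mv "$link" "$backup" || return 1
    # cp -L follows the parked link and writes the certificate as a regular file.
    cp -L "$backup" "$link" || return 1
    chmod 0640 "$link"   # assumption: keep the bundled private key non-world-readable
}

# post_update NAME: drop the regular file (which the updater may have replaced
# with a self-signed cert) and put the parked symlink back (step 7.3, without
# the service reloads, which still have to follow).
post_update() {
    link="$CERT_DIR/$1"
    backup="$BACKUP_DIR/$1.lnkbackup"
    [ -L "$backup" ] || { echo "post_update: no parked link at $backup" >&2; return 1; }
    [ -e "$backup" ] || { echo "post_update: parked link target is missing" >&2; return 1; }
    # Never delete a symlink here; 7.3 expects the plain file left by 7.1.
    if [ -L "$link" ]; then echo "post_update: $link is already a symlink" >&2; return 1; fi
    rm -f "$link" || return 1
    mv "$backup" "$link"
}

# link_target NAME: print where CERT_DIR/NAME resolves, a quick check whether
# the services still use the LetsEncrypt file or a self-signed copy.
link_target() {
    readlink "$CERT_DIR/$1" 2>/dev/null || echo "(regular file)"
}

# Usage: sh swap-certs.sh pre   (before the i-MSCP update)
#        sh swap-certs.sh post  (after it, then reload nginx/proftpd/dovecot/postfix)
case "${1:-}" in
    pre)  pre_update admin.domain.tld.pem && pre_update imscp_services.pem ;;
    post) post_update admin.domain.tld.pem && post_update imscp_services.pem ;;
esac
```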
  • You could try this listener and improve


    Viktor, f4Nm1Z9k2P, hatterja and one other like this.
  • Not all, just the steps for how to get LetsEncrypt certificates.
    Instead of the symlinks you can use the listener (but the listener is just a case study to prove the scenario).
    UncleSam's way is to be preferred! I posted the listener as an answer to UncleSam, so he can try and improve it. Otherwise I would have made a separate thread.


    In my personal case UncleSam's way was not update safe, because the symlinks were overridden with new self-signed certs. Then I created the listener to get through i-MSCP updates. I need to add, the overriding might be an issue of my custom i-MSCP configuration.

    Nuxwin and dimon like this.
  • @flames
    The solution is update safe for me using the scripts in topic 7


    In more detail:
    In topic 7 the first script replaces the symlinked files with the original ones they are linked from ("cp -L" does this magic). That needs to be done to avoid self-signed certificate creation by I-MSCP during the update process. If you do not execute this part, I-MSCP is not able to find these documents and wants to create new ones (and it fails with an error because it cannot set permissions on those files).


    In the second part I remove the scripts and regenerate the symlinks again. So it should work for everyone :)

    Edited once, last by UncleSam ().

    flames and Nuxwin like this.