Posts by UncleSam

Hi there,

I am unable to use the phpMyAdmin button for automatically login to the selected database using phpMyAdmin. It is always telling me there was an error (sorry I have the german edition, it should be something like "Error occured during authentification.").

Is there anything I can do?

Support information:
OS: Ubuntu 16.04 LTS Linux srv 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
I-MSCP: 1.3.3
Server implementation: PHP-FPM
Reproduce: press the link (anyone) produce the error

In the LetsEncrypt plugin version 2.0.0, a new feature is introduced which make this documentation obsolete! So if you are using it - please stop to use it after you applied to LetsEncrypt plugin in version 2.0.0 or newer. To do so please execute the before update start script (7.1) before enabling service and panel certs - but do not use the finish part!!! After that be sure to not restart/reload the services, the plugin is knowing when they need be restarted/reloaded.

Hello,

with this howto you are able to use certificates from LetsEncrypt for the admin panel and the services: nginx, postfix, dovecot and proftpd.

Versions:

Requirements:

• I-MSCP Serie 1.3.x with enabled SSL for panel and services
• i-MSCP LetsEncrypt plugin

Tested on:

• Ubuntu 16.04 LTS x64
• I-MSCP 1.3.3

As Ninos said in this post this feature is planned for newer releases but needs I-MSCP version 1.4.0 - so this is just a documentation how to do it till there is an official solution.

Use at your own risk! Stop using it (see first warnings!)

1. Introduction

I-MSCP manage two different certificates for the control panel and for the services. They are located in here:

• Control panel: /etc/imscp/admin.domain.tld.pem
• Services: /etc/imscp/imscp_services.pm

As you can see the service SSL certificate has a fixed name and the control panel SSL certificate depends on the URL of your control panel. For this tutorial/documentation/howto, we assume that the control panel is located at admin.domain.tld - so please replace all admin.domain.tld entries with your own URL (which you set by installing I-MSCP - or which you are using to access the panel via https://admin.domain.tld:8443.

For the services we assume they all are located using srv.domain.tld. So replace srv.domain.tld with your own URL.

If the address of your admin panel matches the one from your services you have to do some steps only once (e.g. creation of certs).

2. Creation of SSL certificates

First of all, we need to generate some SSL certificates. This has to be done by the LetsEncrypt plugin. All you need to do is to create the domains/subdomains through the control panel and enable LetsEncrypt for them, even if you do not use them. We need it to be created by the LetsEncrypt plugin because it is generating the needed pem certificate files and it is also managing the update of those certificates.

So in our example we need to create:

• Domain: domain.tld
  
  
  • Subdomain: admin.domain.tld
  • Subdomain: srv.domain.tld

After we created these domains we also enable LetsEncrypt certificate creation for both.

3. Backup

For security reasons please create a backup of both certificates (see "1. Introduction" where to find them).

4. Symlinking

To always use the latest certificate we create a symlink for both certificate files. To store this symlink we first need to remove the old files (be sure you have a backup, if not you have to run the reconfiguration of I-MSCP to generate a new certificate):

The prepared LetsEncrypt SSL certificates are prepared by the plugin as pem files inside the directory /var/www/imscp/gui/data/certs. So we now create a link to our original SSL certificate files. This ensures that we always point to the newest cert file (be sure to replace admin.domain.tld and srv.domain.tld):

Now we need to change the file permissions to match the previouse permissions:

5. Service reloading

Now we need to reload each service to apply the certificate changes:

6. Automatically reload all services on certificate updates

As in "5. Service reloading" section described we always need to reload the services on SSL certificate changes. So we need to change some configuration settings for the LetsEncrypt plugin which is able to do this for us.
Open the /var/www/imscp/gui/plugins/LetsEncrypt/config.php file in your favorite editor and add an additional line at the certbot_cmd_create_options:

In my case it looks like that:
2016-09-25_02h44_43.png

Last step is to go in the control panel and reload the plugins. As long as you are not reloading the configuration, the changes are not applied.

7. Updating I-MSCP

During the update procedure I-MSCP tries to set permissions again on our linked certificate files which will fail. If you move the linked files to another folder the certs are missing, I-MSCP is checking that and is showing you the page to configure the certs again. To avoid that I wrote two little scripts which needs to be executed before you start an update and after the update finished successfully.

7.1 Before update start

This script moves both linked files temporary to the "/root/" folder and copies a original file back to the cert location I-MSCP needs. If you wanna change that be sure to change it at the finish script below too!

7.2 Start update

Now start the update of I-MSCP as usual. There should be no question about your SSL configuration.

7.3 After update finished

After the update finished you have to move the link files back to ensure the usage of the latest cert file. This script is deleting the current cert files inside the I-MSCP directory (see "1. Introduction" for paths) and replace them with the linked file which was moved by "7.1 Before update start". Only use this script if you run "7.1 Before update start"!

8. Check certs

Tools to check if the certs are applied as wanted:

• All ports: https://www.digicert.com/util/ (Windows only) - can be used to show certificates on a specific port:
• Online mail server check:
  
  
  • Inbound: https://de.ssl-tools.net/mailservers
  • Outboung: https://de.ssl-tools.net/mails (this is going to list the domain part of your e-mail on the page for everyone)
• IMAP/POP check: use your favorite E-Mail client and connect using ssl - it should give you a report if there is a ssl error
• FileZilla: open a ftp connection by using the prefix "ftpes://" to ensure secure connection (e.g. "ftpes://srv.domain.tld")
• Browser for admin panel

Please tell me if you have any questions regarding this documentation.

Feel free to use the "thumbs up" Button

In the LetsEncrypt plugin version 2.0.0, a new feature is introduced which make this documentation obsolete! So if you are using it - please stop to use it after you applied to LetsEncrypt plugin in version 2.0.0 or newer. To do so please execute the before update start script (7.1) before enabling service and panel certs - but do not use the finish part!!! After that be sure to not restart/reload the services, the plugin is knowing when they need be restarted/reloaded.

@Nuxwin
Installation worked and everything seems to be up and running *THUMBSUP*

Yes, I disabled it. If this is the main trouble - would it be easier to enable it again only for internal use? (but I would perefer to not use bind server if I do not need and use it local)

I just wanted to ask if it would be possible to add these information to the installer/update page like:
2016-09-25_01h11_26.png

Hi there,

I currently get the following error on updating from 1.3.1 to 1.3.2 (I used the bugfixed 1.3.1 version from repository).

Occures in the step:

Adittional information:
If using manual mode it occures on reconfigure: perl /var/www/imscp/engine/setup/imscp-reconfigure -d

OS: Ubuntu 16.04 LTS Linux srv 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
I-MSCP: 1.3.x (1.3.1 bugfixed version)
Targer I-MSCP: 1.3.2
Server implementation: PHP-FPM
Reproduce: start update procedure

Hello,

maybe you can add some information about installer mode "auto" and "manual" into the installer step "installer mode".

Additional information:
After some hours of testing I found a small mistake: dnsblog also logs if it was a whitelist entry. So all in all whitelisted mail servers get banned by this howto too. So this is not the final solution

Hello,


(Attention: please read the following post about whitelisted entries!)

currently I was under attack from a host which was on a dns blocklist (dnsbl) but was keep on trying with about 20 connections per second. So I decided to do something against it because postscreen blocked it but produced a lot of used cpu power from postscreen as well as fail2ban. Maybe this could help someone else too:

• First I created the file /etc/fail2ban/filter.d/postfix-dnsblog.conf file containing --> https://github.com/jannickfahl…tFix/postfix-dnsblog.conf
• After that I created the following entry inside /etc/fail2ban/jail.conf:

This is banning after 10 dnsblog entries for 300 seconds (5 minutes). And for me it is saving a lot of cpu at the moment

Hello,

just a general question:
Is there a planned feature for I-MSCP panel checkin the plugin version agains the plugin store? For me it would be great because I have a lot of plugins. Currently I use the abo functionality in the store which is working too, but some kind of a button "check versions" to be sure every plugin is up2date would be great.