How To Get LetsEncrypt Working With ISPConfig 3

LetsEncrypt is a new SSL certificate authority who offer free (as in beer and as in liberty) certificates along with an automated renewal tool. In theory it’s the ‘magic bullet’ for anyone who needs a free, quick and easy SSL certificate to help their site’s SEO. However it’s still in Beta for the moment and there are very few integrations with any major control panel solutions yet.

In this tutorial we will create certificates with LetsEncrypt, create certificates with ISPConfig and then replace them with the LetsEncrypt certificates using symbolic links so that LetsEncrypt can update its certificates and the change will automatically be recognised by Apache with no further changes required (hopefully, I’ll let you know how renewal goes in a couple of months).

The commands below are for the Apache webserver running on Debian/Ubuntu servers. If you are using a different Linux distro (e.g. CentOS) or a different web server (e.g. Nginx) you’ll need to adapt them for your own set-up.

Note: You’ll need to be the root user for these commands to work, otherwise prefix them with sudo.

1. Install git if it isn’t already installed:

  $ apt-get install git

2. Download LetsEncrypt and change directory:

  $ git clone https://github.com/letsencrypt/letsencrypt
  $ cd letsencrypt

3. By default LetsEncrypt wants to operate on port 80, which will probably conflict with Apache, so instead we set up mod_proxy and mod_proxy_http so that LetsEncrypt can be proxied via another port (in this example I’ll use 9999). More information on this issue is available:

  $ a2enmod proxy proxy_http
  $ service apache2 restart

4. Edit proxy.conf

  $ vim /etc/apache2/mods-enabled/proxy.conf

5. Add this to the file; if the <IfModule mod_proxy.c>…</IfModule> tags already exist you can re-use them:

  <IfModule mod_proxy.c>
      ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
      ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
      <Location "/.well-known/acme-challenge/">
          ProxyPreserveHost On
          Order allow,deny
          Allow from all
          Require all granted
      </Location>
  </IfModule>

6. Restart Apache again:

  $ service apache2 restart

7. Generate the LetsEncrypt certificates for your domain (change example.com to your domain name):

  $ ./letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d example.com

8. You should now have some nice new certificates:

  $ ls -lA /etc/letsencrypt/live/example.com/
  total 0
  lrwxrwxrwx 1 root root 49 Nov 11 10:27 cert.pem -> ../../archive/example.com/cert1.pem
  lrwxrwxrwx 1 root root 50 Nov 11 10:27 chain.pem -> ../../archive/example.com/chain1.pem
  lrwxrwxrwx 1 root root 54 Nov 11 10:27 fullchain.pem -> ../../archive/example.com/fullchain1.pem
  lrwxrwxrwx 1 root root 52 Nov 11 10:27 privkey.pem -> ../../archive/example.com/privkey1.pem

9. In ISPConfig go to:

Websites -> example.com -> Domain

Check the SSL checkbox and Save

10. In ISPConfig go to:

Websites -> example.com -> SSL

Enter values in the State, Locality, Organisation, Organisation Unit, Country fields and then at the bottom of the page under SSL Action select Create Certificate and click Save.

11. You might have to wait a minute for ISPConfig to generate its own certificates, but eventually you should be able to see them here:

  $ ls -lA /var/www/example.com/ssl/
  total 16
  -rw-r--r-- 1 root root 1330 Nov 11 13:22 example.com.crt
  -rw-r--r-- 1 root root 1119 Nov 11 13:22 example.com.csr
  -r-------- 1 root root 1675 Nov 11 13:22 example.com.key
  -r-------- 1 root root 1743 Nov 11 13:22 example.com.key.org

12. The next step is to remove the ISPConfig certs and add the symlinks:

  $ mv /var/www/example.com/ssl/example.com.crt /var/www/example.com/ssl/example.com.crt.old
  $ mv /var/www/example.com/ssl/example.com.key /var/www/example.com/ssl/example.com.key.old
  $ ln -s /etc/letsencrypt/live/example.com/fullchain.pem /var/www/example.com/ssl/example.com.crt
  $ ln -s /etc/letsencrypt/live/example.com/privkey.pem /var/www/example.com/ssl/example.com.key

To Note: The LetsEncrypt fullchain.pem certificate contains the domain specific cert AND the CA Root cert, i.e. it contains the ‘full chain’.

13. Finally restart Apache again:

  $ service apache2 restart

Your new LetsEncrypt certificates should now be working. The last step is to set up renewal.

14. According to the docs: “The letsencrypt tool will keep track of certificate expiration and renew certificates automatically by default.” but I can’t see anything new in cron.daily or cron.hourly and looking at the user guide it says “Let’s Encrypt is working hard on automating the renewal process. Until the tool is ready, we are sorry for the inconvenience!” Also, while the service is in beta testing they recommend renewing the certificates before they expire (normally after 90 days). So in order to prompt a renewal you can run the same command again:

  $ ./letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d example.com

…or, more conveniently, add this to the root crontab:

  30 1 10 1,3,5,7,9,11 * /root/letsencrypt/letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d example.com

This will run the renewal job at 1.30am on the 10th of every other month (Jan, Mar, May, etc).
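As an added example (not part of the original tutorial), the following POSIX shell wrapper can be called from that cron line instead of the bare letsencrypt-auto command. Rather than renewing blindly every other month it asks openssl whether the live certificate expires within a threshold (30 days by default, via `openssl x509 -checkend`) and only then runs the same letsencrypt-auto command the tutorial uses, followed by an Apache configtest and reload so the renewed certificate is actually served. The function names needs_renewal, renew_domain, run_renew and reload_apache are my own, and the LE_HOME and LE_LIVE defaults assume the tutorial's paths.

```shell
#!/bin/sh
# Added example, not from the original tutorial: renew a LetsEncrypt certificate
# only when it is close to expiry, then reload Apache.

LE_HOME=${LE_HOME:-/root/letsencrypt}          # where letsencrypt was cloned (assumed)
LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}      # certbot's live directory (assumed)

# needs_renewal CERT [DAYS] -> exit 0 when CERT expires within DAYS days.
# An unreadable or missing certificate is treated as "needs renewal".
needs_renewal() {
    cert="$1"; days="${2:-30}"
    [ -r "$cert" ] || return 0
    # -checkend exits 0 while the certificate stays valid for the whole window.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run_renew DOMAIN: the tutorial's own renewal command.
run_renew() {
    "$LE_HOME/letsencrypt-auto" --agree-dev-preview --agree-tos --renew-by-default \
        --standalone --standalone-supported-challenges http-01 --http-01-port 9999 \
        --server https://acme-v01.api.letsencrypt.org/directory certonly -d "$1"
}

# reload_apache: check the configuration first so a bad certificate file cannot
# take the whole web server down; only a reload is needed, not a restart.
reload_apache() {
    apache2ctl configtest && service apache2 reload
}

# renew_domain DOMAIN [DAYS]: renew and reload only when the certificate is
# within DAYS of expiry. Exit 0 when nothing needed doing or everything succeeded.
renew_domain() {
    domain="$1"; days="${2:-30}"
    cert="$LE_LIVE/$domain/fullchain.pem"
    if ! needs_renewal "$cert" "$days"; then
        echo "$domain: certificate valid for more than $days days, nothing to do"
        return 0
    fi
    echo "$domain: certificate expires within $days days, renewing"
    run_renew "$domain" || return 1
    reload_apache
}

# Usage from cron (daily is fine, since it only acts when needed):
#   30 1 * * * /root/renew-le.sh example.com
if [ "$#" -ge 1 ]; then
    renew_domain "$@"
fi
```

Because the script is idempotent, it can be scheduled daily; the renewal itself only happens inside the 30-day window, so a transient failure on one night is retried the next rather than waiting two months.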
