Use One SSL Certificate in an ISPConfig3 Configuration

Last year I implemented an ISPConfig3 configuration for personal use, mainly to host some e-mail domains and perhaps some basic websites. This setup was relatively easy to implement and should have been a breeze to maintain... until I got an e-mail from the provider last Tuesday mentioning that my Linux VPS was attacking other hosts around the world. *GASP*. My VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.

I did some research and investigation but couldn't find anything really wrong, so I decided to re-implement the ISPConfig3 setup from scratch, this time using other components than before.

Before, I used Courier for mail and Apache as the web server. This time I switched to Dovecot for e-mail and Nginx for web services. The rest was basically the same.

After the installation I needed to replace the self-signed certificates of the various services, just as I did before. Only this time I wanted to use a single place on the filesystem to store the certificate(s), so that when I replace them in a year or two I don't need to replace several copies of the same certificate in different locations.

This meant that I needed to find the config files of the services and re-configure them to point to another location. One problem is the Pure-FTPd service: it doesn't seem to have a config option pointing to a specific location, and just assumes that the certificate is located at the following path:

/etc/ssl/private/pure-ftpd.pem

This made the decision of where to store the certificates for the services easy. The only challenge is that the various services expect the certificate in different formats, so I had to upload the same certificate in several forms.

The file names all start with sslcertificate, but you can choose whatever name you want.

  • sslcertificate.cer
    This file contains the base64-encoded public certificate.
  • sslcertificate.key
    This file contains the base64-encoded, unsecured private key. The reason for not securing it with a password is that some software can't handle a passphrase-protected key. I could use a separate password-protected key file for the services that do support it, but what's the use if both files are stored in the same location anyway?
  • sslcertificate.pem
    This file contains the base64-encoded private key followed by the public certificate (in that order).
  • pure-ftpd.pem
    This file is a copy of the sslcertificate.pem file. As mentioned before, the Pure-FTPd service needs the certificate in a predefined place, with a fixed name and format.
BASE64 Public Key Format

BASE64 Unsecured Private Key Format

BASE64 Public and Private Key Format

Webmin

The Webmin SSL settings can be found under Webmin -> Webmin Configuration -> SSL Encryption. Just point it to the correct file and you're done. In my case I used the combined PEM file containing both the private key and the certificate.

Webmin SSL settings

Dovecot

The Dovecot config file is located at:

/etc/dovecot/dovecot.conf

Change the following lines in the config file:

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

to

ssl_cert = </etc/ssl/private/sslcertificate.pem
ssl_key = </etc/ssl/private/sslcertificate.pem

ISPConfig3

This certificate reference is for the ISPConfig web GUI, which runs on port 8080 by default. It doesn't change the certificate settings for hosted client sites or other websites.

The ISPConfig config itself has no reference to certificates; the reference is made by the web server. ISPConfig runs as a virtual host on the Nginx web server (in my case), so you need to edit the vhost config file at:

/etc/nginx/sites-available/ispconfig.vhost

Replace the following

server {
listen 8080 ssl;
ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;

with

server {
listen 8080 ssl;
ssl_certificate /etc/ssl/private/sslcertificate.cer;
ssl_certificate_key /etc/ssl/private/sslcertificate.key;

Postfix

The Postfix config file is located at:

/etc/postfix/main.cf

where you need to find the following lines:

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

And change that to:

# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/ssl/private/sslcertificate.cer
smtpd_tls_key_file = /etc/ssl/private/sslcertificate.key

Restart the services

All that remains is to restart the affected services:

[root@host ~]# service nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[root@host ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@host ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@host ~]# service webmin restart
Stopping Webmin server in /usr/libexec/webmin
Starting Webmin server in /usr/libexec/webmin
Pre-loaded WebminCore
[root@host ~]#

Or you can reboot your server.

Posted on February 15, 2013 and filed under Software, Tips'n Tricks, Security.