Enable SSL for the ISPConfig 3 Controlpanel Login

Monday, August 3, 2009 posted by Till

Hint: The procedure described below is for ISPConfig versions < 3.0.3. For newer ISPConfig versions, use the built-in SSL certificate creation function of the ISPConfig updater instead. Use the steps below only to create a new SSL certificate manually if you cannot run the updater on your installation.

The ISPConfig control panel login runs on http by default. This short tutorial shows you how to enable SSL encryption (https) for the ISPConfig vhost.

1) Make the directory for the SSL certificate:

mkdir /usr/local/ispconfig/interface/ssl
cd /usr/local/ispconfig/interface/ssl

2) Create the SSL certificate files

openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key

3) Enable the mod_ssl module

a2enmod ssl

4) Edit the ISPConfig vhost file

vi /etc/apache2/sites-available/ispconfig.vhost

and insert the following lines between the "<VirtualHost ....></VirtualHost>" tags:

SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key

5) Restart apache2

/etc/init.d/apache2 restart

The ISPConfig controlpanel login is now reachable on port 8080 by https.
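
A check for the outcome of steps 2 and 4, as an added example that is not part of the original post: it confirms that the three SSL directives sit inside the <VirtualHost> block and that the key Apache loads has no passphrase and is not accessible to group or other. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the outcome of steps 2 and 4.

# check_key FILE: returns the number of findings for the key Apache will load.
check_key() {
    key=$1; findings=0
    [ -r "$key" ] || { echo "MISSING: $key"; return 1; }
    # Either marker means the PEM key is still passphrase-protected, so
    # Apache would prompt for the passphrase on every restart.
    if grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "ENCRYPTED: $key"; findings=$((findings + 1))
    fi
    # The passphrase-free key should be accessible to its owner only.
    if [ "$(ls -ln "$key" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $key (use chmod 600)"; findings=$((findings + 1))
    fi
    return "$findings"
}

# check_vhost FILE: returns how many of the three step-4 directives are
# missing from inside the <VirtualHost> block.
check_vhost() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^<virtualhost/   { inside = 1; next }
        tolower($1) ~ /^<\/virtualhost/ { inside = 0; next }
        !inside { next }
        tolower($1) == "sslengine" && tolower($2) == "on" { engine = 1 }
        tolower($1) == "sslcertificatefile"    { cert = $2 }
        tolower($1) == "sslcertificatekeyfile" { key = $2 }
        END {
            if (!engine)    { print "VHOST: SSLEngine On missing"; bad++ }
            if (cert == "") { print "VHOST: SSLCertificateFile missing"; bad++ }
            if (key == "")  { print "VHOST: SSLCertificateKeyFile missing"; bad++ }
            exit bad + 0
        }' "$1"
}

# Constructed sample: a vhost with SSLEngine placed after </VirtualHost>, and a
# stand-in for a key that kept its passphrase and is world-readable.
demo_dir=$(mktemp -d)
printf '%s\n' '<VirtualHost _default_:8080>' '  ServerAdmin webmaster@localhost' \
    '</VirtualHost>' 'SSLEngine On' > "$demo_dir/ispconfig.vhost"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo_dir/ispserver.key"
chmod 644 "$demo_dir/ispserver.key"
check_vhost "$demo_dir/ispconfig.vhost" || echo "vhost findings: $?"
check_key "$demo_dir/ispserver.key" || echo "key findings: $?"
rm -rf "$demo_dir"
```

On a real installation, run `check_vhost /etc/apache2/sites-available/ispconfig.vhost` and `check_key /usr/local/ispconfig/interface/ssl/ispserver.key`.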


31 Responses to “Enable SSL for the ISPConfig 3 Controlpanel Login”

  1. Cor says:

    Small typ-error in step 2:
    mv server.key server.key.secure -> mv ispserver.key ispserver.key.secure

    Another tip: change port 8080 to for example 8443

  2. admin says:

    Thanks, I’ve fixed the typo.

  3. Leszek says:

    You should add this to support old browsers that don’t fully support ssl and to stop browsers from negotiating connections with lower encryptions:

    SSLProtocol All -SSLv2
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

  4. Jon says:

    Excellent, thanks!

  5. strCoder says:

    The guide says:
    mkdir /etc/apache2/ssl

    But I do not have a ‘/etc/apache2/’ folder on my Fedora 10 ISPconfig 3 configuration. Do I simply create it? Or is it located elsewhere?

  6. Till says:

    On Fedora, the apache folder is /etc/httpd/ instead of /etc/apache2/.

  7. pee says:

    Hi,

    Start SSL and many other SSL-certificate companies are providing pem-files to their certificates. Without the pem-files the certificates are running on the actual firefox and internet explorer for example smoothly, but not on iphone or other browsers.

    The following lines were missing in the definitions of the SSL vhost-file regarding to the Domain (example with start ssl class 1 cert):

    SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
    SSLCACertificateFile /usr/local/apache/conf/ca.pem

    Best wishes,
    pee

  8. korbynn says:

    Where can you put the directives so that the update does not nuke them?

    • ltvz says:

      Dear korbynn,

      I suppose you mean apache directives associated with your web site. In case YES, I suggest using the OPTIONS section under the ISPConfig 3 website administration panel. You will get the same power as a “.htaccess” file.
      In case you are talking about the apache directives specifically to apply the modification explained by Till, I suggest applying them here: “/etc/apache2/sites-available/ispconfig.vhost”
      At least all this is valid for ISPConfig 3.0.1.6 under DEBIAN lenny.

      Cheers

      LTVZ ( http://www.jabber.lu )

  9. Rauls says:

    Doesn’t work on ISPconfig3 on ubuntu 8.04 – after making the changes and restarting apache the ispconfig3 is still accessible via http and https://servername gives error:

    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

    • Till says:

      This works on every Linux distribution. The error you get indicates that there is either no ssl cert or that the ssl cert is corrupted. This might happen if you enter characters that openssl can not interpret correctly when the ssl cert is generated. Create the ssl cert again and do not enter any special chars besides a-z and 0-9 to be on the safe side.

  10. paul says:

    only difference for centos is the following:

    step 1:
    mkdir /etc/httpd/ssl
    cd /etc/httpd/ssl

    step 3: sudo yum install mod_ssl

  11. John says:

    One of the lines appears in my browser to be cut short…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.c

    Should be…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt

    Also, when creating the certificate and one is asked for the Common Name, you should put the fully qualified domain name of the server. Otherwise you will get a warning every time you restart Apache that the Common Name doesn’t match the Server Name. Cleans up the logs a little if they match.

  12. Manolis says:

    great howto. I’m trying to setup http -> https for ispconfig (to automate logging in via https) with mod_rewrite but it doesn’t work. Every time I access http://hostname:8080 I get error 400. Any suggestions?

  13. ovidiu says:

    got a weird little problem with one of these steps:

    h1XXX0:/etc/apache2/ssl# openssl rsa -in ispserver.key -out ispserver.key.insecure
    Enter pass phrase for ispserver.key:
    unable to load Private Key
    18968:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
    18968:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

    what exactly is the matter? I followed all steps successfully till I reached this one..

  14. Marwain says:

    This manual somehow broke my mod ssl. I can start the server when a2dismod ssl, but when I try it with a2enmod ssl, it just fails with no errors on the command line or in the logfiles. No SSL on my server anymore.

    • Till says:

      Seems as if the SSL cert is corrupted. Redo the instructions and ensure that you do not add any whitespace after the \ chars!

      • Marwain says:

        Did all the steps again, but the SSL mod seems unreturnably corrupted. The only thing that works is disabling the SSL mod, but I would like to use ssl on my server. Btw restarting the apache2 daemon gets me an error:
        NameVirtualHost xx.xx.xx.xx:80 has no Virtual Hosts
        NameVirtualHost xx.xx.xx.xx:443 has no Virtual Hosts
        (2x)
        I would like to return the changes made here, so SSL works on my websites, I don’t need it on ISPConfig anymore.

  15. PermaNoob says:

    Works great–thanks again!

  16. Till Thanks again for your wisdom,
    I have followed all the steps listed, but now every time the apache server is restarted, it asks for the password I used on the certificate. Is there any way that this password is stored and it is restarted without my intervention?

    Thanks

    • Till says:

      Seems as if you created an encrypted ssl cert. Recreate the ssl certificate and choose no when openssl asks you if the key shall be encrypted.

  17. You could also create a new site within ISPconfig. Like: ispconfig.domain.tld enable SSL, create the certificate and have the following in the options.

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    allow from all

    This way you don’t have to change the default settings of ISPconfig3.

    Don’t forget to block port 8080 from the outside.

  18. sergi says:

    Any solution for phpmyadmin? I put the Phpmyadmin option in the panel, and put:

    https://serveri.domain.com/phpmyadmin, and an error appears. I need phpmyadmin not SSL.

    How to??

  19. RushPower says:

    I get this error for some reason. It doesn’t appear the folder exists. Should I create the folder?

    mv: cannot stat `ispserver.key.insecure’: No such file or directory

    • Till says:

      Then the creation of the key has failed. Please redo the steps to create the key, don’t use any special characters in the ssl cert details as this might cause openssl to fail.

      • RushPower says:

        All I did was copy and paste. Should I be doing something else?

        • Till says:

          The openssl commands that you executed asked you to input the details of the ssl certificate. When you enter special chars there like german umlauts, then the ssl cert creation will fail. Please redo the ssl cert creation and enter only chars a-z and 0-9 and spaces when openssl asks for details like name, city etc.

          • RushPower says:

            Thanks Till, I see my error. It appears the code can’t be copied and pasted all together. I copied line by line and then it asks for the SSL info (Country, State, Organization, etc.) unlike before.

  20. DanHorniblow says:

    Hi, this has worked perfectly.

    How would I make an auto redirect from http to https for this Virtual host?

  21. Works great–thanks again !!!!
