Hint: The procedure described below is for ISPConfig versions < 3.0.3. For newer ISPConfig versions, use the built-in SSL certificate creation function of the ISPConfig updater instead. The steps below should only be used to create a new SSL certificate manually if you cannot run the updater on your installation.

The ISPConfig control panel login runs on http by default. This short tutorial shows you how to enable SSL encryption (https) for the ISPConfig vhost.

1) Make the directory for the SSL certificate:

mkdir /usr/local/ispconfig/interface/ssl
cd /usr/local/ispconfig/interface/ssl

2) Create the SSL certificate files:

openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key

3) Enable the mod_ssl module:

a2enmod ssl

4) Edit the ISPConfig vhost file:

vi /etc/apache2/sites-available/ispconfig.vhost

and insert the following lines between the "<VirtualHost ....></VirtualHost>" tags:

SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key

5) Restart apache2:

/etc/init.d/apache2 restart

The ISPConfig control panel login is now reachable on port 8080 by https.
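
A check for the files produced in step 2, written as an added example that is not part of the original tutorial: it confirms that the certificate was made from the key, that the key no longer needs a pass phrase (otherwise Apache prompts at every restart), and that the key, which step 2 leaves unencrypted on disk, is readable only by its owner. The function names `check_pair` and `make_test_pair` and the return codes are conventions of this example, and the test pair it can generate is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# check_pair CERT KEY: returns 0 when Apache can load the pair unattended.
#   2 = file missing, 3 = key still pass-phrase protected, 4 = unparsable,
#   5 = certificate was not made from this key, 6 = key readable by group/other
check_pair() {
    cert=$1 key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    # Both PEM encodings of an encrypted key carry the word ENCRYPTED in the
    # header; such a key makes Apache prompt on every restart.
    if grep -q 'ENCRYPTED' "$key"; then return 3; fi
    # Compare the public key derived from the private key with the one
    # embedded in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || return 4
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    [ "$key_pub" = "$crt_pub" ] || return 5
    # The key is stored in clear text, so only its owner should read it.
    mode=$(ls -ln "$key" | cut -c5-10)
    [ "$mode" = "------" ] || return 6
    return 0
}

# make_test_pair DIR: constructed sample data (2048-bit, valid 1 day, the CN
# is a placeholder) so the check can be tried without touching the real files.
make_test_pair() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ispconfig.example.test" \
        -keyout "$1/ispserver.key" -out "$1/ispserver.crt" 2>/dev/null &&
    chmod 600 "$1/ispserver.key"
}

# Usage on the real files from step 2, before restarting Apache:
#   check_pair /usr/local/ispconfig/interface/ssl/ispserver.crt \
#              /usr/local/ispconfig/interface/ssl/ispserver.key; echo $?
```

A result of 6 on the real key is fixed with `chmod 600 ispserver.key`; the same applies to the `ispserver.key.secure` copy left in the directory.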


33 thoughts on “Enable SSL for the ISPConfig 3 Controlpanel Login”

  • August 15, 2009 at 10:16 pm
    Permalink

    Small typo in step 2:
    mv server.key server.key.secure -> mv ispserver.key ispserver.key.secure

    Another tip: change port 8080 to for example 8443

    Reply
  • August 17, 2009 at 7:24 pm
    Permalink

    Thanks, I’ve fixed the typo.

    Reply
  • September 17, 2009 at 12:06 pm
    Permalink

    You should add this to support old browsers that don’t fully support ssl and to stop browsers from negotiating connections with lower encryptions:

    SSLProtocol All -SSLv2
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    Reply
  • November 17, 2009 at 11:19 am
    Permalink

    The guide says:
    mkdir /etc/apache2/ssl

    But I do not have a ‘/etc/apache2/’ folder on my Fedora 10 ISPConfig 3 configuration. Do I simply create it? Or is it located elsewhere?

    Reply
  • November 18, 2009 at 2:55 pm
    Permalink

    On Fedora, the apache folder is /etc/httpd/ instead of /etc/apache2/.

    Reply
  • December 14, 2009 at 11:05 am
    Permalink

    Hi,

    Start SSL and many other SSL-certificate companies are providing pem-files to their certificates. Without the pem-files the certificates are running on the actual firefox and internet explorer for example smoothly, but not on iphone or other browsers.

    The following lines were missing in the definitions of the SSL vhost-file regarding to the Domain (example with start ssl class 1 cert):

    SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
    SSLCACertificateFile /usr/local/apache/conf/ca.pem

    Best wishes,
    pee

    Reply
  • December 14, 2009 at 10:37 pm
    Permalink

    Where can you put the directives so that the update does not nuke them?

    Reply
    • January 2, 2010 at 7:14 pm
      Permalink

      Dear korbynn,

      I suppose you mean Apache directives associated with your web site. In that case, yes, I suggest using the OPTIONS section under the ISPConfig 3 website administration panel. You will get the same power as a “.htaccess” file.
      In case you are talking about the Apache directives specifically to apply the modification explained by Till, I suggest applying them here: “/etc/apache2/sites-available/ispconfig.vhost”
      At least all this is valid for ISPConfig 3.0.1.6 under Debian Lenny.

      Cheers

      LTVZ ( http://www.jabber.lu )

      Reply
  • February 19, 2010 at 6:48 pm
    Permalink

    Doesn’t work on ISPconfig3 on ubuntu 8.04 – after making the changes and restarting apache the ispconfig3 is still accessible via http and https://servername gives error:

    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

    Reply
    • February 20, 2010 at 9:50 am
      Permalink

      This works on every Linux distribution. The error you get indicates that there is either no ssl cert or that the ssl cert is corrupted. This might happen if you enter characters that openssl cannot interpret correctly when the ssl cert is generated. Create the ssl cert again and do not enter any special chars besides a-z and 0-9 to be on the safe side.

      Reply
  • March 8, 2010 at 4:14 pm
    Permalink

    only difference for centos is the following:

    step 1:
    mkdir /etc/httpd/ssl
    cd /etc/httpd/ssl

    step 3: sudo yum install mod_ssl

    Reply
  • March 30, 2010 at 10:44 pm
    Permalink

    One of the lines appears in my browser to be cut short…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.c

    Should be…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt

    Also, when creating the certificate and one is asked for the Common Name, you should put the fully qualified domain name of the server. Otherwise you will get a warning every time you restart Apache that the Common Name doesn’t match the Server Name. Cleans up the logs a little if they match.

    Reply
  • June 12, 2010 at 8:55 pm
    Permalink

    great howto. I’m trying to setup http -> https for ispconfig (to automate logging in via https) with mod_rewrite but it doesn’t work. Every time I access http://hostname:8080 I get error 400. Any suggestions?

    Reply
  • June 21, 2010 at 6:47 pm
    Permalink

    got a weird little problem with one of these steps:

    h1XXX0:/etc/apache2/ssl# openssl rsa -in ispserver.key -out ispserver.key.insecure
    Enter pass phrase for ispserver.key:
    unable to load Private Key
    18968:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
    18968:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

    what exactly is the matter? I followed all steps successfully till I reached this one..

    Reply
  • July 27, 2010 at 12:35 pm
    Permalink

    This manual somehow broke my mod ssl. I can start the server with a2dismod ssl, but when I try it with a2enmod ssl, it just fails with no errors on the command line or in the logfiles. No SSL on my server anymore.

    Reply
    • July 27, 2010 at 12:43 pm
      Permalink

      Seems as if the SSL cert is corrupted. Redo the instructions and ensure that you do not add any whitespace after the \ chars!

      Reply
      • September 26, 2010 at 7:16 pm
        Permalink

        Did all the steps again, but the SSL mod seems unreturnably corrupted. The only thing that works is disabling the SSL mod, but I would like to use ssl on my server. Btw restarting the apache2 daemon gets me an error:
        NameVirtualHost xx.xx.xx.xx:80 has no Virtual Hosts
        NameVirtualHost xx.xx.xx.xx:443 has no Virtual Hosts
        (2x)
        I would like to return the changes made here, so SSL works on my websites, I don’t need it on ISPConfig anymore.

        Reply
  • September 24, 2010 at 11:47 pm
    Permalink

    Works great–thanks again!

    Reply
  • September 25, 2010 at 6:59 pm
    Permalink

    Till, thanks again for your wisdom.
    I have followed all the steps listed, but now every time you restart the apache server, it asks for the password I used on the certificate. Is there any way that this password is stored so that it restarts without my intervention?

    Thanks

    Reply
    • September 25, 2010 at 7:04 pm
      Permalink

      Seems as if you created an encrypted ssl cert. Recreate the ssl certificate and choose no when openssl asks you if the key shall be encrypted.

      Reply
  • October 16, 2010 at 9:14 pm
    Permalink

    You could also create a new site within ISPconfig. Like: ispconfig.domain.tld enable SSL, create the certificate and have the following in the options.

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    allow from all

    This way you don’t have to change the default settings of ISPconfig3.

    Don’t forget to block port 8080 from the outside.

    Reply
    • July 7, 2011 at 11:52 am
      Permalink

      Enter the URL to your phpmyadmin installation in ISPConfig under System > Interface config.

      Reply
  • September 26, 2011 at 4:35 am
    Permalink

    I get this error for some reason. It doesn’t appear the folder exists. Should I create the folder?

    mv: cannot stat `ispserver.key.insecure’: No such file or directory

    Reply
    • September 26, 2011 at 10:50 am
      Permalink

      Then the creation of the key has failed. Please redo the steps to create the key; don’t use any special characters in the ssl cert details as this might cause openssl to fail.

      Reply
      • September 27, 2011 at 1:21 am
        Permalink

        All I did was copy and paste. Should I be doing something else?

        Reply
        • September 27, 2011 at 3:25 pm
          Permalink

          The openssl commands that you executed asked you to input the details of the ssl certificate. When you enter special chars there like German umlauts, then the ssl cert creation will fail. Please redo the ssl cert creation and enter only chars a-z and 0-9 and spaces when openssl asks for details like name, city etc.

          Reply
          • September 27, 2011 at 10:01 pm
            Permalink

            Thanks Till, I see my error. It appears the code can’t be copied and pasted all together. I copied line by line and then it asks for the SSL info (Country, State, Organization, etc.) unlike before.

  • April 30, 2012 at 12:22 am
    Permalink

    Hi, this has worked perfectly.

    How would I make an auto redirect from http to https for this Virtual host?

    Reply
  • December 3, 2014 at 10:47 am
    Permalink

    Hi

    I enabled SSL, and tried to link my site with https.
    It shows me “502 bad gateway”, but it is normal when I link my site with http.

    How to fix it?

    Reply
  • March 26, 2016 at 7:47 am
    Permalink

    I want to install comodo wildcard ssl to ispconfig 3 debian 7. What to do?

    Reply
