How to renew the ISPConfig 3 SSL Certificate

This tutorial describes the steps to renew the SSL Certificate of the ISPConfig 3 control panel. There are two alternative ways to achieve that:

  1. Create a new OpenSSL Certificate and CSR on the command line with OpenSSL.
  2. Renew the SSL Certificate with the ISPConfig updater

I'll start with the manual way to renew the ssl cert.

1) Create a new ISPConfig 3 SSL Certificate with OpenSSL

Login to your server on the shell as root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security sensitive so I'll store the backup in the /root/ folder.

tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
chmod 600 /root/ispconfig_ssl_backup.tar.gz

Now create a new SSL Certificate key, Certificate Request (csr) and a self signed Certificate.

openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key
mv ispserver.key.insecure ispserver.key

Restart Apache to load the new SSL Certificate.

service apache2 restart

2) Renew the SSL Certificate with the ISPConfig installer

The alternative way to get a new SSL Certificate is to use the ISPConfig update script.

Download ISPConfig to the /tmp folder, unpack the archive and start the update script.

cd /tmp
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

The update script will ask the following question during update:

Create new ISPConfig SSL certificate (yes,no) [no]:

Answer "yes" here and the SSL Certificate creation dialog will start.

Enable image caching in apache for better Google Page Speed results

High page speed and short page load times of your website are essential for good search engine rankings today. In this FAQ, I will show you how to enable caching of graphic and CSS files in apache on Ubuntu and Debian.

The first step is to enable the expires module in apache:

a2enmod headers expires

This module allows the apache web server to set HTTP headers, in this case, to set the modification header for static assets like image and CSS files that don't change often.

Add the following config snippet inside the vhost file of the web site or at the end of the file /etc/apache2/apache2.conf to enable it globally.

<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=3024000, public"

Finally reload apache to apply the configuration change.

service apache2 reload

On ISPConfig 3 servers, the snippet can be added in the "Apache Directives" field of the website instead. There is no apache reload required as ISPConfig takes care about that.

How to add PHP support for jailed SSH users in ISPConfig 3

Jailkit is an easy to use tool to create and maintain jail environments for shell users on Linux. In this guide, I will show you how to move PHP and its dependencies into the jail so that the jailed user can execute PHP scripts inside the jail.
Continue reading How to add PHP support for jailed SSH users in ISPConfig 3

Which ports are used on a ISPConfig 3 server and shall be open in the firewall?

Here is a list of ports that are used commonly on ISPConfig 3 servers. If you don't have all services installed or if you e.g. don't want to connect to MySQL from external servers, then close the unused or unwanted ports.

TCP ports

20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS
80 - HTTP (Webserver)
110 - POP3 (Email)
143 -Imap (Email)
443 - HTTPS (Secure web server)
993 - IMAPS (Secure Imap)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081- ISPConfig apps vhost

UDP ports

53 - DNS
3306 - MySQL

Setting up email routing to gmail / google apps via ISPConfig 3

The following guide describes the steps to add DNS records that route emails from a domain managed in ISPConfig 3 to google apps / gmail. The guide assumes that you have already setup the dns zone for your domain in ispconfig.

Login to ISPConfig, click on the DNS module icon in the upper navigation bar, then open the settings of the DNS zone that you want to redirect to google and click on the "records" tab. You should see a record list similar to this:

Now Delete the existing MX record and the "mail" A-Record. Then add the following new records:

CNAME Record:

Hostname: mail


IMPORTANT: All full domain names like "" have to end with a dot, if the dot is missing, the name is treated as subdomain of the zone.

The resulting record list should look like this:

Change of mail header form field identifier from ISPConfig 2 to ISPConfig 3

If you have a local mail server installed and change your server controlpanel to ISPConfig 3, having used ISPConfig 2 in the past, you may have to change the value that defines the form field observed by all functions in need of the address that mails are supposed to be delivered to (catchalls, etc.) on your mail server preferences since the identifier has changed from X-Delivered-To to Delivered-To in ISPConfig 3; otherwise the system won't be able to find the necessary information in the mails' headers.

Restart the server afterwards and you should find it working again.

Thanks to Alexander Fox for this post!

Fix “HTTP request length 134926 (so far) exceeds MaxRequestLen” error on Debian Linux

When you get a 500 error in a webpage hosted on Debian Linux (6.0) with apache webserver and fastcgi, take a look into the apache error.log file. This can either be the global error.log or the error.log of the website where you got the error. If you find a error similar to this one:

[Fri Apr 10 15:18:05 2012] [warn] [client] mod_fcgid: HTTP request length 134926 (so far) exceeds MaxRequestLen (131072), referer: http://www.example.tld/administrator/index.php?option=com_installer

then the MaxRequestLen setting of mod_fccgid is too low. To fix that, edit the file /etc/apache2/mods-available/fcgid.conf

vi /etc/apache2/mods-available/fcgid.conf

and add or edit the line "MaxRequestLen 15728640" to set the Request Limit to 15MB. The resulting file should contain these settings:

 AddHandler fcgid-script .fcgi
 FcgidConnectTimeout 20
 MaxRequestLen 15728640

Save the changes and restart apache:

/etc/init.d/apache2 restart

Debugging of ISPConfig 3 server actions in case of a failure

The follwing article describes the steps that can be taken to debug the ISPConfig 3 server scripts.

Enable the debug Loglevel in ISPConfig

Login to the ISPConfig intterface and set the log level to Debug under System > System > Server Config (see also chapter of the ISPConfig 3 manual) for the affected server. After one or two minutes, there should be more detailed messages in ISPConfig's system log (Monitor > System State (All Servers) > Show System-Log).

Disable the cronjob

Go to the command line of the server on which the error happens (on multiserver systems, it is often the slave and not the master) and run (as root):

crontab -e

Comment out the cron job:

#* * * * * /usr/local/ispconfig/server/ > /dev/null >> /var/log/ispconfig/cron.log

Run the server script manually to get detailed debug output

Then run the command:


This will display any errors directly on the command line which should help you to fix the error. When you have fixed the error, please don't forget to uncomment the cron job again.

nginx server error: 413 Request Entity Too Large

The nginx webserver has a max. body size limit of 1 MB for requests as default. This might be too low for file uploads in scripts and you will see the following error message when you try to upload a file:

 413 Request Entity Too Large

The configuration variable for this option is "client_max_body_size" and it can be set in the http, server and location sections of the nginx configuration file. To set the Limit globally to 25 MB, edit the nginx.conf file and add:

client_max_body_size 20M;

in the http section.

Example for Ubuntu Linux:

user www-data;
worker_processes 4;
pid /var/run/;

events {
        worker_connections 768;
        # multi_accept on;

http {
        geoip_country  /etc/nginx/geoip/GeoIP.dat; # the country IP database
        geoip_city     /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
        # Basic Settings

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        client_max_body_size 20M;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;
        gzip_disable "msie6";

        # Virtual Host Configs

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

Enhanced e-mail SPAM protection in ISPConfig 3

The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.

In Detail:

  • Reject sender hostnames with invalid syntax
  • Reject sender hostnames that are no fully qualified domains (e.g. reject "server1" but allow server1.domain.tld)
  • Reject sender domains that have no DNS records
  • Check sender IP addresses against realtime blacklists.

First make a backup of the postfix file in case that you want to reverse the changes later:

cp -pf /etc/postfix/ /etc/postfix/

Then execute this command to enable the additional spam protection functions (the command is one line!).

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client,reject_rbl_client,reject_rbl_client, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart