Enable SSL for the ISPConfig 3 Controlpanel Login

Hint: The procedure described below is for ISPConfig versions < 3.0.3. For newer ISPConfig versions, use the built-in SSL certificate creation function of the ISPConfig updater instead. Use the steps below only to create a new SSL certificate manually when you cannot run the updater on your installation.

The ISPConfig controlpanel login is running on http by default. This short tutorial shows you how to enable SSL encryption (https) for the ISPConfig vhost.

1) Make the directory for the SSL certificate:

mkdir /usr/local/ispconfig/interface/ssl
cd /usr/local/ispconfig/interface/ssl

2) Create the SSL certificate files

openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key

3) Enable the mod_ssl module

a2enmod ssl

4) Edit the ISPConfig vhost file

vi /etc/apache2/sites-available/ispconfig.vhost

and insert the following lines between the "<VirtualHost ....></VirtualHost>" tags:

SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key

5) Restart apache2

/etc/init.d/apache2 restart

The ISPConfig controlpanel login is now reachable on port 8080 by https.
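
A sanity check for the files created in step 2 and referenced in step 4, as an added example that is not part of the original tutorial: it confirms that the key is unencrypted, not readable by group or others, matches the certificate, and that the certificate has not expired. The function name check_ispconfig_ssl is hypothetical; the default directory and file names are the ones used above.

```shell
#!/bin/sh
# Added example (not ISPConfig code): verify the certificate/key pair from step 2.
# check_ispconfig_ssl is a hypothetical helper name.
# Returns 0 when every check passes, otherwise a distinct code per failed check.
check_ispconfig_ssl() {
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    crt="$dir/ispserver.crt"
    key="$dir/ispserver.key"

    # 1: both files referenced by the vhost must exist and be non-empty
    [ -s "$crt" ] && [ -s "$key" ] || { echo "missing $crt or $key" >&2; return 1; }

    # 2: a passphrase-protected key makes Apache ask for the passphrase on restart
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is still passphrase-protected" >&2
        return 2
    fi

    # 3: the unencrypted key must not be accessible to group or others
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key is group/world accessible, use chmod 600" >&2; return 3; }

    # 4: certificate and private key must carry the same public key
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ "$crt_pub" = "$key_pub" ] || { echo "certificate does not match key" >&2; return 4; }

    # 5: the certificate must not be expired
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "$crt has expired" >&2; return 5; }

    return 0
}
```

Call check_ispconfig_ssl without an argument after step 2 to check the default directory, or pass another directory as the first argument.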

33 thoughts on “Enable SSL for the ISPConfig 3 Controlpanel Login”

  1. Small typo in step 2:
    mv server.key server.key.secure -> mv ispserver.key ispserver.key.secure

    Another tip: change port 8080 to for example 8443

  2. You should add this to support old browsers that don’t fully support ssl and to stop browsers from negotiating connections with lower encryptions:

    SSLProtocol All -SSLv2
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

  3. The guide says:
    mkdir /etc/apache2/ssl

    But I do not have a ‘/etc/apache2/’ folder on my Fedora 10 ISPConfig 3 configuration. Do I simply create it? Or is it located elsewhere?

  4. Hi,

    Start SSL and many other SSL-certificate companies are providing pem-files to their certificates. Without the pem-files the certificates are running on the actual firefox and internet explorer for example smoothly, but not on iphone or other browsers.

    The following lines were missing in the definitions of the SSL vhost-file regarding to the Domain (example with start ssl class 1 cert):

    SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
    SSLCACertificateFile /usr/local/apache/conf/ca.pem

    Best wishes,

    • Dear korbynn,

      I suppose you mean Apache directives associated with your web site. If yes, I suggest using the OPTIONS section under the ISPConfig 3 website administration panel. You will get the same power as a “.htaccess” file.
      In case you are talking about the Apache directives specifically to apply the modification explained by Till, I suggest applying them here: “/etc/apache2/sites-available/ispconfig.vhost”
      At least all this is valid for ISPConfig under Debian lenny.


      LTVZ ( http://www.jabber.lu )

  5. Doesn’t work on ISPconfig3 on ubuntu 8.04 – after making the changes and restarting apache the ispconfig3 is still accessible via http and https://servername gives error:

    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

    • This works on every Linux distribution. The error you get indicates that there is either no ssl cert or that the ssl cert is corrupted. This might happen if you enter characters that openssl cannot interpret correctly when the ssl cert is generated. Create the ssl cert again and do not enter any special chars besides a-z and 0-9 to be on the safe side.

  6. One of the lines appears in my browser to be cut short…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.c

    Should be…

    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt

    Also, when creating the certificate and one is asked for the Common Name, you should put the fully qualified domain name of the server. Otherwise you will get a warning every time you restart Apache that the Common Name doesn’t match the Server Name. Cleans up the logs a little if they match.

  7. got a weird little problem with one of these steps:

    h1XXX0:/etc/apache2/ssl# openssl rsa -in ispserver.key -out ispserver.key.insecure
    Enter pass phrase for ispserver.key:
    unable to load Private Key
    18968:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
    18968:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

    what exactly is the matter? I followed all steps successfully till I reached this one..

  8. This manual somehow broke my mod ssl. I can start the server when a2dismod ssl, but when I try it with a2enmod ssl, it just fails with no errors in the command line or in the logfiles. No SSL on my server anymore.

    • Seems as if the SSL cert is corrupted. Redo the instructions and ensure that you do not add any whitespace after the \ chars!

      • Did all the steps again, but the SSL mod seems unreturnably corrupted. The only thing that works is disabling the SSL mod, but I would like to use ssl on my server. Btw restarting the apache2 daemon gets me an error:
        NameVirtualHost xx.xx.xx.xx:80 has no Virtual Hosts
        NameVirtualHost xx.xx.xx.xx:443 has no Virtual Hosts
        I would like to return the changes made here, so SSL works on my websites, I don’t need it on ISPConfig anymore.

  9. Till Thanks again for your wisdom,
    I have followed all the steps listed, but now every time you restart the apache server, asking for the password I used on the certificate, is there any way that this password is stored and is restarted without my intervention?


    • Seems as if you created an encrypted ssl cert. Recreate the ssl certificate and choose no when openssl asks you if the key shall be encrypted

    • Then the creation of the key has failed. Please redo the steps to create the key, don’t use any special characters in the ssl cert details as this might cause openssl to fail.

        • The openssl commands that you executed asked you to input the details of the ssl certificate. When you enter special chars there like German umlauts, then the ssl cert creation will fail. Please redo the ssl cert creation and enter only chars a-z and 0-9 and spaces when openssl asks for details like name, city etc.

          • Thanks Till, I see my error. It appears the code can’t be copied and pasted all together. I copied line by line and then it asks for the SSL info (Country, State, Organization, etc.) unlike before.

  10. Hi

    I enabled SSL, and to link my site with https.
    It shows me “502 bad gateway”, but it is normal when I link my site with http.

    How to fix it?

