In these pages there are several howtos about creating and installing SSL certificates. Although most of them are correct, they generate too many certificates and lack a common directory in which to store the certs.

See this forum thread for more information or discussion about this page: http://www.isp-control.net/forum/thread-6327.html

This is just another procedure. Partially based on this

1. Installing dependencies

apt-get install openssl

2. Generate the certificates

This is the fastest way to generate the certificates. You end up with two different keys: a password-protected one ($SERVER_NAME-pass.key) and a passwordless one ($SERVER_NAME.key), which is the one the services below point at.

SERVER_NAME=your_host_name

cd /etc/ssl/certs
echo $SERVER_NAME
openssl genrsa -des3 -out $SERVER_NAME-pass.key 2048
openssl req -new -key $SERVER_NAME-pass.key -out $SERVER_NAME.csr
openssl rsa -in $SERVER_NAME-pass.key -out $SERVER_NAME.key
openssl x509 -req -days 365 -in $SERVER_NAME.csr -signkey $SERVER_NAME.key -out $SERVER_NAME.crt
chmod 444 *.crt
chmod 400 *.key

3. Dovecot ssl for imaps and pop3s

Change these lines in dovecot.conf

protocols = imap pop3 imaps pop3s
ssl_disable = no
#Certificate
ssl_cert_file = /etc/ssl/certs/$SERVER_NAME.crt
#Keys
ssl_key_file = /etc/ssl/certs/$SERVER_NAME.key

4. Postfix ssl for smtps

Add these lines to /etc/postfix/main.cf

# TLS parameters; activate, if available/used
smtpd_tls_security_level    = may
smtpd_tls_loglevel          = 2
smtpd_tls_cert_file         = /etc/ssl/certs/$SERVER_NAME.crt
smtpd_tls_key_file          = /etc/ssl/certs/$SERVER_NAME.key
#smtpd_tls_auth_only         = no
smtpd_tls_received_header   = yes

After this you should restart Postfix

/etc/init.d/postfix restart

FIXME: Add config details for courier

5. ProFTPD ssl

Uncomment and edit these lines in /etc/proftpd/proftpd.conf

<IfModule mod_tls.c>
TLSEngine                on
TLSLog                   /var/log/proftpd/ftp_ssl.log
TLSProtocol              SSLv23
TLSOptions               NoCertRequest NoSessionReuseRequired
TLSRSACertificateFile    /etc/ssl/certs/$SERVER_NAME.crt
TLSRSACertificateKeyFile /etc/ssl/certs/$SERVER_NAME.key
TLSVerifyClient          off
</IfModule>

NOTE: Versions of ProFTPD prior to 1.3.3rc1 may error out on line 139 of proftpd.conf regarding the use of TLSOptions NoSessionReuseRequired, as it appears that mod_tls only accepts SSL/TLS data connections that reuse the SSL session of the control connection, as a security measure. Unfortunately, some clients (e.g. curl) do not reuse SSL sessions. Removing that option so the line reads only TLSOptions NoCertRequest should allow ProFTPD to be restarted.

After this you should restart ProFTPD

/etc/init.d/proftpd restart

6. Apache ssl for the admin login or customer sites

Your best bet for this is to follow the guide here: http://www.isp-control.net/documentation/doku.php?id=howto:defaultport The advantage of that solution is that port 443 stays available for your hosting customers, and you also get a generic address to hand out to customers (e.g. go to https://yourdomain.com:8443).

Old version (deprecated)

You should be using this to start apache listening in https: http://www.isp-control.net/documentation/doku.php?id=howto:defaultport

There's another (deprecated) guide here http://www.isp-control.net/documentation/howto/both_https_and_not_https_when_creating_a_domain

Enable ssl module for apache

a2enmod ssl
add "Listen 443" to /etc/apache2/ports.conf
/etc/init.d/apache2 reload

Add these lines to /etc/apache/sites_available/00_master.conf and change the port from 80 to 443. Remember to change $SERVER_NAME into your real server name.

SSLEngine On
SSLCertificateFile /etc/ssl/certs/$SERVER_NAME.crt
SSLCertificateKeyFile /etc/ssl/certs/$SERVER_NAME.key
ServerName $SERVER_NAME
ServerAlias admin.$SERVER_NAME
ServerAdmin admin@grn.es
/etc/init.d/apache2 reload

Here is a sample 00_master.conf with a mod_rewrite part that moves you from http to https.

# 
# Master Begin 
# 
<VirtualHost XXX.XXX.XXX.XXX:80>

    ServerAdmin     admin@yourdomain.com
    DocumentRoot    /var/www/ispcp/gui
    ServerName      admin.yourdomain.com
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.yourdomain.com$1 [R,L]
    ErrorLog        /var/log/apache2/users/admin.yourdomain.com-error.log
    TransferLog     /var/log/apache2/users/admin.yourdomain.com-access.log
    CustomLog       /var/log/apache2/admin.yourdomain.com-traf.log traff
    CustomLog       /var/log/apache2/admin.yourdomain.com-combined.log combined

</VirtualHost>

NameVirtualHost XXX.XXX.XXX.XXX:443 
 
<VirtualHost XXX.XXX.XXX.XXX:443>

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/yourdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/yourdomain.com.key
    ServerAdmin     admin@yourdomain.com
    DocumentRoot    /var/www/ispcp/gui
    ServerName      admin.yourdomain.com
    ErrorLog        /var/log/apache2/users/admin.yourdomain.com-error.log
    TransferLog     /var/log/apache2/users/admin.yourdomain.com-access.log
    CustomLog       /var/log/apache2/admin.yourdomain.com-traf.log traff
    CustomLog       /var/log/apache2/admin.yourdomain.com-combined.log combined
    Alias /errors   /var/www/ispcp/gui/errordocs/
    ErrorDocument 401 /errors/401.html
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
    ErrorDocument 503 /errors/503.html
    Alias /pma      /var/www/ispcp/gui/tools/pma/
    Alias /webmail  /var/www/ispcp/gui/tools/webmail/
    Alias /ftp      /var/www/ispcp/gui/tools/filemanager/
    <IfModule suexec_module>
           SuexecUserGroup vu2000 vu2000
    </IfModule>
    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mod_fastcgi.c>
        ScriptAlias /php4/ /var/www/fcgi/master/
        ScriptAlias /php5/ /var/www/fcgi/master/
        <Directory "/var/www/fcgi/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    <IfModule mod_php4.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/var/run/ispcp.lock:/proc/:/bin/df:/bin/mount:/var/log/rkhunter.log:/var/log/chkrootkit.log:/usr/share/php/"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
            php_admin_value upload_tmp_dir "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>
    <IfModule mod_php5.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/var/run/ispcp.lock:/proc/:/bin/df:/bin/mount:/var/log/rkhunter.log:/var/log/chkrootkit.log:/usr/share/php/"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
            php_admin_value upload_tmp_dir "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>
    
</VirtualHost> 

# 
# Master End 
#
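Once Dovecot, Postfix, ProFTPD and Apache (sections 3 to 6) have been restarted, the remaining question is whether each of them really hands out the certificate from /etc/ssl/certs rather than an old or distro-default one. The script below is an added example, not part of the original howto: it compares the SHA-256 fingerprint of the certificate file with the fingerprint of the leaf certificate served on each port. It assumes openssl is installed and that the ports are the usual ones for the protocols the howto names (993/995 for imaps/pop3s, 25 with STARTTLS for Postfix, 21 with STARTTLS for ProFTPD, 443 for Apache); host name and certificate path are arguments.

```shell
#!/bin/sh
# Added example, not part of the original howto: confirm that the daemons set
# up in sections 3 to 6 (Dovecot, Postfix, ProFTPD, Apache) really serve the
# certificate from /etc/ssl/certs, by comparing the SHA-256 fingerprint of the
# file with the fingerprint of the leaf certificate each port hands out.
# Assumptions: openssl is installed; the ports are the usual ones for the
# protocols named in the howto (993/995 imaps/pop3s, 25 smtp+STARTTLS,
# 21 ftp+STARTTLS, 443 https); host name and certificate path are arguments.

# SHA-256 fingerprint of a certificate file, as "AB:CD:...".
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate served at host $1, port $2.  $3 is an
# optional STARTTLS protocol (smtp, ftp, imap, pop3) for ports where TLS is
# negotiated after a plaintext greeting; empty output means no TLS handshake.
served_fingerprint() {
    if [ -n "$3" ]; then starttls="-starttls $3"; else starttls=""; fi
    # $starttls is deliberately unquoted so it expands to two words or none
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Succeeds only when the service at $1:$2 serves exactly the file $3
# (STARTTLS protocol in $4, if any).  A different cert usually means the
# daemon still points at an old or distro-default certificate.
service_presents_cert() {
    expected=$(file_fingerprint "$3")
    actual=$(served_fingerprint "$1" "$2" "$4")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Checks every port from the howto; prints one line each and returns the
# number of ports that do not present the expected certificate.
check_all() {
    host=$1; crt=$2; failed=0
    for spec in 993: 995: 25:smtp 21:ftp 443:; do
        port=${spec%%:*}; proto=${spec#*:}
        if service_presents_cert "$host" "$port" "$crt" "$proto"; then
            echo "ok   $host:$port serves $crt"
        else
            echo "FAIL $host:$port does not serve $crt"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: sh check_services.sh your_host_name /etc/ssl/certs/your_host_name.crt
if [ -n "$2" ]; then check_all "$1" "$2"; fi
```

A FAIL line on a port that is open but serves a different fingerprint means the restart did not pick up the new ssl_cert_file / smtpd_tls_cert_file / TLSRSACertificateFile / SSLCertificateFile setting; an empty handshake (no fingerprint at all) usually means TLS is not enabled on that port yet, for example because Postfix still has smtpd_tls_security_level unset.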
 
howto/security/ssl_made_easy.txt · Last modified: 2011/10/05 19:50 by hodza