Secure ISPConfig 3 And Services With GoDaddy Signed Certificate On CentOS


Let’s set up a signed certificate from GoDaddy for the ISPConfig control panel, Pure-FTPD, Postfix, Dovecot, phpMyAdmin, and Squirrelmail. Don’t forget to replace pluto.example.com with your own FQDN throughout this entire section! ISPConfig automatically created an SSL key, CSR, and a self-signed certificate in the /usr/local/ispconfig/interface/ssl/ directory when we answered y to Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:. If we answered no to that question, we could still create them by performing the following steps:

  1. Change the directory to /usr/local/ispconfig/interface/ssl/
  2. Create a key and a certificate signing request
  3. Create a self signed certificate
  4. Change the read/write/execute permissions on the certificate files
  5. Change the ownership on the certificate files

Type the following lines in your SSH terminal window:

cd /usr/local/ispconfig/interface/ssl/
openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
chmod 750 ispserver.*
chown ispconfig:ispconfig ispserver.*

First, we must log into our GoDaddy account and purchase an SSL certificate. I bought the Standard SSL Single Domain certificate for two years. This certificate covers pluto.example.com and www.pluto.example.com. If you don’t have a GoDaddy account, create one and then purchase a new Standard SSL Single Domain certificate as shown in the following:

[Screenshot: GoDaddy SSL purchase, single domain]

Your credit for your new SSL certificate usually doesn’t show up in your GoDaddy account right away. After waiting about 5 minutes, the SSL certificate credit showed up in my account alongside another SSL certificate that I had previously purchased and set up. It says Standard (Turbo) SSL (2 Years) (Annual) and looks like the following:

[Screenshot: GoDaddy SSL, My Account]

GoDaddy makes you first activate the credit for the new certificate before you can begin configuring it. To activate the certificate, click the Set Up button beside the SSL credit as shown in the following:

[Screenshot: GoDaddy SSL setup 1]

Then you will be prompted to select which SSL credit you are activating. It will look like the following:

[Screenshot: GoDaddy SSL setup 2]

There are numerous bugs in the GoDaddy software on this page. Don’t be alarmed though. Everything will work! It will say, “Free Product Setup” and “Account Type: Free with Turbo SSL.” That may seem very odd to you, since we just paid for the SSL certificate. It will also ask you, “Which domain do you want to associate with this SSL Certificates account?” However, there are no domains listed in the selection box. The unactivated SSL credits are listed in the box by the date on which they expire. If you have numerous unactivated SSL certificates, make sure you select the correct one. The date listed on my unactivated credit is incorrect! Once you’ve selected the correct credit, click the Set Up button. You should see a message telling you that the activation was successful like the following:

[Screenshot: GoDaddy SSL setup successful]

Your SSL credit is now activated and ready to begin being configured. It will be listed in your GoDaddy account as “NEW CERTIFICATE”, like the following:

[Screenshot: GoDaddy SSL new certificate]

Note that the expiration date on the certificate has changed, but it is still incorrect. Don’t worry. It will be fixed at the end. Click the Launch button beside the SSL certificate in your GoDaddy account as shown in the following:

[Screenshot: GoDaddy SSL launch]

You will be asked for some information to set up your SSL certificate Hosting Options. Make sure that the option “Third Party, or Dedicated Server or Virtual Dedicated Server, without Simple Control Panel” is selected. Then, copy and paste your CSR into the window, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. To copy your CSR, type the following line in your SSH terminal window:

cat /usr/local/ispconfig/interface/ssl/ispserver.csr

Make sure to paste the entire contents of the CSR into the GoDaddy CSR box. I replaced my actual CSR text with x’s in the screenshot. It should look similar to the following:

[Screenshot: GoDaddy SSL hosting options]

Click the Next button. You will see a message saying, “Your domain has been validated. Please continue to the confirmation step.” It will look like the following:

[Screenshot: GoDaddy SSL domain validation]

Click the Next button. You will now see the Confirmation screen like the following:

[Screenshot: GoDaddy SSL confirmation]

Click the Next button. You will now see the What Now? screen like the following:

[Screenshot: GoDaddy SSL what now]

Click the Finished button. You are now taken to the GoDaddy SSL control panel. Your certificate may or may not appear right away. Wait a couple of minutes and then click the Certificates link in the left navigation bar. When your certificate appears in the list, the correct date now shows for your certificate. Now, select the certificate and click the Download button at the top of the list as shown in the following:

[Screenshot: GoDaddy SSL control panel]

Now, select Apache from the menu and click the Download button as shown in the following:

[Screenshot: GoDaddy SSL download certificate]

Save the zipped archive to your computer. Now, extract the zipped archive on your computer. The 2 files extracted from the zip archive can be viewed and copied using a text editor such as Notepad on Windows.

If you purchased a certificate type other than the Standard SSL Single Domain certificate, you may need to choose a different chain file than the gd_bundle.crt file used in this chapter. GoDaddy’s certificate repository is located at https://certs.godaddy.com/anonymous/repository.pki.

Now, let’s create the files for our new certificates by performing the following steps:

  1. Change the directory to /usr/local/ispconfig/interface/ssl/
  2. Copy the certificate signing request
  3. Copy the key
  4. Copy the self-signed certificate to openssl.pluto.example.com.crt, so the self-signed certificate is kept
  5. Copy the self-signed certificate to pluto.example.com.crt
  6. Clear the contents of pluto.example.com.crt
  7. Change the read/write/execute permissions on the certificate files
  8. Change the ownership on the certificate files
  9. Download the GoDaddy certificate bundle (gd_bundle.crt)
  10. Change the read/write/execute permissions on the GoDaddy certificate bundle
  11. Change the ownership on the GoDaddy certificate bundle

Don’t forget to replace your own hostname in the following examples. Type the following lines in your SSH terminal window:

cd /usr/local/ispconfig/interface/ssl/
cp ispserver.csr pluto.example.com.csr
cp ispserver.key pluto.example.com.key
cp ispserver.crt openssl.pluto.example.com.crt
cp ispserver.crt pluto.example.com.crt
cat /dev/null > pluto.example.com.crt
chmod 750 *example.com*
chown ispconfig:ispconfig *example.com*
wget -O gd_bundle.crt "https://certs.godaddy.com/anonymous/repository.pki?streamfilename=gd_bundle.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29"
chmod 750 gd_bundle.crt
chown ispconfig:ispconfig gd_bundle.crt

Now, let’s place the GoDaddy signed certificate onto the server by editing the pluto.example.com.crt file. Type the following line in your SSH terminal window:

vi pluto.example.com.crt

Using a text editor, copy the entire contents of your new signed GoDaddy certificate that you just downloaded from GoDaddy and extracted from the zip archive. Paste the contents into the pluto.example.com.crt file in your SSH terminal window.

Now, let’s create the pem chain file used by some services by performing the following steps:

  1. Copy the contents of the key, the certificate and the GoDaddy files into the pem file
  2. Change the read/write/execute permissions on the pem file

Type the following lines in your SSH terminal window:

cat pluto.example.com.{key,crt} gd_bundle.crt > pluto.example.com.pem
chmod 600 pluto.example.com.pem

Now, you should have a complete set of certificates to use. Let’s look and make sure the certificates are all in order. Type the following line in your SSH terminal window:

ls -la

The output should look like the following:

[root@pluto ssl]# ls -la
total 48
drwxr-x--- 2 ispconfig ispconfig 4096 May 22 22:50 .
drwxr-x--- 7 ispconfig ispconfig 4096 May 12 21:20 ..
-rwxr-x--- 1 ispconfig ispconfig 3197 May 22 22:47 gd_bundle.crt
-rwxr-x--- 1 ispconfig ispconfig 2061 May 12 21:20 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 1720 May 12 21:20 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 May 12 21:20 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 May 12 21:19 ispserver.key.secure
-rwxr-x--- 1 ispconfig ispconfig    0 May 22 22:47 pluto.example.com.crt
-rwxr-x--- 1 ispconfig ispconfig 1720 May 22 22:47 pluto.example.com.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 May 22 22:47 pluto.example.com.key
-rw------- 1 root      root      6440 May 22 22:50 pluto.example.com.pem
-rwxr-x--- 1 ispconfig ispconfig 2061 May 22 22:47 openssl.pluto.example.com.crt
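
A directory listing only shows that the files exist. The following added example (not part of the original tutorial) checks them against each other before any service is pointed at them: that the signed certificate matches the key, that it verifies against gd_bundle.crt, and that the pem file holding the key is readable by its owner only. The function names are illustrative, and it assumes gd_bundle.crt contains the intermediate and root certificates.

```bash
# Added example: pre-flight checks for the files built in this chapter.
# Function names are illustrative; file names follow the chapter's layout.

# True only if the certificate and the private key carry the same public key.
# An empty or unparsable file (such as the .crt before the paste) fails.
cert_matches_key() {  # cert_matches_key CERT KEY
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if CERT chains to a root in BUNDLE (assumption: the bundle holds
# the intermediate(s) and the root). The ': OK' line is matched explicitly.
chain_verifies() {  # chain_verifies CERT BUNDLE
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# True only if FILE is a regular file with no group/other permission bits,
# which is what chmod 600 on the .pem (it contains the key) should give.
owner_only() {  # owner_only FILE
    case "$(ls -ld "$1" 2>/dev/null)" in
        -r[w-][x-]------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks for one host name; returns non-zero if any check fails.
check_cert_set() {  # check_cert_set DIR FQDN
    local dir="$1" fqdn="$2" rc=0
    cert_matches_key "$dir/$fqdn.crt" "$dir/$fqdn.key" \
        || { echo "FAIL: $fqdn.crt does not match $fqdn.key"; rc=1; }
    chain_verifies "$dir/$fqdn.crt" "$dir/gd_bundle.crt" \
        || { echo "FAIL: $fqdn.crt does not verify against gd_bundle.crt"; rc=1; }
    owner_only "$dir/$fqdn.pem" \
        || { echo "FAIL: $fqdn.pem is missing or readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate set for $fqdn is consistent"
    return "$rc"
}
```

Run it after pasting the signed certificate, for example: check_cert_set /usr/local/ispconfig/interface/ssl pluto.example.com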

Now, let’s configure the ISPConfig control panel to use the signed certificate. Be aware that you have to reconfigure these lines whenever you update or install ISPConfig! Type the following line in your SSH terminal window:

vim /etc/httpd/conf/sites-available/ispconfig.vhost

Edit the 2 lines with the paths to the key and the signed certificate files. Now, add the line SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/gd_bundle.crt to the SSL Configuration section. It should look like the following:

  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/pluto.example.com.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/pluto.example.com.key
  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/gd_bundle.crt

Now, let’s restart Apache. Type the following line in your SSH terminal window:

/etc/init.d/httpd restart

Now, let’s configure Postfix to use the signed certificate by performing the following steps:

  1. Set the path to the signed certificate file in postfix using the postconf command
  2. Set the path to the key file in postfix using the postconf command
  3. Set the path to the gd_bundle file in postfix using the postconf command
  4. Restart postfix

Be aware that you have to reconfigure these lines whenever you update or install ISPConfig! Type the following lines in your SSH terminal window:

postconf -e 'smtpd_tls_cert_file = /usr/local/ispconfig/interface/ssl/pluto.example.com.crt'
postconf -e 'smtpd_tls_key_file = /usr/local/ispconfig/interface/ssl/pluto.example.com.key'
postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/gd_bundle.crt'
/etc/init.d/postfix restart

Now, let’s configure Dovecot to use the signed certificate. Be aware that you have to reconfigure these lines whenever you update or install ISPConfig! Type the following line in your SSH terminal window:

vim /etc/dovecot/dovecot.conf

Make the SSL section look like the following:

ssl_cert = </usr/local/ispconfig/interface/ssl/pluto.example.com.crt
ssl_key = </usr/local/ispconfig/interface/ssl/pluto.example.com.key
ssl_ca = </usr/local/ispconfig/interface/ssl/gd_bundle.crt

Then, restart Dovecot. Type the following line in your SSH terminal window:

/etc/init.d/dovecot restart

Now, let’s configure phpMyAdmin and Squirrelmail to use the signed certificate. It’s important to know that when a client has his own SSL certificate installed through ISPConfig, his own certificate will be used when he accesses phpMyAdmin and Squirrelmail through his own domain. If a client doesn’t have a certificate in place, the certificate that we are about to configure will be used. Type the following line in your SSH terminal window:

vim /etc/httpd/conf.d/ssl.conf

The following 3 lines need to be edited to look like the following:

SSLCertificateFile /usr/local/ispconfig/interface/ssl/pluto.example.com.crt

SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/pluto.example.com.key

SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/gd_bundle.crt

Now, let’s restart Apache. Type the following line in your SSH terminal window:

/etc/init.d/httpd restart

Now, let’s configure Pure-FTPD to use the signed certificate by performing the following steps:

  1. Change the directory to /etc/pki/pure-ftpd
  2. Rename the pem file
  3. Create a symbolic link to the signed pem file
  4. Restart pure-ftpd

Type the following lines in your SSH terminal window:

cd /etc/pki/pure-ftpd
mv pure-ftpd.pem openssl.pure-ftpd.pem
ln -s /usr/local/ispconfig/interface/ssl/pluto.example.com.pem pure-ftpd.pem
/etc/init.d/pure-ftpd restart

We are now using the GoDaddy signed certificate for ISPConfig and our services. Since we have two sets of certificates, we can easily switch back and forth between using the self-signed certificate or the GoDaddy signed certificate. We can also create a brand new set of files for our self-signed certificate without affecting our GoDaddy signed certificate files.
