How to Enable Let’s Encrypt on ISPConfig?

From LHYcloud Docs

Let’s Encrypt on ISPConfig

Let’s Encrypt is a free SSL certificate authority. ISPConfig has built-in support for issuing and managing Let’s Encrypt SSL certificates for websites, mail, and services.

It uses acme.sh or certbot (depending on version) to automatically request and renew SSL certificates.



Prerequisites:

  • ISPConfig Version: Ensure you’re using ISPConfig version 3.1 or later, as it has built-in support for Let’s Encrypt.
  • Domain Name: You must have a valid domain name configured for your website and it must be pointed to your server’s public IP address.
  • Web Server: ISPConfig supports both Apache and Nginx as web servers. Ensure one of them is properly installed and running.


1) Configure DNS for Your Domain:

  • Ensure that the domain name (e.g., yourdomain.com) has proper A (and optionally AAAA) DNS records pointing to your server’s IP address.
  • You can check your DNS configuration with a tool like DNSstuff or dig.




2) Enable Let’s Encrypt in ISPConfig: Do the following steps:

  • Log in to ISPConfig using the admin interface (https://your-server-ip:8080).
  • Navigate to Sites > Websites.
  • Select the website you want to enable SSL for.
  • Under the SSL tab, find the option to “Use SSL”.
  • Check the box for “Let’s Encrypt SSL”.
  • Optionally, enable “Force SSL” if you want all traffic to be redirected to HTTPS. Then save the settings.

3) Issue a Let’s Encrypt SSL Certificate: Once you enable Let’s Encrypt for your website, the following will occur:

  • In the Website settings, after checking Let’s Encrypt, ISPConfig will automatically attempt to issue a certificate for your domain.
  • It will use the Webroot method (HTTP-01 challenge) by default, which requires that the domain is publicly accessible and points to the server.
  • If DNS and your web server are configured properly, ISPConfig will successfully request the SSL certificate from Let’s Encrypt.

4) Verify SSL Installation: After the certificate is issued, verify that SSL is working by doing these steps:

  • Check in the ISPConfig Interface: In the Website settings under the SSL tab, you should see that the SSL certificate is active and has the expiry date of the certificate.
  • Check on the Browser: Visit your website (https://yourdomain.com) and ensure the site is loaded with HTTPS, and check for a padlock symbol in the address bar indicating that the connection is secure.
  • You can also use a tool like SSL Labs’ SSL Test to verify the SSL installation.

5) Set Up Auto-Renewal:

  • Let’s Encrypt certificates are valid for 90 days, so it’s important to set up auto-renewal. ISPConfig automatically handles the renewal process, but it’s good to verify that everything is set up correctly.
  • ISPConfig should automatically renew the certificate before expiration. It checks and renews the certificates when the website is reloaded, or the server is restarted.
  • You can check the status of auto-renewal by navigating to Sites > Websites, selecting the domain, and verifying that the Let’s Encrypt SSL certificate is renewed.

6) Force HTTPS (Optional): If you want to ensure that all traffic to your website uses HTTPS, you can set up an HTTP to HTTPS redirect by doing these steps:

  • In the ISPConfig panel, under the website configuration, enable the “Force SSL” option. This will automatically redirect all HTTP traffic to HTTPS, ensuring that users always connect securely.
  • Alternatively, you can manually configure a redirect in your web server’s configuration file by doing the following steps:
  • Apache: Add the following to your .htaccess file or virtual host:

        # Redirect any request that did not arrive over HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  • Nginx: In your Nginx server block, add the following:

        server {
            listen 80;
            server_name yourdomain.com www.yourdomain.com;
            # $server_name is the first name listed in server_name above
            return 301 https://$server_name$request_uri;
        }
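
A check that the redirect from step 6 behaves as intended, added here as an example (it is not part of the original page or of ISPConfig). The Apache rule builds the target from the request’s Host header while the Nginx block always uses its first server_name, so the script compares Location against the host you expect; the script name and sample response are constructed, and curl is assumed to be installed.

```bash
#!/bin/sh
# Added example: confirm the HTTP -> HTTPS redirect configured in step 6.

# redirect_ok "<raw response headers>" EXPECTED_HOST
# Succeeds only for a 301 whose Location is https:// on the expected host.
redirect_ok() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')          # drop CRs from CRLF
    code=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$headers" |
          awk 'tolower($1) == "location:" { print $2; exit }')
    [ "$code" = "301" ] || { echo "status $code, expected 301" >&2; return 1; }
    case $loc in
        "https://$2"|"https://$2"/*) return 0 ;;
        *) echo "unexpected Location: $loc" >&2; return 1 ;;
    esac
}

# Constructed sample, shaped like the output of: curl -sI http://yourdomain.com/page
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://yourdomain.com/page'

# Usage: sh redirect_check.sh HOST [EXPECTED_HOST]   (live check needs network)
# Pass EXPECTED_HOST when the server redirects www to the bare domain.
if [ $# -ge 1 ]; then
    redirect_ok "$(curl -sI "http://$1/")" "${2:-$1}" && echo "redirect OK"
else
    redirect_ok "$SAMPLE_OK" yourdomain.com && echo "sample redirect OK"
fi
```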

7) Troubleshooting Let’s Encrypt Issues: If the certificate is not issued, check these common issues:

  • DNS Resolution: Ensure the domain’s DNS is correctly pointing to your server’s public IP address.
  • Web Server Accessibility: Make sure ports 80 (HTTP) and 443 (HTTPS) are open in your firewall and that your web server is accessible from the Internet.
  • Server Configuration: If using Nginx or Apache, ensure your server is correctly configured to serve the domain and that it’s not misconfigured (e.g., not blocking HTTP traffic).
  • Rate Limits: Let’s Encrypt has rate limits (e.g., 5 requests per week per domain). If you hit the rate limit, wait for the limit to reset or try using a staging environment for testing.
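
A pre-flight check for the DNS requirement in step 1 and the DNS Resolution item above, added here as an example (it is not part of the original page or of ISPConfig). It assumes dig is installed; the script name and the 203.0.113.10 / 2001:db8::10 addresses are constructed samples. A stale AAAA record matters as much as the A record, because Let’s Encrypt prefers IPv6 when one is published.

```bash
#!/bin/sh
# Added example: HTTP-01 pre-flight. Every A/AAAA answer for the domain must
# be one of this server's own public addresses before the certificate request.

# all_point_here "<dig +short output>" "<space-separated server IPs>"
# Succeeds only if at least one address was returned and none is foreign.
all_point_here() {
    answers=$1; ours=$2; seen=0
    for addr in $answers; do
        case $addr in
            *.) continue ;;   # CNAME target line from dig +short, not an address
        esac
        seen=1
        case " $ours " in
            *" $addr "*) ;;   # record points at this server
            *) echo "record points elsewhere: $addr" >&2; return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ]         # an empty answer means the name does not resolve
}

# check_domain DOMAIN "<server IPs>": live lookup (needs dig and network).
check_domain() {
    all_point_here "$(dig +short A "$1") $(dig +short AAAA "$1")" "$2"
}

# Constructed sample: combined dig +short output for a name behind a CNAME.
SAMPLE_ANSWERS='yourdomain.com.
203.0.113.10
2001:db8::10'

# Usage: sh dns_preflight.sh yourdomain.com "203.0.113.10 2001:db8::10"
# Write IPv6 addresses in the compressed lowercase form that dig prints.
if [ $# -ge 2 ]; then
    check_domain "$1" "$2" && echo "DNS OK for $1"
else
    all_point_here "$SAMPLE_ANSWERS" "203.0.113.10 2001:db8::10" && echo "sample DNS OK"
fi
```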

8) Manual Renewal (if needed):

  • In some cases, you might need to manually renew the certificate. You can do this by running the following command on your server:

        ispconfig_update.sh --letsencrypt-renew

  • This command renews all Let’s Encrypt certificates managed by ISPConfig.

9) Testing SSL Renewal:

  • After the certificate renewal, check the expiry date of the SSL certificate in the ISPConfig interface or in a browser to verify that the renewal has been successful.
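
The expiry check from steps 4, 5 and 9 can also be run from a shell instead of the panel or a browser. The script below is an added example (not part of the original page or of ISPConfig); it assumes the openssl CLI and GNU date, and the 30-day warning threshold, the script name and the sample dates are assumptions chosen for illustration.

```bash
#!/bin/sh
# Added example: report how long the served certificate remains valid.
# Assumes GNU date (for -d) and the openssl command-line tool.

# not_after HOST: print the "notAfter=..." line of the certificate on port 443.
not_after() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate
}

# renewal_status "notAfter=<date>" [NOW_EPOCH]
# Threshold is an assumption: warn once less than 30 of the 90 days remain.
renewal_status() {
    [ -n "$1" ] || { echo "no certificate data" >&2; return 2; }
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now=${2:-$(date -u +%s)}
    secs=$((end - now))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -lt $((30 * 86400)) ]; then
        echo "RENEWAL_OVERDUE $((secs / 86400))d left"
    else
        echo "OK $((secs / 86400))d left"
    fi
}

# Constructed sample in the format printed by "openssl x509 -noout -enddate".
SAMPLE_END='notAfter=May 30 00:00:00 2025 GMT'
SAMPLE_NOW=$(date -u -d 'Mar  1 00:00:00 2025 GMT' +%s)

# Usage: sh cert_expiry.sh yourdomain.com   (live check needs network)
if [ $# -ge 1 ]; then
    renewal_status "$(not_after "$1")"
else
    renewal_status "$SAMPLE_END" "$SAMPLE_NOW"
fi
```

Run it on a schedule and alert on anything other than OK, so a silently failing renewal is noticed before the certificate lapses.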