Last year I implemented an ISPConfig3 configuration for personal use. Mainly to host some e-mail domains, and perhaps some basic websites. This setup was relatively easy to implement and should have been a breeze to maintain.... Until I got an email from the provider last Tuesday, mentioning that my Linux VPS was attacking other hosts around the world..... *GASP*.. my VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.
I did some research and investigation, but couldn't find anything really wrong, so I decided to re-implement the ISPConfig3 setup from scratch. This time using other components than before.
Before, I used Courier for mail, and Apache for a webserver. This time I switched to Dovecot for e-mail, and Nginx for webservices. The rest was basically the same.
After the installation I needed to replace the self-signed certificates of the various services, just as I did before. Only this time I wanted to use a single place on the filesystem to store the certificate(s). This way, when I replace them in a year or two, I won't need to replace several copies of the same certificate in different locations.
This meant that I needed to find the config files of the services and re-configure those to point to the new location. One problem is the Pure-FTPd service. This one doesn't seem to have a config setting pointing to a specific location. It just assumes that the certificate is located at the following location:
This made the decision of where to store the certificates for the services easy. The only problem (or challenge) is that the various services require different formats for the certificate, so I had to upload the same certificate in several forms.
The names of the files all start with sslcertificate, but you can choose whatever you want.
This file (sslcertificate.cer) contains the base64 encoded public certificate.
This file (sslcertificate.key) contains the base64 encoded private key, without password protection. The reason for not securing it with a password is that some software can't handle that. I could use a separate password-protected key file for the services that do support it, but what's the use if both are stored in the same location......
This file (sslcertificate.pem) contains the base64 encoded private key followed by the public certificate (in that order).
This file is a copy of the sslcertificate.pem file. As mentioned before, the Pure-FTPd service needs the certificate in a predefined place, with a fixed name and format.
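As an added illustration (my own code, not part of the original post), the script below lays out the three files exactly as described above and then checks the points each service depends on: only certificate blocks in the .cer, exactly one key in the .key and no password on it, key before certificate in the combined .pem, and nothing that holds the key readable by group or others. It assumes the sslcertificate.cer/.key/.pem names from this post, writes to a directory you pass in, uses constructed placeholder PEM bodies, and does not validate the key or certificate contents themselves.

```python
import re, stat, tempfile
from pathlib import Path

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.S)
# Constructed placeholder material for the demo; the bodies are not a real key or certificate.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDERKEY\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIDzPLACEHOLDERCERT\n-----END CERTIFICATE-----\n"

def pem_labels(text):
    """Labels of the PEM blocks in text, in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def cert_paths(directory, basename="sslcertificate"):
    """The three files the post describes, keyed by extension."""
    return {ext: Path(directory, f"{basename}.{ext}") for ext in ("cer", "key", "pem")}

def write_cert_files(directory, cert_pem, key_pem, basename="sslcertificate"):
    """Write .cer (certificate), .key (unencrypted key) and .pem (key, then certificate)."""
    paths = cert_paths(directory, basename)
    for ext, data in {"cer": cert_pem, "key": key_pem, "pem": key_pem + cert_pem}.items():
        paths[ext].touch(mode=0o600)  # create owner-only before any key material lands in it
        paths[ext].write_text(data)
        paths[ext].chmod(0o644 if ext == "cer" else 0o600)  # only the certificate is public
    return paths

def check_cert_files(directory, basename="sslcertificate"):
    """Return the problems found; [] means only certificates in .cer, one unencrypted key
    in .key, key before certificate in .pem, and no private file readable by others."""
    files = cert_paths(directory, basename)
    cer_labels = pem_labels(files["cer"].read_text())
    key_text = files["key"].read_text()
    key_labels, problems = pem_labels(key_text), []
    if not cer_labels or set(cer_labels) != {"CERTIFICATE"}:
        problems.append(".cer must contain only CERTIFICATE blocks")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append(".key must contain exactly one private key block")
    if "ENCRYPTED" in "".join(key_labels) or "Proc-Type: 4,ENCRYPTED" in key_text:
        problems.append(".key is password protected; not every service can load such a key")
    if pem_labels(files["pem"].read_text()) != key_labels + cer_labels:
        problems.append(".pem must be the private key followed by the certificate(s)")
    for ext in ("key", "pem"):
        mode = stat.S_IMODE(files[ext].stat().st_mode)
        if mode & 0o077:
            problems.append(f".{ext} is readable by group or others (mode {mode:04o})")
    return problems

def run_demo():
    paths = write_cert_files(tempfile.mkdtemp(), SAMPLE_CERT, SAMPLE_KEY)  # scratch directory
    return paths, check_cert_files(paths["pem"].parent)
```

Run check_cert_files against the real directory after copying your files there; an empty list means the layout matches what the services above expect.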
The Webmin SSL settings can be found under Webmin -> Webmin Configuration -> SSL Encryption. Just 'point' it to the correct file and you're done. In my case I used the combined PEM file containing both public and private key.
The Dovecot config file is located at the following location:
Change the following lines in the config file:
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
to:
ssl_cert = </etc/ssl/private/sslcertificate.pem
ssl_key = </etc/ssl/private/sslcertificate.pem
This certificate reference is for the ISPConfig web GUI, which by default runs on port 8080. It doesn't change the certificate settings for clients' websites or any other websites.
The ISPConfig config itself has no reference to certificates; the reference is made by the webserver. ISPConfig runs as a virtual host on the Nginx webserver (in my case), so you need to edit the vhost config file at:
Replace the following
listen 8080 ssl;
listen 8080 ssl;
The Postfix config file is located at the following location:
Where you need to find the following lines:
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
And change that to:
# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/ssl/private/sslcertificate.cer
smtpd_tls_key_file = /etc/ssl/private/sslcertificate.key
Restart the services
All that remains is to restart the affected services:
[root@host ~]# service nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[root@host ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@host ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@host ~]# service webmin restart
Stopping Webmin server in /usr/libexec/webmin
Starting Webmin server in /usr/libexec/webmin
Or you can reboot your server.