Issue:
The SSL certificate for the ISPConfig 2 management interface (port 81) is expiring. A new self-certified certificate needs to be created and merged.
For these steps, you will need a root terminal and the password for your key file (ssl.key).
Self-Certification Solution:
1. Start a root terminal session via sudo or su.
2. Enter the following commands to create the key and CSR, generate the new certificate, and merge it into the keyring file.
Note: Replace sslkeypwd with your SSL keyring password, and adjust the file paths if you are not using the default ISPConfig paths.
# openssl genrsa -des3 -passout pass:sslkeypwd -out /root/ispconfig/httpd/conf/ssl.key/server.key2 2048
# openssl req -new -passin pass:sslkeypwd -passout pass:sslkeypwd -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr
# openssl req -x509 -passin pass:sslkeypwd -passout pass:sslkeypwd -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 730
# openssl rsa -passin pass:sslkeypwd -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
# chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key
3. Stop and start the ISPConfig management system:
# /etc/init.d/ispconfig_server stop
. . . wait . . .
# /etc/init.d/ispconfig_server start
__________________________
Replace Existing Self-Certificate with UCC (Multiple Domains in Cert) Certificates Solution:
Notes:
- Your ISPConfig3.x folder might be different. Ours is /usr/local/ispconfig/interface/ssl.
- This folder contains the current/old ispserver.crt, the ca_bundle.crt for the intermediate and root certificates, and the ispserver.key file.
- If the key file has NOT been re-keyed, then you can keep the existing ispserver.key file from last time. Otherwise, replace it with the new version.
1. Start a root terminal session via sudo or su.
2. Back up and replace the certificate files:
# cd /usr/local/ispconfig/interface/ssl/
(old version of ispconfig: # cd /root/ispconfig/httpd/conf/ssl.crt/ )
# mv ispserver.crt ispserver-old.crt
(old version of ispconfig: # mv server.crt server-old.crt )
# mv ca-bundle.crt ca-bundle-old.crt
Copy the new certificate files:
# mv /root/tmp/new-server.crt ispserver.crt
# mv /root/tmp/new-ca-bundle.crt ca-bundle.crt (might be ca_bundle.crt)
If the key has been re-keyed, copy the new key file as well:
(old version of ispconfig: # cd /root/ispconfig/httpd/conf/ssl.key/)
# mv /root/tmp/server.key ispserver.key
Update the permissions to 400 or 600:
# chmod 400 ispserver.crt
# chmod 400 ca-bundle.crt
# chmod 400 ispserver.key
3. Stop and start the ISPConfig management system:
For ispconfig3, either restart httpd or reboot
# reboot
For ispconfig2, there is a service:
# /etc/init.d/ispconfig_server stop
. . . wait . . .
# /etc/init.d/ispconfig_server start
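Before the restart in step 3 of either procedure, the new files can be checked with the following added example, which is not part of the original instructions: it confirms that the certificate and key belong together, that the certificate is not about to expire, and that the key file is not accessible to group or others. The function name check_cert_pair and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original procedure): sanity-check a
# certificate/key pair before restarting ISPConfig.
# Usage: check_cert_pair CERT KEY [MIN_DAYS]
# Returns 0 = ok, 1 = unreadable or mismatched pair, 2 = expires too soon,
#         3 = key file accessible to group/others.
check_cert_pair() {
    cert=$1 key=$2 min_days=${3:-30}

    # Compare the public key embedded in the certificate with the one
    # derived from the private key. "-passin pass:" makes an encrypted key
    # fail instead of prompting (the installed key is passphrase-free).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not belong together" >&2
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
            >/dev/null 2>&1; then
        echo "certificate expires within $min_days days" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group/other bits;
    # chmod 400 or 600 leaves them all as "-".
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file is accessible to group/others: $perms" >&2
        return 3
    fi
    echo "OK: $cert matches $key"
}

# Example (paths from the ISPConfig 3 notes above):
# check_cert_pair /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                 /usr/local/ispconfig/interface/ssl/ispserver.key 30
```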