Free SSL Certificate for your ISPConfig 3 Websites

In this article I will show how to obtain a free SSL certificate from StartSSL™ and install it for an ISPConfig 3 installation and its websites. I’m assuming that SSL was selected during the installation of the ISPConfig system; if not, follow the steps from “Enable SSL for the ISPConfig 3 Control Panel”.

Contents of the article:

  1. Registration and domain validation with StartSSL™;
  2. Obtaining an SSL Certificate for the ISPConfig Interface;
  3. Obtaining an SSL Certificate for an ISPConfig website.

Register and validate your domain with StartSSL™:

  • If you already have an account, just “Authenticate”; if not, “Sign-Up”. After logging in, go to “Validations Wizard” in the top menu, then select “Domain Name Validation” in the “Type” dropdown and click “Continue”;
  • Enter your domain name (enter your primary domain, not a sub-domain, even if you want to use the certificate for one; that is configured later);
  • Select the e-mail address that should be used for authentication (create it or use an alias if it doesn’t exist);

  • After you click “Continue”, open another window/tab to check your e-mail address for the code and finish the validation;

Obtaining an SSL Certificate for the ISPConfig Interface:

  • On the ISPConfig server, go to “/usr/local/ispconfig/interface/ssl” where you will find:
ispserver.crt
ispserver.csr
ispserver.key
ispserver.key.secure
  • Open “ispserver.csr” and copy the full content of the file including “BEGIN / END” tags and paying attention not to copy any other characters or blank spaces:
-----BEGIN CERTIFICATE REQUEST-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE REQUEST-----
  • On the StartSSL™ page go to “Certificates Wizard”, and select “Web Server SSL/TLS Certificate” from the drop-down menu;
  • Skip the step asking to generate a private key, because we already have one;
  • Paste the previously copied “Certificate Request”:

  • You will get a confirmation that the request was received and after you click “Continue” you’ll have to choose the domain (previously validated domain);
  • Next, choose the sub-domain (in my case “www”). You can choose any sub-domain; the certificate will be valid for both the naked domain and the sub-domain;

  • If everything is OK, you will receive your certificate on the next screen; otherwise you may get an “Additional Check Warning”. If you get the warning, you must wait for the e-mail from “StartCom CertMaster” and then retrieve your certificate from “Tool Box > Retrieve Certificate”;

  • Copy the newly created certificate and paste it in the file “/usr/local/ispconfig/interface/ssl/ispserver.crt” (delete the contents of the file first);
  • On the StartSSL™ website, go to “Tool Box > StartCom CA Certificates” and download “ca-bundle.pem” from “Server Certificate Bundle with CRLs (PEM encoded)”;

  • Open “ca-bundle.pem” with a text editor and copy the contents;
  • On the ISPConfig server, create the file “/usr/local/ispconfig/interface/ssl/ispserver.bundle” and paste the contents of “ca-bundle.pem” into it;
  • Set permissions for the file:
chmod 750 /usr/local/ispconfig/interface/ssl/ispserver.bundle
  • Edit the “SSL Configuration” section in “/etc/apache2/sites-available/ispconfig.vhost”; it should look like this:
 # SSL Configuration
 SSLEngine On
 SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
 SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
 SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
  • If you want to automatically redirect clients from “http://yourserver.tld:8080” to “https://yourserver.tld:8080”, also add the following line to “/etc/apache2/sites-available/ispconfig.vhost”:
ErrorDocument 400 "<script language='javascript' type='text/javascript'>window.location = 'https://'+window.location.hostname+':8080'+window.location.pathname;</script>"
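
A consistency check for the files handled in this section, as an added example that is not part of the original article: it confirms that the issued certificate carries the same public key as the existing private key and CSR, and that it verifies against the CA bundle. The function names, the “Demo CA” and the throwaway files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the files before Apache is pointed at them.

# SHA-256 of the public key held in a private key, CSR or certificate file.
pubkey_digest() {    # $1 = key|csr|crt   $2 = PEM file
    local pem
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1     # unreadable or malformed PEM (stray characters, cut-off tags)
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = consistent; 1 = cert does not match key/CSR; 2 = cert does not verify against bundle.
preflight() {        # $1 = key   $2 = csr   $3 = issued cert   $4 = CA bundle
    local k r c
    k=$(pubkey_digest key "$1") && r=$(pubkey_digest csr "$2") &&
        c=$(pubkey_digest crt "$3") || return 1
    [ "$k" = "$c" ] && [ "$r" = "$c" ] || return 1
    openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || return 2
}

# Constructed throwaway files; "Demo CA" stands in for the downloaded ca-bundle.pem.
make_demo_files() {  # $1 = empty directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/ispserver.key" -out "$1/ispserver.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ispserver.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/ispserver.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo_files "$d"
    preflight "$d/ispserver.key" "$d/ispserver.csr" "$d/ispserver.crt" "$d/ca.pem"
    echo "key, CSR, certificate and bundle agree -> $?"
    preflight "$d/other.key" "$d/ispserver.csr" "$d/ispserver.crt" "$d/ca.pem"
    echo "certificate installed next to another key -> $?"
    rm -rf "$d"
fi
```

On the server, call preflight with the ispserver.key, ispserver.csr, ispserver.crt and ispserver.bundle files from “/usr/local/ispconfig/interface/ssl”; a non-zero status means the pasted certificate or bundle does not belong with the key Apache will load.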

Obtaining an SSL Certificate for an ISPConfig website:

  • After you have registered and validated the website’s domain with StartSSL™, open the ISPConfig Sites configuration and go to the “SSL” tab;
  • Fill in the first part of the form and choose the subdomain for SSL certification;
  • Go to the bottom of the page, select “Create certificate” from the “SSL Action” drop-down menu and click “Save”;
  • Wait a minute (it takes a little while for ISPConfig to create the certificate) and return to the “SSL” tab; ISPConfig should have populated the “SSL Key”, “SSL Request” and “SSL Certificate” fields:

  • Copy the full content of the “SSL Request” field, including “BEGIN / END” tags and paying attention not to copy any other characters or blank spaces:
-----BEGIN CERTIFICATE REQUEST-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE REQUEST-----
  • On the StartSSL™ page go to “Certificates Wizard”, and select “Web Server SSL/TLS Certificate” from the drop-down menu;
  • Skip the step asking to generate a private key, because we already have one;
  • Paste the previously copied “Certificate Request”:

  • You will get a confirmation that the request was received and after you click “Continue” you’ll have to choose the domain (previously validated domain);
  • Next, choose the sub-domain (in my case “www”). You can choose any sub-domain; the certificate will be valid for both the naked domain and the sub-domain;

  • If everything is OK, you will receive your certificate on the next screen; otherwise you may get an “Additional Check Warning”. If you get the warning, you must wait for the e-mail from “StartCom CertMaster” and then retrieve your certificate from “Tool Box > Retrieve Certificate”;
  • Go to “Tool Box > StartCom CA Certificates” and download “ca-bundle.pem” from “Server Certificate Bundle with CRLs (PEM encoded)”;

  • Go to the website’s “SSL” tab in the ISPConfig Control Panel and paste the newly created certificate into the “SSL Certificate” field (delete the contents of the field first);
  • Open “ca-bundle.pem” with a text editor and copy the contents;
  • Paste the contents of the file into the “SSL Bundle” field;
  • Select “Save certificate” from the “SSL Action” drop-down menu and click “Save”;

  • Go to the website’s “Domain” tab, enable the “SSL” check-box and click “Save”;

  • That was it… You can access your website on “https://website.tld”.