How to secure your panel with SSL-certificate

In this module you can add SSL-certificates to panel addresses or a domain name (support of Server Name Indication must be activated).

An SSL-certificate allows you to access the control panel by its IP address or domain name over the HTTPS protocol.

  • Back to previous page
  • List of certificates
  • Add certificate
  • Delete certificate

List of certificates

  • Domain name - domain names the certificate is issued for. In this column you can see the main domain and its alternative names, if any.
  • IP-address - IP address of the panel the certificate is issued for.
  • Status:
    • P-lt3.png - The domain's IP address matches the panel's IP.
    • P-lt4.png - The domain leads to an IP address that doesn't match the selected one.
    • P-lt4.png - The domain leads to an IP address that is missing on the server.
    • P-lt4.png - The domain leads to an IP address that isn't among the addresses of the control panel.
    • P-lt4.png - The domain leads to an IP address that doesn't exist on the server and isn't among the addresses of the control panel.
    • P-tick-grey.png - The domain doesn't exist or leads to an unknown IP address.

Add certificate

Navigate to Panel addresses -> Certificates -> click Add.

Let’s Encrypt certificate

This feature is supported from version 5.124.

Let’s Encrypt is a free certification authority that provides free X.509 certificates for TLS encryption. Its automated process facilitates the creation, verification, setup and renewal of SSL certificates for protected web-sites.

For more information, please refer to the official web-site.

Please note the following limits

  • You can order only 5 certificates a week (TLD, including its subdomains)
  • Wildcard certificates are not supported
  • Let’s Encrypt certificate validity period is 3 months (every 3 months ISPmanager will reissue Let’s Encrypt certificates)

More information about additional limits can be found here.

Before you add a Let’s Encrypt certificate, make sure that the domain name leads to an existing IP address of the control panel, as the system will verify that you are the owner of that domain.

A file with token and data for verification is created in

/usr/local/mgr5/www/letsencrypt/.well-known/acme-challenge

Let’s Encrypt sends a request by domain name and reads the token.
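
A pre-flight check for the requirement above, written as an added example and not taken from ISPmanager: it classifies every address a domain resolves to, using the wording of the Status column. The function names, the mapping of conditions to statuses and the rule that every record must match are assumptions; the sample addresses are constructed.

```python
import ipaddress
import socket

def resolve(domain):
    """Addresses the domain resolves to from this host (empty set if none)."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def address_status(addr, selected_ip, server_ips, panel_ips):
    """Classify one resolved address the way the Status column describes."""
    ip = ipaddress.ip_address(addr)
    norm = lambda addrs: {ipaddress.ip_address(a) for a in addrs}
    if ip == ipaddress.ip_address(selected_ip):
        return "matches the panel's IP"
    on_server, in_panel = ip in norm(server_ips), ip in norm(panel_ips)
    if on_server and in_panel:
        return "doesn't match the selected IP"
    if in_panel:
        return "missing on the server"
    if on_server:
        return "isn't among the panel addresses"
    return "not on the server and not among the panel addresses"

def preflight(domain, selected_ip, server_ips, panel_ips, resolver=resolve):
    """Return (ready, {address: status}) for a domain before ordering."""
    statuses = {a: address_status(a, selected_ip, server_ips, panel_ips)
                for a in sorted(resolver(domain))}
    # Conservative assumption: every A/AAAA record must point at the selected
    # panel address, because the validation request may arrive on any of them.
    ready = bool(statuses) and all(
        s == "matches the panel's IP" for s in statuses.values())
    return ready, statuses

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), no DNS lookup.
    records = {"panel.example.com": {"192.0.2.10"},
               "old.example.com": {"192.0.2.10", "2001:db8::5"}}
    fake = lambda d: records.get(d, set())
    for name in ("panel.example.com", "old.example.com", "gone.example.com"):
        print(name, preflight(name, "192.0.2.10", ["192.0.2.10", "192.0.2.11"],
                              ["192.0.2.10"], resolver=fake))
```

An empty status map corresponds to the "doesn't exist or leads to an unknown IP address" state. The default resolver uses the host's own name resolution, so a local hosts-file entry can hide what public DNS returns.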

After the certificate is issued, a new cron job is added. It will check if the certificate needs to be renewed:

0 0 * * * "/usr/local/mgr5/etc/scripts/acmesh"/acme.sh --cron --home "/usr/local/mgr5/etc/scripts/acmesh" > /dev/null

If several certificates for 3rd-level (and higher) domain names are issued, you may face the "Too many subdomains" error. This is a Let’s Encrypt restriction; the issue procedure can be continued after a while (normally, within 24 hours).

Apache and Nginx web-servers are supported. If none of these servers are running, a built-in server will start to receive requests from Let’s Encrypt during domain verification.

Existing certificate

When you add an existing certificate, the domain name and its IP address are not checked. If the domain and IP address do not match, the corresponding icon will be shown next to the certificate.

  • Certificate type - select a certificate that you want to order.
    • Let’s Encrypt certificate
    • Existing certificate
  • Domain name - enter a domain name the certificate will be issued for. If you want to use an existing SSL-certificate, the domain name will be taken from that certificate.
  • IP address - IP address of the control panel that will be associated with the certificate.
  • SSL-certificate - enter an SSL-certificate you want to use.
  • SSL-certificate key - enter a key for your certificate
  • SSL-certificate chain - enter a certificate chain that will be added into the certificate file.

Server Name Indication

If the OS supports Server Name Indication, you can add several SSL-certificates for different domain names. When you access the panel via a domain name, the panel will use the certificate corresponding to that domain name.

Server Name Indication is supported by:

  • CentOS 7 and later.
  • Debian 8 and later.
  • Ubuntu 16.04 and later.

Certificates with alternative domain names are also supported.

Delete certificate

To delete a certificate, select it from the list and click the "Delete" icon. Confirm that you want to delete the selected certificate by clicking "OK" in the form that opens. Once completed, the default self-signed certificate will be used for the panel address.