VestaCP: How to fix LetsEncrypt SSL certificate (Admin Panel)

EDIT: Method 1 still working as of 13/06/2018

Recently I have been playing around with VestaCP, an alternative to cPanel. VestaCP is a free, open source website control panel with website, email, database, and DNS functionalities built in.

The Issue (Symptoms)

Unfortunately, when I installed VestaCP and setup an SSL certificate via LetsEncrypt though the VestaCP admin panel, the certificate was not installed into the VestaCP web interface (admin panel). This meant that whenever I tried to access the VestaCP admin panel, I was presented with the following SSL error:

The Problem

This error was present because the SSL certificate generated by VestaCP and LetsEcnrypt was not installed in the VestaVP admin panel. Instead, it was only installed on the web domain as shown in the image below (please note, the domain, IP address and SSL certificate information have been removed):

The Solution

The solution, therefore, is to install the very same certificate from the web domain (shown above) into the VestaCP admin panel. The SSL certificate information for the VestaVP admin panel is located by default at the following location (for version 0.9.8):

/usr/local/vesta/ssl

The valid SSL certificate information for your domain can be found in the following location:

/home/admin/conf/web/

The files we are interested in here are “ssl.[your server domain].key” and “ssl.[your server domain].crt”.

There are two methods for solving this issue;

  1. Create a symbolic link from “/home/admin/conf/web/” (for each of the two files mentioned above) to “/usr/local/vesta/ssl”
  2. Simply copy the two files from “/home/admin/conf/web/” to “/usr/local/vesta/ssl”

The Solution – Method 1

This solution consists of creating a symbolic link from the certificate origin location to the destination location. This is the best solution since VestaCP will automatically renew LetsEncrypt certificates – a symbolic link would ensure any updates are reflected for the VestaCP admin panel.

cd /usr/local/vesta/ssl
mv certificate.crt certificate.crt_old
mv certificate.key certificate.key_old
ln -s /home/admin/conf/web/ssl.[your server domain].key /usr/local/vesta/ssl/certificate.key
ln -s /home/admin/conf/web/ssl.[your server domain].crt /usr/local/vesta/ssl/certificate.crt
sudo service vesta restart

Please be sure to replace “[your server domain]” with the domain your server is using for VestaCP.

The Solution – Method 2

This solution consists of copying the certificate key and certificate file.

Downside: Since LetsEncrypt requires certificates to be renewed every three months, you would need to perform this method each time the certificate renews.

cd /usr/local/vesta/ssl
mv certificate.crt certificate.crt_old
mv certificate.key certificate.key_old
cp /home/admin/conf/web/ssl.[your server domain].key /usr/local/vesta/ssl/certificate.key
cp /home/admin/conf/web/ssl.[your server domain].crt /usr/local/vesta/ssl/certificate.crt

sudo service vesta restart

Please be sure to replace “[your server domain]” with the domain your server is using for VestaCP.

9 Replies to “VestaCP: How to fix LetsEncrypt SSL certificate (Admin Panel)”

  1. Hi, I has used this method in the past and it works. However with the recent issue with the VESTACP I have changed my admin port to something other than the default. I have created the Let’s Encrypt SSL certs, however using the method above the vesta service will not restart. The error is with the certificate key and crt. Is there somewhere else I need to change the port number to correspond with my admin port number change in a nginx conf file? The domain is showing SSL with Let’s Encrypt but I cannot get the Admin port to go secure.

    Thank you

    1. Hi Adam,

      Changing the port for the VestaCP admin panel should have no effect on the SSL certificate. This seems like a configuration issue with regards to VestaCP and the port change.

      It would help me significantly if you could answer the following questions:
      Did the certificate work correctly before the port change?
      How did you perform the port change?

      Thanks.

  2. Hello,

    Thanks for the post. Method 1 did work for me.

    But – it broke the exim mailserver on my Vesta install:

    Version:0.9.8 (amd64), Release:22, Debian 8.11 (x86_64)

    Symptom: emails from some servers do not arrive.

    Diagnosis:

    tail /var/log/exim4/mainlog

    …and see an error like:
    TLS error on connection from mail-ua0-f173.google.com [209.85.217.173] (cert/key setup: cert=/usr/local/vesta/ssl/certificate.crt key=/usr/local/vesta/ssl/certificate.key): Error while reading file.

    My fix:

    Run chmod 644 on the certificate files.

    I’m not a Linux admin and I don’t know if there is a better fix.

    Hope this helps someone.

  3. HI!
    I used the same on my servers (16.04 + 18.04) with only one hitch. The servers run steady for 60+ days. The Letsencrypt certificates renew nicely. However, VESTA will cache the “old” certificate and then present an expired certificate (even tough a valid one was installed automatically).
    Solution: I run a cron job once a month to restart Vesta (sudo systemctl restart vesta) wgich will catch the new certificate. ALL is good.

  4. This Works but How about the other domains login panel,so let’s say i add another domain and i want to login from that domain to the vestapanel. But i see no ssl there,just only on my maion domain and not in this other.

    Is there a way to secure with ssl every domain:port of vesta?

    Thanks

    1. Hi Andros, thanks for your comment!

      Based on my understanding of your comment I believe you are asking how to successfully install SSL certificates for multiple domains when accessing the Vesta control panel. For example, if you have two website owners on one server and you want them both to be able to access VestaCP under their own domain with a valid certificate.

      I have not had an in-depth look but I would say this is not easily possible since there is only one instance of VestaCP running at any given time. The only way to do this would be to install multiple SSL certificates or to run multiple instances of VestaCP which I do not believe is possible.

      You could potentially create a new virtual host for each new domain where you want a verified certificate on the VestaCP.

      Regarding your question about ports, yes, I believe it is possible to secure all VestaCP ports but you will have to configure each service separately (Web Server, Mail Server and FTP Server) but I cannot confirm since I have not had an in-depth look at this.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.