====== Install on Lenny, Bind, Courier and ISPConfig2 ======
I've started this installation using a precreated template of Debian 5 (Lenny) minimal, downloaded from: [[http://download.openvz.org/template/precreated/contrib/debian-5.0-i386-minimal.tar.gz|download.openvz.org]]
I've also followed the following howto from the gurus at [[http://www.howtoforge.com/|www.howtoforge.com]]:
* [[http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig2-p3|The Perfect Server - Debian Lenny (Debian 5.0) ISPConfig 2]]
===== 1 - Setup the Virtual Environment =====
Create a container based on the template just downloaded, specifying the hostname, IP address and nameserver, and give the root user a password:
vzctl create 1100 --ostemplate debian-5.0-i386-minimal --config vps.custom
vzctl set 1100 --hostname ic2.dw.lan --save
vzctl set 1100 --ipadd 192.168.0.100 --save
vzctl set 1100 --nameserver 192.168.0.22 --save
vzctl set 1100 --userpasswd root:your-root-password
This is the configuration file I've used:
nano /etc/vz/conf/1100.conf
# Configuration file generated by vzsplit for 16 VEs on HN with total amount of
# physical mem 2024 Mb, low memory 872 Mb, swap size 5938 Mb, Max treads 8000
# Resourse commit level 0:
# adjusted by kokk: VMGUARPAGES, OOMGUARPAGES, PRIVVMPAGES, DISKSPACE, DISKINODES
# Primary parameters
NUMPROC="500:500"
AVNUMPROC="139:139"
NUMTCPSOCK="500:500"
NUMOTHERSOCK="500:500"
VMGUARPAGES="288M:unlimited"
# Secondary parameters
OOMGUARPAGES="288M:unlimited"
PRIVVMPAGES="512M:1024M"
KMEMSIZE="11440947:12585041"
TCPSNDBUF="1765649:3813649"
TCPRCVBUF="1765649:3813649"
OTHERSOCKBUF="882824:2930824"
DGRAMRCVBUF="882824:882824"
# Auxiliary parameters
LOCKEDPAGES="558:558"
SHMPAGES="31093:31093"
PHYSPAGES="0:unlimited"
NUMFILE="4448:4448"
NUMFLOCK="444:488"
NUMPTY="50:50"
NUMSIGINFO="1024:1024"
DCACHESIZE="2487425:2562048"
NUMIPTENT="125:125"
# Disk quota parameters
DISKSPACE="20000M:22000M"
DISKINODES="200000:220000"
QUOTATIME="0"
# CPU fair sheduler parameter (OpenVZ consider one 1 GHz PIII Intel processor
# to be approximately equivalent to 50000 CPU units)
CPUUNITS="50000"
CPUS="1"
# Host parameters
ONBOOT="yes"
VE_ROOT="/var/lib/vz/root/$VEID"
VE_PRIVATE="/var/lib/vz/private/$VEID"
OSTEMPLATE="debian-5.0-i386-minimal"
ORIGIN_SAMPLE="vps.16"
HOSTNAME="ic2.dw.lan"
IP_ADDRESS="192.168.0.100"
NAMESERVER="192.168.0.22"
===== 2 - Updating the Virtual Environment =====
Start the container and enter as root
vzctl start 1100
vzctl enter 1100
Set the correct timezone, choosing the right value (mine is Europe/Rome):
dpkg-reconfigure tzdata
Make sure that your **/etc/apt/sources.list** contains the right links to the Debian repositories, like this:
nano /etc/apt/sources.list
## Debian Stable (Lenny)
deb http://ftp.it.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.it.debian.org/debian/ lenny main contrib non-free
## security updates
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free
## this is to always get the newest updates for the ClamAV virus scanner, this
## project publishes releases very often, and sometimes old versions stop working
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Update the apt package database and install updates:
apt-get update
Once I got an error related to GPG keys after adjusting **/etc/apt/sources.list**, so before proceeding I did this:
apt-get install debian-archive-keyring
Then I ran the update again, and the problem vanished:
apt-get update
Finally, install updates
apt-get -y upgrade
===== 3 - Install Some Software =====
Now we install a few packages that are needed later on. Run this as **one line**:
apt-get install -y binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
===== 4 - BIND9 DNS Server =====
To install BIND9 run:
apt-get install -y bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file **/etc/default/bind9** so that the daemon will run as the unprivileged user bind, chrooted to **/var/lib/named**, listening only on v4 IP addresses.
nano /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind -t /var/lib/named"
Create the necessary directories under **/var/lib**:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from **/etc** to **/var/lib/named/etc**:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location, to avoid problems when BIND gets updated in the future:
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and set ownership of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
Edit **/etc/rsyslog.d/bind-chroot.conf** adding the appropriate line so that we can still get important messages logged to the system logs:
nano /etc/rsyslog.d/bind-chroot.conf
[...]
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon and BIND, then check **/var/log/syslog** for errors:
/etc/init.d/rsyslog restart
/etc/init.d/bind9 start
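A check for the chroot steps above, as an added example that is not part of the original howto: it reads the **OPTIONS** line of a file in the **/etc/default/bind9** format and reports whether named is told to drop root, whether a chroot is set, and which of the four directories created above are missing. The function names and finding codes are hypothetical, and the demo runs against a constructed temporary directory rather than **/var/lib/named**.

```shell
#!/bin/sh
# Added example: verify the BIND chroot settings and directory layout.

# bind_option FILE FLAG: print the argument that follows FLAG (e.g. -u, -t)
# in the OPTIONS="..." line of a Debian /etc/default/bind9 style file.
bind_option() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1)
    set -- "$2" $opts            # $1 = wanted flag, rest = named's arguments
    want=$1; shift
    while [ $# -gt 0 ]; do
        if [ "$1" = "$want" ] && [ $# -ge 2 ]; then echo "$2"; return 0; fi
        shift
    done
    return 0
}

# check_bind_chroot FILE: print one finding per line, nothing if all is in place.
check_bind_chroot() {
    user=$(bind_option "$1" -u)
    jail=$(bind_option "$1" -t)
    if [ -z "$user" ] || [ "$user" = "root" ]; then echo "RUNS_AS_ROOT"; fi
    if [ -z "$jail" ]; then echo "NO_CHROOT"; return 0; fi
    # The directories this howto creates under the chroot.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$jail/$d" ]; then echo "MISSING_DIR $jail/$d"; fi
    done
    return 0
}

# Constructed demo: a temporary directory stands in for /var/lib/named.
jail_demo=$(mktemp -d)
printf 'RESOLVCONF=yes\nOPTIONS="-4 -u bind -t %s"\n' "$jail_demo" > "$jail_demo/bind9"
mkdir -p "$jail_demo/etc/bind" "$jail_demo/dev"   # only two of the four
check_bind_chroot "$jail_demo/bind9"              # lists the two missing ones
rm -rf "$jail_demo"
```

On the real system, run ''check_bind_chroot /etc/default/bind9'' after the last step.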
===== 5 - MySQL =====
In order to install MySQL, we run
apt-get install -y mysql-server mysql-client libmysqlclient15-dev
You will be asked to provide a password for the MySQL user **root**. This password is valid for **root@localhost** as well as **root@ic2.dw.lan**, so we don't have to specify a MySQL root password manually later.
If you want MySQL to listen on all interfaces, and not just localhost, edit **/etc/mysql/my.cnf** and add a comment in front of the line that begins with **bind-address**, like this:
nano /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Then restart MySQL
/etc/init.d/mysql restart
To check that networking is enabled, run
netstat -tap | grep mysql
The output should look like this
root@ic2:/# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 6612/mysqld
root@ic2:/#
===== 6 - Postfix With SMTP-AUTH And TLS =====
In order to install Postfix with SMTP-AUTH and TLS do the following steps:
apt-get install -y postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
You will be asked two questions. Answer as follows:
* General type of mail configuration: <- **Internet Site**
* System mail name: <- **ic2.dw.lan**
Then run
dpkg-reconfigure postfix
Again, you'll be asked some questions:
* General type of mail configuration: <- **Internet Site**
* System mail name: <- **ic2.dw.lan**
* Root and postmaster mail recipient: <- **[blank]**
* Other destinations to accept mail for (blank for none): <- **ic2.dw.lan, localhost.dw.lan, localhost**
* Force synchronous updates on mail queue? <- **No**
* Local networks: <- **127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128**
* Use procmail for local delivery? <- **Yes**
* Mailbox size limit (bytes): <- **0**
* Local address extension character: <- **+**
* Internet protocols to use: <- **ipv4**
Next, do this:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
You need to enter a password and remember it, then:
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
You need to answer the following questions
* Country Name (2 letter code) [AU]: <- **IT**
* State or Province Name (full name) [Some-State]: <- **Reggio Emilia**
* Locality Name (eg, city) []: <- **Bagnolo in Piano**
* Organization Name (eg, company) [Internet Widgits Pty Ltd]: <- **italmedia.net**
* Organizational Unit Name (eg, section) []: <- **Internet Server**
* Common Name (eg, YOUR name) []: <- **ic2.dw.lan**
* Email Address []: <- **k-root@rete.us**
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Again you need to enter a password and remember it. Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = ic2.dw.lan'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file **/etc/postfix/main.cf** should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ic2.dw.lan
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ic2.dw.lan, localhost.dw.lan, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in **/var/spool/postfix** we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit **/etc/default/saslauthd** in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):
adduser postfix sasl
Now restart Postfix and start saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type:
ehlo localhost
If you see these 2 lines everything is fine.
250-STARTTLS
250-AUTH LOGIN PLAIN
The output on my system looks like this:
ic2:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ic2.dw.lan ESMTP Postfix (Debian/GNU)
ehlo localhost
250-ic2.dw.lan
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
ic2:/etc/postfix/ssl#
To return to the system's shell type
quit
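With **smtpd_tls_auth_only = no**, the EHLO output above advertises AUTH LOGIN PLAIN on the unencrypted session, so a client may send its password before STARTTLS. The following added example (not part of the original howto) audits a main.cf for that condition; the function names and finding codes are hypothetical and the sample file is constructed from the settings shown above.

```shell
#!/bin/sh
# Added example: does this main.cf let clients send SASL credentials over an
# unencrypted SMTP session? Function names and finding codes are hypothetical.

# effective_value FILE PARAM: print the value Postfix would use for PARAM.
# Handles '#' comments, blank lines, continuation lines (leading whitespace)
# and the rule that the last definition of a parameter wins.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[name] = v
        }
        END { if (want in val) print val[want] }
    ' "$1"
}

# audit_main_cf FILE: print a finding code, or nothing if AUTH requires TLS.
audit_main_cf() {
    sasl=$(effective_value "$1" smtpd_sasl_auth_enable)
    auth_only=$(effective_value "$1" smtpd_tls_auth_only)
    level=$(effective_value "$1" smtpd_tls_security_level)
    use_tls=$(effective_value "$1" smtpd_use_tls)
    enforce=$(effective_value "$1" smtpd_enforce_tls)
    [ "$sasl" = "yes" ] || return 0      # no SMTP AUTH, nothing to expose

    # smtpd_tls_security_level, when set, overrides the two legacy switches.
    mode=none
    if [ "$use_tls" = "yes" ]; then mode=may; fi
    if [ "$enforce" = "yes" ]; then mode=encrypt; fi
    if [ -n "$level" ]; then mode=$level; fi

    case $mode in
        encrypt) ;;   # mandatory TLS implies smtpd_tls_auth_only = yes
        may) if [ "$auth_only" != "yes" ]; then echo "AUTH_BEFORE_STARTTLS"; fi ;;
        *)   echo "AUTH_WITHOUT_TLS" ;;
    esac
    return 0
}

# Constructed sample: the SASL/TLS lines of the main.cf shown above.
write_sample() {
    cat > "$1" <<'EOF'
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
echo "as configured:  $(audit_main_cf "$tmp")"
echo 'smtpd_tls_auth_only = yes' >> "$tmp"     # the later definition wins
echo "after override: $(audit_main_cf "$tmp")"
rm -f "$tmp"
```

On the real system, run ''audit_main_cf /etc/postfix/main.cf''; an empty result means AUTH is only accepted inside TLS.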
===== 7 - Courier-IMAP/Courier-POP3 =====
Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):
apt-get install -y courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0
You will be asked two questions:
* Create directories for web-based administration? <- **No**
* SSL certificate required <- **Ok**
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname **localhost**. To change this to the correct hostname (ic2.dw.lan in this tutorial), delete the certificates...
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
... and modify the following two files; replace CN=localhost with CN=ic2.dw.lan (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
[...]
CN=ic2.dw.lan
[...]
vi /etc/courier/pop3d.cnf
[...]
CN=ic2.dw.lan
[...]
Then recreate the certificates and restart Courier-IMAP-SSL and Courier-POP3-SSL:
mkimapdcert
mkpop3dcert
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
===== 8 - Apache, PHP5, Ruby, Python =====
Now we install Apache as follows
apt-get -y install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next install PHP5, Ruby, and Python (all three as Apache modules):
apt-get -y install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-suhosin php5-tidy php5-xcache php5-xmlrpc php5-xsl
Next we edit **/etc/apache2/mods-available/dir.conf** and change the **DirectoryIndex** line
nano /etc/apache2/mods-available/dir.conf
# DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.php index.html index.htm index.cgi
Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files: you will be prompted to download the .rb file instead. The same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open **/etc/mime.types** and comment out the **application/x-ruby** line:
nano /etc/mime.types
[...]
#application/x-ruby rb
[...]
Now .rb files will be executed and displayed in the browser, just like .rbx files. Next we are going to disable PHP. Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it. In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
To disable PHP globally, we edit **/etc/mime.types** and comment out the **application/x-httpd-php** lines:
nano /etc/mime.types
[...]
#application/x-httpd-php phtml pht php
#application/x-httpd-php-source phps
#application/x-httpd-php3 php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4 php4
[...]
Edit **/etc/apache2/mods-enabled/php5.conf** and comment out the following lines:
nano /etc/apache2/mods-enabled/php5.conf
# AddType application/x-httpd-php .php .phtml .php3
# AddType application/x-httpd-php-source .phps
Then restart Apache:
/etc/init.d/apache2 restart
**A note on Suhosin**
So that you don't spend 14 hours confused and frustrated like me, be sure that you are NOT submitting forms with lots of data (e.g. 100 form items--yes, I know they're huge by design) when using this setup. Suhosin won't allow that, and submits may FAIL SILENTLY.
After playing with standard php.ini POST settings for WAY too long, /var/log/apache2/error.log was the clue that solved this problem...
ALERT - configured POST variable limit exceeded - dropped variable 'field_agreement[0][value]' (attacker '192.168.10.13', file '/var/www/drupal/index.php'), referer: https://server.mycompany.com/node/add/agreement
The solution is simple, set these values:
nano /etc/php5/conf.d/suhosin.ini
[...]
suhosin.post.max_vars = 1000
suhosin.request.max_vars = 1000
[...]
===== 9 - Proftpd =====
In order to install Proftpd, run
apt-get -y install proftpd ucf
You will be asked a question:
* Run proftpd: <- **standalone**
For security reasons add the following lines to **/etc/proftpd/proftpd.conf** (thanks to Reinaldo Carvalho; more information can be found here: [[http://proftpd.org/localsite/Userguide/linked/userguide.html]]):
nano /etc/proftpd/proftpd.conf
[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
ISPConfig expects the configuration to be in **/etc/proftpd.conf** instead of **/etc/proftpd/proftpd.conf**, therefore we create a symlink:
ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf
Then restart Proftpd:
/etc/init.d/proftpd restart
===== 10 - Webalizer =====
To install webalizer, just run
apt-get -y install webalizer
Then open **/etc/webalizer/webalizer.conf** and change the line starting with **Incremental**, like this
[...]
Incremental yes
[...]
===== 11 - Some Perl modules needed by SpamAssassin (comes with ISPConfig) =====
Run
apt-get -y install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl libnetaddr-ip-perl libarchive-tar-perl
===== 12 - Install ISPConfig 2 =====
**A note on SuExec**\\
If you want to run CGI scripts under suExec, you should specify **/var/www** as the home directory for websites created by ISPConfig as Debian's suExec is compiled with **/var/www** as Doc_Root. Run
/usr/lib/apache2/suexec -V
and the output should look like this:
root@ic2:~# /usr/lib/apache2/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"
root@ic2:~#
Unpack the ISPConfig-archive and change to the directory install_ispconfig:
tar xvfz ISPConfig*.tar.gz
cd install_ispconfig
In this directory please check the file **dist.txt** and see if the values given there suit your Linux installation (they should be suitable for standard installations). If you change any values please be sure not to change the format of the file.
**Important**: Be sure to have installed gcc, flex and all the other tools needed for compiling sources before you run **./setup**! You also need to install the MySQL header files which normally come in a package called mysql-devel, mysql-dev, libmysql-devel or something similar. Otherwise PHP5 will not compile, and the installation of ISPConfig stops!
----
Workaround to get it to work on Debian Lenny:
Go to **compile_apps**, unpack openssl-0.9.7m.tar.gz, edit Configure and Makefile and change all instances of "-m486" to "-mtune=i486". To repack the folder run:
tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m
Remove the unpacked directory. Make sure you do this before running **./setup** on any upgrades in the future until this is fixed in the **./setup** package.
----
Then start the setup-script from there:
./setup
The installer will now compile an Apache with PHP5 that will run on port 81 and is needed by the ISPConfig system itself. It will not interfere with your existing Apache installation so you can go on unworried.
When the ISPConfig Apache is built, a custom SSL certificate is built. Therefore you are asked a few questions. You can accept the default values, or you can enter new values there, this does not matter:
{{http://www.ispconfig.org/wp-content/uploads/2010/05/installation1.png}}
In **step 7** ("Encrypting RSA private key of CA with a pass phrase for security [ca.key]") and **step 8** ("Encrypting RSA private key of SERVER with a pass phrase for security [server.key]") of the certificate creation process you are asked if you want to encrypt the respective key now. __Choose **n** there__ because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!
{{http://www.ispconfig.org/wp-content/uploads/2010/05/installation2.png}}
If the compilation fails, the setup is stopped and all compiled files are removed. From the error message you get you should be able to see the reason for the failure (in most cases a package, such as the MySQL header files, is missing). Try to solve the problem and then re-run **./setup**.