reinstall postfix after securing-short question

Discussion in 'Installation/Configuration' started by fxs, Jan 24, 2012.

  1. fxs

    fxs New Member

    Hi,

    I'm on debian 6 ispconfig3.042 roundcube apache2 (kernel version OVH)
    The background (in short):
    I followed the tutorial Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL.
    Apache 2 failed and everything was down.

    To restart I had to use:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    The short urgent question
    Webmail is down because it wants certificates. How can I cancel these lines?
    For now I would like to restart postfix/dovecot.

    Thanks for your help
    best regards
     
  2. fxs

    fxs New Member

    This night I tried a couple of times to secure ISPConfig 3 and failed.
    In addition the websites were down for hours. I got these lines:
    My feeling is that there are two (coincidental?) problems:

    1) The computer doesn't understand the key given by StartSSL (it looks for something named like xxxxxxx.ovh.net.crt and xxxxxxx.ovh.net.key and not for something including the domain name (apache log)).
    Then this error forces apache2 to crash.
    So I decided to disable SSL.

    2) in the apache log, there is also this message:
    What’s wrong? What does it mean? How to solve that?

    To disable SSL I commented out some lines (default-ssl):
    Code:
            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            >>>>>>>># SSLEngine on
    
            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            # SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
            # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
            >>>>>>>#  SSLCertificateFile /etc/ssl/certs/xxxxxxx.ovh.net.crt
            >>>>>>>#  SSLCertificateKeyFile /etc/ssl/private/xxxxxxx.ovh.net.key
    
    and ispconfigvhost
    Code:
    # SSL Configuration
    >>>>>>>>#  SSLEngine On
    >>>>>>>#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    >>>>>>>#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.ke
    
    Is it safe to do that?
    Is there a better way to disable SSL?

    Do I have something else to do?

    thanks for any inputs

    best regards
     
  3. falko

    falko Super Moderator Howtoforge Staff

    Can you post the outputs of ls -la /usr/local/ispconfig/interface/ssl/ and ls -la /etc/postfix/?

    What's in your ISPConfig vhost?
     
  4. fxs

    fxs New Member

    hello

    ls -la /usr/local/ispconfig/interface/ssl/

    ls -la /etc/postfix/

    content of ISPConfig vhost

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################
    
     Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
      ServerAdmin webmaster@localhost
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options Indexes FollowSymLinks MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          AddHandler fcgid-script .php
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Order allow,deny
          Allow from all
        </Directory>
      </IfModule>
    
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
              php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    
      # SSL Configuration
    #  SSLEngine On
    #  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    #  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    # ## must be re-added after an ISPConfig update!!!
    #  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
    
    </VirtualHost>
    
    <Directory /var/www/php-cgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <Directory /var/www/php-fcgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    Thanks

    best regards
     
  5. fxs

    fxs New Member

    I thought there was a mistake here: sub.class1.server.ca.pem.1
    (see prev thread)
    Then I corrected it
    and got again
    I commented again and restarted. This is the apache log
    I see the double errors again.
    It also looks like this discussion: http://www.howtoforge.com/forums/showthread.php?t=55522.
     
  6. fxs

    fxs New Member

    I forgot to display these error messages:
    Thanks for your help
     
  7. falko

    falko Super Moderator Howtoforge Staff

    Where are smtpd.key and smtpd.cert? They are not in your output...
     
  8. fxs

    fxs New Member

    Hello,

    I made a clean installation starting from point zero.
    Then I followed the tutorial from point 1 to 4.
    Then there was a crash.
    Then I stopped at point 4.

    Point 6: cd /etc/postfix
    mv smtpd.cert smtpd.cert_bak
    mv smtpd.key smtpd.key_bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

    The following morning I forgot to create smtpd.cert and ispserver.key smtpd.key again.

    I will try again at midnight with these keys to see if anything changes.
    In addition, I'll give it a try on a second server with the same config to see what happens.

    Thanks
     
  9. fxs

    fxs New Member

    On the second server (smallest, but with Debian 6, ISP 3 (OVH) upgraded to 3.042), this is what I get

    and later

    And inside ispconfig.vhost I see

     
  10. falko

    falko Super Moderator Howtoforge Staff

    What do you mean with "crash"?

    Why do you want to create these again? :confused:
     
  11. fxs

    fxs New Member

    You're absolutely right. In this situation, this term is a misnomer. The computer works well, but Apache2 is down.

    We have two servers with Debian 6 and ISPConfig. The other has version 3; we upgraded it and tried your tutorial again to see what happens. We get the same error messages and problems.
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Please check Apache's error log.

    My guess is you did something wrong when you concatenated the intermediate certificates from StartSSL.
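
A structural check for the kind of concatenation mistake suggested above, added here as an example and not taken from the thread or the tutorial. It assumes the chain file should hold only CERTIFICATE blocks; `lint_pem_bundle`, `check_body`, `fake_cert` and the sample bundles are constructed for illustration.

```python
import base64
import binascii
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def check_body(label, body, lineno):
    """Validate one block: certificate label, clean base64, DER SEQUENCE tag."""
    if label != "CERTIFICATE":
        return ["line %d: unexpected %s block in a chain file" % (lineno, label)]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return ["line %d: block body is not valid base64" % lineno]
    return [] if der[:1] == b"\x30" else ["line %d: body is not DER" % lineno]

def lint_pem_bundle(text):
    """Return the structural problems found in a concatenated PEM file."""
    problems, open_label, body = [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        markers = MARKER.findall(line)
        if len(markers) > 1:
            # "cat a b" where a lacks a final newline glues END onto BEGIN
            problems.append("line %d: END and BEGIN markers fused" % lineno)
        elif not markers and open_label:
            body.append(line.strip())
        for kind, label in markers:
            if kind == "BEGIN":
                if open_label:
                    problems.append("line %d: previous block never ended" % lineno)
                open_label, body = label, []
            elif open_label != label:
                problems.append("line %d: END without matching BEGIN" % lineno)
                open_label = None
            else:
                problems += check_body(label, body, lineno)
                open_label = None
    if open_label:
        problems.append("end of file: %s block never ended" % open_label)
    return problems

def fake_cert(seed):
    """Constructed stand-in (DER SEQUENCE tag plus filler), not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x00\x20" + bytes([seed]) * 32).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % b64

GOOD = fake_cert(1) + "\n" + fake_cert(2) + "\n"
FUSED = fake_cert(1) + fake_cert(2) + "\n"  # first file had no trailing newline
```

An empty result means the file is well-formed as a PEM container only; it does not show that the certificates chain to each other or match the private key.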
     
  13. fxs

    fxs New Member

    You have the apache.log above.

    In addition, I saw in the apache.log the string:
    Invalid method in request \x16\x03\x01
    That means there is probably an error in httpd.conf. The fix could be to specify the port in all of the VirtualHost & NameVirtualHost directives in the apache httpd config or something else.

    Maybe it explains the lines (in apache.log):
    Is this file (port.conf) correct?
    Code:
    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default
    # This is also true if you have upgraded from before 2.2.9-3 (i.e. from
    # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
    # README.Debian.gz
    
    NameVirtualHost *:80
    Listen 80
    
    <IfModule mod_ssl.c>
        # If you add NameVirtualHost *:443 here, you will also have to change
        # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
        # to <VirtualHost *:443>
        # Server Name Indication for SSL named virtual hosts is currently not
        # supported by MSIE on Windows XP.
    Listen 443
    </IfModule>
    
    <IfModule mod_gnutls.c>
    Listen 443
    </IfModule>
    Thank you for giving me your input
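
What the logged bytes decode to, as an added example that is not part of the thread: `\x16\x03\x01` is the start of a TLS record (content type 0x16 = handshake, version 3.1 = TLS 1.0), which Apache logs this way when a client speaks HTTPS to a listener that is answering in plain HTTP, for instance a port whose `SSLEngine` line has been commented out. The sample log lines and the names `unescape`, `classify` and `triage` are constructed for illustration.

```python
import re

# TLS record header: 1-byte content type, then 2-byte protocol version.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
INVALID = re.compile(r"\[client ([^\]]+)\] Invalid method in request (.*)$")
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(text):
    """Turn the log's backslash-x escapes back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1", "replace"))


def classify(line):
    """Return (client, verdict) for an 'Invalid method' line, else None."""
    m = INVALID.search(line)
    if not m:
        return None
    raw = unescape(m.group(2))
    if len(raw) >= 3 and raw[0] in CONTENT_TYPES and tuple(raw[1:3]) in VERSIONS:
        return m.group(1), "TLS %s record (%s) on a plain-HTTP listener" % (
            CONTENT_TYPES[raw[0]], VERSIONS[tuple(raw[1:3])])
    return m.group(1), "malformed request, not TLS"


def triage(lines):
    """Group verdicts by client so repeated HTTPS-to-HTTP hits stand out."""
    hits = {}
    for client, verdict in filter(None, map(classify, lines)):
        hits.setdefault(client, []).append(verdict)
    return hits


# Constructed lines in Apache 2.2 error-log layout (not from the thread).
SAMPLE_LOG = r"""
[Tue Jan 24 23:58:01 2012] [error] [client 192.0.2.10] Invalid method in request \x16\x03\x01
[Tue Jan 24 23:58:07 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Tue Jan 24 23:59:12 2012] [error] [client 192.0.2.44] Invalid method in request FOO\x00BAR / HTTP/1.1
""".strip().splitlines()
```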
     
