Hi, I have installed ISPConfig on Ubuntu Server 16.04 following the tutorial. I have added a second IP for hosting two https sites. I have also forwarded two public IPs to the server. I have created some test sites on the main IP address and I am trying to create an https site on the second IP address. I made this test:
- opening the main private IP address I can access the test site in http and https
- opening the main public IP address I can access the test site in http and https
- opening the second private IP address I can access the site in http, but on https I get ERR_SSL_PROTOCOL_ERROR
- opening the second public address I can access the http site, but on https I receive ERR_SSL_PROTOCOL_ERROR
Where am I wrong? Thank you.
Thank you for your reply. Sorry, I'm a newbie. In the SSL tab of the site on the secondary IP I have created a certificate and the SSL request, SSL certificate and SSL key boxes are full of text, but nothing. Opening it with Firefox I also get SSL_ERROR_RX_RECORD_TOO_LONG.
Ok, this normally means that there is no valid SSL cert and therefore SSL could not be activated. You can try to save the SSL cert again by selecting "save certificate" as action on the SSL tab and then pressing save. If it does not work after about 1-2 minutes, then check if there is a copy of the vhost file in the sites-enabled directory with a .err file ending.
Thank you for your reply. I tried "save certificate" but nothing. Yes, there is a .err file for that vhost.
Try to rename the .vhost file to e.g. vhost.bak, then rename the vhost.err file to .vhost. Then try to restart apache; it will show you the error message explaining why the restart fails (which is the reason why ISPConfig is not able to save / activate the SSL cert).
This is the error.log file
Code:
[Tue May 16 06:11:02.401728 2017] [auth_digest:notice] [pid 22801] AH01757: generating secret for digest authentication ...
[Tue May 16 06:11:02.403579 2017] [:notice] [pid 5027] FastCGI: process manager initialized (pid 5027)
[Tue May 16 06:11:02.454698 2017] [:error] [pid 22801] python_init: Python version mismatch, expected '2.7.6', found '2.7.12'.
[Tue May 16 06:11:02.454903 2017] [:error] [pid 22801] python_init: Python executable found '/usr/bin/python'.
[Tue May 16 06:11:02.454923 2017] [:error] [pid 22801] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
[Tue May 16 06:11:02.454967 2017] [:notice] [pid 22801] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Tue May 16 06:11:02.454992 2017] [:notice] [pid 22801] mod_python: using mutex_directory /tmp
[Tue May 16 06:11:02.480189 2017] [ssl:warn] [pid 22801] AH01906: ***.it:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 16 06:11:02.480391 2017] [ssl:error] [pid 22801] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=m@***.it,CN=***.it,O=
[Tue May 16 06:11:02.480422 2017] [ssl:error] [pid 22801] AH02604: Unable to configure certificate ***.it:8080:0 for stapling
[Tue May 16 06:11:02.480590 2017] [mpm_prefork:notice] [pid 22801] AH00163: Apache/2.4.18 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.7.12 OpenSSL/1.0.2g configured -- resuming normal operations
[Tue May 16 06:11:02.480618 2017] [core:notice] [pid 22801] AH00094: Command line: '/usr/sbin/apache2'
[Tue May 16 06:11:02.480710 2017] [mpm_prefork:warn] [pid 22801] AH00167: long lost child came home! (pid 22804)
[Tue May 16 10:46:08.142573 2017] [mpm_prefork:notice] [pid 22801] AH00169: caught SIGTERM, shutting down
Normally the error is shown on the shell, not in the log, for SSL errors. Did apache start without issues? If not, then the SSL cert is broken or the SSL cert and key do not match: apache fails silently in that case, and ISPConfig detects that and prevents the new broken config from being written. If apache did not start, rename the config files back to their original names, then log in to ISPConfig and delete the current SSL cert and create a new one. In case you created the SSL cert outside, check what you copied: either the SSL cert is incomplete or you entered a wrong SSL cert / key pair.
Code:
mag 16 10:46:08 systemd[1]: Stopped LSB: Apache2 web server.
mag 16 10:46:08 systemd[1]: Starting LSB: Apache2 web server...
mag 16 10:46:08 apache2[15043]:  * Starting Apache httpd web server apache2
mag 16 10:46:09 apache2[15043]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
mag 16 10:46:09 apache2[15043]: Action 'start' failed.
mag 16 10:46:09 apache2[15043]: The Apache error log may have more information.
mag 16 10:46:09 apache2[15043]:  *
mag 16 10:46:09 apache2[15061]:  * Stopping Apache httpd web server apache2
mag 16 10:46:09 apache2[15061]:  *
mag 16 10:46:09 systemd[1]: Started LSB: Apache2 web server.
This is the output on the console. I renamed the vhost and I deleted, created and saved a new certificate from the SSL tab, but nothing, sorry.
Ok. That there is no further error indicates that the SSL cert is broken or has a wrong key and therefore cannot be read by apache. You can e.g. check if the SSL cert files exist and if they contain a valid cert, and you can e.g. test if the SSL cert and key match.
Sorry, I'm a newbie. This is the output of ls on the ssl folder
Code:
drwxr-xr-x 2 root root   21 mag 16 11:39 .
drwxr-xr-x 9 root root    9 mag  8 16:48 ..
-rw-r--r-- 1 root root 1387 mag 16 11:39 ***.it.crt
-rw-r--r-- 1 root root 1363 mag 16 11:39 ***.it.crt~
-rw-r--r-- 1 root root 1082 mag 16 11:39 ***.it.csr
-rw-r--r-- 1 root root 1100 mag 16 11:39 ***.it.csr.err
-r-------- 1 root root 1702 mag 16 11:39 ***.it.key
-r-------- 1 root root 1675 mag 16 11:39 ***.it.key~
-r-------- 1 root root 1706 mag 15 21:19 ***.it.key.bak
-r-------- 1 root root 1743 mag 16 11:37 ***it.key.org
-r-------- 1 root root 1743 mag 16 11:39 ***.it.key.org~
-r-------- 1 root root 1751 mag  8 18:54 ***.it.key.org.bak
lrwxrwxrwx 1 root root   52 mag  8 17:51 ***.it-le.bundle -> /etc/letsencrypt/live/***.it/chain.pem
-rw-r--r-- 1 root root 1647 mag 16 11:39 ***.it-le.bundle.err
-r-------- 1 root root 1647 mag  8 17:51 ***.it-le.bundle.old.20170508155117
lrwxrwxrwx 1 root root   51 mag  8 17:51 ***.it-le.crt -> /etc/letsencrypt/live/***.it/cert.pem
-rw-r--r-- 1 root root 2191 mag 16 11:39 ***.it-le.crt.err
-r-------- 1 root root 2191 mag  8 17:51 ***.it-le.crt.old.20170508155117
lrwxrwxrwx 1 root root   54 mag  8 17:51 ***.it-le.key -> /etc/letsencrypt/live/***it/privkey.pem
-r-------- 1 root root 1679 mag 16 11:39 ***.it-le.key.err
-r-------- 1 root root 1679 mag  8 17:51 ***.it-le.key.old.20170508155117
Which files do I have to compare?
You seem to use LE for SSL plus the SSL tab settings, but these may not be mixed. Either use LE or create an SSL cert on the SSL tab, but don't mix them or you might get SSL problems like the ones described in this thread. When LE is on, then the SSL tab may not be used at all, and when you use the SSL tab to create an SSL cert, then do not enable LE. To find out which certs are actually used at the moment, take a look into the vhost.err file; you can find the path of the currently used SSL cert in the port 443 vhost.
Sorry!
Code:
SSLCertificateFile /var/www/clients/client1/web6/ssl/***.it-le.crt
SSLCertificateKeyFile /var/www/clients/client1/web6/ssl/***.it-le.key
SSLCertificateChainFile /var/www/clients/client1/web6/ssl/***.it-le.bundle
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Ok, so you are using Letsencrypt here and not a self-created SSL certificate. It might be that letsencrypt has changed the file names due to multiple tries and switching between SSL modes. Check with:
ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt
ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key
to which file in /etc/letsencrypt/live/ the symlinks are pointing and if that target file exists. If it does not exist, then check in /etc/letsencrypt/live/ how the current file for this subdomain is named.
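The checks suggested in the last few replies (do the cert and key files exist, is the symlink target still there, do cert and key match, which cert does the port-443 vhost actually use) can be scripted. The script below is an added example and is not code from the thread or from ISPConfig; it only uses `openssl`, `awk` and `readlink`, takes the vhost file as an argument, and every path in it is a placeholder. The `cert_is_ca` check corresponds to the AH01906 warning in the posted error.log: a bare `openssl req -x509` self-signed certificate carries `CA:TRUE`, which Apache flags because a server certificate is expected to be `CA:FALSE`.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): checks a practitioner
# runs when Apache refuses to load an SSL vhost. Paths are placeholders.

# Exit 0 when PATH is a symlink whose target is missing. This is what happens
# when the Let's Encrypt lineage is renamed (e.g. "<domain>-0001") while the
# web's ssl/ directory still links to the old name.
is_dangling_symlink() {
    [ -L "$1" ] && [ ! -e "$1" ]
}

# Exit 0 when the certificate and the private key carry the same public key.
# Both commands print the SubjectPublicKeyInfo as PEM, so a byte comparison
# works for RSA and EC keys alike (unlike the classic RSA-modulus trick).
cert_key_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Exit 0 when the certificate is marked as a CA (Apache warning AH01906).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Read the first SSLCertificateFile / SSLCertificateKeyFile directives from a
# vhost file (the same directives the port-443 vhost in the thread shows) and
# run the checks above on them. Prints one line per finding; exit 0 = all good.
check_vhost_ssl() {
    vhost="$1"
    cert=$(awk '$1 == "SSLCertificateFile" { print $2; exit }' "$vhost")
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2; exit }' "$vhost")
    status=0
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "no SSLCertificateFile/SSLCertificateKeyFile in $vhost"
        return 1
    fi
    for f in "$cert" "$key"; do
        if is_dangling_symlink "$f"; then
            echo "dangling symlink: $f -> $(readlink "$f")"; status=1
        elif [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"; status=1
        fi
    done
    [ "$status" -eq 0 ] || return "$status"
    if ! cert_key_match "$cert" "$key"; then
        echo "certificate and key do not match: $cert / $key"; status=1
    fi
    if cert_is_ca "$cert"; then
        echo "warning: $cert is a CA certificate, not a server certificate"
    fi
    return "$status"
}

# Usage (placeholder path; the .err copy is the config Apache refused):
#   check_vhost_ssl /etc/apache2/sites-enabled/100-example.invalid.vhost.err
```

Run it against the `.vhost.err` copy, since that file holds the configuration ISPConfig could not activate; an empty output and exit status 0 means the cert files themselves are fine and the problem lies elsewhere in the vhost.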
Thank you for your reply!
Code:
ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt
lrwxrwxrwx 1 root root 51 mag 17 08:11 /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt -> /etc/letsencrypt/live/clienti.madsystem.it/cert.pem
ale@madws:~$ ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key
lrwxrwxrwx 1 root root 54 mag 17 08:11 /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key -> /etc/letsencrypt/live/clienti.madsystem.it/privkey.pem
ale@madws:~$
Code:
ls -al /etc/letsencrypt/live
totale 19
drwx------ 5 root root 5 mag  8 17:51 .
drwxr-xr-x 8 root root 9 ago 27  2016 ..
drwxr-xr-x 2 root root 6 apr 25 05:00 clienti.madsystem.it
drwxr-xr-x 2 root root 6 mag  8 17:51 clienti.madsystem.it-0001
Code:
ls -al /etc/letsencrypt/live/clienti.madsystem.it
totale 3
drwxr-xr-x 2 root root  6 apr 25 05:00 .
drwx------ 5 root root  5 mag  8 17:51 ..
lrwxrwxrwx 1 root root 44 apr 25 05:00 cert.pem -> ../../archive/clienti.madsystem.it/cert5.pem
lrwxrwxrwx 1 root root 45 apr 25 05:00 chain.pem -> ../../archive/clienti.madsystem.it/chain5.pem
lrwxrwxrwx 1 root root 49 apr 25 05:00 fullchain.pem -> ../../archive/clienti.madsystem.it/fullchain5.pem
lrwxrwxrwx 1 root root 47 apr 25 05:00 privkey.pem -> ../../archive/clienti.madsystem.it/privkey5.pem
Looks fine so far. Do you have any custom apache directives in the apache directives field of the website? And please post the output of:
apachectl -S
Code:
apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
VirtualHost configuration:
192.168.200.47:80      *****.***it (/etc/apache2/sites-enabled/100-***.***.it.vhost:7)
192.168.200.48:443     ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:121)
192.168.200.48:80      is a NameVirtualHost
         default server ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:7)
         port 80 namevhost ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:7)
                 alias www.###.it
         port 80 namevhost ***1.***.it (/etc/apache2/sites-enabled/900-***1.***.it.vhost:7)
                 wild alias *.***1.***.it
         port 80 namevhost test2.madsystem.it (/etc/apache2/sites-enabled/900-test2.madsystem.it.vhost:7)
                 wild alias *.test2.madsystem.it
*:8081                 madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080                 madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost test3.madsystem.it (/etc/apache2/sites-enabled/900-test3.madsystem.it.vhost:7)
                 wild alias *.test3.madsystem.it
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33