Hi everyone, I'm sorry for my English. I did a new install of ISPConfig with CentOS 7.6 as described in howtoforge perfect-server-centos-7.6 ... Then I wanted to add the SSL certificate to my main domain "hostname -f: archive.xxxxxxxx.it" and I followed the other howtoforge guide ... securing ispconfig ... free-lets-encrypt-ssl-certificate. After creating the domain equal to the hostname -f in the ISPConfig panel I activated the flags "SSL" and "Let's Encrypt" ... the Let's Encrypt certificates were created regularly, but when I view the website https://archive.xxxxxxxx.it I receive the usual unsafe certificate error; it seems to load the self-created certificate that expires in 364 days ... So I checked and tested the Let's Encrypt certificates and it looks like they were created correctly in the /etc/letsencrypt/live/archive.xxxxxxxx.it/ directory, and then I checked the files available for the sites and the sites enabled to see if the links are correct, and everything seems OK following the symbolic links ... So I tried to put a certificate on the admin panel as in the guide:
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
and the result is OK! https://archive.xxxxxxxx.it:8080 has a valid certificate! But the host name of the site, https://archive.xxxxxxxx.it, does not! Always invalid! After reinstalling the entire server twice and several tests I could not understand why ... I have other servers with Ubuntu and ISPConfig and I never encountered the problem; it's the first time I have tried CentOS ... Thanks everyone in advance!
Hi Taleman, thanks for your reply. I had already seen that post ... but my problem is not that I can't create the certificates, only that the certificate is not shown, as explained above ... I have not found answers in that post or in the log, because the certificates are created regularly ...
Yes, I wrote it that way because the forum does not allow me to post links ... I created the domain archive.xxxxxxxx.it and activated SSL, but if I look at the site https://archive.xxxxxxxx.it the certificate is invalid; then I copied the certificates for the admin panel, and if I look at https://archive.xxxxxxxx.it:8080 the certificate is OK! I hope you understand, I'm translating with Google ... :-( archive.xxxxxxxx.it: invalid certificate; archive.xxxxxxxx.it:8080: valid certificate, OK. Yes, the domain for which the certificate was requested is hostname -f: archive.xxxxxxxx.it. I have already done this on other Ubuntu servers and had no problems ... but following the guide perfect server centos 7.6 this happens ...
Have you created in ISPConfig website archive.xxxxxxxx.it and turned Let's Encrypt on for that site and it stays turned on? Does it show a certificate in browser, which certificate?
Yes, in the panel both flags, SSL + LETS ENCRYPT, remain correctly active. Certificate details in the browser: name: archive.xxxxxxx.it, Organization: someorganisation, validity: started July 14, 2019, ends 13 July 2020. 1 year? ... It seems to be the certificate self-generated during the ISPConfig installation ... while on archive.xxxxxx.it:8080 it is verified by Let's Encrypt and expires October 13, 2019; 3 months is OK! I did not understand how the browser loads the incorrect certificate ... As I said, I checked the Apache configuration files and they link to the correct folder where the correct Let's Encrypt certificates are, and I also tested the individual certificate files with an online test site and they are correct and issued by Let's Encrypt. I have been using ISPConfig on other servers for several years and I have hundreds of active domains, but in this case, after having reinstalled everything 2 times without errors, it seems to me to be a bug, or they have changed something in the latest updates of CentOS 7.6 which causes this error. I have no experience with CentOS; I have only done a new clean installation, created the domain as the hostname and activated SSL ... Thanks, Taleman, for the help.
The Linux structure for CentOS is not the same as for Debian or its derivatives (Ubuntu etc.). You must make the necessary modifications where and when they are needed.
Hi Ahrasis, I am certainly aware that they are not the same; in fact I followed the specific guide: https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/ What further changes do I need to make to solve the problem?
This is what I get if I test the site with https://www.sslshopper.com/ssl-checker.html:
------------------------------------------------------------------------------------------------------
The hostname (archive.xxxxxxxxxx.it) is correctly listed in the certificate.
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
Common name: archive.xxxxxxx.it
Organization: SomeOrganization
Org. Unit: SomeOrganizationalUnit
Location: SomeCity, SomeState, --
Valid from July 14, 2019 to July 13, 2020
Serial Number: 10588 (0x295c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: archive.xxxxxxxxx.it
Common name: Let's Encrypt Authority X3
Organization: Let's Encrypt
Location: US
Valid from March 17, 2016 to March 17, 2021
Serial Number: 0a0141420000015385736a0b85eca708
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3
Server Type: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 mod_python/3.5.0- Python/2.7.5 PHP/7.2.20
The certificate will expire in 363 days.
------------------------------------------------------------------------------------------------------
Did you select * or the IP address in the website archive.xxxxxxxx.it in ISPConfig? Most likely you have an additional default SSL vhost which uses the self-signed certificate and has a higher priority.
Hi Till, thanks for your reply ... I had selected the IP address; now I have also tried with * but the problem is not solved ... In the httpd/sites-enabled folder there are: 000-apps.vhost, 000-ispconfig.vhost, 000-ispconfig.conf, 100-archive.xxxxxxxxxxx.it.vhost. In the httpd/sites-available folder there are: apps.vhost, ispconfig.vhost, ispconfig.conf, archive.xxxxxxxxxxx.it.vhost. Can I try to delete ispconfig.vhost, or will that freeze everything? Are there other ways to force the priority? ... Thank you
The website setting "IPv4-Address" must be the same on all websites. Have you checked it is now "*" in all websites?
Hi Taleman, the server is new, there are no other sites, only the one for the hostname, and it is set with * ... If it helps to understand the problem I can send the user and password in private ... Thank you
I am not familiar with CentOS, though securing ISPConfig should be straightforward. What I think you should check is whether there is any minor mistake or difference in your hostname FQDN, either on the server or in the letsencrypt folder.
Hi Ahrasis, I tried to look but it all seems OK with the hostname; can you be more precise about which files you mean? I don't know what to look at or how to proceed to a solution. I didn't want to format and reinstall everything with Ubuntu ... but I'm losing hope ... PS: Is it not possible to force the use of the correct certificate?
Try editing the /etc/httpd/conf.d/ssl.conf file, set the paths to the ssl cert to the ones from your LE ssl cert (/etc/letsencrypt/live/...... ) and restart httpd.
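Added example, not part of the original thread: a small shell function that lists every SSLCertificateFile, SSLCertificateKeyFile or SSLCertificateChainFile directive in Apache config files that does not point at the Let's Encrypt live directory for a given hostname, together with the vhost it sits in, which is the mismatch the ssl.conf edit above corrects. The function name, the hostname archive.example.test and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# audit_ssl_paths FQDN FILE...
# Prints "file:line: vhost: directive path" for each certificate directive
# whose path is not under /etc/letsencrypt/live/FQDN/.
audit_ssl_paths() {
    local fqdn=$1; shift
    awk -v want="/etc/letsencrypt/live/$fqdn/" '
        FNR == 1 { vhost = "(global)" }          # reset scope for each file
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        tolower($1) == "<virtualhost"   { vhost = $2; sub(/>$/, "", vhost) }
        tolower($1) == "</virtualhost>" { vhost = "(global)" }
        tolower($1) ~ /^sslcertificate(key|chain)?file$/ {
            path = $2; gsub(/"/, "", path)       # directive values may be quoted
            if (index(path, want) != 1)
                printf "%s:%d: %s: %s %s\n", FILENAME, FNR, vhost, $1, path
        }
    ' "$@"
}

# Constructed sample of a default SSL vhost file (not taken from the thread):
# the certificate still points at a locally generated file, the key does not.
sample_conf() {
    cat <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCertificateFile /old/commented/out.crt
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/letsencrypt/live/archive.example.test/privkey.pem
</VirtualHost>
EOF
}

demo_file=$(mktemp)
sample_conf > "$demo_file"
audit_ssl_paths archive.example.test "$demo_file"
rm -f "$demo_file"
```

On a real server the function would be pointed at /etc/httpd/conf.d/ssl.conf and the vhost files in sites-enabled, with `$(hostname -f)` as the first argument; an empty result means every certificate directive already references the Let's Encrypt directory.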
Great, Till ... OK, it works! I don't think I will have problems with automatic certificate renewal this way, right? Thanks again, Till