After ispconfig_upgrade, 502 on admin access but websites and mail are working

My ISPConfig server (Debian + Nginx + Mariadb) has been running for 4 years without problems with some 50 sites. Today I first updated Stretch to Buster and then ran the ispconfig_update.sh script. It appeared parts of PHP7.3 were missing: PHP Fatal error: 'Uncaught Error: Call to undefined function mysqli_connect()', also mentioned by others, so I installed these and ran the script again and got another error: 'Service 'mail_server' has not been detected (strongly recommended, currently enabled) do you want to disable it?' also mentioned by others. Then I logged in as 'su -' and ran the script again without errors. I rebooted the server and the sites and mail appear to work fine but when I access the admin on port 8080 I get an 502 (permission denied).
If I stop the php7.3-fpm service the error message is the same. I hope someone can help.

In /var/log/nginx/error.log:

Code:

2020/05/01 13:04:47 [crit] 6471#6471: *25091 connect() to unix:/var/lib/php7.3-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: <myserverip, server: _, request: "GET /?a HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.3-fpm/ispconfig.sock:", host: "<myserver>.com:8080"

/etc/nginx/sites-available/ispconfig.vhost:

Code:

ispconfig.vhost

        ...
        root   /usr/local/ispconfig/interface/web/;
        ...
        location ~ \.php$ {
               try_files $uri =404;
               include /etc/nginx/fastcgi_params;
               fastcgi_pass unix:/var/lib/php7.3-fpm/ispconfig.sock; <---------------------------
               fastcgi_index index.php;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               #fastcgi_param PATH_INFO $fastcgi_script_name;
               fastcgi_buffer_size 128k;
               fastcgi_buffers 256 4k;
               fastcgi_busy_buffers_size 256k;
               fastcgi_temp_file_write_size 256k;
               fastcgi_read_timeout 1200;
                           fastcgi_param HTTP_PROXY "";
        }

/etc/php/7.3/fpm/pool.d/ispconfig.conf

Code:

[ispconfig]

listen = /var/lib/php7.3-fpm/ispconfig.sock
listen.owner = ispconfig
listen.group = ispconfig
listen.mode = 0660

user = ispconfig
group = ispconfig

pm = dynamic
pm.max_children = 500
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 5

chdir = /

; php_admin_value[open_basedir] = /usr/local/ispconfig/interface:/usr/local/ispconfig/security:/usr/share:/var/lib/roundcube:/etc/roundcube:/usr/share/roundcube
php_admin_value[session.save_path] = /usr/local/ispconfig/interface/temp
php_admin_flag[magic_quotes_gpc] = off

php_admin_value[memory_limit] = -1
php_admin_value[max_execution_time] = 1200

/var/lib/php7.3-fpm/

Code:

srw-rw---- 1 ispapps   ispapps   0 May  1 13:59 apps.sock
srw-rw---- 1 ispconfig ispconfig 0 May  1 13:59 ispconfig.sock

 

Thank you for the fast response.
1) Do the dust upgrade. -> did this
2) Go through all steps of the perfect server guide to install the missing packages. -> did this
3) Do an ISPConfig update with reconfigure services. -> did this, see below
4) Login to ISPConfig -> Still get the 502 = Cannot login

???

Result of 3)

Code:

>> Update 

Operating System: Debian 10.0 (Buster) or compatible

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]:

Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /root/ispconfig_3_1_15p3/ispconfig3_install/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]:

Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:

Reconfigure Services? (yes,no,selected) [yes]:

Configuring Postfix
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring nginx
Configuring Apps vhost
Configuring Jailkit
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:

Create new ISPConfig SSL certificate (yes,no) [no]:

            

Reconfigure Crontab? (yes,no) [yes]:

Updating Crontab
Restarting services ...
Update finished.

 

I already mentoined this in the first post.
In /var/log/nginx/error.log:
2020/05/01 13:04:47 [crit] 6471#6471: *25091 connect() to unix:/var/lib/php7.3-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: <myserverip>, server: _, request: "GET /?a HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.3-fpm/ispconfig.sock:", host: "<myserver>.com:8080"

 

This is also in the first post:
ls -la /var/lib/php7.3-fpm/ispconfig.sock
srw-rw---- 1 ispconfig ispconfig 0 May 1 17:05 /var/lib/php7.3-fpm/ispconfig.sock

 

Brilliant, can log in again. Thank you so much and have a nice weekend!

/var/lib
...
drwxr-xr-x 2 root root 4096 May 1 18:23 php7.0-fpm
drwx------ 2 root root 4096 May 1 18:23 php7.3-fpm
...

Changed to:
...
drwxr-xr-x 2 root root 4096 May 1 18:23 php7.0-fpm
drwxr-xr-x 2 root root 4096 May 1 18:23 php7.3-fpm
...

I also made the permissions identical for the files in:

/etc/php7.0/fpm/pool.d
/etc/php7.3/fpm/pool.d

 

Hello, this problem is happening to me as well, after upgrading from ISPconfig 3.1.12 to the latest 3.2.

I'm using Debian 10, nginx, Mysql.

I've got a "502 Bad Gateway" seen in my web browser, as I try to log into the web admin interface of ISPconfig. In my nginx's error.log, the error message repeats, with each attempt:

Code:

2021/03/06 10:32:35 [crit] 2521#2521: *10 connect() to unix:/var/lib/php7.3-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: <my home ip>, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.3-fpm/ispconfig.sock:", host: "<my server ip>:8080"

Here are the perms of:
/var/lib/php7.3-fpm/

Code:

# ls -la /var/lib/php7.3-fpm/
total 8
drwx------  2 root      root      4096 Mar  6 10:27 .
drwxr-xr-x 58 root      root      4096 Mar  6 10:17 ..
srw-rw----  1 ispapps   ispapps      0 Mar  6 10:27 apps.sock
srw-rw----  1 ispconfig ispconfig    0 Mar  6 10:27 ispconfig.sock

...and the older /var/lib/php7.0-fpm/:

Code:

# ls -la /var/lib/php7.0-fpm/
total 8
drwxr-xr-x  2 root      root      4096 Mar  6 10:27 .
drwxr-xr-x 58 root      root      4096 Mar  6 10:17 ..
srw-rw----  1 ispapps   ispapps      0 Mar  6 10:27 apps.sock
srw-rw----  1 ispconfig ispconfig    0 Mar  6 10:27 ispconfig.sock

Yes, I did the following:

• apt dist-upgrade
• (as per the perfect server install) apt-get install php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap php7.3-cli php7.3-cgi php-pear mcrypt imagemagick libruby php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-tidy php7.3-xmlrpc php7.3-xsl memcached php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring memcached php7.3-soap php7.3-fpm php7.3-opcache php-apcu
• (as per the upgrade guide "Updating ISPConfig 3.1 to ISPConfig 3.2"): apt-get install bzip2 p7zip-full xz-utils lzip rar unrar-free goaccess dovecot-lmtpd

• (ensured this pointed to PHP 7.3): update-alternatives --config php
• (ensured this pointed to PHP 7.3): update-alternatives --config php-cgi
• "su -" before running "ispconfig_update.sh", and then later I also did a "ispconfig_update.sh --force", no luck
  
• (yes, I let it reconfigure my services): ispconfig_update.sh --force
• In my /etc/php/7.3/fpm/php.ini, I set:
  
  Code:

  cgi.fix_pathinfo=0
  
  ...and...
  
  date.timezone="Canada/Mountain"

htf_report.txt:

Code:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
 
[INFO] uptime:  10:48:08 up 20 min,  4 users,  load average: 0.00, 0.00, 0.00
 
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:          987Mi       468Mi       125Mi        15Mi       393Mi       355Mi
Swap:            0B          0B          0B
 
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.2


##### VERSION CHECK #####

[INFO] php (cli) version is 7.3.27-1~deb10u1

##### PORT CHECK #####

[WARN] Port 21 (FTP server) seems NOT to be listening
[WARN] Port 22 (SSH server) seems NOT to be listening

##### MAIL SERVER CHECK #####


##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
        Unknown process (nginx:) (PID 1013)
[INFO] I found the following mail server(s):
        Postfix (PID 2470)
[INFO] I found the following pop3 server(s):
        Dovecot (PID 2508)
[INFO] I found the following imap server(s):
        Dovecot (PID 2508)
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only           ()
Local           (Address)
[anywhere]:25           (2470/master)
[localhost]:61209               (530/python3)
[anywhere]:443          (1013/nginx:)
[anywhere]:993          (2508/dovecot)
[anywhere]:995          (2508/dovecot)
***.***.***.***:2244            (1060/sshd)
[localhost]:10023               (603/postgrey)
[localhost]:10024               (2500/amavisd-new)
[localhost]:10025               (2470/master)
[localhost]:10026               (2500/amavisd-new)
[localhost]:3306                (2235/mysqld)
[localhost]:10027               (2470/master)
[anywhere]:587          (2470/master)
[localhost]:11211               (535/memcached)
[anywhere]:110          (2508/dovecot)
[anywhere]:143          (2508/dovecot)
[anywhere]:80           (1013/nginx:)
[anywhere]:8080         (1013/nginx:)
[anywhere]:465          (2470/master)
[anywhere]:8081         (1013/nginx:)
*:*:*:*::*:25           (2470/master)
*:*:*:*::*:443          (1013/nginx:)
*:*:*:*::*:993          (2508/dovecot)
*:*:*:*::*:995          (2508/dovecot)
*:*:*:*::*:10023                (603/postgrey)
*:*:*:*::*:10024                (2500/amavisd-new)
*:*:*:*::*:10026                (2500/amavisd-new)
*:*:*:*::*:587          (2470/master)
[localhost]10           (2508/dovecot)
[localhost]43           (2508/dovecot)
*:*:*:*::*:80           (1013/nginx:)
*:*:*:*::*:8080         (1013/nginx:)
*:*:*:*::*:465          (2470/master)
*:*:*:*::*:8081         (1013/nginx:)




##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination                                   

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination                                   
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
RETURN     all  --  [anywhere]/0            [anywhere]/0                               

 

I also did numerous reboots along the way, after each little fix attempt. No luck either.