Hi, since upgrading my host to Ubuntu 18.04 LTS and running the ISPConfig update, SSL has stopped working. When I add a new domain to the control panel I'm getting a 403 page, and the SSL boxes stay unticked once I look back at the settings.
https://www.howtoforge.com/communit...rking-after-server-upgrade.86959/#post-422439 https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
Thanks for the reply,
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 18.04.5 LTS
[INFO] uptime: 19:01:31 up 5:26, 1 user, load average: 0.13, 0.09, 0.02
[INFO] memory:
total used free shared buff/cache available
Mem: 3.4G 1.6G 449M 31M 1.4G 1.6G
Swap: 2.1G 2.2M 2.1G
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.2.4
##### VERSION CHECK #####
[INFO] php (cli) version is 7.2.24-0ubuntu***.***.***.***
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.2.24
##### PORT CHECK #####
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 27143)
[INFO] I found the following mail server(s):
Postfix (PID 2127)
[INFO] I found the following pop3 server(s):
Dovecot (PID 1324)
[INFO] I found the following imap server(s):
Dovecot (PID 1324)
[INFO] I found the following ftp server(s):
PureFTP (PID 4177)
##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:993 (1324/dovecot)
[anywhere]:995 (1324/dovecot)
[localhost]:10024 (7729/amavisd-new)
[localhost]:10025 (2127/master)
[localhost]:10026 (7729/amavisd-new)
[localhost]:10027 (2127/master)
[anywhere]:587 (2127/master)
[localhost]:11211 (1106/memcached)
[localhost]:6379 (1218/redis-server)
[anywhere]:110 (1324/dovecot)
[anywhere]:143 (1324/dovecot)
[anywhere]:465 (2127/master)
[anywhere]:21 (4177/pure-ftpd)
***.***.***.***:53 (1032/named)
[localhost]:53 (1032/named)
***.***.***.***:53 (819/systemd-resolve)
[anywhere]:22 (1349/sshd)
[anywhere]:25 (2127/master)
[localhost]:953 (1032/named)
*:*:*:*::*:993 (1324/dovecot)
*:*:*:*::*:995 (1324/dovecot)
*:*:*:*::*:10023 (4216/postgrey)
*:*:*:*::*:10024 (7729/amavisd-new)
*:*:*:*::*:3306 (3785/mysqld)
*:*:*:*::*:10026 (7729/amavisd-new)
*:*:*:*::*:587 (2127/master)
*:*:*:*::*:6379 (1218/redis-server)
[localhost]10 (1324/dovecot)
[localhost]43 (1324/dovecot)
*:*:*:*::*:8080 (27143/apache2)
*:*:*:*::*:80 (27143/apache2)
*:*:*:*::*:8081 (27143/apache2)
*:*:*:*::*:465 (2127/master)
*:*:*:*::*:21 (4177/pure-ftpd)
*:*:*:*::*:53 (1032/named)
*:*:*:*::*:22 (1349/sshd)
*:*:*:*::*:25 (2127/master)
*:*:*:*::*:953 (1032/named)
*:*:*:*::*:443 (27143/apache2)
##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465
f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN all -- [anywhere]/0 [anywhere]/0
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN all -- [anywhere]/0 [anywhere]/0
##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt
Letsencrypt log:
Code:
2021-05-12 13:44:14,609:DEBUG:certbot.main:certbot version: 0.27.0
2021-05-12 13:44:14,610:DEBUG:certbot.main:Arguments: []
2021-05-12 13:44:14,610:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-12 13:44:14,618:DEBUG:certbot.log:Root logging level set at 20
2021-05-12 13:44:14,618:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:No candidate plugin
2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2021-05-12 13:46:35,172:DEBUG:certbot.main:certbot version: 0.27.0
2021-05-12 13:46:35,173:DEBUG:certbot.main:Arguments: ['--apache']
2021-05-12 13:46:35,174:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-12 13:46:35,183:DEBUG:certbot.log:Root logging level set at 20
2021-05-12 13:46:35,183:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:No candidate plugin
2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2021-05-12 13:47:46,021:DEBUG:certbot.main:certbot version: 0.27.0
2021-05-12 13:47:46,022:DEBUG:certbot.main:Arguments: []
2021-05-12 13:47:46,023:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-12 13:47:46,047:DEBUG:certbot.log:Root logging level set at 20
2021-05-12 13:47:46,048:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-12 13:47:46,049:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2021-05-12 13:47:46,168:DEBUG:certbot_apache.configurator:Apache version is 2.4.29
2021-05-12 13:47:47,806:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50>
Prep: True
2021-05-12 13:47:47,808:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50>
2021-05-12 13:47:47,808:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-05-12 13:47:56,312:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1116, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 641, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 528, in _determine_account
    config.account = acc.id
AttributeError: 'NoneType' object has no attribute 'id'
2021-05-12 13:47:56,313:ERROR:certbot.log:An unexpected error occurred:
2021-05-12 13:50:06,905:DEBUG:certbot.main:certbot version: 0.27.0
2021-05-12 13:50:06,906:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'wptestdomain.xyz', '--domains', 'www.wptestdomain.xyz', '--webroot-path', '/usr/local/ispconfig/interface/acme']
2021-05-12 13:50:06,907:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-12 13:50:06,934:DEBUG:certbot.log:Root logging level set at 20
2021-05-12 13:50:06,940:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-12 13:50:06,941:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-05-12 13:50:06,941:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f5f0c7a4cc0>
Prep: True
2021-05-12 13:50:06,942:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f5f0c7a4cc0> and installer None
2021-05-12 13:50:06,942:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-05-12 13:50:06,960:DEBUG:certbot.log:Exiting abnormally:
Code:
/var/log$ php -v
PHP 7.2.24-0ubuntu0.18.04.7 (cli) (built: Oct 7 2020 15:24:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.7, Copyright (c) 1999-2018, by Zend Technologies
Code:
apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
Add a new domain and it also redirects to another website in the list. There is no redirection on this domain at all. I'm pretty lost as to what is going on. Adding a domain and SSL seems not to be working. I'm currently on version 18.04. Do you think upgrading to the latest 20.04 LTS release would make a difference, or is the issue still going to be there?
Based on your logs, I guess you have certbot problems, so follow this FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ Yes, it would make a difference but it won't resolve your certbot issues unless you follow the above mentioned FAQ.
I've run certbot from the CLI and it's creating the certificates, but there are some certs it couldn't renew when I used the --dry-run option. This is a new domain today that has generated a cert.
Code:
total 12K
4.0K drwxr-xr-x 2 root root 4.0K May 13 13:05 .
4.0K drwx------ 8 root root 4.0K May 13 13:05 ..
0 lrwxrwxrwx 1 root root 44 May 13 13:05 cert.pem -> ../../archive/www.wptestdomain.xyz/cert1.pem
0 lrwxrwxrwx 1 root root 45 May 13 13:05 chain.pem -> ../../archive/www.wptestdomain.xyz/chain1.pem
0 lrwxrwxrwx 1 root root 49 May 13 13:05 fullchain.pem -> ../../archive/www.wptestdomain.xyz/fullchain1.pem
0 lrwxrwxrwx 1 root root 47 May 13 13:05 privkey.pem -> ../../archive/www.wptestdomain.xyz/privkey1.pem
4.0K -rw-r--r-- 1 root root 682 May 13 13:05 README
root@webpanel:/etc/letsencrypt/live/www.wptestdomain.xyz#
But it's still not ticking the check boxes in the panel and the domain is pointing to another. [EDIT] Seems to be my Chrome cache. Just checked on mobile and it's going to the green page with no SSL, that's on http. As soon as you go to https://wptestdomain.xyz the domain says invalid cert and goes to another domain.
When I do tick the boxes under the panel I do notice under the letsencrypt log:
Code:
certbot.errors.missingcommandlineflag: Missing command line flag or config entry for this setting:
please choose an account
choices: ['webpanel@2017-11-29T04:23:14Z (aae3)', 'webpanel.readconsulting.co.uk@2019-05-24T12:35:10Z (45c3)']
Running certbot from CLI:
Code:
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.
[Thu May 13 13:37:57.184093 2021] [pagespeed:warn] [pid 3436] ModPagespeedInheritVHostConfig is deprecated. Please remove it from your configuration.
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
AH00526: Syntax error on line 71 of /etc/apache2/sites-enabled/wptestdomain.xyz.vhost-le-ssl.conf:
FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client0/web11/cgi-bin/php-fcgi-*-80-wptestdomain.xyz"
Rolling back to previous server configuration...
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.
[Thu May 13 13:37:57.184093 2021] [pagespeed:warn] [pid 3436] ModPagespeedInheritVHostConfig is deprecated. Please remove it from your configuration.
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
AH00526: Syntax error on line 71 of /etc/apache2/sites-enabled/wptestdomain.xyz.vhost-le-ssl.conf:
FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client0/web11/cgi-bin/php-fcgi-*-80-wptestdomain.xyz"
IMPORTANT NOTES:
 - We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.wptestdomain.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.wptestdomain.xyz/privkey.pem
   Your cert will expire on 2021-08-11. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
This means you have two accounts created in LE, but there should be just one account, so one account must be removed, preferably the one without certs or with the least certs, as all certs of the other account can not be renewed.
Don't do that, it breaks your setup, and websites in ISPConfig will stop working and can't be managed anymore from within ISPConfig due to certbot duplicating config files.
This client ssl folder is empty, shouldn't the certs be copied here by the panel:
Code:
root@webpanel:/var/www/clients/client0/wptestdomain.xyz# ls
cgi-bin log private ssl tmp web webdav
root@webpanel:/var/www/clients/client0/wptestdomain.xyz# cd ssl
root@webpanel:/var/www/clients/client0/wptestdomain.xyz/ssl# ls -lash
total 8.0K
4.0K drwxr-xr-x 2 root root 4.0K May 12 14:21 .
4.0K drwxr-xr-x 10 root root 4.0K May 12 14:21 ..
root@webpanel:/var/www/clients/client0/wptestdomain.xyz/ssl#
Shall I remove all certificates from the domains manually? Would they be under /var/www/client0/domain/ssl?
There are no certs when certbot fails to create certs, that's why the folder is empty. Fix certbot by removing the duplicate account and then enable Let's Encrypt in the website again to let certbot create a cert.
No, just fix the duplicate account issue and in case you used certbot manually on the shell, then remove the duplicate vhost files with '-le' in file name that certbot created in the apache / nginx config directory.
It's created some manual web11, web3 directories as well for some reason:
Code:
4.0K drwxr-xr-x 7 root root 4.0K May 12 22:41 .
4.0K drwxr-xr-x 3 root root 4.0K Nov 29 2017 ..
0 lrwxrwxrwx 1 root root 30 Feb 1 2018 csal.co.uk -> /var/www/clients/client0/web4/
0 lrwxrwxrwx 1 root root 30 Aug 20 2018 electricbluelight.co.uk -> /var/www/clients/client0/web6/
0 lrwxrwxrwx 1 root root 30 Jan 2 2018 newsite.csal.co.uk -> /var/www/clients/client0/web3/
0 lrwxrwxrwx 1 root root 30 May 9 2018 standrewswestcliff.org -> /var/www/clients/client0/web5/
4.0K drwxr-xr-x 10 root root 4.0K May 12 14:21 web11
4.0K drwxr-xr-x 10 root root 4.0K Jan 2 2018 web3
4.0K drwxr-xr-x 11 root root 4.0K May 13 00:03 web4
4.0K drwxr-xr-x 10 root root 4.0K May 9 2018 web5
4.0K drwxr-xr-x 10 root root 4.0K Aug 20 2018 web6
0 lrwxrwxrwx 1 root root 31 May 12 14:21 wptestdomain.xyz -> /var/www/clients/client0/web11/
Could the duplicates be under them? There are no duplicate accounts inside the panel.
Code:
Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: webpanel@2017-11-29T04:23:14Z (aae4)
2: webpanel.readconsulting.co.uk@2019-05-24T12:35:10Z (45c3)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: csal.co.uk
2: newsite.csal.co.uk
3: www.newsite.csal.co.uk
4: www.csal.co.uk
5: electricbluelight.co.uk
6: www.electricbluelight.co.uk
7: standrewswestcliff.org
8: www.standrewswestcliff.org
9: wptestdomain.xyz
10: www.wptestdomain.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Are the 2 web panel accounts in certbot what you mean? These two:
1: webpanel@2017-11-29T04:23:14Z (aae4)
2: webpanel.readconsulting.co.uk@2019-05-24T12:35:10Z (45c3)
They both have all domains listed under them. If that's the problem, how do I know which one to remove, and how?
Yes, that's what I was talking about. Delete the one which has the least number of domains. Use the certbot unregister command to delete the account.
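
Added example, not part of the thread and not ISPConfig or certbot code: a read-only check for the two conditions discussed above, namely which ACME account each certificate lineage is tied to, and which vhost files certbot's apache installer left beside ISPConfig's own. It assumes certbot's default layout (`accounts/<server>/directory/<account_id>/` and `renewal/*.conf` with an `account = <account_id>` line); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit certbot accounts and certbot-written Apache vhosts.
# Nothing here deletes or changes anything; it only reports.

# Print "<count> <account_id>" per registered account, fewest lineages first.
# Assumed layout: $le_dir/accounts/<server>/directory/<account_id>/ and
# $le_dir/renewal/<lineage>.conf containing "account = <account_id>".
certs_per_account() {
    local le_dir="${1:-/etc/letsencrypt}" acct_dir id count
    for acct_dir in "$le_dir"/accounts/*/directory/*/; do
        [ -d "$acct_dir" ] || continue          # glob matched nothing
        id="$(basename "$acct_dir")"
        # Count renewal configs that are bound to this account id.
        count="$(grep -lE "^account[[:space:]]*=[[:space:]]*$id[[:space:]]*\$" \
                 "$le_dir"/renewal/*.conf 2>/dev/null | wc -l)"
        printf '%d %s\n' "$count" "$id"
    done | sort -u | sort -n    # -u: one id can sit under several server dirs
}

# Print vhost files matching the "-le-ssl.conf" name seen in the error above,
# i.e. files written by "certbot --apache" rather than by ISPConfig.
certbot_vhost_leftovers() {
    local apache_dir="${1:-/etc/apache2}"
    find "$apache_dir/sites-available" "$apache_dir/sites-enabled" \
         -maxdepth 1 -name '*-le-ssl.conf' 2>/dev/null | sort
}
```

Run `certs_per_account` and `certbot_vhost_leftovers` as root with no arguments to check the live paths. The first four characters of each account id are what the certbot prompt shows in brackets.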