Hello, Since a couple of days my website don't work anymore. Or should say they do work, but https give an ssl warning. ERR_SSL_PROTOCOL_ERROR It did work before, what can I do to get it woking again?
Try to disable the let's encrypt and SSL checkbox of that website, press save, then enable both checkboxes again, and press save. Then wait until the changes have been written to disk and test again. if it still does not work, then follow the let's encrypt FAQ to narrow down the issue: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
I tried what you said disable and enable, that didn't help. But it are all the websites on my server who have the same issue. Also I went through the steps of the URL you pointed me add, but I didn't do any changes lately. In the logfile is nothing strange I think. Code: [Mon Nov 1 14:25:02 CET 2021] Running cmd: issue [Mon Nov 1 14:25:02 CET 2021] _main_domain='windchimes.nl' [Mon Nov 1 14:25:02 CET 2021] _alt_domains='www.windchimes.nl' [Mon Nov 1 14:25:02 CET 2021] Using config home:/root/.acme.sh [Mon Nov 1 14:25:02 CET 2021] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Mon Nov 1 14:25:02 CET 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Mon Nov 1 14:25:02 CET 2021] DOMAIN_PATH='/root/.acme.sh/windchimes.nl' [Mon Nov 1 14:25:02 CET 2021] Le_NextRenewTime='1637189339' [Mon Nov 1 14:25:02 CET 2021] _saved_domain='windchimes.nl' [Mon Nov 1 14:25:02 CET 2021] _saved_alt='www.windchimes.nl' [Mon Nov 1 14:25:02 CET 2021] Domains not changed. [Mon Nov 1 14:25:02 CET 2021] Skip, Next renewal time is: Thu Nov 18 22:48:59 UTC 2021 [Mon Nov 1 14:25:02 CET 2021] Add '--force' to force to renew. [Mon Nov 1 14:25:02 CET 2021] Lets find script dir. [Mon Nov 1 14:25:02 CET 2021] _SCRIPT_='/root/.acme.sh/acme.sh' [Mon Nov 1 14:25:02 CET 2021] _script='/root/.acme.sh/acme.sh' [Mon Nov 1 14:25:02 CET 2021] _script_home='/root/.acme.sh' [Mon Nov 1 14:25:02 CET 2021] Using default home:/root/.acme.sh [Mon Nov 1 14:25:02 CET 2021] Using config home:/root/.acme.sh [Mon Nov 1 14:25:02 CET 2021] Running cmd: installcert [Mon Nov 1 14:25:02 CET 2021] Using config home:/root/.acme.sh [Mon Nov 1 14:25:03 CET 2021] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Mon Nov 1 14:25:03 CET 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Mon Nov 1 14:25:03 CET 2021] DOMAIN_PATH='/root/.acme.sh/windchimes.nl' [Mon Nov 1 14:25:03 CET 2021] Installing key to: /var/www/clients/client1/web4/ssl/windchimes.nl-le.key [Mon Nov 1 14:25:03 CET 2021] Installing full chain to: /var/www/clients/client1/web4/ssl/windchimes.nl-le.crt [Mon Nov 1 14:25:03 CET 2021] Run reload cmd: systemctl force-reload httpd.service [Mon Nov 1 14:25:03 CET 2021] Reload success
If all sites are affected, then the issue is probably something else. Please run the test script from here: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ and post the result.
Code: ##### SERVER ##### IP-address (as per hostname): ***.***.***.*** [WARN] could not determine server's ip address by ifconfig [INFO] OS version is CentOS Linux release 8.4.2105 [INFO] uptime: 16:42:31 up 1 day, 21:33, 1 user, load average: 0,00, 0,00, 0,00 [INFO] memory: total used free shared buff/cache available Mem: 3,8Gi 2,1Gi 350Mi 317Mi 1,4Gi 1,2Gi Swap: 1,0Gi 199Mi 823Mi [INFO] systemd failed services status: UNIT LOAD ACTIVE SUB DESCRIPTION ● systemd-vconsole-setup.service loaded failed failed Setup Virtual Console LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 1 loaded units listed. Pass --all to see loaded but inactive units, too. To show all installed unit files use 'systemctl list-unit-files'. [INFO] ISPConfig is installed. ##### ISPCONFIG ##### ISPConfig version is 3.2dev ##### VERSION CHECK ##### [INFO] php (cli) version is 7.4.22 [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.22 ##### PORT CHECK ##### ##### MAIL SERVER CHECK ##### ##### RUNNING SERVER PROCESSES ##### [INFO] I found the following web server(s): Unknown process (httpd) (PID 603693) [INFO] I found the following mail server(s): Postfix (PID 1338) [INFO] I found the following pop3 server(s): Dovecot (PID 1397) [INFO] I found the following imap server(s): Dovecot (PID 1397) [INFO] I found the following ftp server(s): PureFTP (PID 799) ##### LISTENING PORTS ##### (only () Local (Address) [localhost]:10024 (1342/amavisd) [localhost]:10025 (1338/master) [localhost]:10026 (1342/amavisd) [localhost]:10027 (1338/master) [anywhere]:587 (1338/master) [anywhere]:110 (1397/dovecot) [anywhere]:143 (1397/dovecot) [anywhere]:465 (1338/master) [anywhere]:21 (799/pure-ftpd) [anywhere]:22 (1380/sshd) [anywhere]:25 (1338/master) [anywhere]:993 (1397/dovecot) [anywhere]:995 (1397/dovecot) *:*:*:*::*:10024 (1342/amavisd) *:*:*:*::*:10026 (1342/amavisd) *:*:*:*::*:3306 (903/mysqld) *:*:*:*::*:587 (1338/master) [localhost]10 (1397/dovecot) [localhost]43 (1397/dovecot) *:*:*:*::*:8080 (603693/httpd) *:*:*:*::*:80 (603693/httpd) *:*:*:*::*:8081 (603693/httpd) *:*:*:*::*:465 (1338/master) *:*:*:*::*:21 (799/pure-ftpd) *:*:*:*::*:22 (1380/sshd) *:*:*:*::*:25 (1338/master) *:*:*:*::*:443 (603693/httpd) *:*:*:*::*:993 (1397/dovecot) *:*:*:*::*:995 (1397/dovecot) ##### IPTABLES ##### Chain INPUT (policy ACCEPT) target prot opt source destination f2b-FTP tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21 f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,587 f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-sshd (1 references) target prot opt source destination RETURN all -- [anywhere]/0 [anywhere]/0 Chain f2b-postfix-sasl (1 references) target prot opt source destination REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable RETURN all -- [anywhere]/0 [anywhere]/0 Chain f2b-FTP (1 references) target prot opt source destination RETURN all -- [anywhere]/0 [anywhere]/0 ##### LET'S ENCRYPT ##### acme.sh is installed in /root/.acme.sh/acme.sh
Check that all sites use either * or the IP address in the IPv4 field, better is to use * for all. Especially sites that you recently changed or added. If you mix * and Ip on a server, then apache will route all traffic to the site which uses the IP address and if that site has a invalid SSL config, then all sites will fail.
I just noticed that you seem to run an ISPConfig 3,2dev version, so it's probably not the latest release? Please run an ISPConfig update with: ispconfig_update.sh and let the updater reconfigure services. Then login to ISPConfig, go to website settings of one of the sites, untick the SSL and the let#s encrypt checkbox, save, go back to site settings and enable both options again and save. Then wait until changes are written to disk (the red dot in the navigation bar disappears) and then test again if you can reach the site now by ssl.
in the end of the update I got some errors. Code: /usr/local/bin/ispconfig_update.sh -------------------------------------------------------------------------------- _____ ___________ _____ __ _ |_ _/ ___| ___ \ / __ \ / _(_) | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ | | `--. \ __/ | | / _ \| '_ \| _| |/ _` | _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | \___/\____/\_| \____/\___/|_| |_|_| |_|\__, | __/ | |___/ -------------------------------------------------------------------------------- >> Update Please choose the update method. For production systems select 'stable'. WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites! Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated. Select update method (stable,nightly,git-develop) [stable]: Downloading ISPConfig update. Unpacking ISPConfig update. -------------------------------------------------------------------------------- _____ ___________ _____ __ _ ____ |_ _/ ___| ___ \ / __ \ / _(_) /__ \ | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ / | | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ | _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \ \___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/ __/ | |___/ -------------------------------------------------------------------------------- >> Update Operating System: CentOS 8.4 This application will update ISPConfig 3 on your server. Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: Creating backup of "/usr/local/ispconfig" directory... Creating backup of "/etc" directory... Checking ISPConfig database .. OK Starting incremental database update. Executing PHP patch file: /tmp/update_runner.sh.GAEv4Lq5Qo/install/patches/upd_0094.php Loading SQL patch file: /tmp/update_runner.sh.GAEv4Lq5Qo/install/sql/incremental/upd_0094.sql Loading SQL patch file: /tmp/update_runner.sh.GAEv4Lq5Qo/install/sql/incremental/upd_0095.sql Loading SQL patch file: /tmp/update_runner.sh.GAEv4Lq5Qo/install/sql/incremental/upd_dev_collection.sql Reconfigure Permissions in master database? (yes,no) [no]: Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: Reconfigure Services? (yes,no,selected) [yes]: Configuring Postfix Configuring Dovecot Configuring Spamassassin Configuring Amavisd Configuring Getmail Configuring Pureftpd Configuring Apache Configuring vlogger Configuring Apps vhost Configuring Jailkit Configuring Database Updating ISPConfig ISPConfig Port [8080]: Create new ISPConfig SSL certificate (yes,no) [no]: which: no acme.sh in (/sbin:/bin:/usr/sbin:/usr/bin) which: no acme.sh in (/usr/local/ispconfig/server/scripts) Reconfigure Crontab? (yes,no) [yes]: Updating Crontab Restarting services ... Update finished.
This might be ok, well see in the next steps. Please proceed with the next steps to see if you get a LE cert now for the sites.
Those are informational, not errors, though it would probably not hurt to hide them. I believe the server certificate was successfully created.
I did all the steps. the update, disabled ssl for the website and enabled, then it didn't work. I waited a night, disabled and enabled ssl again. It has still the same result.
Ok, are there any files with .err file ending in the folder /etc/apache2/sites-available/ ? Did the let's encrypt checkbox of the website stay enabled when you check the settings again after the changes have been written?
/etc/apache2/sites-available/ doesn't exists is it this dir you mean? /etc/httpd/conf/sites-available Code: [root@ sites-available]# pwd /etc/httpd/conf/sites-available [root@ sites-available]# ls -l *.err ls: kan geen toegang krijgen tot '*.err': No such file or directory The checkbox for let's encrypt stayed enabled. Code: ls -la /var/www/clients/client1/web4/ssl/ totaal 20 drwxr-xr-x. 2 root root 4096 22 jul 14:19 . drwxr-xr-x. 10 root root 4096 22 jul 14:19 .. -rw-r--r--. 1 root root 5959 10 nov 08:51 windchimes.nl-le.crt -rw-------. 1 root root 3243 10 nov 08:51 windchimes.nl-le.key
Yes, sorry. Forgot that it's a centos system. The folder I mentioned is the one from Debian and Ubuntu. So this part is ok too then and the LE SSL cert is there as well. Strange error In the folder /etc/httpd/conf/sites-enabled/ there is a vhost file (symlink) for the website windchimes.nl, please post the content of that file, so we can see if the SSL certs are configured in there correctly.
