How to Secure port 8080 with LetsEncrypt on ISPCONFIG server panel

Discussion in 'Installation/Configuration' started by Ravi Shanker, Apr 1, 2021.

  1. Ravi Shanker

    Ravi Shanker Member

    I have installed the latest version of ISPConfig and configured it as per the tutorial for installing ISPConfig on CentOS 8. I could install Let's Encrypt for my websites, but when I browse on port 8080 to access the control panel it shows as not secured. Please guide me as to how to secure port 8080 on a CentOS 8 installation.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can choose that during install and update. Run:

    ispconfig_update.sh --force

    and choose to re-create the SSL cert during update.
     
  3. Ravi Shanker

    Ravi Shanker Member

    I did choose the option of having SSL and completed the certification process... I still couldn't secure port 8080.

    I did find a tutorial for the same but on Debian / Ubuntu, and I am in a learning stage, so I could not quite get hold of what to do.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you re-run the updater with the command I posted? If yes and you still have no LE SSL cert, then take a look here:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    Do not follow any old tutorials on that topic, as ISPConfig has SSL support built in now; they will break your installation.
     
  5. Ravi Shanker

    Ravi Shanker Member

    Hi,
    I did run the update:
    I chose to install the SSL, followed by yes to all the options and filling out the details. The SSL certificate was generated but is not working with port 8080; otherwise it is working fine without using port 8080.
    I recreated certificates for a couple of websites that I have already created, but the same problem persists...

    It is working fine with: ...//example.com, but not with....://example.com:8080.
    I have enabled SNI in the SSL settings under System -> System config -> Web.
    I am not too sure about the CA path: [ I have given /root/.acme.sh/ca/ ]. Does this affect certificate generation and saving?
    ---------------------
    Another issue I am not able to resolve is the IPv6 prefix: [2605:a140:2055:5963::/64], which is showing an error.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Just to be clear, though this may not be directly related to your problem, any ISPConfig server FQDN should be a subdomain, e.g. server1.example.com, and not its root.
     
  7. Ravi Shanker

    Ravi Shanker Member

    True, and I do have the server domain in the format you described.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have a self-signed ssl cert on port 8080, or no ssl at all?
     
  9. Ravi Shanker

    Ravi Shanker Member

    1. I have chosen to install one at the time of installation/update, and that should be self-signed.
    2. The certificate is issued by the server FQDN to the FQDN, as per the details shown when I click the triangle warning icon near the address bar of the browser.
    3. I have mapped one of the domains to the server IP and created a Let's Encrypt SSL certificate for the same.
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    So you have a self signed cert. This means the verification failed. For example because port 80 is closed or the A/AAAA record for your hostname is incorrect/non-existing.

    You can try to re-issue a cert with
    Code:
    ispconfig_update.sh --force
    Choose yes for getting a new SSL cert and share the output of it.
     
  11. Ravi Shanker

    Ravi Shanker Member

    [root@shreya ~]# ispconfig_update.sh --force


    --------------------------------------------------------------------------------
    _____ ___________ _____ __ _
    |_ _/ ___| ___ \ / __ \ / _(_)
    | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _
    | | `--. \ __/ | | / _ \| '_ \| _| |/ _` |
    _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| |
    \___/\____/\_| \____/\___/|_| |_|_| |_|\__, |
    __/ |
    |___/
    --------------------------------------------------------------------------------


    >> Update

    Please choose the update method. For production systems select 'stable'.
    WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
    Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated.

    Select update method (stable,nightly,git-develop) [stable]: stable

    Downloading ISPConfig update.
    Unpacking ISPConfig update.


    --------------------------------------------------------------------------------
    _____ ___________ _____ __ _ ____
    |_ _/ ___| ___ \ / __ \ / _(_) /__ \
    | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
    | | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
    _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
    \___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
    __/ |
    |___/
    --------------------------------------------------------------------------------


    >> Update

    Operating System: CentOS 8.3

    This application will update ISPConfig 3 on your server.

    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: yes

    Creating backup of "/usr/local/ispconfig" directory...
    Creating backup of "/etc" directory...
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.QF0yta8eZv/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]: no

    Service 'xmpp_server' has not been detected (strongly recommended, currently enabled) do you want to disable it? (yes,no) [yes]: yes

    Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: no

    Reconfigure Services? (yes,no,selected) [yes]: yes

    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]: 8080

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for shreya.shreyacreatives.cf
    Using certificate path /root/.acme.sh/shreya.shreyacreatives.cf
    Server's public ip(s) (144.126.132.121, 144.126.132.121) not found in A/AAAA records for shreya.shreyacreatives.cf:
    Ignore DNS check and continue to request certificate? (y,n) [n]: y

    which: no letsencrypt in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no certbot in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no certbot in (/opt/eff.org/certbot/venv/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/shreya.shreyacreatives.cf
    [Fri Apr 2 05:26:57 CDT 2021] shreya.shreyacreatives.cf:Verify error:Fetching http://shreya.shreyacreatives.cf/.w...e/sNokSST1WHaZ7hS1Ux-zr-LhMO5ZfHISkFJmTIqsiuQ: Connection refused
    [Fri Apr 2 05:26:57 CDT 2021] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ....................................................................................++++
    ..............................................................................................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:IN
    State or Province Name (full name) []:Telangana
    Locality Name (eg, city) [Default City]:Secunderabad
    Organization Name (eg, company) [Default Company Ltd]:Shreya Creatives
    Organizational Unit Name (eg, section) []:IT Cell
    Common Name (eg, your name or your server's hostname) []:shreya.shreyacreatives.cf
    Email Address []:[email protected]
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    writing RSA key
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    Reconfigure Crontab? (yes,no) [yes]: yes

    Updating Crontab
    Restarting services ...
    Update finished.
    You have new mail in /var/spool/mail/root
     
    Last edited: Apr 2, 2021
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please put such output in code tags (Insert -> Code)
    Like I suspected and the installer tells you, there is no A record for your hostname shreya.shreyacreatives.cf. So create that record in the DNS zone, pointing to your public IP.
     
  13. Ravi Shanker

    Ravi Shanker Member

    Sure... I will do that in future... I am using this for the first time, so I was unaware of using code tags.

    I have added A/AAAA records for shreya.shreyacreatives.cf in the shreyacreatives.cf zone... I am not sure if this is required to be done...
     
  14. Ravi Shanker

    Ravi Shanker Member

    Last edited: Apr 2, 2021
  15. Ravi Shanker

    Ravi Shanker Member

    Code:
    >> Update
    
    Operating System: CentOS 8.3
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: yes
    
    Creating backup of "/usr/local/ispconfig" directory...
    Creating backup of "/etc" directory...
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.0SvQKOnR5M/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]: no
    
    Service 'xmpp_server' has not been detected (strongly recommended, currently enabled) do you want to disable it?  (yes,no) [yes]: yes
    
    Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]: no
    
    Reconfigure Services? (yes,no,selected) [yes]: yes
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]: 8080
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for shreya.shreyacreatives.cf
    Using certificate path /root/.acme.sh/shreya.shreyacreatives.cf
    which: no letsencrypt in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no certbot in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no certbot in (/opt/eff.org/certbot/venv/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/shreya.shreyacreatives.cf
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    Reconfigure Crontab? (yes,no) [yes]: yes
    
    Updating Crontab
    Restarting services ...
    Update finished.
    
     
  16. Ravi Shanker

    Ravi Shanker Member

    Just wanted to reconfirm that what I have done is in the right order:
    I have created a DNS zone for shreya.shreyacreatives.cf and pointed it to the server IP.
    Added A / AAAA records for the same.
    After running the update command I am now able to log in securely using https://shreya.shreyacreatives.cf:8080.

    When I checked with dnschecker.org I am only seeing my IPv4 address resolving, not the AAAA records...

    Thank you all for your time and support and helping me out in this issue.
     
    Last edited: Apr 2, 2021
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    That's wrong, delete the zone you created. What you have to do is to add a DNS A-Record "shreya" in the zone "shreyacreatives.cf", and this has to happen on the DNS server that is authoritative for this zone; that's not necessarily your ISPConfig system. You can look up the server where you have to add this A-record in whois or by using intodns.com
     
    ahrasis likes this.
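    The two causes Th0m names above (port 80 closed; A/AAAA record for the hostname missing or wrong, which is exactly what the updater output reports) and till's point that the record belongs in the authoritative parent zone can be checked before re-running ispconfig_update.sh. The script below is an added example, not ISPConfig's code or anything posted in this thread; the hostname, IPs, and function names (preflight, PreflightResult, system_resolver, tcp_connect) are constructed for illustration, and the DNS lookup and TCP connect are injectable so the logic runs offline.

```python
"""Pre-flight check for an ISPConfig panel hostname before requesting a
Let's Encrypt certificate for port 8080. Added example, not ISPConfig code.

It mirrors the two things the installer output shows failing:
  1. the server's public IP(s) must appear in the hostname's A/AAAA records,
  2. port 80 on the hostname must accept connections so the HTTP-01 challenge
     (http://<hostname>/.well-known/acme-challenge/...) can be fetched.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

Resolver = Callable[[str], Iterable[str]]
Connector = Callable[[str, int], bool]


@dataclass
class PreflightResult:
    hostname: str
    resolved: Set[str]                 # addresses the hostname currently resolves to
    missing: Set[str]                  # this server's public IPs absent from DNS
    port80_reachable: Optional[bool]   # None when the connect was not attempted

    @property
    def ok(self) -> bool:
        return not self.missing and self.port80_reachable is True

    def explain(self) -> str:
        """Verdict in the same terms the ISPConfig updater uses."""
        if not self.resolved:
            return ("no A/AAAA record for %s: add the record in the zone that is "
                    "authoritative for the parent domain, not a new zone for the host"
                    % self.hostname)
        if self.missing:
            return ("public ip(s) %s not found in A/AAAA records for %s (got %s)"
                    % (sorted(self.missing), self.hostname, sorted(self.resolved)))
        if self.port80_reachable is False:
            return ("port 80 on %s is not reachable: HTTP-01 validation will fail "
                    "(firewall closed or hostname points at another machine)"
                    % self.hostname)
        return "ok: %s resolves to this server and port 80 answers" % self.hostname


def system_resolver(hostname: str) -> Iterable[str]:
    """A/AAAA lookup through the OS resolver; raises socket.gaierror if no record."""
    return {info[4][0] for info in
            socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)}


def tcp_connect(hostname: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to hostname:port succeeds; raises OSError otherwise."""
    with socket.create_connection((hostname, port), timeout=timeout):
        return True


def preflight(hostname: str, public_ips: Iterable[str],
              resolver: Resolver = system_resolver,
              connector: Connector = tcp_connect) -> PreflightResult:
    """Run both checks; public_ips is what the updater lists as "public ip(s)"."""
    try:
        resolved = set(resolver(hostname))
    except socket.gaierror:
        resolved = set()
    missing = set(public_ips) - resolved
    port80: Optional[bool] = None
    if resolved:                      # pointless to connect to a name with no record
        try:
            port80 = bool(connector(hostname, 80))
        except OSError:               # ConnectionRefusedError, timeout, unreachable ...
            port80 = False
    return PreflightResult(hostname, resolved, missing, port80)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # usage: python preflight.py server1.example.com 192.0.2.10 [2001:db8::10]
        print(preflight(sys.argv[1], sys.argv[2:]).explain())
    else:
        # constructed offline scenario: hostname still points at an old address
        demo = preflight("server1.example.test", ["192.0.2.10"],
                         resolver=lambda h: ["198.51.100.7"],
                         connector=lambda h, p: True)
        print(demo.explain())
```

    Run it with the panel hostname and the address(es) the updater prints as the server's public IP before answering "yes" to "Create new ISPConfig SSL certificate"; if it reports a missing record, the fix is the A/AAAA record in the parent zone at the authoritative name server, and if it reports port 80 closed, the firewall or a wrong address is what blocks the HTTP-01 fetch.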
  18. Ravi Shanker

    Ravi Shanker Member


    I actually have done that as suggested now by you. So I just need to remove the new zone, which is not necessary. Thanks.
    Will do that and update if there are any further issues on the topic.
     
  19. Cyritintin

    Cyritintin New Member

    Hi,
    I always get an error when trying to update the ISPConfig SSL certificate:

    Code:
    An unexpected error occurred:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
        cnx.do_handshake()
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
        self._raise_ssl_error(self._ssl, result)
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
        _raise_current_error()
      File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
        raise exception_type(errors)
    OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
    During handling of the above exception, another exception occurred:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
        chunked=chunked)
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
        self._validate_conn(conn)
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
        conn.connect()
      File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 337, in connect
        ssl_context=context)
      File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 327, in ssl_wrap_socket
        return context.wrap_socket(sock, server_hostname=server_hostname)
      File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
        raise ssl.SSLError('bad handshake: %r' % e)
    ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
    During handling of the above exception, another exception occurred:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
        timeout=timeout
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
        raise SSLError(e)
    requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
    
     
    Last edited: Nov 18, 2021
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter
