From root, installed ISPConfig with:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades --use-php=7.4,8.0,8.1

Because Let's Encrypt for the server hostname was not created in setup (a self-signed cert was), I used the howtoforge tutorial: securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate

1) Created site & dns zone for server.mydomain.com and it updated named.conf.local (no err in bind). SSL login to ispconfig panel, phpmyadmin and roundcube all work.
2) Added new website mydomain.com and DNS – it did not update named.conf.local (no err in bind). Also dns would not generate DNSSEC DS-Data for registry.
3) Ran from ssh: ispconfig_update.sh --force
4) Added new website mydomain2.com and DNS – it did not update named.conf.local (no err in bind)
5) Manually added zone to named.conf.local:

zone "mydomain.com" {
    type master;
    file "/etc/bind/pri.mydomain.com";
};

Website worked.

htf_report.txt shows:
[WARN] could not determine server's ip address by ifconfig

From: Server Config
IP Address 12.34.56.789
Netmask 255.255.255.0
Gateway 35.129.55.1
Hostname server.mydomain.com
Nameservers 8.8.8.8,8.8.4.4

htf_report.txt shows:
[WARN] Port 443 (Webserver SSL) seems NOT to be listening

But: https://server.mydomain.com (works) SSL

root@server:~# telnet 12.34.56.789 443
Trying 12.34.56.789...
telnet: Unable to connect to remote host: Connection refused

ufw: 443/tcp ALLOW IN Anywhere

Any help would be appreciated. Thanks

Tried to upload 'htf_report.txt' but did not work:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)
[INFO] uptime: 15:33:13 up 8:13, 1 user, load average: 0.00, 0.00, 0.00
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:            31Gi       1.8Gi        28Gi        10Mi       1.1Gi        29Gi
Swap:          1.0Gi          0B       1.0Gi
[INFO] systemd failed services status:
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.8p1

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.30
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.30

##### PORT CHECK #####
[WARN] Port 443 (Webserver SSL) seems NOT to be listening

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
    Unknown process (nginx (PID 2749)
[INFO] I found the following mail server(s):
    Postfix (PID 1784)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 995)
[INFO] I found the following imap server(s):
    Dovecot (PID 995)
[INFO] I found the following ftp server(s):
    PureFTP (PID 1266)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:143 (995/dovecot)
[anywhere]:80 (2749/nginx
[anywhere]:8080 (2749/nginx
[anywhere]:8081 (2749/nginx
[anywhere]:465 (1784/master)
[anywhere]:21 (1266/pure-ftpd)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[anywhere]:22 (1067/sshd
[anywhere]:25 (1784/master)
[localhost]:953 (1000/named)
[anywhere]:4190 (995/dovecot)
[anywhere]:993 (995/dovecot)
[anywhere]:995 (995/dovecot)
[localhost]:11332 (1008/rspamd
[localhost]:11333 (1008/rspamd
[localhost]:11334 (1008/rspamd
[localhost]:10023 (883/postgrey)
[anywhere]:587 (1784/master)
[localhost]:6379 (1007/redis-server)
[localhost]:11211 (999/memcached)
[anywhere]:110 (995/dovecot)
[localhost]43 (995/dovecot)
*:*:*:*::*:80 (2749/nginx
*:*:*:*::*:8080 (2749/nginx
*:*:*:*::*:8081 (2749/nginx
*:*:*:*::*:465 (1784/master)
*:*:*:*::*:21 (1266/pure-ftpd)
root@server:~# ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 12.34.56.789  netmask 255.255.255.0  broadcast 12.34.56.255
        inet6 fe80::225:90ff:fee6:444c  prefixlen 64  scopeid 0x20<link>
        ether 00:25:90:e6:44:4c  txqueuelen 1000  (Ethernet)
        RX packets 3057206  bytes 211918850 (202.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32649  bytes 4472214 (4.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xf7120000-f713ffff

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 137085  bytes 8482045 (8.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 137085  bytes 8482045 (8.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@server:~# nano /etc/hosts
127.0.0.1       localhost.localdomain   localhost
12.34.56.789    server.mydomain.com     server
Use the debug mode to find out why the DNS record could not get added: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

1) Enable debug mode.
2) Change a setting in the DNS zone like adding a new a-record for test subdomain or similar.
3) Post the complete output you get from server.sh
1) Enabled debug mode.
2) Added a new a-record for mydomain1.com.
3) Disabled the server.sh cronjob

root@server:~# /usr/local/ispconfig/server/server.sh
06.08.2022-15:38 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.08.2022-15:38 - DEBUG [server:217] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

FROM ISPCONFIG LOG:
2022-08-06 10:38 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:38 server.mydomain.com Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
2022-08-06 10:37 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:37 server.mydomain.com Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
2022-08-06 10:36 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:36 server.mydomain.com Debug safe_exec cmd: systemctl is-enabled 'named' 2>&1 - return code: 0
2022-08-06 10:36 server.mydomain.com Debug Trying to use Systemd to restart service
2022-08-06 10:36 server.mydomain.com Debug Calling function 'restartBind' from module 'dns_module'.
2022-08-06 10:36 server.mydomain.com Debug Processed datalog_id 199
2022-08-06 10:36 server.mydomain.com Debug Writing BIND named.conf.local file: /etc/bind/named.conf.local
2022-08-06 10:36 server.mydomain.com Warning DNSSEC ERROR: We are low on entropy. Not generating new Keys for mydomain1.com. Please consider installing package haveged.
2022-08-06 10:36 server.mydomain.com Debug Writing BIND domain file: /etc/bind/pri.mydomain1.com
2022-08-06 10:36 server.mydomain.com Debug safe_exec cmd: named-checkzone 'mydomain1.com.' '/etc/bind/pri.mydomain1.com' - return code: 0
2022-08-06 10:36 server.mydomain.com Debug Calling function 'rr_insert' from plugin 'bind_plugin' raised by event 'dns_rr_insert'.
2022-08-06 10:36 server.mydomain.com Debug Processed datalog_id 198

CHECKED HAVEGED BECAUSE OF WARNING DNSSEC ERROR:

root@server:~# /etc/init.d/haveged status
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
     Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-08-06 09:17:15 CDT; 55min ago
       Docs: man:haveged(8)
             http://www.issihosts.com/haveged/
   Main PID: 810 (haveged)
      Tasks: 1 (limit: 38443)
     Memory: 3.7M
        CPU: 315ms
     CGroup: /system.slice/haveged.service
             └─810 /usr/sbin/haveged --Foreground --verbose=1

Aug 06 09:17:15 server systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
Aug 06 09:17:15 server haveged[810]: haveged: command socket is listening at fd 3
Aug 06 09:17:15 server haveged[810]: haveged: ver: 1.9.14; arch: x86; vend: GenuineIntel; build: (gcc 10.2.1 ITV); collect: 128K
Aug 06 09:17:15 server haveged[810]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 24/40; sz: 32154/54019
Aug 06 09:17:15 server haveged[810]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 8.00078
Aug 06 09:17:15 server haveged[810]: haveged: fills: 0, generated: 0

Note: No errors in bind - updated pri.mydomain1.com - did not add to named.conf.local, actually removed the zone I had previously added manually.
I set up another server on Vultr just like the current one with the named.conf.local problem. 'Add new dns zone' worked by adding them to named.conf.local. Then in zone settings, I checked 'Sign zone (DNSSEC)' and noticed that it removed that zone from named.conf.local and did not generate DNSSEC DS-Data for registry.

I went back to the original server with the named.conf.local problem and unchecked 'Sign zone (DNSSEC)' and it then added the zones to named.conf.local on all 3 sites dns.

I compared files in /etc/bind to a vps that has been running for 2 years with no problems and found in both new servers, set up with automated ispconfig, 'named.conf.options' is missing the following 2 lines:

dnssec-enable yes;
dnssec-validation yes;

I thought by adding these 2 lines, dnssec would work but it did not. So apparently it is a dnssec problem. Also, it's not a server provider issue because the 2 servers (one a dedicated and the other a VPS) are on different providers.
Please see here for the fix, you have to edit one line in the BIND plugin to fix it: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1619/diffs Debian lowered the entropy, that's why it worked fine with an entropy value of 400 until now but not with Debian 11 anymore.
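As an added example (not code from this thread or from ISPConfig itself), a small POSIX shell script that checks the two conditions the thread turned on: the kernel entropy estimate against the 400 threshold mentioned above, and whether a zone actually has a stanza in named.conf.local. The script name, the argument layout and the file-path parameters are assumptions of this example; the defaults are the usual Debian locations.

```shell
#!/bin/sh
# check-bind-zones.sh (hypothetical name). Added example, not from the thread
# or from ISPConfig. The BIND plugin compared the kernel entropy estimate
# against 400 before generating DNSSEC keys, and a zone whose signing was
# skipped ended up missing from named.conf.local. Paths are parameters so the
# checks can also be run against copies of the files.

ENTROPY_THRESHOLD=400

# Print the kernel's entropy estimate (file $1, default entropy_avail in /proc).
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}"
}

# Succeed only if the estimate in file $1 is at least ENTROPY_THRESHOLD.
entropy_ok() {
    [ "$(entropy_avail "$1")" -ge "$ENTROPY_THRESHOLD" ]
}

# Succeed only if zone $1 has a 'zone "name"' stanza in config $2
# (default /etc/bind/named.conf.local). Dots in the name are escaped for grep -E.
zone_declared() {
    name=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*zone[[:space:]]+\"$name\"" "${2:-/etc/bind/named.conf.local}"
}

# Print the entropy verdict, one line per zone, and a named-checkconf result.
report() {
    conf=$1; shift
    if entropy_ok; then
        echo "entropy: $(entropy_avail) (>= $ENTROPY_THRESHOLD, key generation would proceed)"
    else
        echo "entropy: $(entropy_avail) (< $ENTROPY_THRESHOLD, plugin would skip DNSSEC keys)"
    fi
    for z in "$@"; do
        if zone_declared "$z" "$conf"; then
            echo "zone $z: declared in $conf"
        else
            echo "zone $z: MISSING from $conf"
        fi
    done
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" && echo "named-checkconf: $conf parses"
    fi
}

# Usage: sh check-bind-zones.sh /etc/bind/named.conf.local mydomain.com mydomain2.com
if [ "$#" -gt 1 ]; then
    report "$@"
fi
```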
Thanks for your help and knowledge! (definitely learned some stuff) That fixed everything. Thanks again