SSL does not work on server domain

logansbob · Dec 20, 2022

Code:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 22.04.1 LTS
 
[INFO] uptime:  15:42:35 up 1 day, 19:52,  1 user,  load average: 0.36, 0.20, 0.
15
 
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:           1.9Gi       756Mi       112Mi        44Mi       1.1Gi       982Mi
Swap:             0B          0B          0B
 
[INFO] systemd failed services status:
  UNIT                  LOAD   ACTIVE SUB    DESCRIPTION
● clamav-daemon.service loaded failed failed Clam AntiVirus userspace daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.9


##### VERSION CHECK #####

[INFO] php (cli) version is 8.1.13
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.13

##### PORT CHECK #####


##### MAIL SERVER CHECK #####


##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
    Apache 2 (PID 707398)
[INFO] I found the following mail server(s):
    Postfix (PID 117044)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 117058)
[INFO] I found the following imap server(s):
    Dovecot (PID 117058)
[INFO] I found the following ftp server(s):
    PureFTP (PID 117132)

##### LISTENING PORTS #####
(only        ()
Local        (Address)
[anywhere]:3306        (116431/mariadbd)
[anywhere]:143        (117058/dovecot)
***.***.***.***:53        (117151/named)
[anywhere]:110        (117058/dovecot)
***.***.***.***:53        (547/systemd-resolve)
[anywhere]:4190        (117058/dovecot)
[anywhere]:25        (117044/master)
[anywhere]:22        (113767/sshd:)
[anywhere]:21        (117132/pure-ftpd)
[localhost]:10023        (35002/postgrey)
[anywhere]:465        (117044/master)
***.***.***.***:53        (117151/named)
[localhost]:953        (117151/named)
[localhost]:11211        (69625/memcached)
***.***.***.***:53        (117151/named)
[localhost]:53        (117151/named)
[localhost]:11333        (117051/rspamd:)
[localhost]:11332        (117051/rspamd:)
[localhost]:11334        (117051/rspamd:)
[anywhere]:587        (117044/master)
[localhost]:6379        (34753/redis-server)
[anywhere]:995        (117058/dovecot)
[anywhere]:993        (117058/dovecot)
*:*:*:*::*:3306        (116431/mariadbd)
*:*:*:*::*:953        (117151/named)
[localhost]43        (117058/dovecot)
[localhost]10        (117058/dovecot)
*:*:*:*::*28:1aff:fedb:9:53        (117151/named)
*:*:*:*::*:10023        (35002/postgrey)
*:*:*:*::*:4190        (117058/dovecot)
*:*:*:*::*:80        (707398/apache2)
*:*:*:*::*:25        (117044/master)
*:*:*:*::*:22        (113767/sshd:)
*:*:*:*::*:21        (117132/pure-ftpd)
*:*:*:*::*:465        (117044/master)
*:*:*:*::*:443        (707398/apache2)
*:*:*:*::*3c25:2eff:fecb:53        (117151/named)
*:*:*:*::*:587        (117044/master)
*:*:*:*::*:995        (117058/dovecot)
*:*:*:*::*:993        (117058/dovecot)
*:*:*:*::*:6379        (34753/redis-server)
*:*:*:*::*:8080        (707398/apache2)
*:*:*:*::*:8081        (707398/apache2)
*:*:*:*::*:53        (117151/named)
*:*:*:*::*:11332        (117051/rspamd:)
*:*:*:*::*:11333        (117051/rspamd:)
*:*:*:*::*:11334        (117051/rspamd:)




##### IPTABLES #####
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-pure-ftpd  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 21
f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
ufw-before-logging-input  all  --  [anywhere]/0            [anywhere]/0           
ufw-before-input  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-input  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-logging-input  all  --  [anywhere]/0            [anywhere]/0           
ufw-reject-input  all  --  [anywhere]/0            [anywhere]/0           
ufw-track-input  all  --  [anywhere]/0            [anywhere]/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  [anywhere]/0            [anywhere]/0           
ufw-before-forward  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-forward  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-logging-forward  all  --  [anywhere]/0            [anywhere]/0           
ufw-reject-forward  all  --  [anywhere]/0            [anywhere]/0           
ufw-track-forward  all  --  [anywhere]/0            [anywhere]/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  [anywhere]/0            [anywhere]/0           
ufw-before-output  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-output  all  --  [anywhere]/0            [anywhere]/0           
ufw-after-logging-output  all  --  [anywhere]/0            [anywhere]/0           
ufw-reject-output  all  --  [anywhere]/0            [anywhere]/0           
ufw-track-output  all  --  [anywhere]/0            [anywhere]/0           

Chain f2b-pure-ftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  [anywhere]/0            [anywhere]/0           

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:68
ufw-skip-to-policy-input  all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
ufw-user-forward  all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
DROP       all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp spt:67 dpt:68
ufw-not-local  all  --  [anywhere]/0            [anywhere]/0           
ACCEPT     udp  --  [anywhere]/0            ***.***.***.***          udp dpt:5353
ACCEPT     udp  --  [anywhere]/0            ***.***.***.***      udp dpt:1900
ufw-user-input  all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10
DROP       all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            ctstate NEW
ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:20
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:21
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:22
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:25
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:80
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:443
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 40110:40210
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:110
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:143
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:465
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:587
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:993
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:995
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:53
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8081
ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:53

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  [anywhere]/0            [anywhere]/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  [anywhere]/0            [anywhere]/0           

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         




##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt

Install worked fine..
My server domain "xy.domain.com" where ISP is installed shows in "SSL" and "Let's Encrypt SSL" checked, but on that site ("xy.domain.com" and also "xy.domain.com:8080") it does not work...(all other domains SSL works) In the browser is says no certificate and also, the RoundCube "account" plugin shows a "SOAP ERROR" How can I fix that?

till · Dec 20, 2022

Creating a website for the hostname is not a great idea as your system SSL cert will fail to renew in the future if you do that as an SSL cert for the hostname is created automatically at install time already and used for the ISPConfig interface, the mail system, and FTP. If this failed because your hostname was not pointing to the system in DNS yet or if you changed it later, then let the ISPConfig updater create a new SSL cert instead of creating a website for the hostname.

ispconfig_update.sh --force

And choose yes when the updater asks to recreate the SSL cert. This is only required if the SSL cert for the ISPConfig GUI is not a valid LE cert at the moment.

Regarding SSL certs for websites, if it fails, see FAQ here:

https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

But as mentioned, a website for the hostname is not a good idea, if you want to do this anyway, then you get in trouble with SSL cert renewal of the main systems cert later, but you can fix that e.g. via symlinks after you got SSL certs for this website.

logansbob · Dec 20, 2022

Well, I created the website, because the ISPConfig interface didn't have a SLL certificate...
I just deleted it and ran: ispconfig_update.sh --force
But no luck - still SOAP ERROR

BTW... there was en error in the update process:
Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

PHP Deprecated: explode(): Passing null to parameter #2 ($string) of type string is deprecated in /tmp/update_runner.sh.narDnLwzpz/install/lib/installer_base.lib.php on line 55
Reconfigure Crontab? (yes,no) [yes]:

logansbob · Dec 20, 2022

Is it also possible to run :

sudo certbot --apache

logansbob · Dec 20, 2022

ok, a restart fixed the problem...
Thanks for your help!

till · Dec 21, 2022

logansbob said: ↑

Is it also possible to run :

sudo certbot --apache
Click to expand...

Please don't run this command, as it is incompatible with your setup and will cause issues later with getting SSL certs for sites and other services.

agenturadler · Jan 15, 2023

till said: ↑

Creating a website for the hostname is not a great idea as your system SSL cert will fail to renew in the future if you do that as an SSL cert for the hostname is created automatically at install time already and used for the ISPConfig interface, the mail system, and FTP. If this failed because your hostname was not pointing to the system in DNS yet or if you changed it later, then let the ISPConfig updater create a new SSL cert instead of creating a website for the hostname.

[...]
But as mentioned, a website for the hostname is not a good idea, if you want to do this anyway, then you get in trouble with SSL cert renewal of the main systems cert later, but you can fix that e.g. via symlinks after you got SSL certs for this website.
Click to expand...

I have a similar situation: I've created a website with the server domain, because I want to provide all apps like phpMyAdmin, webmail etc. under this server domain (and deactivated for that the general apache config for phpMyAdmin etc.).
Just for my understanding: It would be enough to symlink the key and crt of the website (/var/www/website.tld/ssl/) to /usr/local/ispconfig/interface/ssl/? The script for creating the pem-file and restarting the services will be triggered without issues after that (where this will be triggered)?

ahrasis · Jan 16, 2023

agenturadler said: ↑

I have a similar situation: I've created a website with the server domain, because I want to provide all apps like phpMyAdmin, webmail etc. under this server domain (and deactivated for that the general apache config for phpMyAdmin etc.).
Just for my understanding: It would be enough to symlink the key and crt of the website (/var/www/website.tld/ssl/) to /usr/local/ispconfig/interface/ssl/?
The script for creating the pem-file and restarting the services will be triggered without issues after that (where this will be triggered)?
Click to expand...

So far that I know, the script to automatically create ispserver.pem file won't work whether with acme.sh or certbot. This option will only work if you know how to manually change renewal config for the server hostname FQDN and properly do all the relevant symlinks to the automatically created ispserver.pem and other LE SSL certs for it.

agenturadler · Jan 16, 2023

As far as I can see, the script `letsencrypt_renew_hook.sh` should be executed after renewing the server domain certificate. It it still in the config of the domain as renew hook.

Le_Domain='xxx'
Le_Alt='no'
Le_Webroot='/usr/local/ispconfig/interface/acme'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook='__ACME_BASE64__START_bGV0c2VuY3J5cHRfcmVuZXdfaG9vay5zaA==__ACME_BASE64__END_'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='2048'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/841580217/147522912137'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/841580217/147522912137'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/040d50fa4bd2947b6111d27b164c2099b91f'
Le_CertCreateTime='1669412121'
Le_CertCreateTimeStr='2022-11-25T21:35:21Z'
Le_NextRenewTimeStr='2023-01-23T21:35:21Z'
Le_NextRenewTime='1674509721'
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/var/www/xxx/ssl/xxx.key'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIGZvcmNlLXJlbG9hZCBhcGFjaGUyLnNlcnZpY2U=__ACME_BASE64__END_'
Le_RealFullChainPath='/var/www/xxx/ssl/xxx.crt'
Click to expand...

When I analyze the script, the script "only" creates the .pem-file and restart the services. So it should be enough to symlink the two files in the ispconfig folder to the ones in the website folder.

(...)
hostname=$(hostname -f)
if [ -d "/usr/local/ispconfig/server/scripts/${hostname}" ] ; then
lelive="/usr/local/ispconfig/server/scripts/${hostname}" ;
elif [ -d "/root/.acme.sh/${hostname}" ] ; then
lelive="/root/.acme.sh/${hostname}" ;
else
lelive="/etc/letsencrypt/live/${hostname}" ;
fi
(...)
cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key
if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi
if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi
pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi
(...)
Click to expand...

Or am I thinking wrong?

ahrasis · Jan 17, 2023

I don't know as I do not use acme.sh except when writing and testing it for ISPConfig.

I already suggested various times that acme.sh code in ISPConfig should be changed from install to symlink which I think would resolve this issue.

agenturadler · Jan 26, 2023

Just a short feedback: the way I described works. The services (monit, postfix, etc.) restarted after the renewal of the SSL cert and have now the renewed cert.

Log in or Sign up

SSL does not work on server domain

logansbob New Member

till Super Moderator Staff Member ISPConfig Developer

logansbob New Member

logansbob New Member

logansbob New Member

till Super Moderator Staff Member ISPConfig Developer

agenturadler New Member

ahrasis Well-Known Member HowtoForge Supporter

agenturadler New Member

ahrasis Well-Known Member HowtoForge Supporter

agenturadler New Member

Share This Page

Log in or Sign up

SSL does not work on server domain

logansbob New Member

till Super Moderator Staff Member ISPConfig Developer

logansbob New Member

logansbob New Member

logansbob New Member

till Super Moderator Staff Member ISPConfig Developer

agenturadler New Member

ahrasis Well-Known Member HowtoForge Supporter

agenturadler New Member

ahrasis Well-Known Member HowtoForge Supporter

agenturadler New Member

Share This Page

Useful Searches