Hello,

We have recently upgraded an ISPConfig from 3.2.12 to 3.3.0 and also did a full-upgrade from Debian bullseye to Debian bookworm. We also needed to reconfigure the SSL on all sites because it was misconfigured using certbot, and we have reconfigured it step by step to use acme.sh for the certification and for letsencrypt... Certbot was also removed.

Since the upgrade, the FTP accounts no longer seem to work. We have ufw for the firewall and the ports seem open, but not in the report.

Here is the report:

```
cat htf_report.txt | more
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 12 (bookworm)
[INFO] uptime: 10:51:56 up 13 days, 16:59, 6 users, load average: 0,17, 0,20, 0,33
[INFO] memory:
total utilisé libre partagé tamp/cache disponible
Mem: 7,8Gi 4,3Gi 1,6Gi 296Mi 2,4Gi 3,5Gi
Échange: 974Mi 974Mi 784Ki
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
● certbot.service not-found failed failed certbot.service
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.3.0p1
##### VERSION CHECK #####
[INFO] php (cli) version is 8.2.28
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.28
##### PORT CHECK #####
[WARN] Port 21 (FTP server) seems NOT to be listening
[WARN] Port 22 (SSH server) seems NOT to be listening
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 834809)
[INFO] I found the following mail server(s): Postfix (PID 457533)
[INFO] I found the following pop3 server(s): Dovecot (PID 460017)
[INFO] I found the following imap server(s): Dovecot (PID 460017)
[WARN] I could not determine which ftp server is running.
##### LISTENING PORTS #####
(seulement () Adresse (distante)
[anywhere]:10050 (784/zabbix_agentd)
[localhost]:10023 (592/postgrey)
[anywhere]:587 (457533/master)
[anywhere]:995 (460017/dovecot)
[anywhere]:993 (460017/dovecot)
[localhost]:53 (730/named)
[localhost]:53 (730/named)
[localhost]:53 (730/named)
[localhost]:53 (730/named)
[anywhere]:110 (460017/dovecot)
[localhost]:953 (730/named)
[localhost]:953 (730/named)
[localhost]:953 (730/named)
[localhost]:953 (730/named)
[anywhere]:4190 (460017/dovecot)
[anywhere]:25 (457533/master)
[localhost]:783 (748/perl)
[anywhere]:143 (460017/dovecot)
[anywhere]:465 (457533/master)
[anywhere]:7777 (776/sshd
***.***.***.***:53 (730/named)
***.***.***.***:53 (730/named)
***.***.***.***:53 (730/named)
***.***.***.***:53 (730/named)
[localhost]:3306 (212520/mariadbd)
[localhost]:11334 (396801/rspamd
[localhost]:11332 (396801/rspamd
[localhost]:11333 (396801/rspamd
[localhost]:6379 (739/redis-server)
[localhost]:11211 (729/memcached)
*:*:*:*::*:953 (730/named)
*:*:*:*::*:953 (730/named)
*:*:*:*::*:953 (730/named)
*:*:*:*::*:953 (730/named)
*:*:*:*::*:783 (748/perl)
[localhost]0050 (784/zabbix_agentd)
*:*:*:*::*:53 (730/named)
*:*:*:*::*:53 (730/named)
*:*:*:*::*:53 (730/named)
*:*:*:*::*:53 (730/named)
*:*:*:*::*:587 (457533/master)
*:*:*:*::*:10023 (592/postgrey)
*:*:*:*::*:995 (460017/dovecot)
*:*:*:*::*:993 (460017/dovecot)
[localhost]10 (460017/dovecot)
*:*:*:*::*:80 (834809/apache2)
*:*:*:*::*:4190 (460017/dovecot)
*:*:*:*::*:25 (457533/master)
*:*:*:*::*be24:11ff:fe9c:53 (730/named)
*:*:*:*::*be24:11ff:fe9c:53 (730/named)
*:*:*:*::*be24:11ff:fe9c:53 (730/named)
*:*:*:*::*be24:11ff:fe9c:53 (730/named)
[localhost]43 (460017/dovecot)
*:*:*:*::*:465 (457533/master)
*:*:*:*::*:443 (834809/apache2)
*:*:*:*::*:7777 (776/sshd
*:*:*:*::*:8081 (834809/apache2)
*:*:*:*::*:8080 (834809/apache2)
*:*:*:*::*:6379 (739/redis-server)
*:*:*:*::*:11334 (396801/rspamd
*:*:*:*::*:11333 (396801/rspamd
*:*:*:*::*:11332 (396801/rspamd
##### IPTABLES #####
Chain INPUT (policy DROP)
target prot opt source destination
f2b-dovecot 6 -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993,587,465,4190
f2b-postfix-sasl 6 -- [anywhere]/0 [anywhere]/0 multiport dports 25
ufw-before-logging-input 0 -- [anywhere]/0 [anywhere]/0
ufw-before-input 0 -- [anywhere]/0 [anywhere]/0
ufw-after-input 0 -- [anywhere]/0 [anywhere]/0
ufw-after-logging-input 0 -- [anywhere]/0 [anywhere]/0
ufw-reject-input 0 -- [anywhere]/0 [anywhere]/0
ufw-track-input 0 -- [anywhere]/0 [anywhere]/0
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward 0 -- [anywhere]/0 [anywhere]/0
ufw-before-forward 0 -- [anywhere]/0 [anywhere]/0
ufw-after-forward 0 -- [anywhere]/0 [anywhere]/0
ufw-after-logging-forward 0 -- [anywhere]/0 [anywhere]/0
ufw-reject-forward 0 -- [anywhere]/0 [anywhere]/0
ufw-track-forward 0 -- [anywhere]/0 [anywhere]/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output 0 -- [anywhere]/0 [anywhere]/0
ufw-before-output 0 -- [anywhere]/0 [anywhere]/0
ufw-after-output 0 -- [anywhere]/0 [anywhere]/0
ufw-after-logging-output 0 -- [anywhere]/0 [anywhere]/0
ufw-reject-output 0 -- [anywhere]/0 [anywhere]/0
ufw-track-output 0 -- [anywhere]/0 [anywhere]/0
Chain f2b-dovecot (1 references)
target prot opt source destination
RETURN 0 -- [anywhere]/0 [anywhere]/0
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:137
ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:138
ufw-skip-to-policy-input 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:139
ufw-skip-to-policy-input 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:445
ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:67
ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:68
ufw-skip-to-policy-input 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 8
ufw-user-forward 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT 0 -- [anywhere]/0 [anywhere]/0
ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID
DROP 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 8
ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
ufw-not-local 0 -- [anywhere]/0 [anywhere]/0
ACCEPT 17 -- [anywhere]/0 ***.***.***.*** udp dpt:5353
ACCEPT 17 -- [anywhere]/0 ***.***.***.*** udp dpt:1900
ufw-user-input 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT 0 -- [anywhere]/0 [anywhere]/0
ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-user-output 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
DROP 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 ctstate NEW
ACCEPT 17 -- [anywhere]/0 [anywhere]/0 ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:21
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:22
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:25
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:53
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:80
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:110
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:143
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:443
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:465
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:587
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:993
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:995
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:4190
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 multiport dports 40110:40210
ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp dpt:53
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:7777
ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp dpt:7777
ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:10050
ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp dpt:10050
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT 0 -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT 0 -- [anywhere]/0 [anywhere]/0
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
[WARN] You have /etc/letsencrypt/live in place, although only acme.sh is installed. This might indicate a problem
```

The last message is just because we have left the folder `/etc/letsencrypt/live` in place, but the SSL is working with `acme.sh` and a crontab:

```
15 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
```

I have different errors... when trying to connect with an FTP user:

```
Statut : Échec de la tentative de connexion avec « ECONNREFUSED - Connexion refusée par le serveur ».
Erreur : Impossible d’établir une connexion au serveur
```

and I have also received mails with:

```
web1.console.domain.tld - 19.06.2025-16:51 - WARNING - The PHP cli binary is not set for the selected PHP version. Affected web: clientdomain.tld
```

The paths for `php-cli` and `jail-kit` are not edited in the sites for PHP-CLI Settings? Not sure if they must be.

\O/ I found how to resolve the FTP connection...

The service pure-ftpd was not working as wanted.

```
systemctl status pure-ftpd-mysql
● pure-ftpd-mysql.service
Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
Active: active (exited) since Thu 2025-06-12 00:00:34 CEST; 1 week 5 days ago
Docs: man:systemd-sysv-generator(8)
CPU: 61ms
juin 12 00:00:34 myserver systemd[1]: Starting pure-ftpd-mysql.service...
juin 12 00:00:34 myserver pure-ftpd-mysql[1281906]: Starting ftp server:
juin 12 00:00:34 myserver pure-ftpd-mysql[1281913]: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -p 40110:402>
juin 12 00:00:34 web1 systemd[1]: Started pure-ftpd-mysql.service.
juin 12 00:00:34 web1 pure-ftpd[1281914]: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
lines 1-11/11 (EN
```

So I found the problem: as we changed the certs and the symbolic links to use acme.sh, the file `/usr/local/ispconfig/interface/ssl/ispserver.pem` was no longer there, and `/etc/ssl/private/pure-ftpd.pem` should be a symbolic link of `/etc/ssl/private/pure-ftpd.pem`.

The solution was to recreate the file as explained here: https://www.howtoforge.com/tutorial...-lets-encrypt-ssl-certificate/#d-for-pureftpd

Restarting the service pure-ftpd now works and we could use FTP again.
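
An added example, not part of the original posts: a POSIX shell check for the failure described above, where systemd reports `active (exited)` while pure-ftpd has stopped because its TLS PEM is missing. The function names are hypothetical; it assumes the PEM must hold both the private key and the certificate, and that `ss -ltnH` prints the local address in column 4.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Classify the PEM file pure-ftpd loads for TLS.
# Prints one word; returns 0 only when the file looks usable.
check_ftpd_pem() {
    pem="$1"
    if [ -L "$pem" ] && [ ! -e "$pem" ]; then
        # Symlink whose target was removed, e.g. after a certificate migration.
        echo "dangling-symlink"; return 2
    fi
    if [ ! -e "$pem" ]; then
        echo "missing"; return 1
    fi
    if [ ! -r "$pem" ]; then
        echo "unreadable"; return 3
    fi
    # Assumption: key and certificate live in the same file.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "no-private-key"; return 4
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "no-certificate"; return 5
    fi
    echo "ok"; return 0
}

# Read `ss -ltnH` lines on stdin; succeed if a local address ends in :PORT.
# A sysv-generated unit can show "active (exited)" with no daemon running,
# so the listener is checked separately from the unit state.
has_listener() {
    awk -v p=":$1" '{
        n = length($4) - length(p) + 1
        if (n > 0 && substr($4, n) == p) found = 1
    } END { exit !found }'
}

# Run against a real host only when a PEM path is passed as argument.
if [ "$#" -gt 0 ]; then
    echo "pem: $(check_ftpd_pem "$1")"
    if ss -ltnH | has_listener 21; then
        echo "port 21: listening"
    else
        echo "port 21: no listener"
    fi
fi
```

Invoked as `sh check.sh /etc/ssl/private/pure-ftpd.pem` (the script name is a placeholder), it reports the PEM state and whether anything is bound to port 21.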