Apache wrong site shown

Discussion in 'Installation/Configuration' started by cremos, Nov 17, 2020.

  1. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Also for this issue check the ip addresses you set in your sites, and don't mix '*' with specific ips.
     
  2. cremos

    cremos Member

    Hello (slm),
    Sorry for the late response.
    DNS Info:
    Code:
    root@panel3:~# dig  sandras.anizy-le-grand.clg.ac-amiens.fr
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> sandras.anizy-le-grand.clg.ac-amiens.fr
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63916
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sandras.anizy-le-grand.clg.ac-amiens.fr. IN A
    
    ;; ANSWER SECTION:
    sandras.anizy-le-grand.clg.ac-amiens.fr. 86400 IN CNAME panel3.ac-amiens.fr.
    panel3.ac-amiens.fr.    86400   IN      A       194.254.103.168
    
    ;; AUTHORITY SECTION:
    ac-amiens.fr.           86400   IN      NS      mars.ac-creteil.fr.
    ac-amiens.fr.           86400   IN      NS      ns.ac-amiens.fr.
    ac-amiens.fr.           86400   IN      NS      orion.utc.fr.
    
    ;; ADDITIONAL SECTION:
    ns.ac-amiens.fr.        86400   IN      A       194.199.46.3
    mars.ac-creteil.fr.     252     IN      A       195.98.246.50
    orion.utc.fr.           1750    IN      A       195.83.155.16
    
    ;; Query time: 1 msec
    ;; SERVER: 194.199.46.5#53(194.199.46.5)
    ;; WHEN: jeu. déc. 17 11:03:12 CET 2020
    ;; MSG SIZE  rcvd: 224
    
    sandras.anizy-le-grand.clg.ac-amiens.fr. 86400 IN CNAME panel3.ac-amiens.fr (194.254.103.168).
    Code:
    dig -x  194.254.103.168
    ;; ANSWER SECTION:
    168.103.254.194.in-addr.arpa. 86400 IN  PTR     panel3.ac-amiens.fr
    
    Crémos
     
  3. cremos

    cremos Member

    For all web domain vhosts we have:
    <VirtualHost *:80>
    <VirtualHost *:443>
    except for the Ispconfig vhost 000-ispconfig.conf, which listens on an IP; end of file:
    Ispconfig is behind HAProxy, on a private IP (192.168.236.50).
    Code:
    NameVirtualHost *:80
    NameVirtualHost *:443
    NameVirtualHost 192.168.236.50:80
    NameVirtualHost 192.168.236.50:443
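
    A quick way to see which vhost Apache treats as the default for each listen socket (the one it serves when a TLS ClientHello carries no SNI or no ServerName matches) and whether a port mixes '*' with a specific IP, as Jesse Norell warned against above. This is an added example, not Ispconfig's own tooling; the file contents are constructed to mirror this thread's setup, and a real check would read /etc/apache2/sites-enabled/ instead.

```python
import re
from collections import defaultdict

# Constructed contents of /etc/apache2/sites-enabled/*, keyed by file name,
# mirroring this thread's setup; a real check would read the actual files.
SAMPLE_VHOSTS = {
    "000-ispconfig.conf": "<VirtualHost 192.168.236.50:443>\n"
                          "  ServerName panel3.ac-amiens.fr\n</VirtualHost>\n",
    "100-dev.dsden60.ac-amiens.fr.vhost": "<VirtualHost *:80>\n"
        "  ServerName dev.dsden60.ac-amiens.fr\n</VirtualHost>\n"
        "<VirtualHost *:443>\n  ServerName dev.dsden60.ac-amiens.fr\n</VirtualHost>\n",
    "100-sandras.anizy-le-grand.clg.ac-amiens.fr.vhost": "<VirtualHost *:80>\n"
        "  ServerName sandras.anizy-le-grand.clg.ac-amiens.fr\n</VirtualHost>\n",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def parse_vhosts(files):
    """Yield (file, address, port, ServerName) in Apache's load order (sorted names)."""
    for name in sorted(files):
        for m in VHOST_RE.finditer(files[name]):
            addr, _, port = m.group(1).rpartition(":")
            sn = NAME_RE.search(m.group(2))
            yield name, addr, port, (sn.group(1) if sn else None)


def audit(files):
    """Per listen socket, the first vhost (what Apache serves when a TLS
    ClientHello has no SNI or no ServerName matches), plus ports that mix
    '*' with a specific IP, which is the mix advised against above."""
    first = {}                        # "addr:port" -> ServerName of first vhost
    addrs_by_port = defaultdict(set)
    for _, addr, port, sn in parse_vhosts(files):
        first.setdefault(f"{addr}:{port}", sn)
        addrs_by_port[port].add(addr)
    mixed = sorted(p for p, a in addrs_by_port.items() if "*" in a and len(a) > 1)
    return {"default": first, "mixed_ports": mixed}


if __name__ == "__main__":
    result = audit(SAMPLE_VHOSTS)
    for sock, name in result["default"].items():
        print(f"{sock:<22} default vhost -> {name}")
    print("ports mixing '*' with specific IPs:", result["mixed_ports"])
```

    With the sample above, https://sandras... on *:443 lands on the dev.dsden60 vhost, which is exactly the certificate alert reported further down in this thread.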
    
     
  4. cremos

    cremos Member

    I have no more information in the apache2 logs regarding the "Bad Request" error.
    It's still the same HTTP vhost configuration problem.

    Code:
    [194.254.103.168]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1"
    certbot.errors.FailedChallenges: Procédure d’autorisation échouée. sandras.anizy-le-grand.clg.ac-amiens.fr (http-01): urne:ietf:params:acme:error:unauthorized :: Le client manque d’autorisation suffisante :: Réponse invalide de http://sandras.anizy-le-grand.clg.ac-amiens.fr/.well-known/acme-challenge/QVvmF91CL1exL4GrIilWmI7yfYQOKeapHUz-2MGb8
    When the URL http://sandras.anizy-le-grand.clg.ac-amiens.fr is displayed, I receive:
    Code:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache/2.4.38 (Debian) Server at dev.dsden60.ac-amiens.fr Port 80
    
    When I go to the site https://sandras.anizy-le-grand.clg.ac-amiens.fr/
    in HTTPS mode, knowing that SSL is not activated and the certificate has not been generated for this site,
    I get a certificate alert. After verification, it corresponds to another vhost (dev.dsden60.ac-amiens.fr).
     
    Last edited: Dec 17, 2020
  5. cremos

    cremos Member

    1 / I deactivated all the Subdomains (Vhost) while keeping the sandras.anizy-le-grand.clg.ac-amiens.fr website.
    2 / I then activated via Ispconfig "SSL & Let's Encrypt" then the redirection "Rewrite HTTP to HTTPS"
    3 / the certificate has been created.
    Code:
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-sandras.anizy-le-grand.clg.ac-amiens.fr.vhost
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Your existing certificate has been successfully renewed, and the new certificate
    has been installed.
    
    The new certificate covers the following domains:
    https://sandras.anizy-le-grand.clg.ac-amiens.fr
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/sandras.anizy-le-grand.clg.ac-amiens.fr/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/sandras.anizy-le-grand.clg.ac-amiens.fr/privkey.pem
       Your cert will expire on 2021-03-17. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again with the "certonly" option. To non-interactively renew *all*
       of your certificates, run "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    4 / Without HTTPS activated, the site displays "Not Found
    The requested URL was not found on this server".
    5 / It seems that we are obliged to systematically activate HTTPS and the redirection.
    Weird: you have to deactivate the whole subdomain (vhost) to generate a certificate for a website.
    What do you think?
    Thank you in advance for your answers.
     
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Code:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache/2.4.38 (Debian) Server at dev.dsden60.ac-amiens.fr Port 80
    
    perhaps this is due to haproxy, do you have it configured to send everything to port 443 on the backend?
    perhaps a single frontend is listening to both port 80 and 443?
    or two frontends, one port 80, one port 443, both using the same backend configuration?
    you need a frontend listening on port 80, with the backend configured to send to port 80
    and a separate frontend listening on port 443, with another backend configured to send to port 443.
     
  7. cremos

    cremos Member

    Thanks for the details.
    I am using HAProxy with SSL pass-through. I did not force the HTTPS redirect.
    Only a single frontend listens on both port 80 and 443, with the backend configured to send to port 443.
    I think my error is there: I am not returning anything on port 80.

    Haproxy configuration:
    Code:
    ############
    # FRONTEND #
    ############


    ### HTTPS-ALT ###

    frontend panel3-http-alt

            mode http
            option forwardfor
            bind 194.254.103.168:8080 no-sslv3 ssl crt /etc/haproxy/ssl/panel3/panel3.ac-amiens.fr.pem
            http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;

            ###DEFAULT_BACKEND###
            use_backend panel3_http-alt

    ### TLS 1.3 HAProxy with SSL Pass-Through ###

    frontend panel3-https-Pass-Through

            # we ask HAProxy to pick up all http (80) and https (443) requests
            bind 194.254.103.168:80

            # for https requests, we provide the certificate(s)
            bind 194.254.103.168:443
            mode tcp
            option tcplog

            # here we force the http => https redirection
            #redirect scheme https if !{ ssl_fc }

            # Compression
            compression algo gzip

            # we define the default backend
            default_backend panel3-in_https-Pass-Through


    ###########
    # BACKEND #
    ###########


    backend panel3_http-alt
            mode http
            log global
            option httpchk
            option abortonclose
            option httpclose
            option forceclose
            option forwardfor
            server panel3_http-alt.in 192.168.236.50:8080 check ssl verify none
            http-request set-header X-Forwarded-Port %[dst_port]
            http-request add-header X-Forwarded-Proto https if { ssl_fc }
            option forwardfor except 127.0.0.1/8

    backend panel3-in_https-Pass-Through
            mode tcp
            ## checks the connection as well as its ability to handle SSL connections (SSLv3 in particular).
            option ssl-hello-chk
            server panel3_https.in 192.168.236.50:443 check-ssl verify none ## send-proxy = option forwardfor
     
    Last edited: Dec 17, 2020
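
    The split nhybgtvfr describes, written here as an added example rather than cremos' final configuration (which is not posted): the addresses and backend names come from the config above, the panel's 8080 frontend is left out, and the 443 side additionally admits only a TLS ClientHello, which is the filtering cremos proposes later in the thread. It assumes Apache on 192.168.236.50 also listens on port 80, so that HTTP-only sites and the ACME http-01 challenge are answered by Apache's plain-HTTP vhosts rather than by the SSL port.

```haproxy
# Plain HTTP frontend: HTTP-only sites and the ACME http-01 challenge go
# to Apache's port 80, never to 443 (no more "plain HTTP to an SSL port").
frontend panel3-http
        bind 194.254.103.168:80
        mode http
        option httplog
        option forwardfor
        default_backend panel3-in_http

# TLS pass-through frontend: tcp mode, so the ClientHello (with its SNI)
# reaches Apache untouched and Apache selects the vhost and certificate.
frontend panel3-https-Pass-Through
        bind 194.254.103.168:443
        mode tcp
        option tcplog
        # hold the first bytes briefly; forward only a TLS ClientHello,
        # drop anything else (plain HTTP, garbage) before it reaches Apache
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        tcp-request content reject
        default_backend panel3-in_https-Pass-Through

backend panel3-in_http
        mode http
        option httpchk GET /
        server panel3_http.in 192.168.236.50:80 check

backend panel3-in_https-Pass-Through
        mode tcp
        option ssl-hello-chk
        server panel3_https.in 192.168.236.50:443 check
```

    An HTTP to HTTPS redirect, where wanted, then belongs either in the port 80 frontend (http mode) or in Apache via Ispconfig's "Rewrite HTTP to HTTPS", not in the tcp-mode frontend.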
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So exactly what @nhybgtvfr said, you proxy port 80 on the front end to port 443 on the back end, resulting in clients talking http to an https server.
     
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    I'm also not convinced you can force http to https redirection there (although you have that commented out currently).
    For ssl passthrough, it needs to be in tcp mode, so the packets 'pass through' haproxy completely unchanged, which won't be the case if the redirection is on. It's been a long time since I looked at any haproxy stuff, but I suspect that http/https redirection can only be used when the frontend is configured to use http mode, which would rule out using ssl pass-through.
     
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    As an afterthought, this could also explain your problems with requesting the letsencrypt certificates, which for obvious reasons need to be started on port 80.
     
  11. cremos

    cremos Member

    Indeed, the creation of the letsencrypt certificate is done on port 80. I must reconfigure my Haproxy for the TLS passthrough to work correctly.
    I am thinking of separating port 80 and 443 into two distinct sections
    then check and only accept TLS packets passing through port 443.
     
  12. cremos

    cremos Member

    Thank you again for your availability and your clarifications; after having reconfigured HAProxy, the generation of certificates with Ispconfig works. However, I still can't put a website in HTTP only. To be continued.
     
    Last edited: Dec 17, 2020
  13. cremos

    cremos Member

    In the apache2 logs:
    Code:
    [Thu Dec 17 21:17:52.208567 2020] [ssl:info] [pid 25160] [client 194.254.103.140:55531] AH01964: Connection to child 23 established (server panel3.ac-amiens.fr:443)
    [Thu Dec 17 21:17:52.209062 2020] [ssl:debug] [pid 25160] ssl_engine_kernel.c(2374): [client 194.254.103.140:55531] AH02645: Server name not provided via TLS extension (using default/first virtual host)
    
     
  14. cremos

    cremos Member

    Hello.
    Can you tell me if this is normal behavior of Ispconfig? If I do not configure a website in HTTPS, with creation of the certificate plus the redirection from HTTP to HTTPS, I get the error:
    Code:
    503 Service Unavailable
    No server is available to handle this request. 
    
    I cannot use a site in HTTP-only mode without an HTTP to HTTPS redirect.
    Thank you in advance for your answers.
     
  15. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    bypass haproxy, create a new website in ispconfig, don't bother about any certs for it, don't create any http-https redirects.
    use a machine with a gui on the same subnet as the webserver, or vpn into that subnet. then put the domain name with the webserver's physical ip into your local hosts file, and then try to browse the site using http.
    see what happens.
    that way we'll know if it's an ispconfig problem or a haproxy problem.
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The behavior is similar, if you redirect your site to https but have nothing listening on port 443, though the message is different. More common is there is another site already using port 443, so the wrong site loads. Your actual message comes from your haproxy setup.
     
  17. cremos

    cremos Member

    Hello !

    1/ Site labvirtual.ac-amiens.fr
    configuration in Ispconfig of the web domain:
    no SSL and Let's Encrypt.
    No problem displaying the site in HTTP mode.

    2/ Site labvirtual.ac-amiens.fr/robots.txt
    configuration in Ispconfig of the web domain:
    with SSL and Let's Encrypt and activation of the Rewrite HTTP to HTTPS redirect.
    No problem displaying in HTTPS mode with the correct site certificate.

    3/ Site labvirtual.ac-amiens.fr/robots.txt
    configuration in Ispconfig of the web domain:
    with SSL and Let's Encrypt and without activation of the Rewrite HTTP to HTTPS redirect.
    No problem displaying the site in HTTP and HTTPS mode.

    I need to check the load times for sites that I find too long.
    1 / empty site, default Ispconfig page (index.html): https://gdmaths.dsden60.ac-amiens.fr/, load time = 0.2 seconds, page size = 8.4 kB and requests = 1
    2 / website under WordPress: https://gdml.dsden60.ac-amiens.fr/, load time = 3.9 seconds, page size = 1353.1 kB and requests = 143

    What do you think?

    I would like to sincerely thank you for the work you have done. Your help contributed a lot to the resolution of the problem (cause: HAProxy configuration).
     