I added a new site, installed RoundCube, enabled ssl, and installed the default self-cert. This worked fine but I need a 'real' ssl certificate for webmail access in many situations. Thus, obtained a GoDaddy cert and installed the certificate via ispconfig's ssl panel. Restarted ispconfig, and that's where the trouble started.

Note: I updated ispconfig to 2.2.36 between installing the new site plus RoundCube, and adding the new cert.

Upon restarting ispconfig, Apache2 fails to start. This line is near the end of ispconfig.log:

Code:
    ...
    24.07.2010 - 15:43:56 => WARN - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 755: WARNING: could not /etc/init.d/apache2 restart &> /dev/null
    ...

I found (from another thread here) that there were two instances of

Code:
    Include /etc/apache2/vhosts/Vhosts_ispconfig.conf

in /etc/apache2/apache2.conf. Removed the second instance, but apache failed to restart. Restored the second instance (near the end) and removed the first, same result.

I manually restarted apache2:

Code:
    User@Server:/var/log$ sudo /etc/init.d/apache2 restart
     * Restarting web server apache2 [fail]

No error message to the console. /var/log/apache2/error.log gives no clue. The syslog has no relevant entries either.

Any help on figuring this out? Thanks!
It gives this response:

Code:
    root@m2a74am-vm1:/# httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/#

I had removed the user names created in ispconfig (my previous post) but restoring /home/admispconfig/ispconfig/users and restarting ispconfig makes no difference.
Chasing this down a little bit:

Code:
    root@m2a74am-vm1:/etc/apache2# cat envvars
    # envvars - default environment variables for apache2ctl
    # Since there is no sane way to get the parsed apache2 config in scripts, some
    # settings are defined via environment variables and then used in apache2ctl,
    # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
    export APACHE_RUN_USER=www-data
    export APACHE_RUN_GROUP=www-data
    export APACHE_PID_FILE=/var/run/apache2.pid
    ## The locale used by some modules like mod_dav
    export LANG=C
    ## Uncomment the following line to use the system default locale instead:
    #. /etc/default/locale
    export LANG
    root@m2a74am-vm1:/etc/apache2#

and

Code:
    root@m2a74am-vm1:/# cat /etc/passwd | grep www-data
    www-data:x:33:33:www-data:/var/www:/bin/sh
    root@m2a74am-vm1:/#

Is 33 a sane id for this user / group?
Why the '.' at the front of ./etc/apache2/envvars && httpd -t ?

First I had to make envvars executable:

Code:
    root@m2a74am-vm1:/etc/apache2# chmod +x envvars
    root@m2a74am-vm1:/etc/apache2# /etc/apache2/envvars && httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/etc/apache2#

Still the same result, though. And:

Code:
    root@m2a74am-vm1:/etc/apache2# export APACHE_RUN__USER=www-data
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    root@m2a74am-vm1:/etc/apache2# export APACHE_RUN_USER="www-data"
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    www-data
    root@m2a74am-vm1:/etc/apache2# /etc/apache2/envvars && httpd -t
    httpd: bad group name ${APACHE_RUN_GROUP}
    root@m2a74am-vm1:/etc/apache2#
The correct command is

Code:
    ./etc/apache2/envvars && httpd -t

The dot includes the /etc/apache2/envvars file so that the variables in it are available to the httpd command.
OK, but the result is the same:

Code:
    root@m2a74am-vm1:/# ./etc/apache2/envvars && httpd -t
    httpd: bad user name ${APACHE_RUN_USER}
    root@m2a74am-vm1:/#

It runs from the root directory, but not in /etc/apache2. Is there really any difference between the above and running the two commands separately, in an interactive session?

-- John
Try

Code:
    . /etc/apache2/envvars && httpd -t

instead (with a space between . and /etc/apache2/envvars).
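The difference between running envvars as a program (`./etc/apache2/envvars`, or `/etc/apache2/envvars` after `chmod +x`) and sourcing it (`. /etc/apache2/envvars`) is what produced the unexpanded `${APACHE_RUN_USER}` in the `httpd -t` output. The following is an added example, not part of the original posts: it lists which `${NAME}` references in a config would remain unset under each method. The function names and the two small sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example; file contents below are constructed, not taken from the thread's server.

# Write a constructed envvars file and a config fragment that references it.
make_sample() {
    cat > "$1/envvars" <<'EOF'
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
EOF
    cat > "$1/apache2.conf" <<'EOF'
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
EOF
}

# Print each ${NAME} referenced in config $1 that is still unset after
# loading envvars file $2. Mode "source" uses ". file"; mode "exec" runs the
# file as a child process, which is what "./file" or "/path/file" does.
unresolved_refs() {
    conf=$1; envfile=$2; mode=$3
    (   # subshell: leave the caller's environment untouched
        if [ "$mode" = source ]; then
            . "$envfile"
        else
            sh "$envfile"   # exports are lost when the child exits
        fi
        grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$conf" | sort -u |
        while read -r ref; do
            name=${ref#??}      # strip leading "${"
            name=${name%?}      # strip trailing "}"
            eval "val=\${$name-}"
            [ -n "$val" ] || printf '%s\n' "$name"
        done
    )
}

tmp=$(mktemp -d)
make_sample "$tmp"
unset APACHE_RUN_USER APACHE_RUN_GROUP
echo "unresolved after executing: $(unresolved_refs "$tmp/apache2.conf" "$tmp/envvars" exec | tr '\n' ' ')"
echo "unresolved after sourcing:  $(unresolved_refs "$tmp/apache2.conf" "$tmp/envvars" source | tr '\n' ' ')"
rm -rf "$tmp"
```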
Code:
    root@m2a74am-vm1:/etc/apache2# . /etc/apache2/envvars && httpd -t
    Syntax OK
    root@m2a74am-vm1:/etc/apache2# echo $APACHE_RUN_USER
    www-data
    root@m2a74am-vm1:/etc/apache2# ../init.d/ispconfig_server restart
    Shutting down ISPConfig system...
    /root/ispconfig/httpd/bin/apachectl stop: httpd (pid 1862?) not running
    ISPConfig system stopped!
    Starting ISPConfig system...
    Apache/1.3.41 mod_ssl/2.8.31 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.
    Server www.myserver.com:81 (RSA)
    Enter pass phrase:
    Ok: Pass Phrase Dialog successful.
    /root/ispconfig/httpd/bin/apachectl startssl: httpd started
    ISPConfig system is now up and running!
    root@m2a74am-vm1:/etc/apache2# httpd -t
    Syntax OK
    root@m2a74am-vm1:/etc/apache2

This did not start apache2. Here's ISP Server Status:Services from the Management tab:

Code:
    Web-Server: Offline
    FTP-Server: Online
    SMTP-Server: Online
    POP3-Server: Online
    BIND-Server: Online
    mySQL-Server: Online

I would like to try deleting the ssl site and restarting, then restoring the site. This might make it impossible to know what's happening now, but I do have daily backups of all the files.
Yes, the error is unchanged:

Code:
    root@m2a74am-vm1:/# /etc/init.d/apache2 restart
     * Restarting web server apache2 [fail]
    root@m2a74am-vm1:/#

There are no relevant apache2 log entries that I can find.
If there is no error message, then it's most likely an ssl error. Take a look into the error log of the website where you added / changed the ssl certificate.
Yes, that's the problem:

Code:
    [Thu Jul 29 07:24:18 2010] [error] Unable to configure RSA server private key
    [Thu Jul 29 07:24:18 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I thought that the key pair was OK. The ispconfig-supplied csr was provided to GoDaddy, they validated the request and my site, and then provided the cert. Although I have installed these before, it's been a couple of years since. I've obviously done something wrong here.

The cert was downloaded for the "Other" type of web server; they sent me a zip file containing gd_bundle.crt and my.domain.com.crt. I read somewhere else in this forum that I should simply copy the simple crt file into the certificate window in ispconfig but apparently that may be incorrect. Should I obtain the Apache-type cert bundle and install the intermediate file as instructed earlier in the above thread?

Also, I checked the first and last six characters of the cert as shown in ispconfig and as in the received crt file -- they are identical -- so there's little chance that this is the wrong cert, but is it possible that the csr was accidentally regenerated at some point? I'll re-key the cert at GoDaddy later today and see what happens.

It would be nice to know if either or both of the above procedures ('Other' or 'Apache' cert, without or with the intermediate file and supporting Apache2 directive) are best, required, preferred, or what.

Thanks!
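The `key values mismatch` error above means the public key in the certificate is not the one belonging to the private key Apache loaded, which is what happens when a CSR and key are regenerated after the certificate was requested. The following is an added example, not part of the original posts and not ISPConfig code: it compares public-key digests of a key, certificate and CSR with the `openssl` CLI before a restart. The function names, file names and the self-signed stand-in certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and file names are hypothetical.

# SHA-256 of the public key inside a private key, certificate or CSR (PEM).
pubkey_digest() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    false ;;
    esac || return 2
    # Re-encode as DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if both files carry the same public key, 1 on mismatch, 2 if unreadable.
same_key() {   # usage: same_key TYPE1 FILE1 TYPE2 FILE2
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Constructed fixture reproducing the thread's situation: a certificate issued
# for the first key, then a second key and CSR generated afterwards.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=webmail.example.test \
        -keyout "$1/old.key" -out "$1/issued.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=webmail.example.test \
        -keyout "$1/new.key" -out "$1/new.csr" 2>/dev/null
}

dir=$(mktemp -d)
make_fixture "$dir"
same_key key "$dir/old.key" cert "$dir/issued.crt" && echo "old.key matches issued.crt"
same_key key "$dir/new.key" cert "$dir/issued.crt" || echo "new.key does NOT match issued.crt (mod_ssl: key values mismatch)"
same_key key "$dir/new.key" csr "$dir/new.csr" && echo "new.csr was made from new.key"
rm -rf "$dir"
```

Comparing the CSR against the key as well shows whether the request sent to the CA was generated from the key that is currently on disk.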
I deleted the certificates and made sure that /var/www/web#/ssl was empty. Then used ispconfig to generate a new csr and used that to rekey the GoDaddy cert. Uploaded the two files from GoDaddy's download: sf_bundle.crt and my.domain.com.crt into the web's ssl folder. Added the intermediate file directive to Apache directives:

Code:
    SSLCertificateChainFile /var/www/web##/ssl/sf_bundle.crt

Now, when I restart apache2 I get:

Code:
    root@m2a74am-vm1:/# /etc/init.d/apache2 restart
     * Restarting web server apache2
    apache2: Syntax error on line 340 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/vhosts/Vhosts_ispconfig.conf: No such file or directory
    [fail]

and yes, there is no such file, only older versions:

Code:
    root@m2a74am-vm1:/etc/apache2# ls vhosts
    Vhosts_ispconfig.conf_29-07-10_21-00-25
    Vhosts_ispconfig.conf_29-07-10_21-18-53
    Vhosts_ispconfig.conf_29-07-10_21-18-56
    Vhosts_ispconfig.conf_29-07-10_21-19-11
    root@m2a74am-vm1:/etc/apache2#

Since there were definitely no changes from the most recent file, and it contained the correct directives and certificate file names, I copied it to Vhosts_ispconfig.conf. Now Apache2 started successfully.

Question: where did the Vhosts_ispconfig.conf file go? It apparently was not re-created at a juncture when modifying the site configuration.

SSL is now up on the webmail site; the other sites are running as well. So, problem solved.

Diagnosis: The intermediate file is required for the GoDaddy cert.

The steps I ended up following to get SSL re-keying with GoDaddy to work in this one site (this is not ssl for the ispconfig admin site on :81) were:

1) Enter the directive

Code:
    SSLCertificateChainFile /var/www/web13/ssl/sf_bundle.crt

into the Apache Directives window on the Basis tab.
2) Note the exact country, region, etc. in the original request.
3) Delete the existing certificates with the Delete Certificates operation in the ispconfig panel.
4) Make sure that /var/www/web##/ssl was empty.
5) Generate a new csr using the same country, region, etc. as the original.
6) From a terminal, cat and then copy the certificate request, paste it into the re-key window from GoDaddy, and then download the rekeyed certificate files.
7) Unzip and transfer the new crt files to /var/www/web##/ssl
8) Restart apache2
This is not the correct procedure. Your crt file gets removed or overwritten as you have not used ispconfig to save it and ispconfig might now replace the signed certificate with the self signed one. The correct steps are:

6) Copy the csr from the csr field of the ispconfig web interface to GoDaddy and do not use a terminal for that.
7) Copy the content of the cert file that you received from GoDaddy into the certificate field in ispconfig, select "save" as action and click on save.
8) Not necessary.
Thank you Till, I had forgotten about that. Ssl is now set up via ispconfig, and it survives a restart, so all is OK.

Thanks again,
John