When you run the autoinstall script, do you do absolutely nothing before? Like for example fixing hostname in hosts, dash to sh, update/upgrade.
Well, now I arrived at the actual ISPConfig setup. Bloody amazing. The learning is to do absolutely nothing before the auto-install script. This time I did update the apt source list and made an update and an upgrade, and it did work. But next time, I will do nothing.
I did not install the following
Code:
    apt-get -y install bzip2 p7zip xz-utils lzip rar unrar-free goaccess
    apt-get -y install rename

I did not install ntp
Code:
    apt-get -y install ntp ntpdate
    systemctl enable ntp

I did not enable quota
Code:
    UUID=31d10185-b8cd-4e1e-b67e-2f63b4fcb8a5 / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
    mount -o remount /
    quotacheck -avugm
    quotaon -avug

I did not install the firewall csf.
I did not set LANG env var
Code:
    export LANGUAGE=en_US.UTF-8
    export LANG=en_US.UTF-8
    export LC_ALL=sv_SE.UTF-8

I did not put our own caching dns server in /etc/resolve.conf
I did not prohibit pw ssh login.
That should be about it when I compare my notes.
...and since I did not install csf I did not install the following
Code:
    apt-get install liburi-encode-perl
    apt-get install libwww-perl liblwp-protocol-https-perl unzip
    apt-get install ipset
And, nota bene, all of the above I actually did when I installed a www server with the auto-install script last week. This time I just followed my notes from that install.
Wait, you followed the whole guide and then ran the script? You don't have to do anything from the perfect server guide when using the script.
Well, yes, that is the finding I believe. I have another problem now that I am struggling with, it looks like it is a cert problem. I can't connect to the ISPConfig portal, https://ic.etableraweb.com:8080. It seems to have a self-signed cert, not a le cert. I noticed that ISPConfig now uses acme, with my previous install there was certbot, so I am a bit lost now. And, it should be possible to connect to a self-signed cert as well, but both Safari and Vivaldi (chromium) refuse to connect and they do not give me the option to bypass. Edit: I might be wrong that it used to be certbot, but nevertheless, so far I am lost.
I have looked through the log files of the auto-install, and there is this line there
Code:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
    Checking / creating certificate for ic.etableraweb.com
    Using certificate path /etc/letsencrypt/live/ic.etableraweb.com
    Using apache for certificate validation
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.

The file /usr/local/ispconfig/interface/ssl/ispserver.crt does exist when I look now, but all are owned by root, if that matters.
Code:
    root@ic:/usr/local/ispconfig/interface/ssl# ls -la
    total 36
    drwxr-x--- 2 root root 4096 Mar 4 21:09 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Mar 4 21:09 ..
    -rwxr-x--- 1 root root 45 Mar 4 21:09 empty.dir
    -rwxr-x--- 1 root root 2159 Mar 4 21:09 ispserver.crt
    -rwxr-x--- 1 root root 1760 Mar 4 21:09 ispserver.csr
    -rwxr-x--- 1 root root 3243 Mar 4 21:09 ispserver.key
    -rwxr-x--- 1 root root 3311 Mar 4 21:07 ispserver.key.secure
    -rwxr-x--- 1 root root 5402 Mar 4 21:09 ispserver.pem
I copied the certs from .acme.sh/ic.etableraweb.com to /usr/local/ispconfig/interface/ssl and now it works. Hence, the script failed to make this happen. How is this supposed to work? Should I soft link the certs to the acme certs? Furthermore, it seems dovecot and postfix are not using the le cert either:
Code:
    [root@009 ~]# openssl s_client -showcerts -connect ic.etableraweb.com:993 | openssl x509 -enddate -noout
    depth=0 C = SE, ST = NA, L = Stockholm, O = Ikasp AB, OU = Hosting, CN = ic.etableraweb.com, emailAddress = [email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = SE, ST = NA, L = Stockholm, O = Ikasp AB, OU = Hosting, CN = ic.etableraweb.com, emailAddress = [email protected]
    verify return:1
    notAfter=Mar 2 20:09:00 2031 GMT
    [root@009 ~]# openssl s_client -showcerts -connect ic.etableraweb.com:465 | openssl x509 -enddate -noout
    depth=0 C = SE, ST = NA, L = Stockholm, O = Ikasp AB, OU = Hosting, CN = ic.etableraweb.com, emailAddress = [email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = SE, ST = NA, L = Stockholm, O = Ikasp AB, OU = Hosting, CN = ic.etableraweb.com, emailAddress = [email protected]
    verify return:1
    notAfter=Mar 2 20:09:00 2031 GMT
There is a bug in ISPConfig that breaks the issuing on install, run
Code:
    ispconfig_update.sh --force
and let the installer generate a new cert.
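A check for what each service actually presents after re-running the installer, keyed on the `verify error:num=` lines that `openssl s_client` printed in the posts above. This is an added example, not part of the thread or of ISPConfig: the function names and the sample text are made up here, and the ports are the ones mentioned in the thread (8080, 993, 465).

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig).

# classify_handshake: read `openssl s_client` output (stdout and stderr) on
# stdin and print one verdict. It keys on the numeric code in
# "verify error:num=N:", because the wording after the number differs
# between OpenSSL releases while the number does not.
classify_handshake() {
    _out=$(cat)
    _code=$(printf '%s\n' "$_out" |
        sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    case "$_code" in
        18) echo "self-signed" ;;            # leaf certificate signed by itself
        19) echo "self-signed-in-chain" ;;   # untrusted self-signed root in chain
        20|21) echo "untrusted-issuer" ;;    # issuer missing from the trust store
        10) echo "expired" ;;
        "")
            if printf '%s\n' "$_out" | grep -q 'Verify return code: 0 (ok)'; then
                echo "trusted"
            else
                echo "unknown"               # no handshake, or no verdict printed
            fi ;;
        *) echo "verify-error-$_code" ;;
    esac
}

# check_service HOST PORT: -servername sends SNI, and </dev/null closes the
# session after the handshake so the command returns instead of waiting.
check_service() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        classify_handshake
}

# Constructed samples, shaped like the s_client output quoted in the thread.
SAMPLE_SELF_SIGNED='depth=0 CN = host.example.test
verify error:num=18:self signed certificate
verify return:1'
SAMPLE_TRUSTED='depth=0 CN = host.example.test
verify return:1
    Verify return code: 0 (ok)'

# With a hostname argument, check the panel, IMAPS and SMTPS ports.
if [ "$#" -ge 1 ]; then
    for port in 8080 993 465; do
        printf '%s:%s %s\n' "$1" "$port" "$(check_service "$1" "$port")"
    done
fi
```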
Yes, now dovecot and postfix use the le cert as well. How is the ispconfig cert updated in /usr/local/ispconfig/interface/ssl?
Maybe add an autoinstaller switch to specify which ispconfig version to install? The latest nightly build should have that fixed.
There is already such an option (--channel -> Choose the channel to use for ISPConfig. --channel=<stable|dev>), but I strongly discourage anyone with a production system to use the nightly/dev builds.
I installed a Mailserver now with the auto-install script, and the same cert issue occurred during the ISPConfig setup.
Code:
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.