The good news is I installed Beta 2 on a fresh Debian 10 setup. I followed the Perfect Server tutorial and it all went spiffingly well apart from when it failed to get a Letsencrypt certificate for the server/control panel. It defaulted to a self-signed. The Letsencrypt log pointed to the failure to set up an account due to an invalid email address [postmaster@$hostname]. I'm pretty sure I inputted a valid address & FQDN whenever prompted elsewhere but can't exclude finger trouble. I then did the usual 3.1 trick of setting up a site and sharing its certificate. That worked so certbot appears to be working OK. Any ideas on where the missing address/hostname is? NB hostname -f displays expected FQDN. PS I discovered you have moved the favicon into the theme. Fixed that but it's worth a note on the changelog unless I missed it.
Thank you for reporting this. The issue has been fixed already a few days ago in git-develop branch. We will make a new beta 3, probably today which contains various other fixes as well.
Btw. the issue that you had is simply a quoting issue, the code uses single quotes but should have used double-quotes as PHP does not replace variables in strings that are quoted by single quotes.
Thank you. When I update will it automatically fix the issue or do I need to clear out the existing symbolic links to the shared certificate?
I'm not sure if this is the same issue - I just got the message and am just wrapping up for the day, so haven't looked more closely. I think I'm using the latest nightly. I'll try to reproduce the issue on Saturday if required. Thanks!
    Checking / creating certificate for foo.domain.tld
    Using certificate path /etc/letsencrypt/live/foo.domain.tld
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for foo.domain.tld: 127.0.0.1
    PHP Fatal error: Uncaught Error: Call to a member function simple_query() on null in /var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php:2841
    Stack trace:
    #0 /var/local/allinstall/ispconfig3-nightly/install/install.php(574): installer_base->make_ispconfig_ssl_cert()
    #1 {main}
    thrown in /var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2841
    root@foo:/var/local/allinstall/ispconfig3-nightly/install#
I know this is just a result of a failed installation. I tried to continue the installation by simply re-running install.php. That told me to run update.php. OK. The update.php script failed with the following:
    PHP Warning: include_once(/usr/local/ispconfig/server/lib/config.inc.php): failed to open stream: No such file or directory in /var/local/ispconfig/install/update.php on line 108
    PHP Warning: include_once(): Failed opening '/usr/local/ispconfig/server/lib/config.inc.php' for inclusion (include_path='.:/usr/share/php') in /var/local/ispconfig/install/update.php on line 108
    PHP Notice: Undefined variable: conf in /var/local/ispconfig/install/update.php on line 109
As seen in my last post, I was installing from a different folder. I just moved all files under /var/local/ispconfig, hoping the hardcoded lookup for the config file would find or create it. But it did not. My request here is not for a "fix" - again, I see what's happened. I'd like to know what should be done when an installation fails like this. Thanks!
Instead of running update.php after a failed install, run uninstall.php to clean up your system and then run install.php again. Uninstall may throw some errors depending on the stage at which the first installation failed, but it will clean things up as well as possible in that case.
Thanks for the tips. This process is working, even if the installation isn't.
    php -q uninstall.php
    rm -rf /usr/local/ispconfig
    mysql -u root -p
    DROP DATABASE dbispconfig;
From there a new installation can be started. But then we get to the same error. This is progress... I'll start looking into the error now until we see something else in this thread. Thanks!!
/var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php:2841
Change $inst to $this. Then it continues without fail. This might be obvious to others, but the server also needs to be available to the public during the install process, otherwise the cert fails to verify. I usually install with firewall blocking public access and then open it up as required after configuration. To rerun the cert process I ran update.php. This does a symlink for the other apps. The result (after opening ports) is a different cert, but then it's broken. This is from the browser page after refresh:
    Secure Connection Failed
    An error occurred during a connection to ns1.freakin.rocks:8080. SSL received a record that exceeded the maximum permissible length.
    Error code: SSL_ERROR_RX_RECORD_TOO_LONG
It seems the update adds to the existing cert chain (text block) rather than regenerating it. I'll continue to look at this.
I'm not understanding what the first highlighted line is telling us. This FQDN is in both /etc/hosts and defined in DNS. I can access the server using ns1.foo.bar. And I don't know if the ispserver.x files should be there or not. The current configuration results in the browser error SSL_ERROR_RX_RECORD_TOO_LONG, which Googling reveals is related to TLS 1.3? I've looked at the Apache configs but this is all new to me and now out of my scope of experience.
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for ns1.foo.bar
    Using certificate path /etc/letsencrypt/live/ns1.ns1.foo.bar
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for ns1.foo.bar: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for ns1.foo.bar
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
About the missing files, the problem seems to be that the links are self-referencing:
    Restarting services ...
    Update finished.
    root@ns1:/var/local/ispconfig/install# ll /usr/local/ispconfig/interface/ssl
    total 4
    -rwxr-x--- 1 root root 45 Sep 26 08:50 empty.dir*
    lrwxrwxrwx 1 root root 48 Sep 26 08:50 ispserver.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Sep 26 08:50 ispserver.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rwxr-x--- 1 root root 0 Sep 26 08:50 ispserver.pem*
    root@ns1:/var/local/ispconfig/install#
Apache should also be configured for TLS v1.3. The ISPConfig install makes a number of changes to default settings related to SSL. I don't yet know if we should modify ispconfig.vhost to enable SSLProtocol -TLSv1.3. I'll stop here and wait for other eyes on this. Thanks again. (I'm having fun with this.)
Use the current nightly build instead as it contains many bugfixes since beta2 incl. https://www.ispconfig.org/downloads/ISPConfig-3-nightly.tar.gz Besides that, if your system is not reachable from the internet, the installer falls back to a self-signed SSL cert automatically instead of using let's encrypt. Do not manually edit any files, there are no changes in any vhost files needed. The error is not only TLS 1.3 related, it is a general SSL failure message and just pops up due to the failed SSL creation on your system.
Regarding the issue in line 2841, I'll commit a fix in a few minutes, so this will be part of the next nightly build.
To re-run the install, I delete the database, delete 'live' certs, delete /usr/local/ispconfig, and delete related apache files. Then I download from nightly into /tmp, tar, install.php. Am I missing something? Despite these errors, the site is live, just with a self-signed cert. Progress! Thanks.
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
    Checking / creating certificate for ns1.foo.bar
    Using certificate path /etc/letsencrypt/live/ns1.foo.bar
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for ns1.foo.bar: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2857
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2860
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2863
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2865
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2866
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2867
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2868
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2869
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2870
    Using apache for certificate validation
    Unable to find renew-hook command letsencrypt_renew_hook.sh in the PATH. (PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin)
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ..............++++
    ........................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated into your certificate request.
It's to be expected that you get errors when you choose to ignore that no LE cert can be issued according to the automatic test. The symlink warnings should not be shown of course, we'll fix that before the final release. Your /etc/hosts file is wrong, the server hostname must not point to the localhost IP address, it must point to the 'external' IP address of your system.
With head hung low in embarrassment ... how could I have missed something so obvious. Sorry about that. Current /etc/hosts for my DNS1:
    127.0.0.1 ns1.foo.bar ns1 localhost.localdomain localhost
    1.2.3.5 ns2.foo.bar ns2
Will change to:
    127.0.0.1 localhost
    1.2.3.4 ns1.foo.bar # This is me=DNS1
    1.2.3.5 ns2.foo.bar # FQDN gets external address
    10.0.0.1 ns1 # hostnames get internal address
    10.0.0.2 ns2 # private addresses used for inbound MySQL
With that pattern it seems the same /etc/hosts can be copied around the network. I spent most of today dealing with MySQL issues when setting up DNS2. But that's not a part of this Beta2 exercise. On Sunday I will blow away the servers again and start over. Thanks as always.
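Added example, not part of any post in this thread and not ISPConfig's own code: a shell check for the condition described above, where the server FQDN is mapped to a loopback address in /etc/hosts and the installer's A/AAAA test then reports 127.0.0.1. The function names are hypothetical and the sample hosts file is constructed from the "current" entries in the post.

```shell
#!/bin/sh
# Added example; hosts_addrs_for, is_loopback and check_hosts_fqdn are hypothetical names.

# Print every address a hosts file assigns to the given name, one per line.
hosts_addrs_for() {
    name=$1; file=${2:-/etc/hosts}
    awk -v n="$name" '
        { sub(/#.*/, "") }        # strip trailing comments
        NF < 2 { next }           # skip blank and address-only lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(n)) { print $1; next } }
    ' "$file"
}

# Succeed when the address is loopback (127.0.0.0/8 or ::1).
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if the name maps only to non-loopback addresses,
# 1 if any mapping is loopback, 2 if the name has no entry at all.
check_hosts_fqdn() {
    name=$1; file=${2:-/etc/hosts}
    addrs=$(hosts_addrs_for "$name" "$file")
    [ -n "$addrs" ] || { echo "$name: no entry in $file"; return 2; }
    for a in $addrs; do
        if is_loopback "$a"; then
            echo "$name -> $a (loopback, certificate validation will fail)"
            return 1
        fi
    done
    echo "$name -> $(echo $addrs)"
    return 0
}

# Constructed sample: the hosts file as it was before the correction.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 ns1.foo.bar ns1 localhost.localdomain localhost' \
              '1.2.3.5 ns2.foo.bar ns2' > "$sample"
check_hosts_fqdn ns1.foo.bar "$sample" || true
rm -f "$sample"
```

On a real server, call `check_hosts_fqdn "$(hostname -f)"` before starting the installer.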
It seems you did not stick to the installation instructions. I guess you executed
Code:
    php -q install/update.php
instead of changing to the correct directory by
Code:
    cd install ; php -q update.php
That leads to incorrect working directory inside the installer.
Hi, me again. I did the Nightly update (0928). When it asked if I wanted a new certificate I answered 'yes'. I expected this to overwrite the 'old trick' of symlinking to a shared site SSL. It did - but it created a symlink to itself and hence no certificate could be found for the control panel and connection was refused. The Control Panel was inaccessible. Couldn't use http as that is disabled. I mention this because if it is repeatable it could cause an upgrade error for 3.1 users who, like me, used that trick. I'm guessing that may be quite a lot. I had to truncate and restore the original database and symlinks to fix the issue.
That does not make any sense. Why restore the database? The issue with the symlink is a problem as this should already be fixed I thought. Are you using certbot or acme.sh? Edit: and did the installer create a *.bak file for the existing symlinks?
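Added example, not part of any post in this thread and not ISPConfig's own code: a shell check for the state reported twice above, where ispserver.crt and ispserver.key are symlinks pointing at themselves and ispserver.pem is zero bytes. The function names are hypothetical, the default directory is the one shown in the listing, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example; link_state and check_ssl_dir are hypothetical helper names.

# Print one of: ok, missing, empty, self-link, dangling
link_state() {
    p=$1
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        # Resolve a relative target against the link's own directory.
        case $target in
            /*) ;;
            *)  target=$(dirname "$p")/$target ;;
        esac
        if [ "$target" = "$p" ]; then echo self-link; return 0; fi
        # -e follows the link, so it fails when the target does not exist.
        [ -e "$p" ] || { echo dangling; return 0; }
    fi
    [ -e "$p" ] || { echo missing; return 0; }
    [ -s "$p" ] || { echo empty; return 0; }
    echo ok
}

# Report the three files from the listing; non-zero exit if any is unusable.
check_ssl_dir() {
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    bad=0
    for f in ispserver.crt ispserver.key ispserver.pem; do
        s=$(link_state "$dir/$f")
        echo "$f: $s"
        [ "$s" = ok ] || bad=1
    done
    return "$bad"
}

# Constructed demo directory reproducing the listing in the earlier post.
demo=$(mktemp -d)
ln -s "$demo/ispserver.crt" "$demo/ispserver.crt"
ln -s "$demo/ispserver.key" "$demo/ispserver.key"
: > "$demo/ispserver.pem"
check_ssl_dir "$demo" || echo "certificate files need attention"
rm -rf "$demo"
```

Running `check_ssl_dir` with no argument after an update shows whether the control panel certificate files are usable before the web server is restarted.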