Can not enable SSL and HTTP/2 (ISPconfig 3.2 + Nginx + Ubuntu18.04)

Discussion in 'Installation/Configuration' started by skysky, Nov 18, 2020.

  1. skysky

    skysky Member

    Hi

    I installed the server using auto install script, and now running ISPconfig 3.2 + Nginx + Ubuntu18.04

    My website loads at http://www.mysite.com with no problem.

    Questions:
    1. I tried to enable https (I checked the SSL setting box as shown in the image), but when I load my site in https, it shows the "Welcome to nginx!" page instead of my website. I checked the vhost file (/etc/nginx/sites-available/mysite.com.vhost) and there is no 443 listen added to it. (why?)

    server {
    listen *:80;
    listen [::]:80;

    2. I also want to enable Nginx for HTTP/2 support for all sites by following this guide:
    https://www.digitalocean.com/commun...-up-nginx-with-http-2-support-on-ubuntu-18-04

    How should I enable this in ISPconfig? Should I add the code below via ISPconfig Nginx Directive Snippets, then add it to each site via the option setting?

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
     


  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    HTTP/2 should be supported by default when SSL is enabled. For SSL to work, you need to enable SSL and install an SSL certificate. You can get a free one from Let's Encrypt by checking the checkbox for Let's Encrypt. Or upload one under the "SSL" tab of your website.
    It is also possible to generate a self signed certificate, by going to the SSL tab and choosing the action "create certificate". But this cert won't be trusted by browsers so it will show a warning.
     
  3. skysky

    skysky Member

    Thanks so much for the tips. It works perfectly now. I was confused by an old document.

    All I need to do to enable https and http2 is:
    for my localhost test site: check the SSL box, and in SSL tab select Create Cert
    for live site: checking the checkbox for Let's Encrypt

    I thought checking the SSL box would auto-create the self-signed SSL cert, and I was wrong.
     
    Th0m likes this.
  4. Taxi

    Taxi Member

    Do I understand it correctly, that I only have to install the letsencrypt certbot and other packages of the OS and check the two checkboxes: SSL and Let's Encrypt SSL in the Domain Tab of ISPConfig in order for https to work?
    I did so and unfortunately I'm getting the error:
    Secure Connection Failed
    An error occurred during a connection to beamtenfilz.de. SSL received a record that exceeded the maximum permissible length.
    Error code: SSL_ERROR_RX_RECORD_TOO_LONG
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
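
Added example, not part of the thread: one common cause of SSL_ERROR_RX_RECORD_TOO_LONG is a port that answers in plain HTTP where the browser expects TLS (an assumption here; the thread does not confirm it for this server). The sketch reads the first five bytes of a reply as a TLS record header, which shows where the oversized length comes from. All sample bytes are constructed.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record TLS 1.2 permits

def classify_reply(data: bytes) -> dict:
    """Read the first bytes of a server reply the way a TLS client would."""
    if len(data) < 5:
        return {"verdict": "too-short", "length": None}
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return {"verdict": "tls", "type": CONTENT_TYPES[ctype], "length": length}
    if data.startswith(b"HTTP/"):
        verdict = "plaintext-http"      # status line of an ordinary HTTP reply
    elif data.lstrip().startswith(b"<"):
        verdict = "plaintext-html"      # bare HTML error page without headers
    else:
        verdict = "not-tls"
    return {"verdict": verdict, "length": length,
            "record_too_long": length > MAX_RECORD_LEN}

# Constructed sample replies (not captured from any server in the thread).
SAMPLES = {
    "tls handshake": bytes.fromhex("160303007a") + b"\x02" * 8,
    "tls alert": bytes.fromhex("15030300020228"),
    "http error": b"HTTP/1.1 400 Bad Request\r\nServer: example\r\n\r\n",
    "bare html": b"<!DOCTYPE HTML PUBLIC>",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:14} {classify_reply(reply)}")
```

The letters "HTTP/" read as a record header give a length of 20527 bytes, above the TLS limit, which is what the browser message reports.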
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  6. Taxi

    Taxi Member

    Many thanks Th0m for your quick reply!
    I got through the FAQ and followed the steps.
    I deleted the certificates. The key field was still filled with the key. I deleted that one also, I unchecked the SSL and Let's Encrypt SSL boxes and saved the config. After saving I checked that the SSL tab had no entries at all. Then I checked the Let's Encrypt SSL and SSL boxes and saved again. Then I tested with https://domain1.de and also https://cloud.domain1.de
    Unfortunately I'm getting the same error as mentioned above.
    http://cloud.domain1.de works.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Are there any related logs under Monitor -> System Log?
     
  8. Taxi

    Taxi Member

    Unfortunately not.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the content of the vhost file for that domain?
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  11. Taxi

    Taxi Member

    I tried to generate a certificate manually with the following command. Unfortunately I couldn't find the certificate.

    malta12:/var/www/rothmedia.de/web# certbot-auto certonly -w /var/www/rothmedia.de/web -d rothmedia.de -d www.rothmedia.de -d cloud.rothmedia.de
    Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
    Hit:1 http://repo.mysql.com/apt/debian buster InRelease
    Hit:2 http://deb.debian.org/debian testing InRelease
    Hit:3 http://deb.debian.org/debian testing-updates InRelease
    Hit:4 http://deb.debian.org/debian-security testing-security InRelease
    Reading package lists... Done
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Note, selecting 'python-is-python2' instead of 'python'
    Note, selecting 'python-dev-is-python2' instead of 'python-dev'
    Package python-virtualenv is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package 'python-virtualenv' has no installation candidate
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should never use the certbot command manually. This can break the integration with ISPConfig.

    Did you install your system according to the perfect server guide? Maybe you missed a step?
     
  13. Taxi

    Taxi Member

    <Directory /var/www/cloud.rothmedia.de>
    AllowOverride None
    Require all denied
    </Directory>

    <VirtualHost 85.25.213.11:80>


    DocumentRoot /var/www/clients/client1/web9/nextcloud

    ServerName cloud.rothmedia.de
    ServerAdmin [email protected]


    ErrorLog /var/log/ispconfig/httpd/cloud.rothmedia.de/error.log



    <Directory /var/www/cloud.rothmedia.de/nextcloud>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>
    <Directory /var/www/clients/client1/web9/nextcloud>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
    <Directory /var/www/cloud.rothmedia.de/nextcloud>
    Options +ExecCGI
    </Directory>
    RubyRequire apache/ruby-run
    #RubySafeLevel 0
    AddType text/html .rb
    AddType text/html .rbx
    <Files *.rb>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    <Files *.rbx>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    </IfModule>

    <IfModule mod_perl.c>
    PerlModule ModPerl::Registry
    PerlModule Apache2::Reload
    <Directory /var/www/cloud.rothmedia.de/nextcloud>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Directory /var/www/clients/client1/web9/nextcloud>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Files *.pl>
    SetHandler perl-script
    </Files>
    </IfModule>
    <IfModule mod_python.c>
    <Directory /var/www/cloud.rothmedia.de/nextcloud>
    <FilesMatch "\.py$">
    SetHandler mod_python
    </FilesMatch>
    PythonHandler mod_python.publisher
    PythonDebug On
    </Directory>
    <Directory /var/www/clients/client1/web9/nextcloud>
    <FilesMatch "\.py$">
    SetHandler mod_python
    </FilesMatch>
    PythonHandler mod_python.publisher
    PythonDebug On
    </Directory>
    </IfModule>

    # cgi enabled
    <Directory /var/www/clients/client1/web9/cgi-bin>
    AllowOverride All
    Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client1/web9/cgi-bin/
    <FilesMatch "\.(cgi|pl)$">
    SetHandler cgi-script
    </FilesMatch>
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web9 client1
    </IfModule>
    <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client1/web9/cgi-bin>
    Require all granted
    </Directory>
    <Directory /var/www/cloud.rothmedia.de/nextcloud>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client1/web9/nextcloud>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client1/web9/cgi-bin/php-fcgi-85.25.213.11-80-cloud.rothmedia.de
    FastCgiExternalServer /var/www/clients/client1/web9/cgi-bin/php-fcgi-85.25.213.11-80-cloud.rothmedia.de -idle-timeout 300 -socket /var/lib/php7.4-fpm/web17.sock -pass-header Authorization -pass-header Content-Type
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.4-fpm/web17.sock|fcgi://localhost//var/www/clients/client1/web9/nextcloud/$1
    <Directory /var/www/clients/client1/web9/nextcloud>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web17.sock|fcgi://localhost"
    </If>
    </FilesMatch>
    </Directory>
    </IfModule>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web9 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client1/web9/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client1/web9/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>




    </VirtualHost>
     
  14. Taxi

    Taxi Member

    Well, as far as I remember, yes. The ISPConfig management site on port 8080 is working with a self-signed certificate under https://
    And also webmail under Roundcube is working with SSL only with the same certificate.
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You say you are using nginx but this is an Apache vhost. Are you using Apache instead of nginx? Did you configure this correctly in ISPConfig?
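
Added example, not part of the thread and not ISPConfig code: the check done by eye in this thread (no 443 listen in the nginx vhost, only a :80 VirtualHost in the Apache one) written as a small script that accepts either format. The sample configs, the address 192.0.2.10 and the certificate path are constructed placeholders.

```python
import re

def audit_vhost(text: str) -> dict:
    """Summarise listeners, TLS, HTTP/2 and certificate lines in a vhost file."""
    ports, tls_ports, http2, cert = set(), set(), False, False
    apache_ports = []  # ports of the <VirtualHost> block currently being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        low = line.lower()
        nginx = re.match(r"listen\s+([^\s;]+)([^;]*);", line)
        apache = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if nginx:  # e.g. "listen [::]:443 ssl http2;"
            port, flags = nginx.group(1).rsplit(":", 1)[-1], nginx.group(2).split()
            ports.add(port)
            if "ssl" in flags:
                tls_ports.add(port)
                http2 = http2 or "http2" in flags
        elif apache:  # e.g. "<VirtualHost 192.0.2.10:80>"
            apache_ports = [a.rsplit(":", 1)[-1] for a in apache.group(1).split()]
            ports.update(apache_ports)
        elif low.startswith("</virtualhost"):
            apache_ports = []
        elif re.match(r"sslengine\s+on\b", low):
            tls_ports.update(apache_ports)
        elif re.match(r"protocols\s.*\bh2\b", low):
            http2 = True
        elif re.match(r"(ssl_certificate|sslcertificatefile)\s", low):
            cert = True
    return {"ports": sorted(ports), "tls_ports": sorted(tls_ports),
            "http2": http2, "certificate": cert}

# Constructed samples modelled on the configs quoted in the thread.
NGINX_HTTP_ONLY = "server {\n listen *:80;\n listen [::]:80;\n}\n"
NGINX_TLS = ("server {\n listen *:80;\n listen 443 ssl http2;\n"
             " listen [::]:443 ssl http2 ipv6only=on;\n"
             " ssl_certificate /path/to/placeholder.crt;\n}\n")
APACHE_HTTP_ONLY = ("<VirtualHost 192.0.2.10:80>\n ServerName cloud.example.test\n"
                    "</VirtualHost>\n")

if __name__ == "__main__":
    for name, sample in [("nginx http only", NGINX_HTTP_ONLY), ("nginx tls", NGINX_TLS),
                         ("apache http only", APACHE_HTTP_ONLY)]:
        print(name, audit_vhost(sample))
```

An empty `tls_ports` list means the panel never wrote a TLS listener for the site, so the next place to look is the certificate and SSL settings in ISPConfig, not the browser.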
     
  16. Taxi

    Taxi Member

    No, I just jumped into this thread. I thought not to begin another one, because I have similar issues. I'm using ISPConfig 3.2.1 with Debian Testing Bullseye, PHP 7.4 and Apache 2.4.46. In the ISPConfig configuration file, apache is entered as the web server.
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You are indeed using Debian testing.
    Code:
    Hit:2 http://deb.debian.org/debian testing InRelease
    Hit:3 http://deb.debian.org/debian testing-updates InRelease
    Hit:4 http://deb.debian.org/debian-security testing-security InRelease
    Debian buster is supported, but I have seen no info that Debian testing is supported. So my guess is it just plain does not work.
    And you have confused me and @Th0m with your thread hijacking.
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please don't, as you can see it can confuse us and it can spam the OP with notifications for no reason. Instead open a new thread and eventually refer to this one.
     
  19. Taxi

    Taxi Member

    Sorry for that. I'll try to downgrade to php7.3 and do an update on ISPConfig and hopefully it will all work as supposed.
    I'm really happy and impressed about your work on ISPConfig. I used for a couple of years ispCPOmega and am happy with this new and fresh looking Server Management Tool!
     
    Th0m likes this.
  20. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Thanks for your kind words! If it doesn't work, don't hesitate to open a new thread :)
     
