Cannot assign valid SSL cert for new install.

Discussion in 'Tips/Tricks/Mods' started by Mikeal Wolfe, Aug 16, 2021.

  1. Mikeal Wolfe

    Mikeal Wolfe New Member HowtoForge Supporter

    Thanks @Chris_UK. I guess I am a little confused when you say to run the installer in "interactive mode". The problem I have is that the second server is already fully installed and running all services except the Panel on 8080. Is there a way to re-run the ISPConfig installer without messing everything up, so as to have the certificate re-issued? If there is a way to have the acme.sh client request a LE certificate without having to re-run the installer, I'll do that, but I think I read that the "symlinks" created by the installer script were basically the only reason why the installer/updater has to be re-run when requesting the initial SSL certs. To get a valid certificate on the secondary server, would it be possible to have the primary server (node01) use only IPv4 DNS records and only IPv6 DNS records for the secondary server (node02)? Or should I just de-activate node02 until I have my business circuit installed, with plenty of public IPs and a proper firewall? This is only a proof of concept for funding, and SSL seems to be my only issue. The production environment will not have the limitations of my current environment. Does what I am saying make sense?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Somewhat unconventional, but that actually should work. The issue is just getting a port 80 connection to your second box.
     
    Mikeal Wolfe and ahrasis like this.
  3. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    To run interactively you add a parameter to the install command before you run it: --interactive. There are others; to find those, add --help.

    acme.sh was not configured by the installer to use Let's Encrypt, since the change in acme.sh defaulted to another provider; that is why we have all been having trouble with fresh installs. It's been fixed in the dev channel, to be pushed to master on the next release.

    For now the workaround for those of us already installed is to run a forced update.

    Code:
    ispconfig_update.sh --force
    Choose "nightly" when prompted. You should be able to just accept all of the defaults until you get to the SSL prompt, which you should answer yes to.

    Regarding my previous response:
    I am behind a NAT router, with a single public IP address and NAT rules to port-forward to the services.
    This, for a long time, prevented me from getting LE certs for my secondary servers, because they had no web server to use to get their cert.

    I worked around this by using NFS.
    web1: NFS host server
    mx1: NFS client server

    The bottom line is this: for a server that cannot get a cert in the normal way, for the reasons I stated, I "hand off" the acme challenge to the public-facing web server.

    This is the flow of events for this workaround.
    1. web1 - shares ("exports") its acme directory.
    2. mx1 - mounts the shared acme directory over its own acme directory.
    3. mx1 - acme.sh requests the cert.
    4. web1 - receives the acme challenge.
    5. mx1 - acme.sh challenge passed; cert created.
    6. mx1 - unmounts the share.
    Now mx1 has a valid certificate for its mail services.

    To see exactly how I managed this https://www.howtoforge.com/community/threads/le-certs-for-secondary-servers.87329/#post-425292
     
    Last edited: Aug 20, 2021
    Mikeal Wolfe likes this.
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You don't have to rely on NFS, as you can on the other hand use the DNS challenge, and it should work right away if the plugin is correctly set.

    I am using CF as my domain DNS server, and setting up its plugin is very easy, though to note, I am still using certbot.

    I discussed the use of the DNS challenge in the tips and tricks board quite some time ago, but it should still work whether with certbot or acme.sh, with the note that the latter has a lot more to offer in terms of DNS plugins.

    The only thing to do manually, that is, is to add the hook link in its renewal conf file, so that it will auto-create and renew ispserver.pem and extend it to all other services; this is quite easy, as you can refer to the one in your primary server's LE renewal conf file as a sample.

    I hope I can write that down and share it with all of you, but I do not have extra time to do that properly, so do ask if you want to try it out.

    In my note the DNS challenge is the best for the server, be it web server or other.
     
    Mikeal Wolfe likes this.
  5. Mikeal Wolfe

    Mikeal Wolfe New Member HowtoForge Supporter

    Thanks @Chris_UK, I think I still understand what you're saying 100% (I could be wrong), but I do not think you understand what I am saying. I do not get prompted to request an SSL certificate on my second server when running "ispconfig_update --force": I select "nightly" for the build, reconfigure services, then it has me verify the SQL master node, port, login, pw, etc. Then, when it re-configures services and gets to the part where it would ask if you want to "request a new SSL cert", it skips right over it, saying "certificate is already installed: skipping", then moves on to re-configure cron, restarts the services, and finishes. Maybe I could rename the cert/chain files and remove the symlinks, but I do not know what can of worms that could potentially open up. I would configure the NFS server/client/share, but that would be for a fresh install, meaning I have to run the PHP uninstaller, delete the server from the panel, then start the re-install, which I am sure will not go as it should because of stale records missed during removal. Am I overthinking this way too much, or completely misunderstanding what you are suggesting I do? My secondary server runs WEB, MAIL, DNS, FILE, and DB services, and the DBs are configured as a Master/Master DB replication, not a Mirror. Am I missing something?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This is most of the time not possible if the second and other servers are behind the same NAT router; NFS as mentioned by @Chris_UK is one solution, other than the DNS challenge I mentioned above. The use of a reverse proxy, as I mentioned earlier, is the best option though.
     
    Mikeal Wolfe and Chris_UK like this.
  7. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Just to be clear, I am not recommending NFS over other options; for me it was the last resort when all else failed.
    Web for me too is a secondary server, the primary being ISPC, which runs on port 8080.

    When I am talking about NFS, "primary" is relative; it just means the one hosting the share, "secondary" being the client that mounts the share. I should probably stick with host:client.

    I am able to have both running publicly because of the three ports needed (web 80 and 443, panel 8080), but the primary has no standard HTTP port assigned to it in the router because, you know... NAT.

    DNS would be my first option if I did not need to manually add a new record, HTTP acme my second, then Nginx RP, and finally NFS. I did have nginx reverse proxying for a while; I just can't recall why I stopped using that method.

    I have actually put the first name server back on my local network. NAT means a second can't be added, but to be honest it would also be pointless, so I have glued two NS to the same IP. So NFS will probably not be needed because, as far as I know, ISPC adds the DNS record?

    Oh I know, I am a total disgrace: two NS glues pointing to one server, I may bring the internet down!

    Still, for anybody who is:
    1. behind a NAT router
    2. doesn't want a local DNS server
    3. or to manually update DNS entries
    4. or to faff setting up nginx
    5. or to buy an SSL cert
    6. and can't get a LE cert otherwise, ...
    Wow, that's a whole lot of options to pass over, haha. Anyway, NFS is still an option if you REALLY have to use it.
     
    Mikeal Wolfe likes this.
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Yep, just remove the old self signed cert files, and rerun the installer.

    For your test setup, if you forwarded IPv4 port 80 to the first server and IPv6 port 80 to your second, and have DNS set accordingly, the verification should work.
     
    Mikeal Wolfe likes this.
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't think this step is needed with the newest fix in nightly.
     
    Mikeal Wolfe and Chris_UK like this.
  10. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Correct, it isn't needed. I've tested the install in multiple ways: one to force a self-signed cert so I could force update using nightly, and that just sorted the cert; the others were install only, but on various OSes, and all worked perfectly since acme.sh was set to use LE in the dev build.

    Hopefully that roll-out from dev to 3.2.6 stable will not be too far away, but it's still available right now for those installing in the interim; they just have to make sure to run the installer with the --channel=dev parameter, or else force update to nightly right after install. Both options work.
     
    Mikeal Wolfe likes this.
  11. Mikeal Wolfe

    Mikeal Wolfe New Member HowtoForge Supporter

    I want to thank @Chris_UK, @ahrasis, @Jesse Norell, @till, and @Th0m (hopefully I didn't miss anybody that played a role in assisting me). I did get both servers up and running all services without issue; however, that is only when I am off the residential line or using SMTP relays, reverse proxies, etc. And these configurations are going to be trashed very shortly when my business internet circuit is installed with all the IP addresses for all my servers and services. But I definitely wanted to thank you all, because I was able to resolve the initial issue I posted with a simple fix. With my extremely unique hardware configuration/design, and with an equally unique Debian 10 Lite 64-bit OS installation architecture because of the HW/network architecture, it rendered the "auto install script" (which is written beautifully) unusable for me. With my design, I was able to become very intimate with the setup and structure of ISPConfig 3.2.5, Dovecot, Postfix, MariaDB/MySQL, PureFTPD, RSPAMD, Let's Encrypt with acme.sh as the client, DNS, Apache2, and so much more. So, I very much appreciate you all assisting me. Thank you again!
    Mikeal
     
    Chris_UK, ahrasis and Th0m like this.
  12. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Hi Mikeal, I am very glad to see you have everything working correctly.

    Just a quick FYI: you may have a valid reason to dump all of the configurations you have made, but you may find that you do not have to.

    So far as I can see, the only thing that will really change for your network is plugging the servers into a new network. Of course you will now have dedicated IP addresses for all of your services, but I for one would be happy to help you manage the change-over when the time comes.

    It isn't really a big deal; here are the areas where you would need to change them.

    All hosts files on the servers
    MySQL master database.
    Code:
    mysql -h masterserversip -u root -p
    USE mysql;
    SELECT user, host FROM user WHERE user LIKE 'ispcsrv%' ORDER BY user, host DESC;
    
    The only records you will need to change will be the IP address lines.
    Code:
    UPDATE user SET host = 'NEW_IP' WHERE host = 'OLD_IP' AND user = 'ispcsrvX' LIMIT 1;
    X is the number of the ispcsrv user for the host; you should easily identify it because there is also a corresponding hostname record.
    Also note it's important that you use host = 'OLD_IP' in the WHERE clause: if you omit it, then the first record it finds matching the user will be changed (LIMIT 1), and this may be your hostname record for the server. You would then have two users using IP addresses, one for the old IP and one for the new, but no user for the hostname. This is not the desired result; you want to maintain the hostname record and alter the IP address record.

    Once you have changed all you need to:
    Code:
    FLUSH PRIVILEGES;
    You should be able to change server IPs within the ISPConfig panel once you have made those changes; if not, then you can do that in the master's ispconfig database.

    That should be all you need to do. If you decide to migrate services also, there are plenty of posts on here that reference how to do it.

    I have edited the post to clarify exactly what I meant.
     
    Last edited: Aug 26, 2021
    Mikeal Wolfe and ahrasis like this.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    @Chris_UK The ispcsrv* user is not only in the 'user' table; the user has fine-grained permissions set, so you can find it in other tables of the 'mysql' database too, and these must be altered as well. The easy way to do this consistently is to use the user editor in phpMyAdmin; it will alter all needed tables. Alternatively, you can do this by hand of course, but then you must alter the records in all other tables via SQL query too.
     
    Mikeal Wolfe, Chris_UK and ahrasis like this.
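Added example, not from this thread or from ISPConfig itself: the same host change done in a way that covers till's point (the ispcsrv* account has rows in the db/tables_priv/columns_priv grant tables, not only in mysql.user) and Jesse's point below about mysql.user being a view on newer MariaDB. RENAME USER rewrites the matching rows in every grant table in one statement and reloads the in-memory grants, so no FLUSH PRIVILEGES is needed afterwards. The account name 'ispcsrv2' and the addresses 192.0.2.10 (old) and 198.51.100.10 (new) are placeholders; the hostname-based ispcsrv2 row is deliberately left alone, as Chris_UK's post advises.

```sql
-- Run on the master as a privileged user (e.g. mysql -h masterserversip -u root -p).
-- Placeholders: 'ispcsrv2', '192.0.2.10' (old IP), '198.51.100.10' (new IP).

-- 1. Inventory every grant-table row tied to the slave accounts, so you can see
--    the hostname row and the IP row for each ispcsrvN and which tables hold them.
SELECT 'user' AS grant_table, User, Host FROM mysql.user WHERE User LIKE 'ispcsrv%'
UNION ALL
SELECT 'db', User, Host FROM mysql.db WHERE User LIKE 'ispcsrv%'
UNION ALL
SELECT 'tables_priv', User, Host FROM mysql.tables_priv WHERE User LIKE 'ispcsrv%'
UNION ALL
SELECT 'columns_priv', User, Host FROM mysql.columns_priv WHERE User LIKE 'ispcsrv%'
ORDER BY User, Host, grant_table;

-- 2. Move only the IP-bound account. RENAME USER updates user, db, tables_priv
--    and columns_priv together and refreshes the privilege cache, and it works
--    on MariaDB 10.4+ where mysql.user is a view over global_priv.
RENAME USER 'ispcsrv2'@'192.0.2.10' TO 'ispcsrv2'@'198.51.100.10';

-- 3. Verify: the new host has the expected per-table grants on dbispconfig,
--    and no grant-table row still references the old address.
SHOW GRANTS FOR 'ispcsrv2'@'198.51.100.10';

SELECT 'db' AS grant_table, User, Host FROM mysql.db WHERE Host = '192.0.2.10'
UNION ALL
SELECT 'tables_priv', User, Host FROM mysql.tables_priv WHERE Host = '192.0.2.10'
UNION ALL
SELECT 'columns_priv', User, Host FROM mysql.columns_priv WHERE Host = '192.0.2.10';
-- expected: empty result

-- 4. Leftover accounts from a retired range (the 192.x rows discussed below)
--    are removed the same way; DROP USER deletes all of that account's
--    grant-table rows at once. Uncomment after taking a backup.
-- DROP USER 'ispcsrv2'@'192.168.1.10';
```

If you instead edit the grant tables directly with UPDATE, as in the post above, you must repeat the UPDATE for db, tables_priv and columns_priv (and procs_priv if present) and only then run FLUSH PRIVILEGES; the account-management statements above avoid that by design.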
  14. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    I was aware of the users having permissions on various tables. I was not aware that the IP address change would affect those other functions. It's not changing the actual user here or its permissions, just the IP address that it can connect to the MySQL server from.

    I say this because I have moved servers to new IP addresses and only changed the ispcsrv users' host IP address as described above. Not seen any unusual behaviour with it either.
     
    Last edited: Aug 26, 2021
    Mikeal Wolfe likes this.
  15. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Okay, that's weird: I just scanned through the privs table, and with what I am seeing in it I don't actually know how the IP address change worked.

    I can say this though: that table needs a massive clear-out! It's got IP addresses from my old network range; I can tell because they are 192.x and I don't use that range any more.

    Still, it works, and my new range of IPs is in there. I must have reconfigured the services; I know I did during updates, but I don't recall doing it for an IP address change. Possibly I did both at the same time.

    So till, before I go clearing that out... firstly, I will not be a noob and will back up. But:

    is dropping all 192-range IPs from the privs table likely to affect anything?
     
    Mikeal Wolfe likes this.
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Not if you don't use them.

    You probably changed the user table to allow connections from your new ip, then answered yes to "reconfigure permissions in the master database" during an update, and ispconfig added permissions for your new ip.

    Note I believe this won't work on Debian 11, as the user 'table' is now a view (as of MariaDB 10.4, IIRC).
     
    Chris_UK and Mikeal Wolfe like this.
  17. Mikeal Wolfe

    Mikeal Wolfe New Member HowtoForge Supporter

    Thank you @Chris_UK and @till. I will most likely take you up on your offer @Chris_UK when my circuit is installed and I install the new physical and logical network for a true production environment. I am arguing with Comcast right now over pricing for the static IPs and how ridiculous their available upload/upstream bandwidth is. Anyway, I do have a quick question about my current environment. Both node01 and node02 are configured with all services ("Mail", "Web", "File", "DNS", and "DB"), with the exception of the ISPConfig web panel, which is only on the primary server, node01. For this to run, MySQL/MariaDB is configured in a "Master / Master" setup, with each server having both the "Master service" and "Slave service" running and synchronized. They are synced and running properly. But I need to change this setup so my transition to the new network will be a little less complicated. Is there a relatively simple way (I know it can't be just changing the "Is mirror of Server:" from "none" to "node01") of re-configuring the secondary server as a "Mirror" of node01, by somehow demoting or disabling MySQL/MariaDB's "Master service" so it only runs its "Slave service"? Then I can configure it as a Mirror Server in ISPConfig's System tab -> Server Services -> open node02's "Server Services" and change it to mirror server "node01". Any thoughts?
     
  18. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    That does seem very likely, Jesse; I don't think I've moved the servers when I wasn't already updating them.
     
  19. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    I am sure one of the devs will be better placed to answer that for you, though I think that might actually be it. Once you turn off mirror, ISPConfig should stop transferring data. I am not positive on that though; I believe that's how DNS servers work: you turn off mirroring and the secondary DNS server stops updating with DNS changes, and I see no reason it should be different in master/secondary mirroring.
     
    Mikeal Wolfe likes this.
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Check out the Migration Tool, which I think should do the job of separating each service onto different servers.
     
    Mikeal Wolfe and Chris_UK like this.