Cannot connect to website with https

Discussion in 'ISPConfig 3 Priority Support' started by LinuxPete, Oct 22, 2015.

  1. LinuxPete

    LinuxPete Member

    Hi,
    I'm building a system using "the perfect server Centos 7 - NGINX, Dovecot, postfix, mysql, ispconfig3...."
    The problem is that I cannot get my website to work with https. It does work with http.
    I can reach ISPConfig3 and phpMyAdmin with https but the host website gives me an "unable to connect."
    I've checked ispconfig.vhost and it has ssl enabled:
    ispconfig.vhost: ssl on;
    ispconfig.vhost: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ispconfig.vhost: ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
    ispconfig.vhost: ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;

    But it is not enabled for the website.
    The SSL checkbox is checked for the domain.
    I've tried deleting and recreating the certificate in ispconfig3 without any luck.
    I know if I put it in manually, it will get overwritten the next time I make a change.
    Are there any ideas to get this working?
    Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Could not connect can also be a firewall problem (port 443 is closed) or apache is not listening on port 443 at all. Does the vhost file of the website (not the one of ispconfig) contain 2 vhost sections, one for port 80 and a second one for port 443? Is apache listening on port 443 (check with netstat -ntap) and is the port 443 open (check with iptables -L)?
     
  3. LinuxPete

    LinuxPete Member

    Thanks Till,
    I'm using nginx.
    I did: # iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    But: # iptables -L "shows nothing"
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:https

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    # netstat -tap| grep 443 - "show no output"
    # netstat -tap | grep -i http
    tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 2971/nginx: master
    tcp6 0 0 [::]:http [::]:* LISTEN 2971/nginx: master
    tcp6 0 0 localhost:http localhost:49513 TIME_WAIT -

    I am sitting behind a router so I deleted the port forwarding on 443 and re-added it. Port 80 works because I can get to my site with http.

    I checked SELINUX
    SELINUX=disabled

    MyDomain in /etc/nginx/sites-available/mydomain.com.vhost does not have two sections.
    Here is my nginx directive (I'm also setting up owncloud) for MyDomain.com:
    upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
    }

    server {
    listen 80;
    server_name MyDomain.com;
    # enforce https
    return 301 https://$server_name$request_uri;
    }

    server {
    listen 443 ssl;
    server_name MyDomain.com;

    ssl_certificate /var/www/clients/client1/web5/ssl/MyDomain.com.crt;
    ssl_certificate_key /var/www/clients/client1/web5/ssl/MyDomain.com.key;

    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;

    # Path to the root of your installation
    root /var/www/clients/client1/web5/web/;
    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
    }

    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
    deny all;
    }

    location / {
    # The following 2 rules are only needed with webfinger
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
    rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    try_files $uri $uri/ /index.php;
    }

    location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the location ~ \.php(?:$|/) { block
    location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    # Optional: Don't log access to assets
    access_log off;
    }

    # Optional: Don't log access to other assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
    }
    }
    }

    Out of desperation I even rebooted the box.
    Do you have any other ideas?
    Thanks
     
  4. LinuxPete

    LinuxPete Member

    Let me point out that after doing some research I found I did not have a firewall record for the server.
    I added a FW record and included port 443. However, netstat -nap does not show port 443.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok, the two sections are only for apache servers.

    Is this what you put in the nginx directives field? This is a complete nginx server configuration and not just the rules required for owncloud. If you entered this then nginx could not load it as it contains a lot of duplicate config that is already defined in the nginx configuration of this site, and this therefore causes nginx to reject the ssl activation, as no new actions will be performed until the invalid extra config is removed.

    The first step is to remove everything that you added in the nginx directives field and then press save and wait a minute. Then check if ssl works. Then you can add back only the URL rewrites from the config above, e.g. the ones for caldav.
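
A pre-check for text destined for the nginx directives field, as an added example that is not part of the original post or ISPConfig's own code: it flags nested `server`/`upstream` blocks and directives assumed to be set already by the panel-generated vhost, and collects the server-level rewrites that can be added back. The function name, the directive lists and the sample snippet are assumptions constructed for illustration, and it assumes the field's content ends up inside the site's `server` block.

```python
import re

# nginx accepts these blocks only at http/main level, never nested inside server { }.
FOREIGN_BLOCKS = {"server", "upstream", "http"}
# Assumption: directives the panel-generated vhost already defines for the site.
PANEL_OWNED = {"listen", "server_name", "root",
               "ssl_certificate", "ssl_certificate_key"}

# Constructed sample: a cut-down "complete server config" of the kind pasted above.
SAMPLE = """\
upstream php-handler {
    server 127.0.0.1:9000;
}
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /path/to/example.test.crt;
    root /path/to/web/;
    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    location / {
        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
        try_files $uri $uri/ /index.php;
    }
}
"""

def lint_directives(text):
    """Return (findings, rewrites). Line-oriented: expects one directive per line."""
    findings, rewrites, stack = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name = re.split(r"[\s{;]", line, maxsplit=1)[0]
        if line.endswith("{"):                        # a block opens on this line
            if name in FOREIGN_BLOCKS:
                findings.append((lineno, name, "block cannot be nested in a server block"))
            stack.append(name)
        elif line == "}":
            if stack:
                stack.pop()
        elif name in PANEL_OWNED:
            findings.append((lineno, name, "assumed already set by the generated vhost"))
        elif name == "rewrite" and "location" not in stack:
            # Rewrites inside a location need that location block; review them by hand.
            rewrites.append(line)
    return findings, rewrites

if __name__ == "__main__":
    problems, keep = lint_directives(SAMPLE)
    for lineno, name, why in problems:
        print(f"line {lineno}: {name}: {why}")
    print("\n".join(keep))
```
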
     
  6. LinuxPete

    LinuxPete Member

    That's exactly what the problem was. Once I got rid of all the extra info and trimmed it down to just the rewrites, I was able to get in with https. And 443 started showing up with netstat -nap.

    The nginx directives came from owncloud.org for an nginx installation. So what I get out of this is that the install must be tailored not just for nginx, but also for ISPconfig3. You can mark this solved.
    Thanks again.
    Till
     
