I thought maybe the ispconfig_update would help updating from p2 to p3, but now I'm down COMPLETELY!!! I put in a passphrase when asked for a phrase for the ns9.cdbsystems.com:443 as I told it to redo the SSL cert from ispconfig and now http cannot run. Fails completely. systemctl status httpd gives me failed to start apache server. When I try to run it manually /usr/sbin/httpd it gives! password entry required for 'Enter SSL pass phrase for ns9.cdbsystems.com:443' and the password I entered does not work. It talks about a systemd-tty-ask-password-agent tool. How do I disable this and let httpd come up???
Rerun the update:

Code:
cd /tmp
wget https://www.ispconfig.org/downloads/ISPConfig-3.1.15p3.tar.gz
tar xvfz ISPConfig-3.1.15p3.tar.gz
cd ispconfig3_install/install
php -q update.php

and this time, don't enter a password when you create a new SSL cert for the ISPConfig GUI.
ah both the above are a big NO!!!!!
1) rerunning the update won't work, 'says there are no updates to 15p3'
2) Till, I did as you say, ran all the steps, did NOT put a passphrase at 'Enter SSL pass phrase' and completed. httpd won't start, same error asks for phrase. Running /usr/sbin/httpd still has 'password entry required for 'Enter SSL pass phrase for ns9.cdbsystems.com:443 (RSA)' and systemctl restart httpd still asks Enter SSL pass phrase for ns9.cdbsystems.com:443 (RSA):
I'm truly hosed
Till, above was the php -q update run in install folder. I did not put any challenge password - but httpd still asks for one. Is it in the vhost file for ns9.cdbsystems.com I assume? Or in ispconfig somewhere? All websites down
What kind of SSL cert did you use before for the ns9? Was it an LE cert? If yes, then you can not generate a new cert using the ispconfig updater as an LE cert is a manually configured symlink outside of ispconfig. Probably in the ispconfig.vhost. But I don't know your exact setup, so might be that the ns9 vhost is affected too.
I redid the LE process as per here:

Code:
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

but nothing changes. All sites down. /usr/sbin/httpd still demands a phrase. People are starting to notice! What a day. Maybe a bit of documentation in the updater script? Add a 'IF YOU USE LE YOU WILL WRECK SYSTEM' note? Or "NEVER ADD A PASSPHRASE BELOW OR YOU ARE HOSED"? <trying to see humour in situation> So .. how do I dig myself out?
This would be plain wrong as it does not cause any damage under normal circumstances on systems that are installed according to perfect server guide. Disable the symlinks of the ns9 vhost and ispconfig vhost in apache sites-enabled directory and then restart apache. When the sites are up again, check if the paths to the ssl certs in those two files are correct and if any of them points to a password protected cert.
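The check suggested in the post above (does a vhost's key path point to a password-protected key?), as an added example that is not part of the original thread. The function names are hypothetical and the vhost directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): list the private keys that Apache vhost
# files reference and flag the ones that need a pass phrase at startup.
# Function names are hypothetical; the vhost directory is passed as an argument.

# Return 0 if the PEM key file $1 is encrypted.
key_is_encrypted() {
    # PKCS#8 keys use their own header; traditional keys add a Proc-Type line.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# Print "STATUS<TAB>vhost<TAB>configured key<TAB>resolved target" for every
# active SSLCertificateKeyFile directive in the files of directory $1.
scan_vhosts() {
    for vhost in "$1"/*; do
        [ -f "$vhost" ] || continue
        # Directive names are case-insensitive; commented lines do not match.
        awk 'tolower($1) == "sslcertificatekeyfile" { print $2 }' "$vhost" |
        while read -r key; do
            key=${key%\"}; key=${key#\"}         # drop optional quotes
            target=-
            if [ ! -r "$key" ]; then
                status=MISSING
            else
                target=$(readlink -f -- "$key")  # follow symlinks to the real file
                if key_is_encrypted "$key"; then status=ENCRYPTED; else status=OK; fi
            fi
            printf '%s\t%s\t%s\t%s\n' "$status" "$vhost" "$key" "$target"
        done
    done
}

# Return 0 if any vhost in directory $1 references an encrypted key.
has_encrypted_key() {
    scan_vhosts "$1" | grep -q '^ENCRYPTED'
}

# Usage: sh check_vhost_keys.sh /etc/apache2/sites-enabled
if [ "$#" -gt 0 ]; then
    scan_vhosts "$1"
fi
```

A line marked ENCRYPTED names the vhost that makes the web server prompt for a pass phrase, and the last column shows where a symlinked key really lives.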
Only ispconfig.conf and ispconfig.vhost have current date Sept 1. ns9 has not been altered today... I've moved 100-isp* and 000-isp* out of sites-enabled and sites-available up one folder but httpd still won't start.
First, try removing the /etc/apache2/sites-enabled/000-ispconfig.vhost symlink and see if apache will start. If so, customer sites are up and you can work on the certificate for the panel.
This does not matter as it might be that you replaced the SSL cert of the ns9 site through their symlinks with a different SSL cert.
And I asked you to remove the ns9 and ispconfig vhost symlinks only and not 000-isp* as this would remove the ispconfig.conf symlink as well which might cause your other sites to fail.
Now roundcube says can't connect to storage database. I'm truly $*$@ed. I just moved the 000-links one level higher. Didn't remove them. The pem with the password appears to be a letsencrypt cert /etc/letsencrypt/live/ns9.cdbsystems.com. Can I force letsencrypt to create just that cert without a passphrase? And why could roundcube not connect??
That's ok, but not what I asked you to do. I asked you to remove (or copy one level higher if you prefer that) the symlink for the ispconfig vhost and the ns9 vhost, you have to do that for BOTH vhosts and to NOT copy or remove the ispconfig.conf symlink. Then restart apache. If it would have been a standard install, it would have worked. Due to the use of Let's Encrypt and symlinks, there seems to be some interference between LE and the SSL cert. That's what I guessed, it's not an LE cert, it's the manually created cert which overwrote the LE cert through the symlinks that point the ispconfig cert to LE on your system. You wiped out the SSL cert used by the whole system, so all services that use the cert are affected by that.
Have you tried what Till suggested in #2, run the update but select no when asked if you want to create a new SSL cert?
You can try these commands to create a new self-signed SSL cert for ispconfig:

Code:
cd /usr/local/ispconfig/interface/ssl
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
  -signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

This should give you a new self-signed SSL cert for ispconfig. Then copy back the ispconfig vhost symlink, restart apache, login to ispconfig, disable the letsencrypt checkbox in the ns9 website, press save, enable the LE checkbox for ns9 vhost again, press save, then check if ns9 works again with a new and correct LE cert. If that's ok, run the commands:

Code:
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

to enable LE back for ispconfig and the other services.
Ok, out of desperation (and a wtf?) I looked in /etc/letsencrypt and I see that the live ns9.cdbsystems points to archive/ns9.cdbsystems.com/pem14xxxx (4 files with 14 in them). I saved them and copied the 4 matching slightly older files with 13 in place of 14. Replaced all the 000* and 100* files and httpd can now start! However of course the certificates are out of date now. How can I force just ns9.cdbsystem.com to be renewed by letsencrypt? Don't see helpful instructions anywhere. PS roundcube fails because dovecot is not running properly, complaining about the passphrase, so it's obviously still pointing at the wrong cert. how can