How To ISP Server setup with Ubuntu 5.10 (Breezy Badger)

I followed all of the steps here very carefully, save one. I went through the ispconfig installation with "standard" rather than "expert" mode. I'm hoping that this is the solution to the problem I'm having. Everything in the How To went very smoothly.
At the end. Since this is a test environment, the system has a hostname, but is setup as localhost.localdomain. After the completion of the install, I went to
"https://my_ip_address:81", and got this message (firefox 1.5)
"Could not establish an encrypted connection because certificate presented by 'my_ip_address' is invalid or corrupted. Error code: -8182 ...

Any input to this would be greatly appreciated. I'm sure I followed every step here quite carefully (with the noted exception above). This is my first server install, so I was really quite pleased with the progress I had made until this.

 

You have a corrupt SSL certificate. Create a new one as outlined here: http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4

 

fallko~
Thank you for the reply. That certainly helped. The keys now show up in the directory where they should have showed before (although for some reason I don't recall doing the steps you outlined as part of the how-to)...
Now, whether I use https://my_ip_address:81 or http , I get
"The connection was refused when attempting to contact my_ip_address:81"
the box is alive, and it can be ping-ed...
the logs don't have any strange entries in them, so according to the installation and setup, everything "looks" as though it went fine.

I appreciate your feedback.

 

Falko~
I went back through all of my notes on the installation and found one deviation that I made - it seems relatively minor, but I'm wondering if this has anything to do with the problem of not being able to connect...
When installing ispconfig, i didn't choose "expert" mode. So, apache2 sees the doc root in /var/www , while ispconfig sees it in its default, which I believe is /home/www ...
/home/www is empty, and /var/www contains: apache2-default sharedip webalizer

Could this be the problem ?

 

Falko~
ok... more good news. If I access the site by ip address (port 80), I get a directory listing as above (apache2-default sharedip webalizer). If I select apache2-default, I get the expected Apache default index.html . If I select sharedip, I get this:
"SharedIP"
This IP address is shared. For access to the web site which you look for, enter its address instead of its IP.
For questions or problems please contact the server administrator.
--------------------------------------
powered by ISPConfig

So, apparently I can see the server and at least get to the default page(s)...

It feels like a config problem to me.

 

I am stuck in the same position. I have done a re-install, but still get stuck in the same position.

If I use lynx to view ispconfig on the ispconfig machine, I get want I want to see.

 

The original certificate was generated during the ISPConfig installation. I guess you entered wrong values there.

Please post the output of

Code:

netstat -tap

Also make sure that no firewall blocks port 81.

 

Then I guess it's a firewall problem. Make sure your firewall doesn't block port 81.
Is your ISPConfig system inside a LAN, and you're trying to access it from the outside? Then the problem could be that some providers block port 81.

 

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:mysql *:* LISTEN 7901/mysqld
tcp 0 0 *:ftp *:* LISTEN 14588/proftpd: (acc
tcp 0 0 216.215.55.21:domain *:* LISTEN 14574/named
tcp 0 0 localhost.locald:domain *:* LISTEN 14574/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 14574/named
tcp 0 0 *:smtp *:* LISTEN 14544/master
tcp6 0 0 *:imaps *:* LISTEN 9520/couriertcpd
tcp6 0 0 *op3s *:* LISTEN 9423/couriertcpd
tcp6 0 0 *op3 *:* LISTEN 9360/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 9465/couriertcpd
tcp6 0 0 *:www *:* LISTEN 22114/apache2
tcp6 0 0 *:ssh *:* LISTEN 6915/sshd
tcp6 0 0 ip6-localhost:953 *:* LISTEN 14574/named
tcp6 0 0 *:https *:* LISTEN 22114/apache2
tcp6 0 352 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50709 ESTABLISHED21892/sshd: gymsmoke

 

ISPConfig isn't running at all. Please start it:

Code:

/etc/init.d/ispconfig_server start

 

[email protected]:/etc/apache2/sites-available# /etc/init.d/ispconfig_server start
Starting ISPConfig system...
/root/ispconfig/httpd/bin/apachectl startssl: httpd started
FreshClam is already running!
ISPConfig system is now up and running!


Ok... ispconfig is up and running... here is the re-do of netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:mysql *:* LISTEN 7901/mysqld
tcp 0 0 *:ftp *:* LISTEN 3550/proftpd: (acce
tcp 0 0 216.215.55.21:domain *:* LISTEN 3536/named
tcp 0 0 localhost.locald:domain *:* LISTEN 3536/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 3536/named
tcp 0 0 *:smtp *:* LISTEN 3506/master
tcp6 0 0 *:imaps *:* LISTEN 9520/couriertcpd
tcp6 0 0 *op3s *:* LISTEN 9423/couriertcpd
tcp6 0 0 *op3 *:* LISTEN 9360/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 9465/couriertcpd
tcp6 0 0 *:www *:* LISTEN 3409/apache2
tcp6 0 0 *:ssh *:* LISTEN 6915/sshd
tcp6 0 0 ip6-localhost:953 *:* LISTEN 3536/named
tcp6 0 0 *:https *:* LISTEN 3409/apache2
tcp6 0 448 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50709 ESTABLISHED21892/sshd: gymsmok

Using Firefox 1.5 on Ubuntu 5.10, I go to https://216.215.55.21:81 , and get this:
Unable to connect
Firefox can't establish a connection to the server at 216.215.55.21:81.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

There is no firewall on the box running ispconfig
I;m running firestarter locally and have allowed incoming connections from this box.

 

I tried the other suggestion of using lynx on the local machine to access the page as:
[email protected]:/etc/apache2/sites-available# lynx https://216.215.55.21:81
Looking up 216.215.55.21:81
Making HTTPS connection to 216.215.55.21:81
Alert!: Unable to connect to remote host.

lynx: Can't access startfile https://216.215.55.21:81/
And again as:
[email protected]:/etc/apache2/sites-available# lynx https://127.0.0.1:81

Looking up 127.0.0.1:81
Making HTTPS connection to 127.0.0.1:81
Alert!: Unable to connect to remote host.

lynx: Can't access startfile https://127.0.0.1:81/

I hope this doesn't sound too n00b-ish, but, as i said in an earlier post, this machine is setup as localhost.localdomain ...
Does ispconfig need to have a public domain in order for it to work at all?

 

It seems as if ISPConfig doesn't start for some reason. Can you find errors in /root/ispconfig/httpd/logs?

 

Yes, there are...
error_log:
[Wed Mar 29 05:23:58 2006] [warn] pid file /root/ispconfig/httpd/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Mar 29 05:23:58 2006] [error] mod_ssl: Init: (localhost.localdomain:81) Unable to configure RSA server private key (OpenSSL library error follows)
[Wed Mar 29 05:23:58 2006] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

ssl_engine_log:
[29/Mar/2006 05:23:57 07298] [info] Server: Apache/1.3.34, Interface: mod_ssl/2.8.25, Library: OpenSSL/0.9.8a
[29/Mar/2006 05:23:57 07298] [info] Init: 1st startup round (still not detached)
[29/Mar/2006 05:23:57 07298] [info] Init: Initializing OpenSSL library
[29/Mar/2006 05:23:57 07298] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:81
[29/Mar/2006 05:23:57 07298] [info] Init: Seeding PRNG with 136 bytes of entropy
[29/Mar/2006 05:23:57 07298] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[29/Mar/2006 05:23:58 07298] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[29/Mar/2006 05:23:58 07299] [info] Init: 2nd startup round (already detached)
[29/Mar/2006 05:23:58 07299] [info] Init: Reinitializing OpenSSL library
[29/Mar/2006 05:23:58 07299] [info] Init: Seeding PRNG with 136 bytes of entropy
[29/Mar/2006 05:23:58 07299] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[29/Mar/2006 05:23:58 07299] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[29/Mar/2006 05:23:58 07299] [info] Init: Initializing (virtual) servers for SSL
[29/Mar/2006 05:23:58 07299] [info] Init: Configuring server localhost.localdomain:81 for SSL protocol
[29/Mar/2006 05:23:58 07299] [warn] Init: (localhost.localdomain:81) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[29/Mar/2006 05:23:58 07299] [warn] Init: (localhost.localdomain:81) RSA server certificate CommonName (CN) `gymsmoke' does NOT match server name!?
[29/Mar/2006 05:23:58 07299] [error] Init: (localhost.localdomain:81) Unable to configure RSA server private key (OpenSSL library error follows)
[29/Mar/2006 05:23:58 07299] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Obviously, I borked something up generating the keys... But I didn't see anything here that indicated an error on generating them...

 

I guess you entered something wrong when you created the new certificate. Create another one and accept the default values.

 

falko~
Okay. Here's what I did...
[email protected]:/# openssl genrsa -des3 -passout pass:xXxXxX -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
.........................................................++++++
e is 65537 (0x10001)
[email protected]:/#

[email protected]:/# openssl req -new -passin pass:xXxXxX -passout pass:xXxXxX -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[email protected]:/#

[email protected]:/# openssl req -x509 -passin pass:xXxXxX -passout pass:xXxXxX -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
[email protected]:/#

[email protected]:/# openssl rsa -passin pass:xXxXxX -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
writing RSA key
[email protected]:/#

[email protected]:/# chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key
[email protected]:/#

[email protected]:/root/ispconfig/httpd/logs# cat /dev/null > ./error_log
[email protected]:/root/ispconfig/httpd/logs# cat /dev/null > ./ssl_engine_log
[email protected]:/root/ispconfig/httpd/logs# /etc/init.d/ispconfig_server restart
Shutting down ISPConfig system...
/root/ispconfig/httpd/bin/apachectl stop: httpd stopped
ISPConfig system stopped!
Starting ISPConfig system...
/root/ispconfig/httpd/bin/apachectl startssl: httpd started
ISPConfig system is now up and running!

[email protected]:/root/ispconfig/httpd/logs# more error_log
[Wed Mar 29 12:21:37 2006] [notice] caught SIGTERM, shutting down
[Wed Mar 29 12:21:44 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.2 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
[Wed Mar 29 12:21:44 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)

[email protected]:/root/ispconfig/httpd/logs# more ssl_engine_log
[29/Mar/2006 12:21:43 13272] [info] Server: Apache/1.3.34, Interface: mod_ssl/2.8.25, Library: OpenSSL/0.9.8a
[29/Mar/2006 12:21:43 13272] [info] Init: 1st startup round (still not detached)
[29/Mar/2006 12:21:43 13272] [info] Init: Initializing OpenSSL library
[29/Mar/2006 12:21:43 13272] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:81
[29/Mar/2006 12:21:43 13272] [info] Init: Seeding PRNG with 136 bytes of entropy
[29/Mar/2006 12:21:43 13272] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[29/Mar/2006 12:21:43 13272] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[29/Mar/2006 12:21:44 13273] [info] Init: 2nd startup round (already detached)
[29/Mar/2006 12:21:44 13273] [info] Init: Reinitializing OpenSSL library
[29/Mar/2006 12:21:44 13273] [info] Init: Seeding PRNG with 136 bytes of entropy
[29/Mar/2006 12:21:44 13273] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[29/Mar/2006 12:21:44 13273] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[29/Mar/2006 12:21:44 13273] [info] Init: Initializing (virtual) servers for SSL
[29/Mar/2006 12:21:44 13273] [info] Init: Configuring server localhost.localdomain:81 for SSL protocol
[29/Mar/2006 12:21:44 13273] [warn] Init: (localhost.localdomain:81) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[email protected]:/# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:mysql *:* LISTEN 7098/mysqld
tcp 0 0 *:81 *:* LISTEN 13273/ispconfig_htt
tcp 0 0 *:ftp *:* LISTEN 13448/proftpd: (acc
tcp 0 0 216.215.55.21:domain *:* LISTEN 13434/named
tcp 0 0 localhost.locald:domain *:* LISTEN 13434/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 13434/named
tcp 0 0 *:smtp *:* LISTEN 13404/master
tcp6 0 0 *:imaps *:* LISTEN 7008/couriertcpd
tcp6 0 0 *op3s *:* LISTEN 7043/couriertcpd
tcp6 0 0 *op3 *:* LISTEN 7023/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 6988/couriertcpd
tcp6 0 0 *:www *:* LISTEN 13309/apache2
tcp6 0 0 *:ssh *:* LISTEN 7238/sshd
tcp6 0 0 ip6-localhost:953 *:* LISTEN 13434/named
tcp6 0 0 *:https *:* LISTEN 13309/apache2
tcp6 0 0 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50022 ESTABLISHED7537/sshd: gymsmoke

lynx https://216.215.55.21:81
SSL error:Can't find common name in certificate-Continue? (y) y

[login_logo.png]
Here you can log in:
Username: ____________________
Password: ____________________
Login
(a message comes up saying "Location URL is not absolute") and then an Invalid username... (I don't know what to use here to login initially) ...

Looks like I'm a step closer, since Lynx (local machine) can access this. I still get "Operation timed out when attempting to contact 216.215.55.21" from the remote laptop...

Howerver - Woot!!! After asking me 3 or 4 times to accept a certificate (I tried permanent, but Firefox 1.5 on Ubuntu wouldn't allow that so I took "for this session")... I got the ispconfig Login Screen!!!!!
How do I login initially? And, even more importantly, how to I set the certificates up so they are more applicable than just having all "blanks" and defaults?

 

Username admin, password: admin.

By using other values during the certificate creation. The "Common Name" is your URL (e.g. www.example.com), not your name.

 

I'm becoming more convinced that this really needs a public domain to act properly.
The certs are a little out of whack, but, after logging in, I notice that the status icons and graphics don't show up, and when selecting 'log out' I get this error:
Unable to connect
Firefox can't establish a connection to the server at localhost.localdomain:81.

* The site could be temporarily unavailable or too busy. Try again in a few
moments.

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

 

Also, from anywhere within ISPConfig, if you click the select-able links (which check the local system), they all give a 404 error, along with an error that "localhost.localdomain" cannot be reached.

Can you please tell me if this needs to be installed in a publicly registered domain in order to test it? I'm getting a little frustrated wasting my time with this.

If it has to be tested in a "live" environment, I need to know it so that I can make arrangements to try it out, or just dump it from the server and only test the Ubuntu server characteristics/packages