Installing problem Let's Encrypt.

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Sep 28, 2016.

  1. pawan

    pawan Member

    I tried to install Let's Encrypt using this guide - https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

    Only the part for Let's Encrypt.
    But while installing ./certbot-auto
    I encountered these errors:
    Code:
    Get:1 Changelog for libssl1.0.0 (http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.38/changelog) [122 kB]
    openssl (1.0.1-4ubuntu5.38) precise-security; urgency=medium
    
      * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
        - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
          check in crypto/bn/bn_print.c.
    
    -- Marc Deslauriers <[email protected]>  Fri, 23 Sep 2016 07:59:32 -0400
    
    openssl (1.0.1-4ubuntu5.37) precise-security; urgency=medium
    
      * SECURITY UPDATE: Constant time flag not preserved in DSA signing
        - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
          crypto/dsa/dsa_ossl.c.
        - CVE-2016-2178
      * SECURITY UPDATE: DTLS buffered message DoS
        - debian/patches/CVE-2016-2179.patch: fix queue handling in
          ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
          ssl/ssl_locl.h.
        - CVE-2016-2179
      * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
        - debian/patches/CVE-2016-2180.patch: fix text handling in
          crypto/ts/ts_lib.c.
        - CVE-2016-2180
      * SECURITY UPDATE: DTLS replay protection DoS
        - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
          records in ssl/d1_pkt.c.
        - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
          in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
        - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
        - CVE-2016-2181
      * SECURITY UPDATE: OOB write in BN_bn2dec()
        - debian/patches/CVE-2016-2182.patch: don't overflow buffer in
          crypto/bn/bn_print.c.
        - CVE-2016-2182
      * SECURITY UPDATE: SWEET32 Mitigation
        - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
          to MEDIUM in ssl/s3_lib.c.
        - CVE-2016-2183
      * SECURITY UPDATE: Malformed SHA512 ticket DoS
        - debian/patches/CVE-2016-6302.patch: sanity check ticket length in
          ssl/t1_lib.c.
        - CVE-2016-6302
    :
    
    How can I resolve it to move further?
     
  2. Croydon

    Croydon ISPConfig Developer

    Try updating your packages manually first (apt-get upgrade).
     
  3. pawan

    pawan Member

    Ok Croydon,
    Now I am facing this problem when running apt-get upgrade
    Code:
    E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.
    root@server1:/home/pawan# sudo dpkg --configure -a
    dpkg: dependency problems prevent configuration of libssl-dev:
    libssl-dev depends on libssl1.0.0 (= 1.0.1-4ubuntu5.38); however:
      Version of libssl1.0.0 on system is 1.0.1-4ubuntu5.36.
    dpkg: error processing libssl-dev (--configure):
    dependency problems - leaving unconfigured
    Errors were encountered while processing:
    libssl-dev
    root@server1:/home/pawan# 
    How to address this?
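
Added example (not part of the original thread or any poster's code): a Python sketch that reads the dpkg error from the post above together with the changelog from the first post, and lists which changelog versions, with the CVEs they name, are not yet applied to the installed libssl1.0.0. The sample strings are abridged from the thread, the function names are hypothetical, and it assumes the changelog lists the newest version first.

```python
import re

# Sample input abridged from the changelog and dpkg output quoted in the thread.
CHANGELOG = """\
openssl (1.0.1-4ubuntu5.38) precise-security; urgency=medium
  * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
openssl (1.0.1-4ubuntu5.37) precise-security; urgency=medium
  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
    - CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
    - CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
    - CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
    - CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
    - CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
    - CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
    - CVE-2016-6302
"""
DPKG_OUTPUT = """\
libssl-dev depends on libssl1.0.0 (= 1.0.1-4ubuntu5.38); however:
  Version of libssl1.0.0 on system is 1.0.1-4ubuntu5.36.
"""
STANZA = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)  # "package (version) ..."
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
MISMATCH = re.compile(r"(\S+) depends on (\S+) \(= ([^)]+)\); however:\s+"
                      r"Version of \2 on system is (\S+?)\.\s*$", re.M)

def version_mismatches(dpkg_output):
    """Return (dependent, dependency, required, installed) tuples."""
    return MISMATCH.findall(dpkg_output)

def pending_cves(changelog, installed):
    """CVEs named by stanzas above the installed version (newest comes first).
    Assumption: if `installed` is not in the excerpt, every stanza is newer."""
    heads, pending = list(STANZA.finditer(changelog)), {}
    for i, head in enumerate(heads):
        if head.group(2) == installed:
            break
        end = heads[i + 1].start() if i + 1 < len(heads) else len(changelog)
        pending[head.group(2)] = sorted(set(CVE.findall(changelog[head.end():end])))
    return pending

if __name__ == "__main__":
    for dependent, dep, required, installed in version_mismatches(DPKG_OUTPUT):
        print(f"{dependent} needs {dep} {required}, system has {installed}")
        print("  not applied:", pending_cves(CHANGELOG, installed))
```

For the thread's input this reports libssl1.0.0 at 1.0.1-4ubuntu5.36 with both the 5.37 security update and the 5.38 regression fix still unapplied.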
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    run:

    apt-get update

    and then

    apt-get upgrade
     
  5. pawan

    pawan Member

    Till,
    I did just that and I am faced with this problem?
     
  6. pawan

    pawan Member

    Is this command safe to run?
    Code:
    sudo dpkg --configure -a --force-all
     
  7. Croydon

    Croydon ISPConfig Developer

    Just using
    Code:
    sudo dpkg --configure -a
    would be better.
     
  8. pawan

    pawan Member

    Hi Croydon
    I have run that command as well as apt-get update and apt-get upgrade.
    Now I am getting this error
    Code:
    E: Internal Error, No file name for libssl1.0.0
    I am really stuck with this and couldn't find a solution.
     
  9. Croydon

    Croydon ISPConfig Developer

    Somehow sounds like there's something messed up on your system.
     
  10. pawan

    pawan Member

    I think I have resolved it.
    I ran these commands, rebooted the system, then ran the update commands.
    Code:
    sudo rm /var/lib/apt/lists/lock
    sudo rm /var/cache/apt/archives/lock 
    Now when installing Let's Encrypt I am presented with a dialogue box with all the names of my websites, asking which names I would like to activate HTTPS for.
    What should I choose? I don't have any idea, as I suppose that I can activate HTTPS for any website from within ISPConfig.
    So what should I do here? Please guide.
     
  11. Croydon

    Croydon ISPConfig Developer

    Please don't choose any, just hit abort.
     
  12. pawan

    pawan Member

    Thanks Croydon.
    I did that as you suggested.
    Now please tell me how I can use Let's Encrypt in ISPConfig to generate the certificates.
    I mean how and where I should configure ISPConfig 3.1.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Go to the website settings, enable the letsencrypt checkbox for the website and press the save button.
     
  14. pawan

    pawan Member

    Sorry Till, I couldn't find the letsencrypt checkbox.
    Ok I found it.
     
  15. pawan

    pawan Member

    Till,
    I have checked it for one website, but now none of my websites, including the ISPConfig control panel, can be reached.
     
  16. pawan

    pawan Member

    I have tried to restart Apache in the terminal, but it failed.
    My Apache log is like this:
    Code:
    [Thu Sep 29 15:30:24 2016] [error] [client 192.168.0.10] client denied by server configuration: /var/www/ispconfig/datalogstatus.php, referer: http://server1.mywebsolutions.co.in:8080/index.php
    [Thu Sep 29 15:30:25 2016] [error] [client 192.168.0.10] client denied by server configuration: /var/www/ispconfig/datalogstatus.php, referer: http://server1.mywebsolutions.co.in:8080/
    [Thu Sep 29 15:31:24 2016] [notice] caught SIGTERM, shutting down
    [Thu Sep 29 15:31:25 2016] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Sep 29 15:31:25 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Sep 29 15:31:25 2016] [notice] Digest: generating secret for digest authentication ...
    [Thu Sep 29 15:31:25 2016] [notice] Digest: done
    [Thu Sep 29 15:31:25 2016] [notice] FastCGI: process manager initialized (pid 27184)
    [Thu Sep 29 15:31:26 2016] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Sep 29 15:31:26 2016] [notice] Apache/2.2.22 (Ubuntu) DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.6 PHP/5.3.10-1ubuntu3.24 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2011-06-30) mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
    [Thu Sep 29 15:31:31 2016] [notice] caught SIGTERM, shutting down
     
  17. Croydon

    Croydon ISPConfig Developer

    Check
    Code:
    apache2ctl -S
     
  18. pawan

    pawan Member

    The specific site for which I was trying to generate it was cbsindia.in.
    I removed the SSL code from the vhost of cbsindia and restarted Apache.
    Now it restarted without any problem.
    Ok, let me try to recreate the problem, then I will post the output of the command.
     
  19. pawan

    pawan Member

    Ok,
    First I deleted the certificate and saved.
    Next I created the certificate and saved.
    Now my websites are running without any problem,
    but when I am trying to access https://cbsindia.in
    it is raising a security exception and telling me that it is a self-signed certificate.
    Also the SSL Key and SSL Bundle fields remain blank.
    Code:
    cbsindia.in uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    To get a letsencrypt certificate, all you do is enable the letsencrypt checkbox and the ssl checkbox, nothing more. If you would create an ssl cert manually on the ssl tab, then letsencrypt gets overwritten by your manual ssl cert.
     
