interface messed up (500) [solved]

Discussion in 'Installation/Configuration' started by electronico_nc, Nov 7, 2018.

  1. Hi all,
    So I was configuring ISPConfig 3.13 (mirrored cluster on Ubuntu 18.04) after a migration.
    I set up a site called host1.domain.com and used Let's Encrypt to have a nice SSL connection to the ISPConfig interface.
    I think I changed this site's configuration and now I can't connect to https://host1.domain.com:8080
    I get : Internal Server error
    Looking at /var/log/apache2/error.log :
    Code:
    [Wed Nov 07 21:03:03.805772 2018] [fcgid:warn] [pid 17016] (104)Connection reset by peer: [client 202.22.143.149:41152] mod_fcgid: error reading data from FastCGI server
    [Wed Nov 07 21:03:03.805799 2018] [core:error] [pid 17016] [client 202.22.143.149:41152] End of script output before headers: index.php
    suexec policy violation: see suexec log for more details
    /var/log/apache2/suexec.log :
    Code:
    [2018-11-07 21:03:03]: uid: (20004/ispconfig) gid: (20006/ispconfig) cmd: .php-fcgi-starter
    [2018-11-07 21:03:03]: target uid/gid (20004/20006) mismatch with directory (10382/10383) or program (10382/10383)
    Last POST from vhost access log before the 500 error (sanitized) :
    Code:
    202.22.143.149 - - [07/Nov/2018:17:54:17 +1100] "POST /sites/web_vhost_domain_edit.php HTTP/1.1" 200 1757 "https://host1.domain.com:8080/index.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
    202.22.143.149 - - [07/Nov/2018:17:54:21 +1100] "POST /sites/web_vhost_domain_edit.php HTTP/1.1" 200 3318 "https://host1.domain.com:8080/index.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
    Strangely permissions on website are showing :
    Code:
    ls -lhtr /var/www/clients/client19/web393
    total 28K
    drwx--x--- 2 web393 10011 4,0K nov.   5 09:32 webdav
    drwxrwx--- 2 web393 10011 4,0K nov.   5 09:32 tmp
    drwx--x--- 2 web393 10011 4,0K nov.   5 09:32 private
    drwxr-xr-x 2 web393 10011 4,0K nov.   5 09:32 cgi-bin
    drwx--x--x 4 web393 10011 4,0K nov.   5 09:32 web
    drwxr-xr-x 2 root   root  4,0K nov.   5 09:32 ssl
    drwxr-xr-x 2 root   root  4,0K nov.   7 20:32 log
    But group should be 'client19' :
    Code:
    ls -lha /var/www | grep web393
    lrwxrwxrwx   1 root  root        33 nov.   5 09:32 host1.domain.com -> /var/www/clients/client19/web393/
    Strange thing is that : https://host1.domain.com:8080/phpmyadmin is running OK

    I don't know where to start to make the ISPConfig interface run again.
    Thanks in advance for your inputs.
    Nicolas

    Edit : from memory I changed the owner of host1.domain.com
     
    Last edited: Nov 7, 2018
  2. Looking at the old server, it seems I have deactivated the main reseller on the new setup :
    OLD SERVER:
    Code:
     cat /etc/passwd | grep 10011
    ...
    web271:x:10271:10011::/var/www/clients/client19/web271:/bin/false
    web277:x:10277:10011::/var/www/clients/client19/web277:/bin/false
    web291:x:10291:10011::/var/www/clients/client19/web291:/bin/false
    web295:x:10295:10011::/var/www/clients/client19/web295:/bin/false
    web301:x:10301:10011::/var/www/clients/client19/web301:/bin/false
    web317:x:10317:10011::/var/www/clients/client19/web317:/bin/false
    web331:x:10331:10011::/var/www/clients/client19/web331:/bin/false
    web333:x:10333:10011::/var/www/clients/client19/web333:/bin/false
    web335:x:10335:10011::/var/www/clients/client19/web335:/bin/false
    web343:x:10343:10011::/var/www/clients/client19/web343:/bin/false
    web345:x:10345:10011::/var/www/clients/client19/web345:/bin/false
    web347:x:10347:10011::/var/www/clients/client19/web347:/bin/false
    web287:x:10287:10011::/var/www/clients/client19/web287:/bin/false
    web394:x:10394:10011::/var/www/clients/client19/web394:/bin/false
    ...
    Code:
     cat /etc/group | grep 10011
    client19:x:10011:www-data
    NEW SERVER :
    Code:
     cat /etc/passwd | grep 10011
    web11:x:10011:10151::/var/www/clients/client19/web11:/bin/false
    Code:
    cat /etc/group | grep 10011
    no result from the last command...
    Is there any proper way to re-inject the /etc/passwd etc... files and make ISPConfig live again ?

    Might the dbispconfig2 database from the mirror server be useful ?
     
    Last edited: Nov 7, 2018
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    In your old server, 10011 was the group id; on your new server it is 10151; so compare with
    Code:
    grep 10151 /etc/group
    If you only made changes in the ISPConfig ui, I wouldn't guess that your problem is in /etc/passwd.

    Can you log in via the IP address? https://xx.xx.xx.xx:8080/ .. if so, fix your host1 vhost from there.
     
  4. Thanks for your answer !
    Code:
    grep 10151 /etc/group
    client19:x:10151:www-data
    Yes I was making changes on ISPConfig GUI only.
    No changes using IP instead of hostname : still error 500 on :8080, but phpmyadmin accessible on :8080/phpmyadmin
    https://host1.domain.com/webmail displays Roundcube fine too ...
     
    Last edited: Nov 7, 2018
  5. So, I'm now pretty sure the last modification I made on the vhost was to change PHP to FastCGI.
    Looking at /etc/apache2/sites-available/ispconfig.vhost
    Code:
      <Directory /var/www/ispconfig/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      <Directory /usr/local/ispconfig/interface/web/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          <FilesMatch "\.php$">
            SetHandler fcgid-script
          </FilesMatch>
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Require all granted
        </Directory>
        IPCCommTimeout  7200
        MaxRequestLen 15728640
      </IfModule>
    Here is the resulting FCGIWrapper file content :
    Code:
    #!/bin/sh
    PHPRC=/etc/php/7.0/cgi/
    export PHPRC
    export PHP_FCGI_MAX_REQUESTS=5000
    export PHP_FCGI_CHILDREN=1
    exec /usr/bin/php-cgi \
        -d disable_classes= \
        -d disable_functions= \
        -d magic_quotes_gpc=off \
        -d open_basedir= \
        -d session.save_path=/usr/local/ispconfig/interface/temp
    but PHP is 7.2, not 7.0:
    Code:
    php --version
    PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.2.10-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies
    I tried changing PHPRC to the 7.2 directory and restarting Apache2, but no luck.
    suexec.log still shows :
    Code:
    [2018-11-08 06:24:22]: uid: (20004/ispconfig) gid: (20006/ispconfig) cmd: .php-fcgi-starter
    [2018-11-08 06:24:22]: target uid/gid (20004/20006) mismatch with directory (10382/10383) or program (10382/10383)
    I'm pretty sure it just needs the PHP option in the vhost changed from 'fcgi' to 'y' to make it run again.
    (I'm now pretty sure I have trouble with PHP on this installation too, as it should run under FastCGI)
    I thought of using the 'remoter' user, but no way, as the ISPConfig interface can't be reached...
     
    Last edited: Nov 7, 2018
  6. Well, after a lot of digging, the solution to bring the interface back to life was :
    Modify /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter to point to the right PHP version :
    Code:
    PHPRC=/etc/php/7.0/cgi/
    to
    Code:
    PHPRC=/etc/php/7.2/cgi/
    Modify permissions on /var/www/php-fcgi-scripts/ispconfig from:
    Code:
    drwxr-xr-x   2 web382     10383 4,0K nov.   8 06:23 ispconfig
    to
    Code:
    drwxr-xr-x   2 ispconfig     ispconfig 4,0K nov.   8 06:23 ispconfig
    by command :
    Code:
    chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig
    systemctl restart apache2
    I really don't understand how the normal ISPConfig interface can produce this kind of trouble (bad PHP version, bad permissions)...
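
The suexec rule behind the "target uid/gid ... mismatch with directory ... or program" log line in this thread, re-created as a pre-flight check (an added example, not part of the original posts and not ISPConfig or Apache code). The function name `suexec_owner_check` is hypothetical, and GNU `stat` (as shipped with Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: check a FastCGI wrapper the way suexec does before running it.
# Usage: suexec_owner_check <target_uid> <target_gid> <wrapper_path>
# Returns 0 if owner/group and write bits would pass, 1 if not, 2 if missing.
suexec_owner_check() {
    t_uid=$1; t_gid=$2; prog=$3
    dir=$(dirname "$prog")
    [ -f "$prog" ] || { echo "missing program: $prog"; return 2; }

    # GNU stat: %u = owner uid, %g = owner gid, %a = octal permission bits.
    # Word splitting is intended here: six fields land in $1..$6.
    set -- $(stat -c '%u %g %a' "$dir") $(stat -c '%u %g %a' "$prog")
    d_uid=$1; d_gid=$2; d_mode=$3
    p_uid=$4; p_gid=$5; p_mode=$6
    rc=0

    # suexec requires the target user AND group to own both the directory
    # holding the program and the program itself.
    if [ "$t_uid" != "$d_uid" ] || [ "$t_gid" != "$d_gid" ] ||
       [ "$t_uid" != "$p_uid" ] || [ "$t_gid" != "$p_gid" ]; then
        echo "target uid/gid ($t_uid/$t_gid) mismatch with directory ($d_uid/$d_gid) or program ($p_uid/$p_gid)"
        rc=1
    fi

    # suexec also refuses a directory or program writable by group or others
    # (octal 022), so a chown alone does not fix an over-permissive mode.
    for pair in "directory:$d_mode" "program:$p_mode"; do
        what=${pair%%:*}; mode=${pair#*:}
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$what is writable by group or others (mode $mode)"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "ownership OK for $t_uid/$t_gid: $prog"
    return "$rc"
}
```

With the values from the suexec.log above, the call would be `suexec_owner_check 20004 20006 /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter`; run it after any panel change to the vhost and before restarting Apache.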
     
  7. After that, I launched a complete resync (everything checked) through the ISPConfig interface and got a
    Code:
    1.CSRF attempt blocked
    I'll continue to test ...
     