isconfig is not enabling ssl on website

Discussion in 'General' started by dpto. operacoes, Feb 4, 2020.

  1. dpto. operacoes

    dpto. operacoes New Member

    Hello there,
    I am using on my server ISPConfig Version: 3.0.5.3 and debian 7.11.
    I am trying to install a ssl certificate for a website but it is not working. I use the options create certificate, save certificate and even delete certificate, but it was useless. Using the terminal, the certificate files are there on the ssl directory. The domain.crt, domain.csr, domain.key and domain.key.org and the bak for each of them. I tried to find something using the logs, but couldn't find nothing about this domain ssl. On /var/log I checked isconfig and apache logs.
    Do you have any ideas?


    Thanks for the help and have a nice day!
     
  2. Steini86

    Steini86 Active Member

    For the domain in question, do you have a .err file in /etc/apache2/sites-available (or nginx equivalent, if you are using nginx)? That would indicate that the webserver did not restart properly with the certificate and reverted the configuration.
    I could think of problems, that arise from your old software versions when trying with modern encryption. Also consider using at least letsencrypt certificates instead of self-signed (unless this server is not connected to the internet)
    There is always the option to enable ispconfig debug logging, make the change and see whats failing.
    => http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/


    Please note that Debian wheezy is end of life and even the extended long term support will end in the next months. Before changing a lot at your system, consider upgrading. Many of the problems will be magically gone (unfortunately, new ones will arise, too)
     
    dpto. operacoes likes this.
  3. dpto. operacoes

    dpto. operacoes New Member

    Thank you.
    I enabled the DEBUG mode. Last night I deleted the certificate using the ispconfig, so now I created a new one. The log is below.


    Code:
    root@acmewebserver:~# /usr/local/ispconfig/server/server.sh
    04.02.2020-14:21 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    04.02.2020-14:21 - DEBUG - Found 1 changes, starting update process.
    04.02.2020-14:21 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    128032 semi-random bytes loaded
    Generating RSA private key, 2048 bit long modulus
    .........................................................................................................+++
    ........................................................+++
    e is 65537 (0x10001)
    writing RSA key
    04.02.2020-14:21 - DEBUG - Creating self-signed SSL Cert for: www.domain.com
    04.02.2020-14:21 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    setquota: Not setting block grace time on /dev/mapper/acmewebserver-root because softlimit is not exceeded.
    setquota: Not setting inode grace time on /dev/mapper/acmewebserver-root because softlimit is not exceeded.
    setquota: Not setting block grace time on /dev/mapper/vg001-lv001 because softlimit is not exceeded.
    setquota: Not setting inode grace time on /dev/mapper/vg001-lv001 because softlimit is not exceeded.
    04.02.2020-14:21 - DEBUG - Add server alias: www2.domain.com
    04.02.2020-14:21 - DEBUG - Add server alias: domain.com.br
    04.02.2020-14:21 - DEBUG - Creating fastcgi starter script: /home/www/php-fcgi-scripts/web170/.php-fcgi-starter
    04.02.2020-14:21 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain.com.vhost
    04.02.2020-14:21 - DEBUG - Apache status is: running
    04.02.2020-14:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    04.02.2020-14:21 - DEBUG - Apache restart return value is: 0
    04.02.2020-14:21 - DEBUG - Apache online status after restart is: running
    04.02.2020-14:21 - DEBUG - Processed datalog_id 1587
    04.02.2020-14:21 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    "Writing the vhost file" There is no change to it but the time that the file was edited is changed.

    Will be a problem if a edit myself the sites-enable file on apache2?



    Again, thanks for the help and have a nice day!
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you have a vhost template file in /usr/local/ispconfig/server/conf-custom/ ? If so, I'd guess your local template does not handle adding the certificate, and you should update it (copy the latest version from 'conf' and make your local changes to it).

    Yes; you can make changes and restart apache as a short term fix, but your changes will be overwritten the next time the vhost file is generated by ISPConfig.
     
  5. SamTzu

    SamTzu Active Member

    Have you checked if the root domain (ie. address without www.) points to same IP address than the www. address?
    Sometimes they are configured with different DNS address and are actually located on different servers (maybe because of email?)
    I'm not sure if it's possible to generate Certbot SSL unless both addresses are same.
    Does any1 know? How to configure www. SSL without root?
     
  6. SamTzu

    SamTzu Active Member

    If the DNS points to wrong (or old) server you get something like this on /var/log/letsencrypt/ log:
    Code:
    Failed authorization procedure. avainexpert.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://avainexpert.fi/.well-known/acme-challenge/uludFCynlHpOzo4z0vG5DfOCGJ4CmTJ5LLd_EdpQC3Y [79.134.108.134]:
    The IP address gives a clue.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It is possible with a correct setup. Eg. if you had the domain website on one server and www subdomain setup as a website on another server, each of those could request and receive a certificate. However if your domain website had the default Auto-Subdomain setting of 'www', it would not be able to obtain a certificate, because it would try to request a single certificate with both the domain name and www subdomain included, and couldn't verify the latter.
     
    SamTzu and ahrasis like this.
  8. SamTzu

    SamTzu Active Member

    Now why didn't I think of that?
    I guess it's just a habit to enter only the root domain name in the Website config - probably because of the "Auto-Subdomain" box assumes www.
     

Share This Page