I've been running 3.0.5.4 for some time now without any problems. I've enabled SSL for the login page with a purchased certificate. Seemingly without explanation it has stopped working. When I attempt to load https://mydomain.com:8080/ in a browser, it times out attempting to create a secure connection. The certificate is still valid. I've tried updating OpenSSL and mod_ssl with no effect. I tried testing by using curl and other console tools and the login page is returned without a problem. It only won't load in browsers. I've tried in Chrome, FF, IE, and Safari. All give some error related to encrypted connections.
Sorry, curl is now complaining about SSL with "curl: (35) SSL connect error". It loads with the -k switch which essentially ignores SSL so I tried openssl too.

Code:
    openssl s_client -connect mydomain.com:8080
    CONNECTED(00000003)
    140403818878792:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 249 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
I have made some changes to harden SSL while attempting to fix this. But there were no changes prior to when it quit working. I'm not even sure how to troubleshoot it at this point. Online SSL tests and openssl are showing good certificates. This is very confusing.
Here's a look at the configurations.

Code:
    # From /etc/httpd/conf.d/ssl.conf
    <VirtualHost _default_:443>
        SSLEngine on
        SSLProtocol -all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
        SSLHonorCipherOrder On
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/myserver_com.crt
        SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/myserver_com.key
        SSLCACertificateFile /usr/local/ispconfig/interface/ssl/myserver_com.bundle
    </VirtualHost>

    # From /etc/httpd/conf/sites-enabled/000-ispconfig.vhost
    <VirtualHost _default_:8080>
        # SSL Configuration
        SSLEngine On
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
        SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
        SSLCACertificateFile /usr/local/ispconfig/interface/ssl/myserver_com.bundle
    </VirtualHost>

I've changed a few certificate names to hide my hostname, but they all point to valid certificate files. I'm using a Comodo Positive SSL certificate.
Is this your whole 000-ispconfig.vhost vhost file? There seem to be many lines missing. Did you check that port 8080 is open in the server firewall and also open in a possibly existing external firewall?
This is not the entire file. I only listed the SSL related lines for brevity. Port 8080 is open and listening. There have been no firewall changes. I also don't see anything weird in the log files. It's as if something with the certificate changed. It literally worked perfectly for a year and then stopped suddenly. The certificate expires in 2016.
Please run the test tool and post the result: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
In order to allow temporary insecure access, I've commented out the SSL lines in ispconfig.vhost but I am still getting a redirect to the https site. Where is the redirect from http to https so that I can remove it temporarily as well?
ISPConfig has no redirect from http to https, all config is in the ispconfig.vhost file so you can see that there is none. Maybe you access a different vhost of your server or from another server or router and not the ispconfig vhost.
Well, that's interesting. I wonder why it's closed all of a sudden. It's been working with no changes for a year. In any case, opening the port resolved the issue. I feel a bit silly now. For anyone else having this problem, I'm running CentOS and here are the commands to allow all traffic on Port 8080. I'm not sure if the restart is actually necessary, but it doesn't hurt anything.

Code:
    sudo iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "ISPC3 Admin port"
    sudo service iptables save
    sudo service iptables restart
Okay, I spoke too soon. It was working long enough to display the login page, but as soon as I attempted to log in, I'm back to the same connection error. Rerunning the commands above didn't help this time.
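Added example, not part of the thread and not any poster's code: the `unknown protocol` error from `openssl s_client` earlier in the thread means the first bytes the client got back did not parse as an SSL/TLS record. This Python code sends a real ClientHello to a port and classifies the first reply bytes; the function names and the sample byte strings are constructed for illustration.

```python
import socket
import ssl

def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello in memory (no network) via ssl.MemoryBIO."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()

def classify_first_bytes(data: bytes) -> str:
    """Say what kind of peer produced the first bytes of a reply."""
    if not data:
        return "no data (connection closed, filtered or timed out)"
    if data[:5] == b"HTTP/":
        return "plain HTTP reply: the port is not speaking TLS"
    # TLS record header: type(1) | version major=3, minor<=4 (2) | length(2)
    if len(data) >= 5 and data[1] == 0x03 and data[2] <= 0x04:
        length = int.from_bytes(data[3:5], "big")
        if data[0] == 0x16:
            return f"TLS handshake record ({length} bytes)"
        if data[0] == 0x15:
            return f"TLS alert record ({length} bytes)"
    # Only handshake or alert records are expected as a first reply.
    return "not a TLS record: " + data[:16].hex()

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first reply bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(host))
            return classify_first_bytes(s.recv(4096))
    except OSError as exc:  # refused, unreachable, reset or timed out
        return f"connect/read failed: {exc}"

if __name__ == "__main__":
    # Constructed sample replies, not captured from the thread's server.
    samples = [b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56",
               b"\x15\x03\x01\x00\x02\x02\x28",
               b"HTTP/1.1 400 Bad Request\r\n", b""]
    for raw in samples:
        print(classify_first_bytes(raw))
```

Calling `probe("mydomain.com", 8080)` from a remote machine and `probe("127.0.0.1", 8080)` on the server itself shows whether the answer differs depending on the path taken to the port.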