ISPConfig 3 SSL mismatch

Discussion in 'General' started by onastvar, Jan 6, 2015.

  1. onastvar

    onastvar Member

    Hello,

    I have 2 SSLs already set up correctly. I'm using 1 static IP. I have enabled SNI in System > Server Config > Web > SSL Settings.
    I have issues with setting up 3rd SSL. I'm getting mismatch errors on name. All certificates are from Comodo and their customer support said everything is fine on their side.

    Would anyone be able to provide some info on how to troubleshoot this SSL issue?

    ls -la /var/www/clients/client1/web2
    total 3604
    drwxr-xr-x 19 root root 4096 Dec 6 00:28 .
    drwxr-xr-x 6 root root 4096 Dec 5 23:45 ..
    drwxr-xr-x 2 web2 client1 4096 Sep 4 22:19 backup
    -rwxr-xr-x 1 web2 client1 254 Dec 15 23:21 .bash_history
    drwxr-xr-x 2 root root 4096 Dec 6 00:28 bin
    drwxr-xr-x 2 web2 client1 4096 Mar 2 2013 cgi-bin
    drwxr-xr-x 3 root root 4096 Apr 3 2014 clients
    drwxr-xr-x 2 root root 4096 Dec 12 09:03 dev
    drwxr-xr-x 6 root root 4096 Dec 6 00:28 etc
    drwxr-xr-x 4 root root 4096 Dec 6 00:28 lib
    drwxr-xr-x 2 root root 4096 Dec 6 00:28 lib64
    drwxr-xr-x 9 root root 4096 Jan 5 23:22 log
    drwx--x--- 2 web2 client1 4096 Dec 14 00:21 private
    drwx------ 2 web2 client1 4096 Dec 5 23:49 .ssh
    drwxr-xr-x 2 root root 4096 Jan 5 23:29 ssl
    drwxrwxrwx 4 web2 client1 3608576 Jan 5 23:47 tmp
    drwxr-xr-x 6 root root 4096 Dec 6 00:28 usr
    drwxr-xr-x 3 root root 4096 Dec 6 00:28 var
    drwx--x--- 27 web2 client1 4096 Dec 29 23:24 web
    drwxrwx--- 3 web2 client1 4096 Jul 17 11:19 webdav


    var/www/clients/client1/web2/ssl# ls -la /var/www/clients/client1/web2/ssl
    total 92
    drwxr-xr-x 2 root root 4096 Jan 5 23:29 .
    drwxr-xr-x 19 root root 4096 Dec 6 00:28 ..
    -rw-r--r-- 1 root root 4170 Jan 5 23:20 mydomain.com.bundle
    -rw-r--r-- 1 root root 4170 Jan 5 23:20 mydomain.com.bundle.err
    -rw-r--r-- 1 root root 1899 Jan 5 23:20 mydomain.com.crt
    -rw-r--r-- 1 root root 1330 Jan 5 19:20 mydomain.com.crt.bak
    -rw-r--r-- 1 root root 1959 Jan 5 23:20 mydomain.com.crt.err
    -rw-r--r-- 1 root root 1119 Jan 5 23:20 mydomain.com.csr
    -rw-r--r-- 1 root root 1119 Jan 5 19:20 mydomain.com.csr.bak
    -rw-r--r-- 1 root root 1138 Jan 5 23:20 mydomain.com.csr.err
    -r-------- 1 root root 1679 Jan 5 23:20 mydomain.com.key
    -r-------- 1 root root 1679 Jan 5 23:20 mydomain.com.key~
    -r-------- 1 root root 1679 Jan 5 19:20 mydomain.com.key.bak
    -r-------- 1 root root 1706 Jan 5 23:20 mydomain.com.key.err
    -r-------- 1 root root 1743 Jan 5 23:20 mydomain.com.key.org
    -r-------- 1 root root 1751 Jan 5 19:20 mydomain.com.key.org.bak
    -r-------- 1 root root 1743 Jan 5 23:20 mydomain.com.key.org.err
    -rw-r--r-- 1 root root 1342 Dec 6 01:05 drive.mydomain.com.crt
    -rw-r--r-- 1 root root 1123 Dec 6 01:05 drive.mydomain.com.csr
    -r-------- 1 root root 1675 Dec 6 01:05 drive.mydomain.com.key
    -r-------- 1 root root 1743 Dec 6 01:05 drive.mydomain.com.key.org
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Did you use a browser that supports SNI to access the website? (There is a list of compatible browsers when you search for SNI at Wikipedia.)
    2) Do you see the correct content (the one of the site that you expect) when you accept the SSL error, or do you see the content of a wrong website?
     
  3. onastvar

    onastvar Member

    Till, Thanks for your reply!
    1) Yes. I've used both browsers that support SNI: Chrome & Firefox
    2) If I accept SSL error I see content of site 2 instead of site 1.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. Then check that all sites of the server use either * or all sites use the IP. You may not mix * and IP on a server, as this will cause all traffic to be redirected to the website that has the IP assigned.
     
  5. onastvar

    onastvar Member

    I checked, all of my websites have * for IP.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Is the SSL checkbox on the first tab of the site activated?
     
  7. onastvar

    onastvar Member

    Yes SSL checkbox is active. I have SSL checked on other 2 sites where SSL is working as expected.

    Is there a way to manually wipe out any SSL related things (files, folders, etc) from the site with issues and try to add SSL certificate from scratch?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Go to the SSL tab, select delete certificate as action and press save.
     
  9. onastvar

    onastvar Member

    Thanks Till! After I selected delete certificate and waited 5 minutes, when I go back to the SSL tab I still see information in the following fields: State, Locality, Org, Org Unit, Country, SSL Domain as well as SSL Key & SSL Bundle.

    SSL Request & SSL Certificate fields are blank. I just want to make sure this is how it should be; I was expecting all the fields to be blank... please advise.

    Do I need to choose Create Certificate to get new SSL Request?
    Also, will I need to get a re-issued SSL certificate from Comodo, since there is a new SSL Request generated by ISPConfig?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok, the option just deletes the SSL details on the hard disk, not the ones in the database.

    Yes. After you have created a new self-signed cert, wait 1-2 minutes and test if it works before you have it signed.
    Yes.
     
  11. onastvar

    onastvar Member

    Thank You Till!
    I followed all of the steps above and got a re-issued certificate. It did not work: if I ignore the SSL warning, under https for site 1 I see site 2. Any other suggestions on how to troubleshoot?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you test it after you created the self-signed cert and before you reissued the cert, like I suggested? The result of this test is important for debugging the issue.
     
  13. onastvar

    onastvar Member

    Thank You!
    I have tested it before post #11, and I tested again just to be sure. Still the same issue: if I ignore the SSL warning, under https for site 1 I see site 2.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you tested the self-signed cert, not the officially signed one? We have to find out if the issue is already there with the self-signed cert or if it appears later when you insert the officially signed one, as that makes a big difference.

    The problem on your server is most likely that SSL could not be enabled for the vhost. This happens when Apache refuses to start with the new SSL cert. You can e.g. use these debug instructions to find out more about the issue:

    http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    Enable debugging, disable the server.sh cronjob, disable SSL for the website and then enable it again, and run the server.sh cronjob manually on the shell to get the debug output.
     
  15. onastvar

    onastvar Member

    Thank You Till!
    I see 2 warnings for Apache; it's not saving the configuration change.
    Any idea where else to look or what else to check?

    This is my Debug output:
    Code:
     /usr/local/ispconfig/server/server.sh
    08.01.2015-17:01 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    08.01.2015-17:01 - DEBUG - Found 4 changes, starting update process.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Network configuration disabled in server settings.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Processed datalog_id 3899
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Network configuration disabled in server settings.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    08.01.2015-17:01 - DEBUG - Processed datalog_id 3901
    08.01.2015-17:01 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    08.01.2015-17:01 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
    08.01.2015-17:01 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
    08.01.2015-17:01 - DEBUG - Apache status is: running
    08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    08.01.2015-17:01 - DEBUG - Apache restart return value is: 0
    08.01.2015-17:01 - DEBUG - Apache online status after restart is: running
    08.01.2015-17:01 - DEBUG - Processed datalog_id 3903
    08.01.2015-17:01 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    08.01.2015-17:01 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
    08.01.2015-17:01 - DEBUG - Enable SSL for: mydomain.com
    08.01.2015-17:01 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
    08.01.2015-17:01 - DEBUG - Apache status is: running
    08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    08.01.2015-17:01 - DEBUG - Apache restart return value is: 1
    08.01.2015-17:01 - DEBUG - Apache online status after restart is: down
    08.01.2015-17:01 - WARNING - Apache did not restart after the configuration change for website mydomain.com. Reverting the configuration. Saved non-working config as /etc/apache2/sites-available/mydomain.com.vhost.err
    08.01.2015-17:01 - WARNING - Reason for Apache restart failure: Restarting web server: apache2 ... waiting Action 'start' failed. The Apache error log may have more information. failed!
    08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    08.01.2015-17:01 - DEBUG - Processed datalog_id 3905
    08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    08.01.2015-17:01 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    Apache Error Log
    Code:
    [Thu Jan 08 17:01:31 2015] [notice] caught SIGTERM, shutting down
    [Thu Jan 08 17:01:33 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Jan 08 17:01:33 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
    [Thu Jan 08 17:01:33 2015] [notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
    [Thu Jan 08 17:01:33 2015] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
    [Thu Jan 08 17:01:33 2015] [notice] ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
    [Thu Jan 08 17:01:33 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
    [Thu Jan 08 17:01:33 2015] [notice] ModSecurity: LIBXML compiled version="2.8.0"
    [Thu Jan 08 17:01:33 2015] [notice] Original server signature: Apache/2.2.22
    [Thu Jan 08 17:01:33 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Jan 08 17:01:33 2015] [notice] Digest: generating secret for digest authentication ...
    [Thu Jan 08 17:01:33 2015] [notice] Digest: done
    [Thu Jan 08 17:01:34 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Jan 08 17:01:34 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
    [Thu Jan 08 17:01:34 2015] [notice] Apache/2.2.22 (Debian) DAV/2 mod_ssl/2.2.22 OpenSSL/1.0.1e Apache/2.2.0 (Fedora) mod_fcgid/2.3.6 PHP/5.4.36-0+deb7u1 mod_ruby/1.2.6 Ruby/1.8.7(2012-                      02-08) mod_perl/2.0.7 Perl/v5.14.2 configured -- resuming normal operations
    [Thu Jan 08 17:01:35 2015] [notice] caught SIGTERM, shutting down
    [Thu Jan 08 17:01:45 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Jan 08 17:01:45 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
    [Thu Jan 08 17:01:45 2015] [notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
    [Thu Jan 08 17:01:45 2015] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
    [Thu Jan 08 17:01:45 2015] [notice] ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
    [Thu Jan 08 17:01:45 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
    [Thu Jan 08 17:01:45 2015] [notice] ModSecurity: LIBXML compiled version="2.8.0"
    [Thu Jan 08 17:01:45 2015] [notice] Original server signature: Apache/2.2.22
    [Thu Jan 08 17:01:45 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Jan 08 17:01:45 2015] [notice] Digest: generating secret for digest authentication ...
    [Thu Jan 08 17:01:45 2015] [notice] Digest: done
    [Thu Jan 08 17:01:46 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu Jan 08 17:01:46 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
    [Thu Jan 08 17:01:46 2015] [notice] Apache/2.2.22 (Debian) DAV/2 mod_ssl/2.2.22 OpenSSL/1.0.1e Apache/2.2.0 (Fedora) mod_fcgid/2.3.6 PHP/5.4.36-0+deb7u1 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_perl/2.0.7 Perl/v5.14.2 configured -- resuming normal operations
    
     
    Last edited: Jan 9, 2015
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    For the server signature error, do you use mod_security?

    https://www.virtualmin.com/node/18675

    To get the full error in the vhost on the screen, try this:

    mv /etc/apache2/sites-available/mydomain.com.vhost /etc/apache2/sites-available/mydomain.com.vhost.bak
    mv /etc/apache2/sites-available/mydomain.com.vhost.err /etc/apache2/sites-available/mydomain.com.vhost

    /etc/init.d/apache2 restart

    Apache will most likely not start, but you will see the error. To start it again, do the renaming in reverse order:

    mv /etc/apache2/sites-available/mydomain.com.vhost /etc/apache2/sites-available/mydomain.com.vhost.err
    mv /etc/apache2/sites-available/mydomain.com.vhost.bak /etc/apache2/sites-available/mydomain.com.vhost

    /etc/init.d/apache2 restart
     
  17. onastvar

    onastvar Member

    Yes. I have mod_security installed on my server.
    I prefer to leave the ServerTokens setting at Minimal.

    I'm seeing this in the site error log:
    Code:
    [Fri Jan 09 09:04:15 2015] [error] Unable to configure RSA server private key
    [Fri Jan 09 09:04:15 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Jan 09 09:05:31 2015] [error] Unable to configure RSA server private key
    [Fri Jan 09 09:05:31 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Jan 09 09:06:07 2015] [error] Unable to configure RSA server private key
    [Fri Jan 09 09:06:07 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    In this thread, under post #9, he "Manually created the Key, CSR, and resubmitted CSR to trustico, generated new Cert, and copied files into /ssl directory of website":
    https://www.howtoforge.com/community/threads/ssl-certificate-error-apache-does-not-start.53543/

    Do I have to do the same, or could we fix the issue within ISPConfig?
     
    Last edited: Jan 9, 2015
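The two errors in this thread (the browser's name mismatch in post #1 and Apache's "X509_check_private_key:key values mismatch" above) can both be caught before the vhost is switched to SSL, by checking the files in the site's ssl/ directory against each other and against the hostname. The script below is an added example written for this thread, not code from ISPConfig or from either poster. It assumes the openssl command-line tool (1.1.1 or newer, for -addext and -checkhost); the <domain>.crt and <domain>.key file names follow the listing in post #1, and the mydomain.com fixtures it generates are constructed test data.

```shell
#!/bin/sh
# Pre-flight check for an ISPConfig-style ssl/ directory (example code, not ISPConfig's own).
# Catches the two failures seen in this thread before Apache is restarted:
#   * a certificate and key that do not belong together
#     (Apache: "X509_check_private_key:key values mismatch", vhost reverted to .err)
#   * a certificate that does not cover the hostname (browser name-mismatch error)
# Assumes the openssl CLI, 1.1.1 or newer. Paths other than the ISPConfig file
# naming (<domain>.crt / <domain>.key) are placeholders.
set -u

# RSA modulus of a certificate, printed as "Modulus=<hex>".
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# RSA modulus of a private key, same format, so the two strings compare directly.
key_modulus() { openssl rsa -noout -modulus -in "$1" 2>/dev/null; }

# 0 if certificate $1 was issued for private key $2, 1 otherwise.
pair_matches() {
  c=$(cert_modulus "$1"); k=$(key_modulus "$2")
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 covers hostname $2 (CN or a DNS SAN, wildcards included).
cert_covers_name() {
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Run both checks for one domain in an ssl/ directory. Prints one line per check
# and returns 0 only when everything agrees, so it can gate a restart.
check_site_ssl_dir() {
  dir=$1; domain=$2; rc=0
  crt="$dir/$domain.crt"; key="$dir/$domain.key"
  for f in "$crt" "$key"; do
    [ -r "$f" ] || { echo "MISSING  $f"; return 1; }
  done
  if pair_matches "$crt" "$key"; then
    echo "OK       private key matches certificate"
  else
    echo "MISMATCH $crt does not belong to $key (Apache will refuse to start)"; rc=1
  fi
  if cert_covers_name "$crt" "$domain"; then
    echo "OK       certificate covers $domain"
  else
    echo "MISMATCH certificate does not cover $domain (browser name error)"; rc=1
  fi
  return $rc
}

# Constructed fixtures for a stand-alone run: a self-signed cert for mydomain.com
# with its own key, plus an unrelated key to reproduce the thread's bad pairing.
make_fixtures() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mydomain.com" \
    -addext "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com" \
    -keyout "$d/mydomain.com.key" -out "$d/mydomain.com.crt" >/dev/null 2>&1
  openssl genrsa -out "$d/unrelated.key" 2048 >/dev/null 2>&1
  echo "$d"
}

# Usage: sh check_ssl_pair.sh /var/www/clients/client1/web2/ssl mydomain.com
if [ $# -eq 2 ]; then check_site_ssl_dir "$1" "$2"; fi
```

Run it against the site's ssl/ directory before (re)enabling SSL in the panel; a MISMATCH on the key line is exactly the condition that makes Apache fail to start and ISPConfig save the vhost as .vhost.err, and a MISMATCH on the name line is the browser error the thread opened with. Because the check compares the cert's modulus with the key's, it also tells you whether a CA-issued cert belongs to the CSR that is currently on disk, which is the question behind re-issuing the certificate after "delete certificate".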
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Please do these steps:

    1) Go to the SSL tab of the website, select delete certificate as action, empty the SSL certificate fields and press save. Wait 2 minutes.
    2) Delete all files in the /var/www/yourdomain.tld/ssl/ folder.
    3) Create a new self-signed SSL cert for this website in ISPConfig.

    IMPORTANT: Do not have it signed yet. Test if SSL works with the self-signed SSL cert.
     
  19. onastvar

    onastvar Member

    Thank You Till.
    I did steps 1-2-3 and now I can see site 1 ok (used to show site 2).
    This is with self-signed cert under https (with SSL warning).
    Can I proceed with signing by providing them with the new SSL Request (CSR) to get a new re-issued cert?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Please make a backup of all files that are now in the ssl folder. Then take the new CSR and have it signed.
     