Let's Encrypt help : 2 cases, one of which is unsolvable

Discussion in 'Installation/Configuration' started by Keoz, Dec 22, 2020.

  1. Keoz

    Keoz Member

    *** MY ENVIRONMENT ***
    Machine : remote VPS SSD 2
    OS distro : Ubuntu 18.04
    Cpanel : ISPConfig 3.2.1
    Web server : apache2.4 (ports 80/443)

    Hello,

    I just want to get rid of a security alert page (screen capture in case 2 below) that loads and shows up to visitors in front of the login page, whose access is subject to acceptance of a security risk !

    Please consider my questions at the end of this post.


    ******* CASE 1 (NO FAILURE) *************
    Domain : mydomaine.com
    Repository path : var/www/clients/client1/web1/web/
    Ports (default) : 80 / 443
    Installation and configuration :
    • Website builder installed from FTP client
    • Let’s Encrypt and SSL enabled in ISPConfig /sites/mydomain/domain (checked LE and SSL checkboxes)
    • Http to https redirection checkbox checked in ISPConfig /sites/mydomain/redirection
    CLEAN HTTPS CONNECTION : proper connection to the website landing page (no security alert page, and no warning triangle hovering over the padlock in the URL field)

    Most significant differences between case 1 above and case 2 hereunder : installation mode (see screen capture in case 2), and ports.

    ******* CASE 2 (SECURITY ALERT) ***************
    Domain : webradio.mydomaine.com
    Repository path : var/www/clients/client1/web2/web/azuracast
    Ports : 10080 / 10443 (allowed from the firewall tab)
    Installation and configuration :
    • Webradio server installed from terminal SSH command lines
    • Docker and docker compose installation accepted
    • Let’s Encrypt automatic setting refused during installation
    • Let’s Encrypt and SSL enabled in ISPConfig /sites/webradio.mydomain/domain (checked LE and SSL checkboxes)
    • Http to https redirection checkbox checked in ISPConfig /sites/webradio.mydomain/redirection
    HTTPS CONNECTION ERROR : security alert page showing up in front of the login page (Login page comes with a warning triangle hovering over the padlock in the URL field)
    SCREEN CAPTURES : terminal (installation) and security alert page

    *** QUESTIONS ***
    What makes case 1 and case 2 behave differently upon https connection ?
    What may cause the loading of a security alert page in case 2 ?
    Should I add some apache directives (proxy_path matter...) : https://github.com/AzuraCast/AzuraCast/issues/2616 ?
    Do I need to get a free SSL certificate from Certbot Git repository (link below) ?
    https://www.ma-no.org/en/networking...o-s-encrypt-ssl-certificates-with-ispconfig-3

    Regards,
     
    Last edited: Dec 22, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It is written in the screenshot you provided:
    Utilise un certificat de securite invalide
    Examine what certificate the site has by clicking the padlock icon on browser address bar.
     
    ahrasis likes this.
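
The check suggested above can also be run from a terminal. This is an added example, not code from the thread or from ISPConfig or AzuraCast: it performs the verified TLS handshake a browser would against the hostname and ports given in case 2 and names the reason when verification fails. The names `CAUSES`, `explain` and `check` are hypothetical.

```python
import socket
import ssl

# OpenSSL verify codes (X509_V_ERR_*) behind the most common browser warnings.
CAUSES = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate, not issued by a CA such as Let's Encrypt",
    19: "self-signed certificate in the chain",
    20: "issuer not trusted or intermediate certificate missing",
    62: "certificate does not list this hostname",
}


def explain(verify_code, verify_message=""):
    """Turn an OpenSSL verify code into a human-readable cause."""
    return CAUSES.get(verify_code, f"verify error {verify_code}: {verify_message}")


def check(host, port, timeout=5.0):
    """Do a verified TLS handshake as a browser would and report the outcome."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # must precede OSError
        return {"ok": False, "reason": explain(exc.verify_code, exc.verify_message)}
    except OSError as exc:  # refused, timeout, DNS failure, non-TLS port
        return {"ok": False, "reason": f"connection failed: {exc}"}
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "ok": True,
        "issuer": issuer.get("organizationName", issuer.get("commonName")),
        "not_after": cert["notAfter"],
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


if __name__ == "__main__":
    # Hostname and ports as given in case 2 of the thread.
    for port in (443, 10443):
        print(port, check("webradio.mydomaine.com", port))
```

Running it against both ports shows whether the certificate requested through ISPConfig and the one served by the service on 10443 are the same certificate.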
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So you created 2 sites in ISPConfig, but they're on different ports? ISPConfig vhosts set port numbers from the same template, what did you do to set different port numbers? Or do you mean that azuracast is running on those ports, and the website itself is on 80/443, proxying connections?

    The text in your screenshot seems like azuracast is configuring nginx, and also handling letsencrypt? but you said you had apache. I've never used it, and maybe that's harmless.

    As for debugging why you can't request a certificate using ISPConfig, see the letsencrypt faq. I think that applies to your setup, but it's not entirely clear.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think you got it wrong. Simply open ISPConfig vhost created for your AzuraCast website, modify it according to AzuraCast suggested configuration, without any need to change ports to 10080 and 10443 and that basically should be it. In most website software, the default is "no need proxying whatsoever", unless it clearly specifies you to do so.

    https://www.azuracast.com/extending/letsencrypt.html#enabling-letsencrypt
     
    Jesse Norell likes this.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Unfortunately, after doing some in-depth reading on AzuraCast, I found out that it is a complete server package and therefore cannot be used together with ISPConfig unless you want to use already mentioned ansible approach which requires a lot of time, energy and expertise to make a successful install.
     
  6. Keoz

    Keoz Member

    You’re probably right, because I succeeded in installing AzuraCast and finally established a proper secured connection to the setup page (https in the URL’s prefix and no alert symbol or security alert page), outside of the ISPConfig tree structure :

    Installation through path var/azuracast WORKS !
    whereas installation through path var/www/clients/client1/web1/web FAILS (as already said in above posts).

    AZURACAST INSTALLATION PROCESS DETAIL
    • Firstly, so as to avoid a ports conflict, I temporarily changed apache default ports 80 / 443 to custom ones in file etc/apache2/ports.conf and in file etc/apache2/sites-available/000-default.conf, as Azuracast LE automatic setting (upon installation) can only be done on ports 80 / 443 (that must not be already used).
    • Secondly, I followed the instructions to install Azuracast through standard path var/azuracast. During installation, I did accept docker packages installation, and I agreed to LE automatic setting on default ports 80 / 443.
    • Thirdly, using the docker script I changed AzuraCast server ports from 80 / 443 to 10080 / 10443, and I changed the apache customized ports back to default ports 80 / 443 in file etc/apache2/ports.conf and in file etc/apache2/sites-available/000-default.conf.
    • Fourthly, I tried to connect to my Azuracast server setup page in secured HTTPS mode, e.g. https://radio.mydomain.com : SUCCESS ! (no security alert sign or page) !
    Afterward, I created a new website, so as to ensure that AzuraCast can work on my VPS alongside other websites set in ISPConfig that have a Vhost listening on the same 80 / 443 ports as apache. I succeeded in connecting to the new website's default ISPConfig welcome page too, e.g. https://somecms.mydomain.com

    QUESTIONS
    If for whatever reason I prefer to install AzuraCast webradio server using the ISPConfig tree structure e.g. var/www/clients/client1/web1/web :
    • Would you confirm that, whatever the attempts, a proper https connection to the AzuraCast setup page will fail (showing a security alert symbol or page) ?
    • Or may this issue be avoided if LE configuration is set on the ISPConfig panel side, rather than upon AzuraCast server installation ?
    • Or may this issue be solved using some apache or php directives… ?
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The point is, AzuraCast is not just a website software but a full server software that, like ISPConfig, prefers a fresh clean install.
     