NET::ERR_CERT_AUTHORITY_INVALID for ispconfig 3.1.12

Discussion in 'ISPConfig 3 Priority Support' started by Frost, Jun 17, 2018.

Page 1 of 2
  1. Frost

    Frost Member

    I followed the manual for multiserver setup on debian 8 but when I visited ispconfig url on port 8080, I was prompted that the connection is not private. Does the certbot setup in the manual only for the domains to be added on ispconfig admin and doesn't include ispconfig url?
     
    Frost, Jun 17, 2018
    #1
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Taleman, Jun 17, 2018
    #2
  3. Frost

    Frost Member

    Last edited: Jun 17, 2018
    Frost, Jun 17, 2018
    #3
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Depends on what you want.
    The easy way is to tell your bowser to accept the self signed cert you presumably made during installation.
     
    Taleman, Jun 17, 2018
    #4
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    By default, an ISPConfig setup uses a self signed SSL cert for the controlpanel. A self signed cert is not less secure encryption wise, it is just not issues by a known SSL authority. You can switch to LE by using the guide @Taleman posted a link to. The first step is that you create a website in ispconfig which has the hostname of the server as domain name and enable LE in that website, after this step, you should have an /etc/letsencrypt/live directory.
     
    till, Jun 18, 2018
    #5
  6. Frost

    Frost Member

    I added a website on ISPConfig as discuss in that link and it created /etc/letsencrypt/live. When I access the ISPConfig panel using ip, I received NET::ERR_CERT_COMMON_NAME_INVALID. Because the certificate is issue to my FQDN and not my ip. I check the certificate it shows my FQDN. But when I visit via FQDN it shows ERR_SSL_PROTOCOL_ERROR.

    On the Domain tab it shows the Document Root as /var/www/clients/client0/web1 which is not the root of ISPConfig
    When creating website in ISP config. Do I need to fill up the SSL tab?
     
    Last edited: Jun 18, 2018
    Frost, Jun 18, 2018
    #6
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    SSL Certificates are always issued for a domain name and not for an IP, you have to use the server hostname (FQDN) to access it.
    Protocol errors are shown when you e.g. try to access an https website with http. Ensure that you use https:// in front of the FQDN. Example:

    https://server1.yourdomain.tld:8080
     
    till, Jun 18, 2018
    #7
  8. Frost

    Frost Member

    upload_2018-6-18_19-26-17.png
     
    Frost, Jun 18, 2018
    #8
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, does it work when you use http:// instead of https:// in the exact same URL?
     
    till, Jun 18, 2018
    #9
  10. Frost

    Frost Member

    no. it shows this error
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
     
    Frost, Jun 18, 2018
    #10
  11. Enrique García

    Enrique García Member

    I try but fail at the cat line:

    root@fyde:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserve r.pem
    cat: ispserver.key: No such file or directory
    cat: ispserver.crt: No such file or directory
    root@fyde:/usr/local/ispconfig/interface/ssl#

    The folder:
    root@fyde:/usr/local/ispconfig/interface/ssl# ls -l
    total 20
    -rwxr-x--- 1 root root 45 Feb 21 09:56 empty.dir
    lrwxrwxrwx 1 root root 51 May 22 21:32 ispserver.crt -> /etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem
    -rwxr-x--- 1 root root 2122 Jan 14 2018 ispserver.crt-190522213034.bak
    -rwxr-x--- 1 root root 1748 Jan 14 2018 ispserver.csr
    lrwxrwxrwx 1 root root 49 May 22 21:32 ispserver.key -> /etc/letsencrypt/live/www.fyde.com.mx/privkey.pem
    -rwxr-x--- 1 root root 3243 Jan 14 2018 ispserver.key-190522213048.bak
    -rwxr-x--- 1 root root 3311 Jan 14 2018 ispserver.key.secure
    -rw------- 1 root root 0 May 22 22:34 ispserver.pem
    root@fyde:/usr/local/ispconfig/interface/ssl#

    Please help :)
     
    Enrique García, May 23, 2019
    #11
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    till, May 23, 2019
    #12
  13. Enrique García

    Enrique García Member

    Here the info:
    root@fyde:~# ls -la /etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem
    ls: cannot access '/etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem': No such file or directory
    root@fyde:~# ls -la /etc/letsencrypt/live/www.fyde.com.mx/privkey.pem
    ls: cannot access '/etc/letsencrypt/live/www.fyde.com.mx/privkey.pem': No such file or directory

    Regards,
     
    Enrique García, May 23, 2019
    #13
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, that explains the problem. Seems as if you did not got an SSL cert from LE. Check the letsencryp.log to find out why LE did not issue a cert to you.
     
    till, May 23, 2019
    #14
  15. Enrique García

    Enrique García Member

    There's no letsencryp.log. But it's works the https://fyde.com.mx is ok
    But the https://fyde.com.mx:8080 is not, I have problems with antivirus an another plataforms that do not access to my server because the self signed certificate.
    The SSL lets's encrypt check box in the ispconfig is activated.

    Please help.
     
    Last edited: May 23, 2019
    Enrique García, May 23, 2019
    #15
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, you say you have a LE cert for fyde.com.mx but above you use the path www.fyde.com.mx. So probably the LE cert has a different name.

    Post the output of:

    ls -la /etc/letsencrypt/live/fyde.com.mx/
     
    till, May 23, 2019
    #16
  17. Enrique García

    Enrique García Member


    root@fyde:~# ls -la /etc/letsencrypt/live/fyde.com.mx/
    total 12
    drwxr-xr-x 2 root root 4096 May 23 03:00 .
    drwx------ 7 root root 4096 Jan 19 01:04 ..
    lrwxrwxrwx 1 root root 35 May 23 03:00 cert.pem -> ../../archive/fyde.com.mx/cert6.pem
    lrwxrwxrwx 1 root root 36 May 23 03:00 chain.pem -> ../../archive/fyde.com.mx/chain6.pem
    lrwxrwxrwx 1 root root 40 May 23 03:00 fullchain.pem -> ../../archive/fyde.com.mx/fullchain6.pem
    lrwxrwxrwx 1 root root 38 May 23 03:00 privkey.pem -> ../../archive/fyde.com.mx/privkey6.pem
    -rw-r--r-- 1 root root 543 Jul 26 2018 README

    :)
     
    Enrique García, May 23, 2019
    #17
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Run these commands to fix it:

    Code:
    cd /usr/local/ispconfig/interface/ssl/
rm ispserver.crt
rm ispserver.key
rm ispserver.pem
ln -s /etc/letsencrypt/live/fyde.com.mx/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/fyde.com.mx/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
     
    till, May 23, 2019
    #18
  19. Enrique García

    Enrique García Member

    Done, ok.
    Chrome display:
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: www.fyde.com.mx

    Issuer: www.fyde.com.mx

    Expires on: 12 ene 2028

    Current date: 23 may 2019

    PEM encoded chain:-----BEGIN CERTIFICATE-----
    MIIF8jCCA9qgAwIBAgIJAPxWq4w8UB6zMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
    VQQGEwJNWDELMAkGA1UECAwCTkwxEjAQBgNVBAcMCU1PTlRFUlJFWTENMAsGA1UE
    ..
    ..

    -----END CERTIFICATE-----



    Internet explorer:
    Código de error: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID

    Firefox:
    Código de error: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


    Please help
     
    Enrique García, May 23, 2019
    #19
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    restart apache afterwards.
     
    till, May 23, 2019
    #20
Page 1 of 2

Share This Page