No SSL Ispconfig with Proxy Manager

Discussion in 'Installation/Configuration' started by ststst, Aug 7, 2024.

  1. ststst

    ststst New Member

    Hello!

    I hope someone can help me with this.

I have a local Ispconfig installation on Ubuntu 22.04.

    I run Ispconfig with an Nginx proxy manager and therefore also receive Let's Encrypt certificates for the created websites and the Ispconfig page.

    The Ispconfig domain is vps2.domain.at and the mail server is vps2.domain.at

    Unfortunately I have the following problem:

    The mail server does not have an SSL certificate and I get the message when I want to integrate a mailbox in Outlook and when I specify my mailbox to a service.

Ports 25, 587, 993 are open via Fritzbox and 80 + 443 for Proxy Manager.


    Does anyone have the same setup and how was this solved?

    I thank you in advance for tips!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

You must forward port 80 and 443 for the system hostname to ISPConfig. You will not get a Let's Encrypt certificate otherwise.

    Btw, you can create any kind of web proxy in ISPConfig directly, so there is no need for a separate proxy manager.
     
  4. ststst

    ststst New Member

    I have other virtual servers running, so I need a proxy manager.

    I opened port 80 and 443 in the Fritzbox on the proxy manager.

    Ispconfig has the domain vps2.domain2.at and this domain is set up in the proxy manager including Let's Encrypt.

    I created 2 test websites in Ispconfig with the domain test1.domain2.at and test2.domain2.at - also in the proxy manager including Let's Encrypt.

    The mail server has the domain vps2.domain2.at - like Ispconfig.


    Port 25, 587, 993 are open in the Fritzbox for the Ispconfig IP.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

Not really, as you can do that through ISPConfig as well, like I mentioned.

    Ok, so the proxy manager catches all Let's encrypt requests, which means your mail system on ISPConfig can not get a certificate anymore as proxy manager prevents that. To get SSL for the mail system, port 80 for the hostname of the server must point to ISPConfig and you must take care that proxymanager does not interfere with the traffic in a way that it filters out any request or that it tries to catch any LE cert requests for the ISPConfig server hostname.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's fine, but not relevant for this issue. What matters is port 80 to get a LE certificate for the mail system as LE will try to contact the ISPConfig server on that port, if it can't because you put another software in between that prevents the connection, then you will not get a LE cert and your mail system must use a self-signed certificate or you can buy one and install it manually, or manually copy the LE cert and key from your proxy server to your ispconfig server every 3 months.
     
  7. ststst

    ststst New Member

    Thanks for the quick reply!

    Should I delete the LE certificates for ISPConfig and the 2 test websites in the proxy manager?

    The proxy manager then only has the IP from ISPConfig and no more LE certificates.

    Does ISPConfig then create certificates and should I create websites with “vps2.domain2.at” in ISPConfig and check SSL or am I thinking wrong here?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't know the proxy manager and if it can let pass all traffic unfiltered. You will have to read its docs or contact the support of that software to learn how to configure it so that it does not block Let's encrypt requests to the .well-known folder of a domain.

The certificate is created at install time, so the proxy should have been set up before you installed ISPConfig. However, you can recreate the system cert by running an ISPConfig update, letting the update reconfigure services, and choosing to create a new certificate during that process. Do not create a website for the system hostname.
     
  9. ststst

    ststst New Member

    I installed ISPConfig locally without proxy manager and no open ports. Then I assigned a domain and opened the ports. Should I do a new fresh installation with Proxy Manager port 80 and 443 without
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

A fresh install is not needed, you can still fix the existing one. The most important thing is that you must try to find out if you can set proxymanager to not filter out LE requests. After you did that, run an ISPConfig update as I mentioned above.
     
  11. ststst

    ststst New Member

    It is the Nginx Proxy Manager and I will check if it is possible that way.

Do I use the command like in this link? ispconfig_update.sh --force -- https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    Does ISPConfig automatically renew all certificates after 3 months or do I have to trigger it manually?

    Thank you for the answers.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    yes

    Yes. Just take care that LE still can reach ISPConfig, otherwise the renewal will fail.
     
  13. ststst

    ststst New Member

    I removed the LE certificates in the proxy manager.

    I started the command "ispconfig_update.sh --force" and after the backup I got this message:


    Checking ISPConfig database .. mysqlcheck: Got error: 1698: Access denied for user 'root'@'localhost' when trying to connect
    OK
    ERROR 1698 (28000): Access denied for user 'root'@'localhost'
    Unable to call mysql command line with credentials from mysql_clientdb.conf



    I will reinstall ISPConfig with vps1.domain.at and set up the DNS in the proxy beforehand so that ISPConfig is exposed to the outside world.

    Do you perhaps have a solution for the update?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

That's not related to your original issue. It means that you changed the MySQL root password and missed setting the new root password in the ISPConfig mysql_clientdb.conf file. A reinstall is not needed and not useful here.
     
  15. ststst

    ststst New Member

    I changed the Mysql password immediately after the automatic installation (script) because an automatic one was generated.

    I entered the new password after installation in /usr/local/ispconfig/server/lib/mysql_clientdb.conf.

    Is the password stored somewhere else? But I ran the script locally without any open ports at the time.

    Thanks.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    It's just stored there. But as you can see, the update fails when using the password from that file. Or you might have changed other things which prevent it from working like altering mysql port or similar.
     
  17. ststst

    ststst New Member

    I was able to repair mysql - should I post the commands here?

    I ran the command and renewed the certificates.

    Can I check the certificates and see if and when they will be renewed? Unfortunately I'm not sure about the proxy manager yet.

    I thank you for the quick answers.

    Is this information also in the manual?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, feel free to do that.

    When you connect to the ISPConfig UI, your web browser will show you if a certificate is invalid. As the UI uses the same cert as the email system, you know that it's correct by checking the UI. Your mail client will also tell you if it's not valid. Certificates get renewed automatically by Acme.sh, you might want to Google how many days before expiration Acme will attempt to renew it.

No, as none of this information is useful for a typical install. What we do here is basically work around the fact that you blocked LE from working, that's nothing that applies to any normal installation.
     
  19. ststst

    ststst New Member

    I noticed that no certificate was renewed.

    Using certificate path /root/.acme.sh/vps2.domain.at
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/vps2.domain.at
    [Thu Aug 8 08:12:00 AM UTC 2024] vps2.domain.at: Invalid status. Verification error details: xx.xx.xx.xx: Fetching http://vps2.domain.at/.well-known/acme-challenge/qSG0B3iIqNgfNvebHKMx7a7C97KxJ4iOHDdKL5mLf90: Connection refused
    [Thu Aug 8 08:12:00 AM UTC 2024] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.


    There isn't really anything useful in the log either.


I will do a new installation and do it right away with port 80, 443 and domain in the proxy.

    Thanks for the feedback
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

This is quite useful info, it means that acme.sh could not connect to the ISPConfig system from the internet. You can also test this manually. Create a test file on the ispconfig server:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    this test.txt file must be accessible from the internet now like this:

    http://vps2.domain.at/.well-known/acme-challenge/test.txt

    It might be difficult to test for you unless you have access to another system that is not in your local home network as the connection attempt must come from the internet and not your local network for a real test.
     
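The manual reachability test described in the post above, scripted as an added example (not code from the thread or from ISPConfig). It assumes curl is available, uses the acme-challenge directory quoted in the post, and maps the curl result to the same failure modes seen in the acme.log earlier in the thread (connection refused, a proxy answering with its own page, wrong content). The hostname vps2.domain.at is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: probe the HTTP-01 challenge path the way
# Let's Encrypt does. ACME_DIR is the ISPConfig path quoted in the thread.
ACME_DIR=/usr/local/ispconfig/interface/acme/.well-known/acme-challenge

# Map a curl result to a short diagnosis.
# $1 = curl exit code, $2 = HTTP status code, $3 = body received, $4 = body expected
classify_acme_probe() {
    case "$1" in
        0)  ;;                                      # transport ok, inspect HTTP layer below
        6)  echo "dns-failure"; return 0 ;;         # hostname does not resolve
        7)  echo "connection-refused"; return 0 ;;  # what the acme.log in the thread shows
        28) echo "timeout"; return 0 ;;             # port 80 filtered or not forwarded
        *)  echo "curl-error-$1"; return 0 ;;
    esac
    [ "$2" = "200" ] || { echo "http-$2"; return 0; }      # e.g. the proxy answered with its own 404
    [ "$3" = "$4" ] || { echo "wrong-content"; return 0; }  # something else served the path
    echo "ok"
}

# Write a random token file into ACME_DIR (run this part on the ISPConfig server).
create_probe_token() {
    token="ispconfig-probe-$(date +%s)"
    printf '%s\n' "$token" > "$ACME_DIR/$token"
    echo "$token"
}

# Fetch the token from a host outside the home network and classify the result.
# $1 = server hostname, $2 = token name, $3 = expected body
probe_acme_path() {
    tmp=$(mktemp)
    code=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 \
        "http://$1/.well-known/acme-challenge/$2"); rc=$?
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_acme_probe "$rc" "$code" "$body" "$3"
}

# Usage (two machines): on the ISPConfig host:   tok=$(create_probe_token)
# from a host outside the LAN:                    probe_acme_path vps2.domain.at "$tok" "$tok"
```

Anything other than "ok" means Let's Encrypt will see the same failure during renewal, so the proxy or port forwarding still needs fixing before the next ISPConfig update.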
