Perfect debian unable to access ISPConfig control panel

which I fully agree on. I was just thinking to prevent dieing mysql or clamav while running the server until the upgrade.
It won't fix the configuration issue I assumed, true.

 

yes, installed on a fresh instances of vultr using their debian. it was a clean slate. i started this instance 8 months ago it was indeed a perfect server .. just LE was not configured correctly.
you were bang on the stopping clamav, rspamd and redis, i stopped and restarted but did not help

 

leaves me puzzled, bang on and it did not solve =) stopping is not enough if you do a reboot afterwards ( disable, mask, comment out in configuration) ?
If this is a fresh setup, any chance you have
/var/log/ispconfig_install.log
still?

 

i did not do anything different.
the codeigniter output is from sub domain billing.example.com:80 which is picked up by default, server1.example.com:80 both are having same output. sorry, if i have confused you, this output is not coming out of 8080

 

i did a force install after the server1.example.com:8080 stopped working. so dont know if that would help. anyway will post it shortly

 

attached ispconfig log

 

see attached a /etc/apache2/sites-available/ispconfig.vhost just to be sure, I think it's fine for you probably.
I took this from a week old new debian 12 setup =)

Could you check if an apache module is missing for some reason?

sure those are not all needed but worthy checking. ( https://www.howtoforge.com/perfect-server-debian-12-buster-apache-bind-dovecot-ispconfig-3-2/ )


Regarding the port 80 issue, seems you rely on php-fpm which seems not to be configured on there.
A quick fix _might_ be, depending on the issue

Code:

a2enconf php8.2-fpm

Also, are you allowing * as IP for Hosts? NameVirtualHost settings for IPs disabled?

 

Code:

● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/clamav-daemon.service.d
             └─extend.conf
     Active: active (running) since Sun 2024-05-26 22:17:52 IST; 1min 18s ago
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
    Process: 873 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
    Process: 885 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
   Main PID: 890 (clamd)
      Tasks: 2 (limit: 1099)
     Memory: 672.2M
        CPU: 28.920s
     CGroup: /system.slice/clamav-daemon.service
             └─890 /usr/sbin/clamd --foreground=true

May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> fds_poll_recv: timeout after 3600 seconds
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Received POLLIN|POLLHUP on fd 3
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Got new connection, FD 9
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Received POLLIN|POLLHUP on fd 5
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> fds_poll_recv: timeout after 30 seconds
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Received POLLIN|POLLHUP on fd 9
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> client read error or EOF on read
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Shutting down socket after error (FD 9)
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> Number of file descriptors polled: 1 fds
May 26 22:18:52 server1 clamd[890]: Sun May 26 22:18:52 2024 -> fds_poll_recv: timeout after 3600 seconds

clamav would not die but rspamd and redis are stopped and disabled. i have rebooted the system again.

 

Code:

/etc/apache2/mods-enabled$ ls
access_compat.load  dav.load          passenger.load
actions.conf        deflate.conf      perl.load
actions.load        deflate.load      proxy.conf
alias.conf          dir.conf          proxy.load
alias.load          dir.load          python.load
auth_basic.load     env.load          reqtimeout.conf
auth_digest.load    fcgid.conf        reqtimeout.load
authn_core.load     fcgid.load        rewrite.load
authn_file.load     filter.load       setenvif.conf
authz_core.load     headers.load      setenvif.load
authz_host.load     include.load      socache_shmcb.load
authz_user.load     mime.conf         ssl.conf
autoindex.conf      mime.load         ssl.load
autoindex.load      mpm_event.conf    status.conf
cgid.conf           mpm_event.load    status.load
cgid.load           negotiation.conf  suexec.load
dav_fs.conf         negotiation.load
dav_fs.load         passenger.conf

seems all mods listed above are enabled

Code:

$ a2enconf php8.2-fpm
Conf php8.2-fpm already enabled

 

a2dismod reqtimeout negotiation deflate autoindex -f
if you do not want apache to be able to list directorys, use memory to compress the output and maybe weaken tls with that,
negotiation is probably not used either and reqtimeout can be a beast depending on the client connection usually but in this case, who knows.
a2disconf localized-error-pages

at least will save you some precious memory too.
If you do not need passenger for anything, disable it aswell aswell as python if possible, it should not disable the ssh clients to run their python code if it's not something attached to the webserver ).
Also perl, who is using perl on a webhosting still ^^

Will this fix your issue? Probably not, just save some memory and cpu time.

both needs to be disabled / masked.

not a good sign

 

yeap not using python for webpages, i think on proxy mode.

 

Is there a
head -n 10 /etc/apache2/sites-enabled/???-server1.example ???..... conf
?
Have you tried enabling Loglevel trace in /etc/apache2/apache.conf , make a request to :8080 and stop the debug log again
Have you tried accessing from a different server, system, or the very same server?

the proxy module is likely used for php-fpm only if you are using proxypass along fcgid module, better to keep that

dav_* dav* is something uncommon these days also

Edit: Were there any other changes? Enabling DNSSEC or something like that? Cleared the browser cache to be sure? Tried different browser, or as mentioned curl on the local server to see if it can wget :8080

 

Never did anything specifically other than what is mentioned in the perfect server setup.

surprise

Code:

server$ wget https://server1.example.in:8080
--2024-05-26 23:49:05--  https://server1.example.in:8080/
Resolving server1.example.in (server1.example.in)... 127.0.1.1
Connecting to server1.example.in (server1.example.in)|127.0.1.1|:8080... connected.
HTTP request sent, awaiting response... 302 Found
Location: /login/ [following]
--2024-05-26 23:49:06--  https://server1.example.in:8080/login/
Reusing existing connection to server1.example.in:8080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

 

we should've suggested earlier but uhm now we know you have potential for memory related issues, not saying they caused them defnitly but potential, so there's that.

that index.html should have some html login related in it and not what you posted for the :80 host
Question now is, is it your browser, your network, or ISP pr VPN preventing you from reaching the site?
fail2ban bans should have been gone by now I assume. ISPConfig?
Do you get a new IP if you reconnect the internet?

 

wget got different output from client
client$ wget -r --tries=1 https://server1.example.in:8080 -o log -S

Code:

--2024-05-27 00:11:27--  https://server1.example.in:8080/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving server1.example.in (server1.example.in)... 1.2.3.4
Connecting to server1.example.in (server1.example.in)|1.2.3.4|:8080... failed: Connection timed out.
Giving up.

 

the error notice could be because of some php package updates and poorly maintain billing module, i have hosted in the sub domain .. billing.example.in
i have verified another php website still running successfully without downtime (for many years now). if i am banned all the websites should not work right .. not from 8080 only. i may be wrong here, as i am not an expert.
yes, if i switch off and on the router, i will get a new ip from the ISP

 

exhausted by now. will try to resolve the issue during the course of next week or simple do a fresh installation during weekend. going to a slow mode for now. learnt a lot from you Christoph. Thank you and Till together.

 

happy to inform i am able to successfully install all certificates, except another subdomain ( harshit.example.in ) linked with a SSH account.

acme.sh --renew-all --force

Code:

[Mon May 27 12:15:17 PM IST 2024] Renew: 'server1.example.in'
[Mon May 27 12:15:17 PM IST 2024] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Mon May 27 12:15:18 PM IST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon May 27 12:15:18 PM IST 2024] Single domain='server1.example.in'
[Mon May 27 12:15:21 PM IST 2024] Getting webroot for domain='server1.example.in'
[Mon May 27 12:15:22 PM IST 2024] server1.example.in is already verified, skip http-01.
[Mon May 27 12:15:22 PM IST 2024] Verify finished, start to sign.
[Mon May 27 12:15:22 PM IST 2024] Lets finalize the order.
[Mon May 27 12:15:22 PM IST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1285050216/2729675107'
[Mon May 27 12:15:24 PM IST 2024] Downloading cert.
[Mon May 27 12:15:24 PM IST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/038e2643cbdb5c26b8d2c434642aa79d'
[Mon May 27 12:15:25 PM IST 2024] Cert success.

firefox browser is now showing a more descriptive error.