PerfectServer & ISPConfig3 Ubuntu problem

Discussion in 'Installation/Configuration' started by Rudflodur, Apr 8, 2014.

  1. Rudflodur

    Rudflodur New Member

    Hmmm - I have followed the "Perfect Server" installation HowTo for Ubuntu 12.04. Everything worked fine, the ISPConfig 3 installation as well.
    BUT - when I try to get access to the server IP:8080, there is no access, "Zeitüberschreitung" with https as well as with http.
    The server's landing page http://IP is available with the default text (It works....).

    Currently, I have no idea where to locate the problem. Any help would be appreciated...
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reason is a firewall that blocks port 8080. If the server is in a datacenter, then check that the datacenter does not run a firewall in front of the server. To check the server itself, run:

    iptables -L

    and

    netstat -tap
     
  3. Rudflodur

    Rudflodur New Member

    Hmm
    there is a provider's (1&1) firewall; I have opened TCP port 8080
    netstat -tap does not show anything listening to port 8080
    nmap -v IP from the server does show an open TCP port 8080
    nmap -v IP from external does not show an open port 8080

    Who is still blocking that port?

    iptables - I do not really see where the problem could be:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Any further help where the problem is?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The iptables output is ok. Please post the netstat output as well.
     
  5. Rudflodur

    Rudflodur New Member

    I have added the complete output of the "htf common issues" report (sorry, I should have read this before...):

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.0.5.3


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 5.3.10-1ubuntu3.11

    ##### PORT CHECK #####
    Nothing in here?

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 8109)
    [INFO] I found the following mail server(s):
    Postfix (PID 15943)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 16865)
    [INFO] I found the following imap server(s):
    Dovecot (PID 16865)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 16959)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    ***.***.***.***:53 (16978/named)
    [localhost]:53 (16978/named)
    [anywhere]:21 (16959/pure-ftpd)
    [anywhere]:22 (23399/sshd)
    [localhost]:953 (16978/named)
    [anywhere]:25 (15943/master)
    [anywhere]:993 (16865/dovecot)
    [anywhere]:995 (16865/dovecot)
    [localhost]:10024 (8151/amavisd)
    [localhost]:9000 (27474/php-fpm.conf))
    [localhost]:10025 (15943/master)
    [anywhere]:3306 (15585/mysqld)
    [anywhere]:587 (15943/master)
    [anywhere]:110 (16865/dovecot)
    [anywhere]:143 (16865/dovecot)
    [anywhere]:465 (15943/master)
    *:*:*:*::*:53 (16978/named)
    *:*:*:*::*:21 (16959/pure-ftpd)
    *:*:*:*::*:22 (23399/sshd)
    *:*:*:*::*:953 (16978/named)
    *:*:*:*::*:25 (15943/master)
    *:*:*:*::*:443 (8109/apache2)
    *:*:*:*::*:993 (16865/dovecot)
    *:*:*:*::*:995 (16865/dovecot)
    *:*:*:*::*:587 (15943/master)
    [localhost]10 (16865/dovecot)
    [localhost]43 (16865/dovecot)
    *:*:*:*::*:8080 (8109/apache2)
    *:*:*:*::*:80 (8109/apache2)
    *:*:*:*::*:8081 (8109/apache2)
    *:*:*:*::*:465 (15943/master)

    And the netstat output:
    netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 ******.online:domain *:* LISTEN 16978/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 16978/named
    tcp 0 0 *:ftp *:* LISTEN 16959/pure-ftpd (SE
    tcp 0 0 *:ssh *:* LISTEN 23399/sshd
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 16978/named
    tcp 0 0 *:smtp *:* LISTEN 15943/master
    tcp 0 0 *:imaps *:* LISTEN 16865/dovecot
    tcp 0 0 *:pop3s *:* LISTEN 16865/dovecot
    tcp 0 0 localhost.localdo:10024 *:* LISTEN 8151/amavisd (ch1-a
    tcp 0 0 localhost.localdom:9000 *:* LISTEN 27474/php-fpm.conf)
    tcp 0 0 localhost.localdo:10025 *:* LISTEN 15943/master
    tcp 0 0 *:mysql *:* LISTEN 15585/mysqld
    tcp 0 0 *:submission *:* LISTEN 15943/master
    tcp 0 0 *:pop3 *:* LISTEN 16865/dovecot
    tcp 0 0 *:imap2 *:* LISTEN 16865/dovecot
    tcp 0 0 *:ssmtp *:* LISTEN 15943/master
    tcp 0 0 localhost.localdo:mysql localhost.localdo:37472 ESTABLISHED 15585/mysqld
    tcp 0 272 *****.onlinehom:ssh ****.dip0.t-:29147 ESTABLISHED 17549/sshd: rudolf
    tcp 0 0 localhost.localdo:37472 localhost.localdo:mysql ESTABLISHED 8151/amavisd (ch1-a
    tcp 0 0 localhost.localdo:50110 localhost.localdo:imap2 TIME_WAIT -
    tcp 0 0 localhost.localdo:44351 localhost.localdom:http TIME_WAIT -
    tcp 69 0 localhost.localdo:51410 localhost.localdo:10025 CLOSE_WAIT 8151/amavisd (ch1-a
    tcp 0 0 localhost.localdo:45310 localhost.localdoma:ftp TIME_WAIT -
    tcp6 0 0 [::]:domain [::]:* LISTEN 16978/named
    tcp6 0 0 [::]:ftp [::]:* LISTEN 16959/pure-ftpd (SE
    tcp6 0 0 [::]:ssh [::]:* LISTEN 23399/sshd
    tcp6 0 0 ::1%3453825541:953 [::]:* LISTEN 16978/named
    tcp6 0 0 [::]:smtp [::]:* LISTEN 15943/master
    tcp6 0 0 [::]:https [::]:* LISTEN 8109/apache2
    tcp6 0 0 [::]:imaps [::]:* LISTEN 16865/dovecot
    tcp6 0 0 [::]:pop3s [::]:* LISTEN 16865/dovecot
    tcp6 0 0 [::]:submission [::]:* LISTEN 15943/master
    tcp6 0 0 [::]:pop3 [::]:* LISTEN 16865/dovecot
    tcp6 0 0 [::]:imap2 [::]:* LISTEN 16865/dovecot
    tcp6 0 0 [::]:http-alt [::]:* LISTEN 8109/apache2
    tcp6 0 0 [::]:http [::]:* LISTEN 8109/apache2
    tcp6 0 0 [::]:tproxy [::]:* LISTEN 8109/apache2
    tcp6 0 0 [::]:ssmtp [::]:* LISTEN 15943/master

    Is ISPConfig 3 not running?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is running, the line:

    tcp6 0 0 [::]:http-alt [::]:* LISTEN 8109/apache2

    is the ispconfig vhost on port 8080 and:

    tcp6 0 0 [::]:tproxy [::]:* LISTEN 8109/apache2

    is the ispconfig apps vhost on port 8081. So the problem that you can't access is not ispconfig here, the problem must be outside of the server. You should write the support of your ISP an email, that you can't access an http service on port 8080 tcp not on your server and ask them to check their firewall. You can e.g. send them the netstat lines as well.
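
The netstat reading in the post above, as an added example that is not part of the thread: `netstat -tap` prints service names from /etc/services, so port 8080 appears as http-alt and 8081 as tproxy. The script maps those names back to numbers and combines the listener check with the results of a local and a remote connect test (passed in as yes/no) to say where traffic is dropped; the function names and verdict labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): resolve netstat service names to ports,
# then classify where a connection to a port is being dropped.

# Standard /etc/services names that appear in the thread's netstat output.
svc_port() {
    case "$1" in
        domain) echo 53 ;;   ftp) echo 21 ;;      ssh) echo 22 ;;
        smtp) echo 25 ;;     http) echo 80 ;;     pop3) echo 110 ;;
        imap2) echo 143 ;;   https) echo 443 ;;   ssmtp) echo 465 ;;
        submission) echo 587 ;; imaps) echo 993 ;; pop3s) echo 995 ;;
        mysql) echo 3306 ;;  http-alt) echo 8080 ;; tproxy) echo 8081 ;;
        *) echo "$1" ;;      # already numeric, or a name not in this map
    esac
}

# stdin: `netstat -tap` output. stdout: "port pid/program" per LISTEN socket.
listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n], $7 }' |
    while read -r name prog; do
        echo "$(svc_port "$name") $prog"
    done
}

# diagnose PORT LOCAL_OK REMOTE_OK (yes/no connect results), netstat on stdin
diagnose() {
    if ! listeners | awk -v p="$1" '$1 == p { f = 1 } END { exit !f }'; then
        echo "service"          # nothing is bound to the port
    elif [ "$2" = no ]; then
        echo "host-firewall"    # bound, but even a local connect fails
    elif [ "$3" = no ]; then
        echo "upstream-filter"  # works on the host, dropped before reaching it
    else
        echo "reachable"
    fi
}

# Excerpt of the netstat output posted in the thread.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 *:ssh *:* LISTEN 23399/sshd
tcp 0 0 localhost.localdo:mysql localhost.localdo:37472 ESTABLISHED 15585/mysqld
tcp6 0 0 [::]:http-alt [::]:* LISTEN 8109/apache2
tcp6 0 0 [::]:tproxy [::]:* LISTEN 8109/apache2
EOF
}

sample_netstat | diagnose 8080 yes no
```

Running `netstat -tanp` instead prints numeric ports directly, which avoids the name lookup altogether.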
     
  7. Rudflodur

    Rudflodur New Member

    Till - thanks for your feedback. I have checked this with my provider. On his side, 8080 is open, it seems to be blocked on the "perfect server", as this was a new installation. Any further idea what firewall could block that port?

    Thanks in advance
    Rudolf
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

  9. Rudflodur

    Rudflodur New Member

    Maybe, that's the problem causer:
    wget https://localhost:8080
    --2014-04-09 12:59:04-- https://localhost:8080/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
    ERROR: cannot verify localhost's certificate, issued by `/C=DE/ST=Some-State/O=Internet Widgits Pty Ltd':
    Self-signed certificate encountered.
    ERROR: certificate common name `' doesn't match requested host name `localhost'.
    To connect to localhost insecurely, use `--no-check-certificate'.
    ---
    Same through IP. It seems that I have made a mistake when establishing the certificate during the last installation steps. Is there a way to renew this step?

    Thanks for your help!
    Rudolf
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I think the ssl cert is ok, your browser should prompt you to accept the ssl cert and not give you a timeout. You can try with:

    wget --no-check-certificate https://localhost:8080
    wget --no-check-certificate https://IP:8080

    Of course you can also try to create a new cert. Download the ispconfig tar.gz again, unpack it, go to the install folder and run "php update.php" instead of install.php and choose to reconfigure services. In one of the steps, the updater will ask you if a new ssl cert shall be created, choose "y" and then accept all defaults, this will create a valid cert in any case. You can later replace it when we solved that issue by a custom one.
     
  11. Rudflodur

    Rudflodur New Member

    wget --no-check-certificate https://IP:8080
    --2014-04-09 13:13:54-- https://IP:8080/
    Connecting to IP:8080... connected.
    WARNING: cannot verify IP's certificate, issued by `/C=DE/ST=Some-State/O=Internet Widgits Pty Ltd':
    Self-signed certificate encountered.
    WARNING: certificate common name `' doesn't match requested host name `IP'.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `index.html'

    [ <=> ] 9,203 --.-K/s in 0s

    2014-04-09 13:13:54 (21.7 MB/s) - `index.html' saved [9203]


    ========
    index.html looks like the start page of ISPConfig 3
    I have tried this from 2 other servers (one at home, a second one at the provider's server farm):
    The one from home: "failed: connection timed out"
    the one in the server farm: wget --no-check-certificate https://IP:8080
    --13:07:42-- https://IP:8080/
    => `index.html'
    Verbindungsaufbau zu IP:8080...


    No further reaction...
    But there is a difference in the behaviour (the second server is running Debian, the first one Ubuntu 12.04 LTS)
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, it shows that the server is working correctly at your provider. That the home server failed might be caused by your router or a similar issue. So it still comes down that your provider blocks port 8080. As a last try, you can run:

    iptables --flush

    to remove all local iptables rules and test again. If this won't help, you should write again to the support of your ISP, it is not the first time that an ISP claimed that they opened a port which is indeed closed :)
     
  13. Rudflodur

    Rudflodur New Member

    Solved

    Till - many thanks again for your great assistance and for your patience.

    Indeed, it was a problem with the firewall of my provider. When I deactivated it, everything was fine - when I re-activated it, everything was blocked. Provider: "No, it is not our problem, it must be a problem with your server settings" - but after the third call (and test with on/off, every time with a delay of ~ 15 minutes), suddenly it worked without any modification on the server side...

    ISPConfig 3 is a great tool!

    Best regards
    Rudolf
     
