Port 8080 no longer secure

Discussion in 'ISPConfig 3 Priority Support' started by mrbronz, Apr 13, 2021.

  1. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi

    I have just checked my emails, and although it's not related I noticed I am getting quite a few spam emails coming through.
    So to combat this I thought I would create a blacklist of the main domains.
    However, I have noticed that my CP on port 8080 is no longer secure. I have not changed anything so would have thought it would not just stop working. All other sites are working as expected.
    My question is, why has this happened and, more to the point, is there a way to fix it so that it does not happen again?

    Many thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use Let's Encrypt for the ISPConfig vhost on port 8080? If yes, check in the letsencrypt.log if the renewal failed.
     
  3. mrbronz

    mrbronz Member HowtoForge Supporter

    Thanks for the reply Till

    I use the acme.sh scripts as guided in this guide; however, I did a search for a letsencrypt.log but came up with nothing.
     
  4. mrbronz

    mrbronz Member HowtoForge Supporter

    I just disabled the LE, then re-enabled it, and I got the following email:

    Code:
    martin.gregson.me.uk - 13.04.2021-12:20 - WARNING - Could not verify domain www.martin.gregson.me.uk, so excluding it from letsencrypt request.

    Why is it trying to verify www?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely you configured it to do so by choosing auto subdomain www.
     
  6. mrbronz

    mrbronz Member HowtoForge Supporter

    Yes, you are correct. I have turned "auto subdomain www" to none for now.
    But surely it would still find its way back to my server?

    I've tried disabling and re-enabling SSL and LE but still not working

    How do I update/renew the certificate?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    If you turn it on, then it's on, and if you turn it off, then it's off. Settings do not change unless you change them.

    Then check the log again to find out why LE refuses to issue the cert.

    Certs renew automatically as long as the domain still points to the server.
     
  8. mrbronz

    mrbronz Member HowtoForge Supporter

    Which log and what am I looking for?
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  10. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi Thom

    Thanks for the reply.
    I've looked at the link you sent and I have seen this link several times.
    I must have done something wrong because having read
    I don't have the "/var/log/letsencrypt" directory because I am using the acme.sh method.
    Having said that I also don't have acme.sh.log in the "/.acme.sh/" directory.

    I know the link gives details in the section entitled "What if the above steps don't help?", on how to get other messages but, shouldn't the system have a log file for such an important part of the system?

    Have I missed some part of the install?
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you have /var/log/ispconfig/acme.log? I think it might be that the installer doesn't specify a path, so the default /root/.acme.sh/acme.sh.log is used, whereas the server plugins which renew and act on the interface changes specify /var/log/ispconfig/acme.log. Probably the installer should use that path, too, and the FAQ should be updated (to mention both for now, and just /var/log/ispconfig/acme.log if/when the installer uses it).
     
  12. mrbronz

    mrbronz Member HowtoForge Supporter

    Thanks for that Jesse

    That particular log was empty but there is a rotated log file with the following

    Code:
    [Wed 14 Apr 00:00:02 BST 2021] di='/root/.acme.sh/martin.gregson.me.uk/'
    [Wed 14 Apr 00:00:02 BST 2021] d='martin.gregson.me.uk'
    [Wed 14 Apr 00:00:02 BST 2021] Using config home:/root/.acme.sh
    [Wed 14 Apr 00:00:02 BST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Wed 14 Apr 00:00:02 BST 2021] DOMAIN_PATH='/root/.acme.sh/martin.gregson.me.uk'
    [Wed 14 Apr 00:00:02 BST 2021] Renew: 'martin.gregson.me.uk'
    [Wed 14 Apr 00:00:02 BST 2021] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Wed 14 Apr 00:00:02 BST 2021] Using config home:/root/.acme.sh
    [Wed 14 Apr 00:00:02 BST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Wed 14 Apr 00:00:02 BST 2021] Skip, Next renewal time is: Mon 10 May 00:01:59 UTC 2021
    [Wed 14 Apr 00:00:02 BST 2021] Add '--force' to force to renew.
    [Wed 14 Apr 00:00:02 BST 2021] Return code: 2
    [Wed 14 Apr 00:00:02 BST 2021] Skipped martin.gregson.me.uk

    With my limited knowledge, this looks like it just skipped that particular site but no explanation.
     
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Explanation here:
    Code:
    Skip, Next renewal time is: Mon 10 May 00:01:59 UTC 2021
     
  14. mrbronz

    mrbronz Member HowtoForge Supporter

    Thanks, Taleman

    How do I force it to renew now?
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  16. mrbronz

    mrbronz Member HowtoForge Supporter

    Never mind I found the answer
    If you're using certbot
    Code:
    acme.sh -f -r -d yourdomain.com
    
    I have tried running this but get the error:
    Code:
     martin.gregson.me.uk:Verify error:Fetching http://martin.gregson.me.uk/.well-known/acme-challenge/-***************[
    
    Looking at the log file on the verification I get this:
    Code:
    Verifying: martin.gregson.me.uk
     d='martin.gregson.me.uk'
     keyauthorization='-*******************************************************************'
     uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12325922109/CVslog'
     _currentRoot='/usr/local/ispconfig/interface/acme'
     wellknown_path='/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
     writing token:-************** to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/-***********
     Changing owner/group of .well-known to ispconfig:ispconfig
     url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/1232592****/CVslog'
     payload='{}'
     POST
     _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12325*****/CVslog'
     _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
     _ret='0'
     code='200'
     trigger validation code: 200
     sleep 2 secs to verify
     checking
     url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/1232592*****/CVslog'
     payload
     POST

    Deciphering this is beyond my knowledge and skill.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should never run the commands manually. Let ISPConfig handle it.
     
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    That would mean I have to wait for a month before my site is secure again
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please read #15.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the cert is still valid, that's why it did not get renewed. Check what the exact error is that your browser shows you: does it really claim that the SSL cert is expired and, if yes, when did it expire?
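
The rotated acme.log quoted earlier in the thread is easier to read with one line per domain. The script below is an added example, not part of the thread and not ISPConfig or acme.sh code, and it handles only the line shapes quoted above. The status names, the output columns and the `shop.example.org` failure entry are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise acme.sh renewal outcomes per domain.
# Assumes the log line shapes quoted in this thread; status names are this example's own.

# Constructed sample: the first entry mirrors the log quoted in the thread,
# the second (shop.example.org) is a constructed failure for illustration.
SAMPLE_LOG="[Wed 14 Apr 00:00:02 BST 2021] Renew: 'martin.gregson.me.uk'
[Wed 14 Apr 00:00:02 BST 2021] Skip, Next renewal time is: Mon 10 May 00:01:59 UTC 2021
[Wed 14 Apr 00:00:02 BST 2021] Return code: 2
[Wed 14 Apr 00:00:02 BST 2021] Skipped martin.gregson.me.uk
[Wed 14 Apr 00:00:05 BST 2021] Renew: 'shop.example.org'
[Wed 14 Apr 00:00:09 BST 2021] shop.example.org:Verify error:Fetching http://shop.example.org/.well-known/acme-challenge/TOKEN: Timeout
[Wed 14 Apr 00:00:09 BST 2021] Return code: 1"

# Reads a log on stdin (or from file arguments); prints domain<TAB>status<TAB>detail.
summarize_acme_log() {
  awk -v q="'" '
    function note(d, s, t) {
      if (!(d in status)) order[++n] = d
      status[d] = s; detail[d] = t
    }
    {   # drop the leading "[timestamp] " so the rules below see the message only
      i = index($0, "] ")
      if (substr($0, 1, 1) == "[" && i > 0) $0 = substr($0, i + 2)
    }
    /^Renew: / { dom = $2; gsub(q, "", dom); note(dom, "unknown", ""); next }
    /^Skip, Next renewal time is: / {
      # acme.sh skipped: the stored next-renewal time has not been reached
      sub(/^Skip, Next renewal time is: /, ""); note(dom, "not-due", $0); next
    }
    /:Verify error:/ {
      # the challenge file for this name could not be verified
      split($0, p, ":Verify error:"); note(p[1], "verify-failed", p[2]); next
    }
    END {
      for (k = 1; k <= n; k++)
        printf "%s\t%s\t%s\n", order[k], status[order[k]], detail[order[k]]
    }
  ' "$@"
}

printf '%s\n' "$SAMPLE_LOG" | summarize_acme_log
```

To read the live file, call `summarize_acme_log /var/log/ispconfig/acme.log` (or the rotated copy). A `not-due` row means acme.sh skipped the renewal because its stored renewal date is still in the future, so the browser warning needs a different explanation than a failed renewal.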
     
