postfix cert not created

Discussion in 'Installation/Configuration' started by kmchen, Oct 11, 2018.

  1. kmchen

    kmchen Member

    Really can't get anything working on my fresh Debian 9/ISPConfig install. When I try to access the webmail (Roundcube), Dovecot throws:
    I did a completely fresh install of Debian 9/ISPConfig 3.0, then an ISPConfig update to 3.1.13:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    Reconfigured all services.
    At which step should that cert have been created?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think this is normally handled during your ISPConfig installation where it will create the required self-signed certs for postfix.

    You can also create that manually if you want to use self-signed certs, but if you want to use Let's Encrypt, you can use the LE4ISPC script or follow its thread here.
     
    Last edited: Oct 13, 2018
  3. kmchen

    kmchen Member

    I had followed that tutorial but your script worked. Thanks a lot.

    Now my webmail seems to work, but I still get "Your connection is not secure" messages both on the ISPConfig website myserver:8080 and when I try to connect to the IMAP mail account.
     
    Last edited: Oct 11, 2018
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The web browser can show which certificate the website uses; check that. Is it the self-signed or the LE cert?
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I followed the link in your signature, which gives me your domain name, and when I try viewing https://yourdomain.tld:8080 it shows the error that you mentioned.

    The certs clearly belong to your subdomain ns1.yourdomain.tld and not yourdomain.tld, but you must have set it up wrongly, because you can view https://yourdomain.tld:8080 with an error but totally cannot view https://ns1.yourdomain.tld:8080.

    Whether you secure your ISPConfig control panel manually or using the LE4ISPC script, you must use your server hostname FQDN, which is the subdomain, and definitely not the main domain.

    So, retrace and redo where it went wrong, then fix it so that you can access your ISPConfig control panel and its service(s) without any unnecessary warning.
     
  6. kmchen

    kmchen Member

    Thanks a lot for your help.
    I think I have a real problem with names.
    Originally that server's FQDN is ks392200.kimsufi.com.
    At the server's re-install I was asked to give a personalized name. I gave "ns1", thinking its FQDN would be ns1.webologix.com.
    But at DNS definition time the domain name webologix.com was not defined anymore, so I used ks392200.kimsufi.com to define everything, and at certificate generation time I used ns1.webologix.com...

    So. Now, as I prefer not to touch DNS anymore, could I redefine that server's FQDN with something like:
    and generate certificates based on that name?
    I would access ISPConfig as ks392200.kimsufi.com:8080 instead of ns1.webologix.com:8080.
    That way, would everything come into order: certificates, mail HELO and others I probably missed?

    Or is there another naming strategy to solve all the problems I encountered with that re-install?
     
    Last edited: Oct 11, 2018
  7. kmchen

    kmchen Member

    Well, without an answer to my preceding post I assume the question was silly and the DNS definitions are OK as is with the ks392200 name. So I retried the tutorial from the start.
    I created a server website ns1.webologix.com with ISPConfig. OK. But when I check the SSL and Let's Encrypt boxes and save, the Apache log shows this:
    Code:
    ...
    [Fri Oct 12 11:39:16.154129 2018] [:error] [pid 813] python_init: Python version mismatch, expected '2.7.5+', found '2.7.13'.
    [Fri Oct 12 11:39:16.154489 2018] [:error] [pid 813] python_init: Python executable found '/usr/bin/python'.
    [Fri Oct 12 11:39:16.154536 2018] [:error] [pid 813] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Fri Oct 12 11:39:16.154628 2018] [:notice] [pid 813] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Fri Oct 12 11:39:16.154659 2018] [:notice] [pid 813] mod_python: using mutex_directory /tmp
    [Fri Oct 12 11:39:16.200082 2018] [ssl:warn] [pid 813] AH01906: ns1.webologix.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 12 11:39:16.207230 2018] [ssl:warn] [pid 813] AH01906: ns1.webologix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 12 11:39:16.207306 2018] [ssl:warn] [pid 813] AH01909: ns1.webologix.com:8080:0 server certificate does NOT include an ID which matches the server name
    
    ...
    
    And the SSL and Let's Encrypt checkboxes are unchecked again.
    Which files should have been created exactly, so that I could verify?
     
    Last edited: Oct 12, 2018
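The two `ssl:warn` lines in the log above are the same name problem ahrasis describes in post 5, plus a second one: AH01909 means no name in the certificate matches the vhost's ServerName, and AH01906 means the certificate presented for 443/8080 is a CA certificate (the kind `openssl req -x509` produces with Debian's default config), not a server certificate. The following script is an added example, not code from this thread, ISPConfig or LE4ISPC; it builds throw-away certificates for the constructed name ns1.example.test and checks both conditions with the openssl CLI, so a certificate can be verified before Apache loads it.

```shell
#!/bin/sh
# Added example, not code from this thread, ISPConfig or LE4ISPC.
# Reproduces the two conditions behind Apache's AH01906 (server cert is a
# CA cert) and AH01909 (no name matches the ServerName) warnings using
# throw-away certificates, so a cert can be checked before Apache loads it.
# Needs the openssl CLI (1.0.2+ for -checkhost). Hostnames are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert FILE CN SAN_HOST CA_FLAG (TRUE|FALSE)
# Self-signed cert with an explicit basicConstraints value and one dNSName
# SAN. An inline config is used so the system openssl.cnf defaults (which,
# on Debian, mark "openssl req -x509" certs CA:TRUE) do not leak in.
make_cert() {
    file=$1; cn=$2; san=$3; ca=$4
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[srv]
basicConstraints = critical,CA:$ca
subjectAltName = DNS:$san
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -config "$WORK/req.cnf" -extensions srv \
        -keyout "$file.key" -out "$file" 2>/dev/null
}

# cert_is_ca FILE -> exit 0 when basicConstraints says CA:TRUE (AH01906)
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# cert_matches_host FILE HOST -> exit 0 when HOST is covered by the SAN
# (or by the CN when there is no SAN), i.e. the AH01909 check passes
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# check_server_cert FILE HOST -> verdict on stdout; exit 0 only when the
# cert is usable as a server certificate for HOST
check_server_cert() {
    rc=0
    if cert_is_ca "$1"; then
        echo "$1: is a CA certificate (Apache would log AH01906)"; rc=1
    fi
    if ! cert_matches_host "$1" "$2"; then
        echo "$1: no subject name matches $2 (Apache would log AH01909)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: OK as server certificate for $2"
    return "$rc"
}

# Constructed demonstration: a default-style self-signed cert (CA:TRUE)
# next to a proper server cert, checked against the right and a wrong name.
make_cert "$WORK/selfsigned.pem" ns1.example.test ns1.example.test TRUE
make_cert "$WORK/server.pem"     ns1.example.test ns1.example.test FALSE
check_server_cert "$WORK/selfsigned.pem" ns1.example.test || true
check_server_cert "$WORK/server.pem" example.test || true
check_server_cert "$WORK/server.pem" ns1.example.test
```

To run the same checks against a deployed certificate, point `check_server_cert` at the file named by the vhost's SSLCertificateFile and pass the vhost's ServerName as the host; the name you type into the browser (here ns1.yourdomain.tld, not yourdomain.tld) is the one that has to appear in the SAN.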
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look into the letsencrypt.log file to see why let's encrypt was not able to issue that cert. You might also see let's encrypt FAQ here at howtoforge for more details.

    And a server name like ks392200.kimsufi.com will probably not work, as LE will not issue a cert for that name because too many LE certs have probably been issued for kimsufi.com subdomains already. That's why it's wise to use a subdomain of your own domain name as the server hostname instead of the default one from your hosting provider.
     
  9. kmchen

    kmchen Member

    Thanks for your reply.

    Absolutely nothing in the letsencrypt logs! Do I have to enable it somewhere, perhaps?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to disable the letsencrypt check in ispconfig under system > server config > web and then enable let's encrypt again for the website. If the checkbox gets unchecked again, then take a look into the letsencrypt log again.
     
  11. kmchen

    kmchen Member

    Thanks for replying. Absolutely nothing new in /var/log/letsencrypt/letsencrypt.log when I save.
    I suspect something nasty with my DNS. I can access ns1.webologix.com but don't see it in the ISPConfig DNS A definitions (I probably removed it earlier). So I added it, and when I save the configuration I get this in syslog:
    I unchecked DNSSEC to see if it is related and I get this:
    But the file exists:
    Code:
    root@ns1:~# locate Kwebologix.com.+007+13847.key
    /etc/bind/Kwebologix.com.+007+13847.key
    
    and the serial is still unchanged and not the one shown in the log report!:
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  13. kmchen

    kmchen Member

    You're right, zone doesn't load properly:

    What is that file Kwebologix.com.+007+30810.key and how do I make ISPConfig generate it properly?
     
    Last edited: Oct 12, 2018
  14. kmchen

    kmchen Member

    I checked Skip Let's Encrypt Check in ISPConfig under System > Server Config > Web, and the checkbox gets unchecked again and there is still nothing in the letsencrypt logs.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

  16. kmchen

    kmchen Member

    Logs appear in debug mode:
     
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I believe, since you used the LE4ISPC script, it might have created a standalone Let's Encrypt SSL certificate for your ns1.domain.tld on your first trial, thus the certificates may still exist (and be valid), therefore causing the error.

    The script no longer requires you to set up a website for your server, so you can delete the website and continue to secure your server control panel and services by running the script.

    You do not have to follow the tutorial if you are using the script.
     
  18. kmchen

    kmchen Member

    Now I have deleted ns1 and use the script:
    Code:
    root@ns1:/etc/ssl# ./le4ispc.sh
    Enter passphrase for SSL/TLS keys for ns1.webologix.com:8080 (RSA): ***********
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    
    Seems I need to remove the encryption from the Apache private key file, but I don't even know where it is!
    A headache.
    Now I launched an ISPConfig update to recover Apache and no passphrase is asked anymore. But the problem is still there.
     
    Last edited: Oct 13, 2018
  19. kmchen

    kmchen Member

    Tried to remove passphrase like that:
    Code:
    root@ns1:/etc/letsencrypt/archive/ns1.webologix.com# umask 077
    root@ns1:/etc/letsencrypt/archive/ns1.webologix.com# mv privkey1.pem privkey1.pem.old
    root@ns1:/etc/letsencrypt/archive/ns1.webologix.com# openssl rsa -in privkey1.pem.old -o privkey1.pem
    rsa: Unknown cipher o
    rsa: Use -help for summary.
    root@ns1:/etc/letsencrypt/archive/ns1.webologix.com# openssl rsa -in privkey1.pem.old -out privkey1.pem
    Enter pass phrase for privkey1.pem.old:
    140003398714624:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:778:You must type in 4 to 1023 characters
    Enter pass phrase for privkey1.pem.old:
    140003398714624:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:493:while reading strings
    
    Don't know what to do
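The passphrase prompt in post 18 and the failed `openssl rsa` run above both come from a passphrase-protected private key being handed to a non-interactive service. The script below is an added example, not code from this thread, ISPConfig or LE4ISPC: it first checks whether a PEM key is actually encrypted (a file that never was, as certbot writes them, is left alone), then strips the passphrase with `-passin` so openssl never opens the interactive prompt that rejected the short input above, and finally proves the new file holds the same key by comparing moduli. The key, its path and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread, ISPConfig or LE4ISPC.
# Detects whether a PEM private key is passphrase-protected and, only then,
# writes an unencrypted copy non-interactively, proving afterwards that both
# files hold the same key. Needs the openssl CLI. Key and passphrase are
# constructed for the demonstration.
set -eu
umask 077                       # private keys must not be group/world readable
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# key_is_encrypted FILE -> exit 0 when the PEM carries an encryption marker:
# legacy "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_modulus FILE [PASS] -> "Modulus=..." line; identical for every copy
# of the same key, so it is a cheap way to prove nothing but the wrapping
# changed. The passphrase is ignored for an unencrypted file.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus -passin "pass:${2:-}" 2>/dev/null
}

# strip_passphrase IN OUT PASS -> unencrypted copy of IN. -passin feeds the
# passphrase, so openssl never prompts; a wrong passphrase makes it fail
# instead of producing garbage.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# unlock_key_if_needed IN OUT PASS -> OUT is always an unencrypted key; an
# IN that is not encrypted is copied untouched. Exit 0 only when OUT holds
# the same modulus as IN.
unlock_key_if_needed() {
    if key_is_encrypted "$1"; then
        strip_passphrase "$1" "$2" "$3"
    else
        cp "$1" "$2"
    fi
    [ "$(key_modulus "$1" "$3")" = "$(key_modulus "$2")" ]
}

# make_test_key FILE PASS -> constructed 2048-bit RSA key encrypted with AES-256
make_test_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Constructed demonstration
make_test_key "$WORK/enc.key" 'constructed-passphrase'
unlock_key_if_needed "$WORK/enc.key" "$WORK/plain.key" 'constructed-passphrase'
key_is_encrypted "$WORK/enc.key" && echo "enc.key: passphrase-protected"
key_is_encrypted "$WORK/plain.key" || echo "plain.key: unencrypted, same modulus as enc.key"
```

Run `key_is_encrypted` against the file named by the vhost's SSLCertificateKeyFile before changing anything: if it reports unencrypted, the passphrase prompt is coming from a different key file than the one being edited. The `umask 077` matters because `openssl rsa -out` creates the new file with the current umask, and a key readable by other users is worse than an encrypted one.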
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Simply run "rm -rf /etc/letsencrypt/*/ns1.webologix.com*" to delete all SSL and renewal files. Then choose whether you want to follow the tutorial or use the LE4ISPC script. Do not use both unless you understand what you are doing.
     