Hello everyone and ISPConfig team,

I am a new user and this is my first attempt to install and deal with ISPC, so I have followed the Ubuntu 18.04 tutorial https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ with Apache to install my first created web site, coded with Python. After some reading about ISPConfig, I thought that the easiest way for me to start is to have two servers running the full ISPConfig (standard mode) with all services installed as in the tutorial (Q: is this setup approach good or bad from the point of view of problems to face or when adding more sites?).

-- For the 1st server I used only the mail service for my website with these settings: host name: mail, domain: server.com, runs NAT 1:1 with static IP, let's say 1.2.3.4. I created a record in Namecheap DNS (Q: no need to run DNS from ISPC, right?). The email is running fine, although reaching the spam folder. Then I created a Let's Encrypt SSL for all services and in the server by following this guide https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

-- For the 2nd server I need to run the web, db, etc. here with these settings: hostname: web, domain: server.com, runs NAT 1:1 with static IP, let's say 1.2.3.5. I added a record for the domain, i.e. example.com (Q: do I need to add one for web.domain?). After that I managed to run mod-wsgi with Apache and was able to run the site, but when I try to add SSL and Let's Encrypt SSL, or either one, it doesn't work, yet it works with HTTP.

This is my apache2 error log from the 2nd server:

Code: [Tue Jun 09 21:13:02.536200 2020] [ssl:error] [pid 24660] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! 
[subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun 1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT] [Tue Jun 09 21:13:02.536212 2020] [ssl:error] [pid 24660] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Tue Jun 09 21:13:02.543132 2020] [mpm_prefork:notice] [pid 24660] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations [Tue Jun 09 21:13:02.543178 2020] [core:notice] [pid 24660] AH00094: Command line: '/usr/sbin/apache2' [Tue Jun 09 21:17:02.435922 2020] [mpm_prefork:notice] [pid 24660] AH00169: caught SIGTERM, shutting down [Tue Jun 09 21:17:09.793742 2020] [ssl:warn] [pid 25005] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 09 21:17:09.793907 2020] [ssl:error] [pid 25005] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun 1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT] [Tue Jun 09 21:17:09.793931 2020] [ssl:error] [pid 25005] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Tue Jun 09 21:17:09.793957 2020] [suexec:notice] [pid 25005] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec) [Tue Jun 09 21:17:09.848358 2020] [ssl:warn] [pid 25009] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) 
[Tue Jun 09 21:17:09.848504 2020] [ssl:error] [pid 25009] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun 1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT] [Tue Jun 09 21:17:09.848515 2020] [ssl:error] [pid 25009] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Tue Jun 09 21:17:09.855499 2020] [mpm_prefork:notice] [pid 25009] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations [Tue Jun 09 21:17:09.855548 2020] [core:notice] [pid 25009] AH00094: Command line: '/usr/sbin/apache2' this is my apache2 error log from 2nd server: Code: 2020-06-09 22:33:39,267:DEBUG:acme.client:Storing nonce: 0102UBsPQxGKfjxLGchy3w7GYcvuIvNtjRz81AOn_OHt0J0 2020-06-09 22:33:39,268:DEBUG:acme.client:JWS payload: b'' 2020-06-09 22:33:39,290:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/cert/0469c00abf61f8a9c0061da5c2a2d16b0f62: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODg0MTg1NzUiLCAibm9uY2UiOiAiMDEwMlVCc1BReEdLZmp4TEdjaHkzdzdHWWN2dUl2TnRqUno4MUFPbl9PSHQwSjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NlcnQvMDQ2OWMwMGFiZjYxZjhhOWMwMDYxZGE1YzJhMmQxNmIwZjYyIn0", "signature": 
"O-QeROqIDiL2T4G75X-_c8B_G5lsK9O3q4nYjMJl_OZDKOk62ak_22lrN5FQVd94EGR8OIQZWKNjTYwqZXlWXG0YoZ8q7dNJQKZKdB8N0it9kXg01nmqmCv8GWlFTJ37vIX2WO_l-ZAI536iZRu8zZki4Z5BrqkmO3jV0eU1PNk7VOHNG_DVH15hwx4U3cszmslTIBSmGCrwn3Jm9w5dqR0T08WsLcrph_UakCCRS9Kg7Ah_XeXYngZNmpJos3mkC5aDrfXhbG4zZY8uj4Rq43eCHk7X0ZdJnMh3GKbyAf8GPS3fdpzd_ADvYQs-JoYBAth2Adkm-KDHopm1kYTSsypOH2R8xykddZCY-M1_vaYr0eGSN22RrYREHH7dGwtFtHpY8tBijQ8rMyt_5-Owtgcc2eM_xq0W7hHl-14qpY7Rygl0XCvHAY4b4znuMwl__G8UOcMWbMFsfXk3eawvRFURg7drNiUuDe7Vd-ihZGDLbhTVWjCDx-7y7x_Mn8FBbM-WyoUI2m1-wQ81LSUKLIxJpN35Q4Fbf_0ONLtHQgTRWyXQeRsCyB-jQm8nfji6p--NOC-rzUURYraAECmJinnfYFCH1XyRDxJy_IHO1-iChn8nvs1Pyc8NsZCckZ4q_3ivvO5OsX4ZsGgAcvXfhOIPXpaPRtHJ2xRT1Cbm6PA", "payload": "" } 2020-06-09 22:33:39,539:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/cert/0469c00abf61f8a9c0061da5c2a2d16b0f62 HTTP/1.1" 200 3912 2020-06-09 22:33:39,539:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Tue, 09 Jun 2020 22:33:39 GMT Content-Type: application/pem-certificate-chain Content-Length: 3912 Connection: keep-alive Cache-Control: public, max-age=0, no-cache Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: 0101MANnVtr4asKQTuMdhqRQu0OmXp_8hDSYTMFhqAavJk0 X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- 2020-06-09 22:33:39,540:DEBUG:acme.client:Storing nonce: 0101MANnVtr4asKQTuMdhqRQu0OmXp_8hDSYTMFhqAavJk0 2020-06-09 22:33:39,541:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive. 2020-06-09 22:33:39,541:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/live. 2020-06-09 22:33:39,541:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/archive/rasnix.com and live directory /etc/letsencrypt/live/rasnix.com created. 2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/rasnix.com/cert.pem. 
2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/live/rasnix.com/privkey.pem. 2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/live/rasnix.com/chain.pem. 2020-06-09 22:33:39,543:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/live/rasnix.com/fullchain.pem. 2020-06-09 22:33:39,543:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/live/rasnix.com/README. 2020-06-09 22:33:39,559:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0x7f5cc49b0c88> 2020-06-09 22:33:39,560:DEBUG:certbot.cli:Var server=https://acme-v02.api.letsencrypt.org/directory (set by user). 2020-06-09 22:33:39,560:DEBUG:certbot.cli:Var account={'server'} (set by user). 2020-06-09 22:33:39,564:DEBUG:certbot.cli:Var rsa_key_size=4096 (set by user). 2020-06-09 22:33:39,574:DEBUG:certbot.cli:Var server=https://acme-v02.api.letsencrypt.org/directory (set by user). 2020-06-09 22:33:39,575:DEBUG:certbot.cli:Var authenticator=webroot (set by user). 2020-06-09 22:33:39,582:DEBUG:certbot.cli:Var webroot_path=/usr/local/ispconfig/interface/acme (set by user). 2020-06-09 22:33:39,583:DEBUG:certbot.cli:Var webroot_path=/usr/local/ispconfig/interface/acme (set by user). 2020-06-09 22:33:39,583:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user). 2020-06-09 22:33:39,584:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/rasnix.com.conf. 2020-06-09 22:33:39,586:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/rasnix.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/rasnix.com/privkey.pem Your cert will expire on 2020-09-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. 
To non-interactively renew *all* of your certificates, run "certbot renew" 2020-06-09 22:33:39,586:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le please advise ...
Verify you have completed all steps to use the LE certificate for ISPConfig panel. That looks like the certificate is not installed correctly.

What is sending the signals to that process?

Code:
[Tue Jun 09 21:17:02.435922 2020] [mpm_prefork:notice] [pid 24660] AH00169: caught SIGTERM, shutting down
Really, thank you Taleman for your support. I should have noticed that, but I was awake for 2 days trying to complete it (my bad). Even though I have access to the ISPConfig interface through HTTPS from the domain name and subdomain, I ran

Code:
ispconfig_update.sh

to recreate the ISPConfig SSL, but also with the same problem. Finally I found out the source of the problem, which was mod_wsgi (Apache module), so I had to comment the wsgi daemon lines in order for the SSL to be generated correctly, then comment out the wsgi lines. Yet I still have an issue showing in the Apache error log.

I don't understand this, so if I have a server host name like web, then for every added site in ISPConfig the web should be a subdomain?

Could you, Mr. Taleman, or anyone give me an opinion on these questions?
If both servers should share the same users, etc., you should go for a master/slave setup. If you have two masters, they become independent servers (could be fine, depends on what you want to achieve).

Correct.

I do not understand that question. Are you asking if you should create a vhost for web.domain.com? Only if you want to have a website there. Or if you want ISPC to create and update a letsencrypt cert for that. ISPC only does certs for webs.

You are using a self-signed certificate that does (obviously) not contain an issuer's cert. If you get a letsencrypt cert for the web.domain.com domain, then you will get a "fullchain" file which includes the letsencrypt issuer cert. So it looks like you made a mistake in following the guide to get your server a letsencrypt cert. Look again carefully at the steps at https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
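The diagnosis in the reply above can be read straight off the AH02217 entries: when subject and issuer are the same DN, the certificate is self-signed and there is no issuer to staple for. As an added example (not from the thread; the sample log lines, hostnames, serials and verdict labels are constructed), this shell function classifies each certificate named in such entries:

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames and serials below are constructed.

# Read an Apache error log on stdin; for every certificate named in an AH02217
# entry print "<serial> <verdict>", once per serial.
classify_stapling_errors() {
    awk '
    /AH02217/ && /\[subject: / {
        # Layout: [subject: S / issuer: I / serial: N / notbefore: ... / notafter: ...]
        s = $0; sub(/.*\[subject: /, "", s); sub(/ \/ issuer: .*/, "", s)
        i = $0; sub(/.* \/ issuer: /, "", i); sub(/ \/ serial: .*/, "", i)
        n = $0; sub(/.* \/ serial: /, "", n); sub(/ \/ notbefore: .*/, "", n)
        if (seen[n]++) next
        # subject == issuer: the certificate signed itself, no issuer exists to staple for.
        # otherwise: a CA issued it, and the likely cause is a certificate file
        # that holds only the leaf (cert.pem) instead of the full chain.
        print n, (s == i ? "self-signed" : "issuer-missing-from-file")
    }'
}

# Constructed sample input in the format Apache 2.4 writes for AH02217.
sample_log() {
    cat <<'EOF'
[Tue Jun 09 21:17:09.793907 2020] [ssl:error] [pid 25005] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=panel.example.com,O=Example / issuer: CN=panel.example.com,O=Example / serial: 0A1B / notbefore: Jun 1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT]
[Tue Jun 09 21:17:09.793931 2020] [ssl:error] [pid 25005] AH02604: Unable to configure certificate panel.example.com:8080:0 for stapling
[Tue Jun 09 21:17:09.848504 2020] [ssl:error] [pid 25009] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=panel.example.com,O=Example / issuer: CN=panel.example.com,O=Example / serial: 0A1B / notbefore: Jun 1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT]
[Tue Jun 09 21:20:00.000000 2020] [ssl:error] [pid 25100] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=www.example.com / issuer: CN=Example Issuing CA,O=Example CA / serial: 0C2D / notbefore: Jun 1 00:00:00 2020 GMT / notafter: Aug 30 00:00:00 2020 GMT]
EOF
}

sample_log | classify_stapling_errors
```

On a server the same function can be fed the real log, for example `classify_stapling_errors < /var/log/apache2/error.log`.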
First of all, thanks to all ISPConfig team members and supporters for your guidance and help. I haven't fixed all of the issues, but most of them, as I do now have Let's Encrypt for mydomain(dot)com and www(dot)mydomain(dot)com, but it is not working with the server host name web(dot)mydomain(dot)com.

So this is my system setup:

OS: Ubuntu 18.04, hostname: web
ISPConfig Version: 3.1.15p3, Skip Lets Encrypt Check (checked)
ISPConfig sites: 1, used domain: mydomain(dot)com (not web(dot)mydomain(dot)com, as I don't need web to be visible in the site name)
Namecheap registrar DNS records: [cname record] www > mydomain(dot)com , [a record] mydomain(dot)com > my_pub_ip , [a record] web > my_pub_ip , [a record] www(dot)web > my_pub_ip , [cname record] web > mydomain(dot)com , [cname record] www(dot)web > mydomain(dot)com

I can neglect that web(dot)mydomain only has a self-signed SSL, not Let's Encrypt, and make an Apache rewrite redirect rule so web(dot)mydomain gets redirected to www(dot)mydomain, which has Let's Encrypt working fine, but I just need to understand what I did wrong.
this my lets encrypt log Code: 2020-06-11 17:51:40,082:DEBUG:certbot.main:certbot version: 0.27.0 2020-06-11 17:51:40,083:DEBUG:certbot.main:Arguments: ['-q'] 2020-06-11 17:51:40,084:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2020-06-11 17:51:40,095:DEBUG:certbot.log:Root logging level set at 30 2020-06-11 17:51:40,096:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2020-06-11 17:51:40,122:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ff28e463940> and installer <certbot.cli._Default object at 0x7ff28e463940> 2020-06-11 17:51:40,131:INFO:certbot.renewal:Cert not yet due for renewal 2020-06-11 17:51:40,131:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None 2020-06-11 17:51:40,135:INFO:certbot.renewal:Cert not yet due for renewal 2020-06-11 17:51:40,136:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None 2020-06-11 17:51:40,136:DEBUG:certbot.renewal:no renewal failures and this apache error log Code: [Thu Jun 11 17:45:04.927756 2020] [ssl:warn] [pid 30410] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Jun 11 17:45:04.927893 2020] [ssl:error] [pid 30410] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! 
[subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun 8 13:45:52 2030 GMT] [Thu Jun 11 17:45:04.927904 2020] [ssl:error] [pid 30410] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Thu Jun 11 17:45:04.935017 2020] [mpm_prefork:notice] [pid 30410] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations [Thu Jun 11 17:45:04.935062 2020] [core:notice] [pid 30410] AH00094: Command line: '/usr/sbin/apache2' [Thu Jun 11 18:06:09.302909 2020] [mpm_prefork:notice] [pid 30410] AH00169: caught SIGTERM, shutting down [Thu Jun 11 18:06:09.492649 2020] [ssl:warn] [pid 8826] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Jun 11 18:06:09.492819 2020] [ssl:error] [pid 8826] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun 8 13:45:52 2030 GMT] [Thu Jun 11 18:06:09.492832 2020] [ssl:error] [pid 8826] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Thu Jun 11 18:06:09.492855 2020] [suexec:notice] [pid 8826] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec) [Thu Jun 11 18:06:09.550348 2020] [ssl:warn] [pid 8839] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) 
[Thu Jun 11 18:06:09.550491 2020] [ssl:error] [pid 8839] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun 8 13:45:52 2030 GMT] [Thu Jun 11 18:06:09.550502 2020] [ssl:error] [pid 8839] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Thu Jun 11 18:06:09.556919 2020] [mpm_prefork:notice] [pid 8839] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations [Thu Jun 11 18:06:09.556964 2020] [core:notice] [pid 8839] AH00094: Command line: '/usr/sbin/apache2'
First you have to fix your issue, failing which you may not get anywhere. One of which I already posted:

And do troubleshoot all LE errors by reading and following the given FAQ first: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

There is a saying that says: "repeating the same things won't give you a different result".
I have tried to reinstall everything. After installing Ubuntu 18.04, following the ISPConfig installation tutorial and after the final step in the tutorial (installing ISPConfig with SSL to the interface), I checked the Apache error log and saw the same errors again, even though I haven't added any sites or anything.

I also tried to reinstall one more time and even added an AAAA record in DNS pointing [server-hostname].[domain-dot-com] to this server's public IP, even though there is an A record, but I also found the same errors after the ISPConfig install.

ahrasis, I have looked at this search link without help, so can you be more specific about what I can try to do or test?
The link is to help solving stapling issue as per your info. Did you troubleshoot as per the faq mentioned above? Did you disable LE check? We don't really know how to help you solve your problems unless you follow the advised steps and provide us with useful details.
Dear ahrasis, thank you for taking the time to help me. I have looked at the search you gave me many times and opened all of its links in the first page of the results, and here is what I have found:

The 1st search result concludes that I need to open debug mode in ISPConfig to get more information, and I did that but didn't get any error from the debug command line, but the conversation ended without a solution.

Code:
root@web:~# /usr/local/ispconfig/server/server.sh
15.06.2020-00:18 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
15.06.2020-00:18 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

The 2nd search result says that I need to have an AAAA record to fix this error, which I did mention, but that also didn't help.

Some search results are about installing OCSP stapling on Apache; I have no idea what that is and the tutorial didn't mention it.

The 4th search result solved the issue by removing an alias in the Apache conf, and in my case I didn't have any and even disabled rewrites or redirects.

But now, as I said, I have only a fresh install of Ubuntu and ISPConfig on it without creating any clients / sites / domains / subdomains, and the issue happened because ISPConfig made an SSL for itself; that means I didn't add a new site and try to get it working with Let's Encrypt.
if there is any log i can provide to clarify the situation more please tell me and this is apache error from new unbuntu and ispc install Code: [Sun Jun 14 20:02:43.187396 2020] [mpm_prefork:notice] [pid 17090] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.7.17 OpenSSL/1.1.1 configured -- resuming normal operations [Sun Jun 14 20:02:43.187442 2020] [core:notice] [pid 17090] AH00094: Command line: '/usr/sbin/apache2' [Mon Jun 15 00:18:02.469417 2020] [mpm_prefork:notice] [pid 17090] AH00169: caught SIGTERM, shutting down [Mon Jun 15 00:18:02.614724 2020] [ssl:warn] [pid 28717] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Mon Jun 15 00:18:02.614966 2020] [ssl:error] [pid 28717] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 1E79DF5BCFBB7FEEAE771029D8B01FA25FDF672E / notbefore: Jun 14 20:02:34 2020 GMT / notafter: Jun 12 20:02:34 2030 GMT] [Mon Jun 15 00:18:02.614982 2020] [ssl:error] [pid 28717] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling [Mon Jun 15 00:18:02.615017 2020] [suexec:notice] [pid 28717] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec) [Mon Jun 15 00:18:02.670171 2020] [:error] [pid 28730] python_init: Python version mismatch, expected '2.7.6', found '2.7.17'. [Mon Jun 15 00:18:02.670239 2020] [:error] [pid 28730] python_init: Python executable found '/usr/bin/python'. [Mon Jun 15 00:18:02.670246 2020] [:error] [pid 28730] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'. 
[Mon Jun 15 00:18:02.670267 2020] [:notice] [pid 28730] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads. [Mon Jun 15 00:18:02.670274 2020] [:notice] [pid 28730] mod_python: using mutex_directory /tmp [Mon Jun 15 00:18:02.680365 2020] [ssl:warn] [pid 28730] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Mon Jun 15 00:18:02.680513 2020] [ssl:error] [pid 28730] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 1E79DF5BCFBB7FEEAE771029D8B01FA25FDF672E / notbefore: Jun 14 20:02:34 2020 GMT / notafter: Jun 12 20:02:34 2030 GMT] [Mon Jun 15 00:18:02.680525 2020] [ssl:error] [pid 28730] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling can this be an issue because i setup another server that uses the same domain so there may be some kind of conflict in creating certificate or may be ?
The certificate certifies that the domain the browser goes to really is web.rasnix.com. If you have the same FQDN on two hosts, that can not be certified. Check that the IP number the name service gives for web.rasnix.com really goes to the host where you are creating the certificate.

Code:
$ nslookup web.rasnix.com
Server: 192.168.42.4
Address: 192.168.42.4#53

Non-authoritative answer:
Name: web.rasnix.com
Address: 197.50.241.59
Name: web.rasnix.com
Address: ::ffff:197.50.241.59
They do not have the same FQDN: one is mail.rasnix.com and the other is web.rasnix.com, and each has a different public IP address.

I am thinking about adding another site to the working server, which has only the mail site for mail.rasnix.com. I have followed exactly your great guide https://www.howtoforge.com/how-to-install-an-email-server-with-ispconfig-on-debian-10/ but with Ubuntu, so can I add another site from the ISPConfig interface for rasnix.com, and are there extra steps or notes?
Then you had an error in one of the steps. Your Apache error shows you are not using the LetsEncrypt fullchain certificate. Your error will be gone when you correctly implement a LE certificate for ISPC. What is the output of

Code:
grep ssl /etc/apache2/sites-enabled/isp000-ispconfig.vhost
ls -al /usr/local/ispconfig/interface/ssl/

You also have a problem with your Python install. Are you sure this is a new install and you followed the guide? Is your system up to date ("sudo apt update && sudo apt upgrade")?

Anyway, a problem of the guide is that mod_python is installed, which has not been maintained since 2013. You should use mod_wsgi instead if you need Python. If you don't need Python, just remove it with:

Code:
sudo apt remove libapache2-mod-python

If you need Python, install mod_wsgi after removing:

Code:
sudo apt install libapache2-mod-wsgi
I think you are right, Steini86, as I have also found a similar issue in the Dutch forum of ISPConfig at this link ("translated") https://www.translatetheweb.com/?fr...owtoforge.de/threads/probleme-mit-ssl.12083/# which has a reply from (Till, administrator) saying:

So back to my issue, the output of

Code:
grep ssl /etc/apache2/sites-enabled/isp000-ispconfig.vhost
ls -al /usr/local/ispconfig/interface/ssl/

from the other server that doesn't have this issue is

Code:
grep ssl /etc/apache2/sites-enabled/000-ispconfig.vhost
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
#SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
<IfModule mod_ssl.c>

Code:
ls -al /usr/local/ispconfig/interface/ssl/
total 36
drwxr-x--- 2 root root 4096 Jun 9 11:35 .
drwxr-x--- 9 ispconfig ispconfig 4096 May 28 22:39 ..
-rwxr-x--- 1 root root 45 May 28 22:39 empty.dir
lrwxrwxrwx 1 root root 51 Jun 9 11:29 ispserver.crt -> /etc/letsencrypt/live/mail.rasnix.com/fullchain.pem
lrwxrwxrwx 1 root root 51 Jun 4 22:24 ispserver.crt-200609112809.bak -> /etc/letsencrypt/live/mail.rasnix.com/fullchain.pem
-rwxr-x--- 1 root root 1760 May 28 22:39 ispserver.csr
lrwxrwxrwx 1 root root 49 Jun 9 11:29 ispserver.key -> /etc/letsencrypt/live/mail.rasnix.com/privkey.pem
lrwxrwxrwx 1 root root 49 Jun 4 22:26 ispserver.key-200609112823.bak -> /etc/letsencrypt/live/mail.rasnix.com/privkey.pem
-rwxr-x--- 1 root root 3311 May 28 22:37 ispserver.key.secure
-rw------- 1 root root 7204 Jun 9 11:29 ispserver.pem
-rw------- 1 root root 7175 Jun 4 22:27 ispserver.pem-200609112853.bak

So if I want to link the LetsEncrypt fullchain certificate from the working server holding mail.mydomain.com to the other server holding web.mydomain.com, how do I do this?
A certificate valid for mail.domain.com can not be used for a domain web.domain.com, unless it is a wildcard certificate for *.domain.com. You can use the DNS challenge or simply create a web to get a certificate.

1) Create a website web.domain.com
2) Activate letsencrypt for that website
3) Verify that you get certificates in /etc/letsencrypt/live/web.domain.com
4) Create symlinks like done in the guide https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

Code:
cd /usr/local/ispconfig/interface/ssl/
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
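To confirm that steps 3 and 4 took effect, the following added example (not part of the original post; the function names and the demo tree are assumptions made here) checks that the certbot lineage holds a full chain, that both panel links point into it, and that ispserver.pem is mode 600:

```shell
#!/bin/sh
# Added example, not from the thread.
# $1 = panel ssl directory, $2 = certbot lineage directory for the server FQDN.
# Prints one FAIL line per problem and returns the number of problems found.
check_panel_cert() {
    ssl_dir=$1 live_dir=$2 problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Step 3: the lineage must hold leaf + issuer; a lone certificate gives
    # Apache no issuer to use for OCSP stapling.
    if [ ! -f "$live_dir/fullchain.pem" ]; then
        fail "no fullchain.pem in $live_dir"
    elif [ "$(grep -c 'BEGIN CERTIFICATE' "$live_dir/fullchain.pem")" -lt 2 ]; then
        fail "fullchain.pem holds fewer than two certificates"
    fi

    # Step 4: both links must point into that lineage, not at the
    # self-signed files left by the installer.
    for pair in ispserver.crt:fullchain.pem ispserver.key:privkey.pem; do
        link=$ssl_dir/${pair%%:*} want=$live_dir/${pair##*:}
        if [ ! -L "$link" ]; then
            fail "$link is not a symlink"
        elif [ "$(readlink "$link")" != "$want" ]; then
            fail "$link points to $(readlink "$link"), expected $want"
        fi
    done

    # ispserver.pem contains the private key, so it must exist with mode 600.
    pem=$ssl_dir/ispserver.pem
    if [ ! -f "$pem" ]; then
        fail "$pem missing"
    elif [ -z "$(find "$pem" -prune -perm 600)" ]; then
        fail "$pem is not mode 600"
    fi
    return "$problems"
}

# Constructed demo tree (placeholder PEM markers, no real keys) for an offline run.
make_demo_tree() {
    root=$(mktemp -d) && mkdir -p "$root/live" "$root/ssl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(leaf placeholder)' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        '(issuer placeholder)' '-----END CERTIFICATE-----' > "$root/live/fullchain.pem"
    echo '(private key placeholder)' > "$root/live/privkey.pem"
    ln -s "$root/live/fullchain.pem" "$root/ssl/ispserver.crt"
    ln -s "$root/live/privkey.pem" "$root/ssl/ispserver.key"
    cat "$root/ssl/ispserver.key" "$root/ssl/ispserver.crt" > "$root/ssl/ispserver.pem"
    chmod 600 "$root/ssl/ispserver.pem"
    echo "$root"
}

demo=$(make_demo_tree)
check_panel_cert "$demo/ssl" "$demo/live" && echo "panel certificate links OK"
# On the server, with the paths used in the post:
# check_panel_cert /usr/local/ispconfig/interface/ssl "/etc/letsencrypt/live/$(hostname -f)"
```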