I have recently installed ISPConfig following this tutorial: https://www.howtoforge.com/tutorial...-9-stretch-apache-bind-dovecot-ispconfig-3-1/

I have installed PHPMyAdmin and I would like to access it with a subdomain, but only in https. I have created a subdomain in my DNS pointing to my server. I have checked Skip Lets Encrypt Check in System > Server Config > Web > SSL Settings (the machine is behind a router). LE SSL works for standard websites.

I have then created a website in ISPConfig using my subdomain and PHP-FPM, and in the Options tab > Apache Directives, I have added:

Code:
Alias / /usr/share/phpmyadmin/

in order to get to the phpmyadmin interface directly.

At this point, I can properly access the phpmyadmin interface when typing http://subdomain.mydom.xx

Now, I'm trying to check the SSL and LE SSL checkboxes for my website, but it is not working. I can wait for a while, and then the checkboxes are unchecked.

In the logs I have several things (the first line seems pretty interesting):

Code:
[INTERFACE]: PHP IDS Alert.Total impact: 5<br/>
Affected tags: dt, id, lfi<br/>
<br/>
Variable: POST.php_open_basedir | Value: /var/www/clients/client1/web11/web:/var/www/clients/client1/web11/private:/var/www/clients/client1/web11/tmp:/var/www/subdom.mydom.xx/web:/srv/www/subdom.mydom.xx/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom<br/>
Impact: 5 | Tags: dt, id, lfi<br/>
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID 11<br/>
<br/>
2018-03-14 16:15 web.imperium-gaming.fr Debug Let's Encrypt SSL Cert domains: --domains subdom.mydom.xx
2018-03-14 16:15 web.imperium-gaming.fr Debug Create Let's Encrypt SSL Cert for: subdom.mydom.xx exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains subdom.mydom.xx --webroot-path /usr/local/ispconfig/interface/acme
Let's Encrypt SSL Cert for: subdom.mydom.xx could not be issued.
/usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains subdom.mydom.xx --webroot-path /usr/local/ispconfig/interface/acme

The generated vhost /etc/apache2/sites-enabled/100-mysite.vhost:

Code:
<Directory /var/www/subdom.mydom.xx>
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    DocumentRoot /var/www/clients/client1/web11/web

    ServerName subdom.mydom.xx
    ServerAdmin [email protected]

    ErrorLog /var/log/ispconfig/httpd/subdom.mydom.xx/error.log

    Alias /error/ "/var/www/subdom.mydom.xx/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/subdom.mydom.xx/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web11/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web11 client1
    </IfModule>

    <IfModule mod_fastcgi.c>
        <Directory /var/www/clients/client1/web11/cgi-bin>
            Require all granted
        </Directory>
        <Directory /var/www/subdom.mydom.xx/web>
            <FilesMatch "\.php[345]?$">
                SetHandler php5-fcgi
            </FilesMatch>
        </Directory>
        <Directory /var/www/clients/client1/web11/web>
            <FilesMatch "\.php[345]?$">
                SetHandler php5-fcgi
            </FilesMatch>
        </Directory>
        Action php5-fcgi /php5-fcgi virtual
        Alias /php5-fcgi /var/www/clients/client1/web11/cgi-bin/php5-fcgi-*-80-subdom.mydom.xx
        FastCgiExternalServer /var/www/clients/client1/web11/cgi-bin/php5-fcgi-*-80-subdom.mydom.xx -idle-timeout 300 -socket /var/lib/php7.0-fpm/web11.sock -pass-header Authorization -pass-header Content-Type
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
        #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web11.sock|fcgi://localhost//var/www/clients/client1/web11/web/$1
        <Directory /var/www/clients/client1/web11/web>
            <FilesMatch "\.php[345]?$">
                SetHandler "proxy:unix:/var/lib/php7.0-fpm/web11.sock|fcgi://localhost"
            </FilesMatch>
        </Directory>
    </IfModule>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web11 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client1/web11/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client1/web11/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>

    Alias / /usr/share/phpmyadmin/
</VirtualHost>

The phpmyadmin conf in /etc/apache2/conf-enabled/phpmyadmin.conf:

Code:
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    <IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>
    <IfModule mod_php.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>
</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authz_core.c>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "phpMyAdmin Setup"
            AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>

I would love to get some feedback on that.
The Alias you added prevents LE from verifying its token; that's why SSL cannot work. What you might try is to add a folder /usr/share/phpmyadmin/.well-known and inside of that a symlink 'acme-challenge' pointing to /usr/local/ispconfig/interface/acme/.
That didn't work. PHPMyAdmin root folder is not so easily... customizable. But thanks to your answer I managed to trick the problem. I removed the alias, checked the checkbox for LE SSL, it went OK, then I added the alias back. I can now access my phpmyadmin on https smoothly. I may have the problem again when the certificate expires and I have to renew it, but I can manage that. Thanks till.
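Added example, not part of the thread and not ISPConfig code: a simplified model of Apache's first-match Alias handling that shows where the ACME challenge URL ends up under the posted vhost, usable as a check before a renewal. The token name, the vhost excerpts and the extra Alias line in the second excerpt are constructed assumptions; only Alias directives inside the vhost text are modelled.

```python
import posixpath
import re

# Webroot from the certbot command on this page; certbot's webroot plugin
# writes tokens to <webroot>/.well-known/acme-challenge/<token>.
ACME_WEBROOT = "/usr/local/ispconfig/interface/acme"
CHALLENGE_URL = "/.well-known/acme-challenge/probe-token"  # constructed token name
# Matches plain Alias lines only (not ScriptAlias, AliasMatch or comments).
ALIAS_RE = re.compile(r'^\s*Alias\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?\s*$', re.I)

# Constructed excerpt: the three Alias lines of the vhost in the question.
VHOST_AS_POSTED = '''
Alias /error/ "/var/www/subdom.mydom.xx/web/error/"
Alias /php5-fcgi /var/www/clients/client1/web11/cgi-bin/php5-fcgi-*-80-subdom.mydom.xx
Alias / /usr/share/phpmyadmin/
'''
# Assumption: a more specific Alias listed before the catch-all one.
VHOST_WITH_EXCEPTION = '''
Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
Alias / /usr/share/phpmyadmin/
'''

def parse_aliases(vhost_text):
    """Return (url_prefix, filesystem_target) pairs in file order."""
    return [m.groups() for m in map(ALIAS_RE.match, vhost_text.splitlines()) if m]

def alias_matches(prefix, url_path):
    """Prefix match on a path-segment boundary (simplified mod_alias rule)."""
    if prefix.endswith("/"):
        return url_path.startswith(prefix)
    return url_path == prefix or url_path.startswith(prefix + "/")

def resolve(aliases, url_path):
    """Map url_path through the first matching Alias; None if none captures it."""
    for prefix, target in aliases:
        if alias_matches(prefix, url_path):
            return posixpath.normpath(target + url_path[len(prefix):])
    return None

def challenge_shadowed(vhost_text):
    """True if a vhost Alias sends the challenge URL outside the ACME webroot."""
    mapped = resolve(parse_aliases(vhost_text), CHALLENGE_URL)
    return mapped is not None and not mapped.startswith(ACME_WEBROOT + "/")

if __name__ == "__main__":
    for name, text in (("as posted", VHOST_AS_POSTED),
                       ("with exception", VHOST_WITH_EXCEPTION)):
        print(name, "->", resolve(parse_aliases(text), CHALLENGE_URL),
              "| shadowed:", challenge_shadowed(text))
```

Running challenge_shadowed() over the real vhost file before a renewal flags a catch-all Alias that would capture the validation request.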