Hi! After upgrading debian buster to bullseye our webmailservice provided by roundcube (setup done with this guide https://www.howtoforge.com/install-ispconfig-3-roundcube-plugins-on-debian-10/ ) is not working anymore. Apparently the webserver delivers a wrong SSL-certificate, beause in the error.log of our domain-webspace appears Code: [Fri Jun 10 07:51:07.073336 2022] [ssl:warn] [pid 207205] AH01909: XXX.at:443:0 server certificate does NOT include an ID which matches the server name and investigating the error-screen in firefox, the security-window explains: https://imgur.com/a/LGn4nvs [/IMG] the common-name is autodiscover.ourdomain.at instead of ourdomain.at Good to know is, that we use the automail-plugin of https://schaal-it.com/ispconfig-automail/ Any ideas why suddently the wrong certificate is delivered? Thanks for any hints!
For now I had disabled the automail-Service and now the provided SSL-Certificates are alright. But roundcube isnt working - I still get the following error message in apache2 error.log Code: [Fri Jun 10 19:21:41.105384 2022] [core:notice] [pid 360338] AH00052: child pid 369899 exit signal Segmentation fault (11) any hints how to fix this?
Did you follow https://www.howtoforge.com/update-the-ispconfig-perfect-server-from-debian-10-to-debian-11/ for updating? If not, do so
Thank you for the hint to the update-howto, all steps are done finally. But the problem persits. Roundcube ist available and the page httsp://www.xxx.at/webmin shows (again/still) the wrong certificate. See this screenshots Hm ... any further hints? Thanks in advance!
You probably have something wrong in your vhost setup for this. That isn't configured by ISPConfig, of course (and seems like it could be problematic, as the two control panels could likely setup conflicting configurations for services and such).
OMG! Sorry for this information - its NOT /webmin its /webmail webmin isnt active/installed on this server And here are the two imagelinks again, the IMG-function of this board seems to be broken Code: https://imgur.com/SKpyKsZ https://imgur.com/2UQMqvt one thing: If I check the domain with serverl SSL-Check-Services like https://de.ssl-tools.net/users/checks or https://www.ssllabs.com/ssltest/analyze.html?d=hiddenname.at&hideResults=on https://www.sslshopper.com/ssl-checker.html#hostname=tesoro.hiddenname.at there is no same result. On some checkers I get "all ok" on some there is no result given and on some "are errors" - but not specified. Now I checked /var/log/letsencrypt/letsencrypt.log - sadly there are errors too: Code: 2022-06-15 19:11:04,189:DEBUG:certbot._internal.main:certbot version: 1.9.0 2022-06-15 19:11:04,189:DEBUG:certbot._internal.main:Arguments: ['--domains', 'HiddenEntry.at', '--domains', 'www.HiddenEntry.at'] 2022-06-15 19:11:04,190:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2022-06-15 19:11:04,218:DEBUG:certbot._internal.log:Root logging level set at 20 2022-06-15 19:11:04,218:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2022-06-15 19:11:04,298:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/supercloud.HiddenEntry.at.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping. 2022-06-15 19:11:04,310:DEBUG:certbot._internal.cert_manager:Traceback was: Traceback (most recent call last): File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 78, in certificates renewal_candidate = storage.RenewableCert(renewal_file, config) File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 447, in __init__ "file reference".format(self.configfile)) CertStorageError: renewal config file {} is missing a required file reference 2022-06-15 19:11:04,377:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80 2022-06-15 19:11:04,391:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503 2022-06-15 19:11:04,393:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/HiddenEntry.at/cert.pem is signed by the certificate's issuer. 2022-06-15 19:11:04,398:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/HiddenEntry.at/cert.pem is: OCSPCertStatus.GOOD Is this server completly "lost" ?
Ok, so does https://www.xxx.at/webmail show the wrong site? Or roundcube works fine there, just the wrong certificate? Is www.xxx.at a site you added through the control panel? Do other urls for https://www.xxx.at/ work with the correct certificate? How did you setup the /webmail alias? Did you install roundcube from source or a .deb package? Have you reviewed the "When visiting domain B, the content of domain A is showing!" entry at https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ ?
Its not possible to check this, because all browsers I can use are declining the connection. All domains which are hosted on this server are working, but no domain is showing the right SSL-certifiacte. Even not the "main"-domain HiddenDomain.at Yes. yes, they are working. until you go to OtherURL.com/webmail - then the ssl-error is shown its done by https://www.howtoforge.com/perfect-...g-3-1/#-installnbsproundcube-webmail-optional and it worked for months on debian buster, until I upgraded to bullseye last weekend. i used the .deb as mentioned above Yes, I reviewed that. Its not applicable to me.
Curious, I don't know of any reason why this path would have different ssl settings that another path when using the above path, there is nothing in the default vhost config that would do that. What do you have for the site's vhost file and /etc/apache2/conf-enabled/roundcube.conf? What do you get as then HTTP response if you use curl or even plain openssl to request it? Eg. Code: echo -en "GET /webmail HTTP/1.1\r\nHost: www.xxx.at\r\n\r\n" | openssl s_client -connect www.xxx.at:443 -quiet -ign_eof"
Code: cat /etc/apache2/conf-enabled/roundcube.conf # Those aliases do not work properly with several hosts on your apache server # Uncomment them to use it or adapt them to your configuration Alias /roundcube /var/lib/roundcube Alias /webmail /var/lib/roundcube <Directory /var/lib/roundcube/> Options +FollowSymLinks # This is needed to parse /var/lib/roundcube/.htaccess. See its # content before setting AllowOverride to None. AllowOverride All <IfVersion >= 2.3> Require all granted </IfVersion> <IfVersion < 2.3> Order allow,deny Allow from all </IfVersion> </Directory> # Protecting basic directories: <Directory /var/lib/roundcube/config> Options -FollowSymLinks AllowOverride None </Directory> <Directory /var/lib/roundcube/temp> Options -FollowSymLinks AllowOverride None <IfVersion >= 2.3> Require all denied </IfVersion> <IfVersion < 2.3> Order allow,deny Deny from all </IfVersion> </Directory> <Directory /var/lib/roundcube/logs> Options -FollowSymLinks AllowOverride None <IfVersion >= 2.3> Require all denied </IfVersion> <IfVersion < 2.3> Order allow,deny Deny from all </IfVersion> </Directory> Code: #echo -en "GET /webmail HTTP/1.1\r\nHost: www.HiddenDomain.at\r\n\r\n" | openssl s_client -connect www.HiddenDomain.at:443 -quiet -ign_eof depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = HiddenDomain.at verify return:1 HTTP/1.1 301 Moved Permanently Date: Thu, 16 Jun 2022 09:42:46 GMT Server: Apache Strict-Transport-Security: max-age=15552000; includeSubDomains; preload Location: https://www.HiddenDomain.at/webmail/ Content-Length: 245 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.HiddenDomain.at/webmail/">here</a>.</p> </body></html> What i don't understand is that firefox and safari criticise the authenticity of the certificate. But if you display the allegedly faulty certificate in FF or Safari, that the correct domain name is then displayed. By the way, Chrome completely refuses to deliver "This page does not work www.hiddendomain.at has not sent any data / ERR_EMPTY_RESPONSE". With Chrome, FF, Safari you can reach the maindomain without /webmail without any problems.
The certificate seems good for the HiddenDomain.at name at least, though may or may not include the SAN www.HiddenDomain.at (you could confirm with additional openssl commands). You requested the /webmail location and it redirected you to /webmail/ (with trailing slash), you could request that and see if the output differs, but if you were stuck in a redirect loop that might explain not showing any content.
