Sites and email not working after following SSL certificate guide

Discussion in 'Installation/Configuration' started by ngdm, Jun 2, 2016.

  1. ngdm

    ngdm New Member

    Hi.
    I have a server set up to host multiple sites, running Apache2, Postfix, Dovecot, BIND and MySQL. Everything was working perfectly until I followed a guide in these forums to install an SSL certificate. The guide can be found here: https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl.

    After following that guide, I can't access either of the two sites currently hosted on the server, or even the server itself, by any means except using the server IP address over ssh.

    I've gone back through the guide and restored all the files backed up during the process to their original versions. Not sure what to try next. I'm new to running a web and mail server, and willingly admit that I don't really know what I'm doing.

    I do see a line that the server.sh script can't find the server IP address using ifconfig, but when I ran ifconfig, the IP address was correct.

    How can I fix this please?

    Here is the output of /usr/local/ispconfig/server/server.sh
    --------------------------------------------
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.0.5.4p9


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 5.6.20-0+deb8u1
    [INFO] php-cgi (used for cgi php in default vhost!) is version 5.6.20-0+deb8u1

    ##### PORT CHECK #####

    [WARN] Port 143 (IMAP server) seems NOT to be listening
    [WARN] Port 993 (IMAP server SSL) seems NOT to be listening
    [WARN] Port 110 (POP3 server) seems NOT to be listening
    [WARN] Port 995 (POP3 server SSL) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 2685)
    [INFO] I found the following mail server(s):
    Postfix (PID 1367)
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [INFO] I found the following ftp server(s):
    PureFTP (PID 765)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:25 (1367/master)
    [anywhere]:443 (2685/apache2)
    [localhost]:2812 (383/monit)
    [localhost]:10024 (962/amavisd-new)
    [localhost]:10025 (1367/master)
    [anywhere]:587 (1367/master)
    [localhost]:11211 (270/memcached)
    [anywhere]:8080 (2685/apache2)
    [anywhere]:80 (2685/apache2)
    [anywhere]:8081 (2685/apache2)
    [anywhere]:465 (1367/master)
    [anywhere]:21 (765/pure-ftpd)
    [anywhere]:22 (268/sshd)
    *:*:*:*::*:25 (1367/master)
    *:*:*:*::*:3306 (578/mysqld)
    *:*:*:*::*:587 (1367/master)
    *:*:*:*::*:465 (1367/master)
    *:*:*:*::*:21 (765/pure-ftpd)
    *:*:*:*::*:22 (268/sshd)

    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    fail2ban-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
    fail2ban-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    target prot opt source destination
    fail2ban-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    fail2ban-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
    fail2ban-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-postfix-sasl (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
    -------------------------------------------------------
    The output of ifconfig is here, with the IP address redacted:

    --------------------------------------------------------
    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:1869 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1869 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:449094 (438.5 KiB) TX bytes:449094 (438.5 KiB)

    venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
    UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
    RX packets:15961 errors:0 dropped:0 overruns:0 frame:0
    TX packets:15031 errors:0 dropped:66 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1379381 (1.3 MiB) TX bytes:1840881 (1.7 MiB)

    venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:[this is correct] P-t-P:[this is correct] Bcast:[this is correct] Mask:255.255.255.255
    UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
     
  2. Well, my guess is that you broke apache because of a wrong symlink to the cert + key :). Mail (postfix/dovecot) will probably have been impacted too :).

    Check the configuration files for clues where the cert + key + chain files are supposed to be and restart the apache services.

    Or: don't be foolish and get your hosting done for you. There are plenty of people that do know what they are doing ;-).

    Getting a certificate is just one thing. Getting SSL/TLS/HTTPS configured right is a whole other matter.
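
The check suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads the certificate, key and chain paths out of the configuration files passed to it and reports any path that is a dangling symlink, missing, or empty. It goes beyond Apache to the Postfix and Dovecot settings as well, since the reply expects mail to be affected too; which configuration files to pass is left to the caller, and directive names are matched in their canonical spelling only.

```shell
#!/bin/sh
# Added example (not from the thread): find TLS file directives whose target
# is a dangling symlink, missing, or empty.
# Covers Apache (SSLCertificate*File), Postfix (smtpd_tls_*_file) and
# Dovecot (ssl_cert / ssl_key, written as "ssl_cert = </path").

TLS_DIRECTIVES='SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile'
TLS_DIRECTIVES="$TLS_DIRECTIVES|smtpd_tls_cert_file|smtpd_tls_key_file|ssl_cert|ssl_key"

# sed program: print "<directive> <path>" for every uncommented matching line.
TLS_PATH_RE='s/^[[:space:]]*('"$TLS_DIRECTIVES"')([[:space:]]*=[[:space:]]*<?|[[:space:]]+)"?([^"[:space:]]+)"?[[:space:]]*$/\1 \3/p'

# usage: check_tls_paths CONF_FILE...
# Prints one line per problem; returns 1 if any problem was found, else 0.
check_tls_paths() {
    status=0
    for conf in "$@"; do
        entries=$(sed -nE "$TLS_PATH_RE" "$conf")
        while read -r directive path; do
            [ -n "$path" ] || continue          # no matches in this file
            if [ -L "$path" ] && [ ! -e "$path" ]; then
                # The symlink itself exists but its target does not.
                echo "DANGLING $directive $path -> $(readlink "$path") [$conf]"
                status=1
            elif [ ! -e "$path" ]; then
                echo "MISSING $directive $path [$conf]"
                status=1
            elif [ ! -s "$path" ]; then
                echo "EMPTY $directive $path [$conf]"
                status=1
            fi
        done <<EOF
$entries
EOF
    done
    return $status
}

# Run directly with config files as arguments, e.g. the vhost files and the
# Postfix/Dovecot main configuration files of the server being checked.
if [ "$#" -gt 0 ]; then
    check_tls_paths "$@"
fi
```

A clean run prints nothing and exits 0; it only confirms the files are present, not that the certificate and key belong together or that the chain is correct.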
     
  3. ngdm

    ngdm New Member

    Ah, but if it weren't for my foolishness I'd never learn anything! :)
    You were right. I'm honestly not sure which one fixed it, but it was a problem with one of the symlinks. Thanks for that!
     
  4. Good to hear ;-). I wasn't saying you were foolish per se ;-). I just have seen too many people losing their business due to data loss or other things. And sometimes it is a bit annoying to see crappy security on "professional hosting" and self-proclaimed system administrators :p
     
