For 6 months I have been working with the API, and now, after I made a re-install of the ic master server, I can't connect with the API with the same code I have worked with for 6 months. So, I have created a remote user with access to all functions, and I get Code:
SOAP Error: Could not connect to host
It's no firewall issue; telnet to 8080 is no problem. Is there any other setting I have forgotten to enable for remote access? It does not seem to be a credential issue; it seems to be something else. Could it be any PHP issue on the ic master server?
Might be an SSL issue if it's a self-signed cert. You can tell PHP's SoapClient via options to accept self-signed certs.
I can ping, I can telnet to port 8080, I can log in to the ISPC portal, and there is a proper LE cert: https://ic.etableraweb.com:8080/ I have also put a phpinfo file there: https://ic.etableraweb.com:8080/p.php
This is the SOAP code I have used from the very beginning with no issues at all, until now when I did the re-install. Code:
$this->client = new SoapClient(null, array(
    'location'   => $soap_location,
    'uri'        => $soap_uri,
    'trace'      => 1,
    'exceptions' => 1));
Whoa, I put Code:
$opts = [
    'ssl' => [ // set some SSL/TLS specific options
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true
    ],
    'http' => [
        'user_agent' => 'PHPSoapClient'
    ]
];
// handed to SoapClient as 'stream_context' => stream_context_create($opts)
on the SOAP call, and now got connected, Code:
Array ( [response] => [success] => [message] => SOAP Error: The login is not allowed from ********* )
(I will address this error later), but why did it connect now? Is the LE cert not really OK? It did work before, with the LE cert ISPConfig used to create. N.B., this time I used the auto-install script to install the server.
Which hostname are you using to connect to? A different one than the one you are using in the browser to visit the panel? The "not allowed from" error is probably caused because you did not allow remote access from the IP you are trying to log in from.
Same hostname as for the panel. This is strange. Why is the LE cert treated as a self-signed cert?
And the cert is issued for the hostname that is being called: "subject=CN = ic.etableraweb.com" Code:
[ks@009 ispconfig]$ openssl s_client -showcerts -connect ic.etableraweb.com:8080 -servername ic.etableraweb.com
CONNECTED(00000003)
depth=0 CN = ic.etableraweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ic.etableraweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = ic.etableraweb.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFKzCCBBOgAwIBAgISBAz6lL7mfUpcqlnUU6UVEIJ9MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTAzMDQxOTA3NTVaFw0yMTA2MDIxOTA3NTVaMB0xGzAZBgNVBAMT
EmljLmV0YWJsZXJhd2ViLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMMIlacsk6l3Hxg7nLATKYh3iPzBiopTxK9uY0MBMqlsulDabpxholvP8Owj
8Iq4IqdaXlgd2TutNOwW6nGyjyPQoemWLNFkmdtDyYW3AcAkWLIaLuehteyQPG6J
FPcptfwfzR4qHEc9n56pf+DMDMrAno3Xl8+PgahmllO3VMHEdtSviqx+3bxJSWe4
gIB2EmGYP55DQX6RAPiYbyChIIq0rzyfFaBBG2h0jMnYFX9ejcYJsn7Ktl8xoVht
rvELpVvtGUPT+KhuxeSclakpEiZBLOCQG/1+pv55S/BrFH8UzCfKoMGQy0XCbSP7
+w1e4ISrR+Sny4/Lz4p5ErFVXHcCAwEAAaOCAk4wggJKMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQUihEkQC5Wt8glkaZf3J8fuMzpb1MwHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wHQYDVR0RBBYwFIISaWMuZXRhYmxlcmF3ZWIuY29tMEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYARJRl
LrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF3/tqb7gAABAMARzBFAiEA
+M2SuuSzW9ZgEQioe2I3s+i0O6v2cTGfQllG4NK+mAQCIF7ec8LB/+B2O+dhpt0N
qNGrkDzxU8i3L20ovmxu9Yi2AHcA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyAL
zE7xZOMAAAF3/tqb1QAABAMASDBGAiEA9Ec2mPESuQWAtc/XVTpMBWRCo3GIhbqz
qTs1YBNTBLgCIQCEE4aBeMuhSKJ1uGzrZYN1668d9dj36iwV1p1+qAOf8TANBgkq
hkiG9w0BAQsFAAOCAQEAolH3lEbUbNYa8emslTjblh/TEGJCfW7yeFzqovg0L39i
+bQj8FG6sF/1dtLsFURJqh18dhBdIC5bxsdWtYpfIx4MO+XebVzKGlpVijU6vpMT
8vI/H1eX/pfKPSxKRZTeTEfdGPvxZX/vyNX2b3nFADSwUZ49ZbLV7dZ12dz5NoU8
3uP+H4qtTfV2B7vWZNipPuVd2yM8Bt8qkhv7ppwjUGplvAV3hvJDyQiTAsbIZ8O2
udJSZTKe68qURQ3H5MsC6t14LFizPS4iK06jWQ+sFwitry68s4h5IhnBhbNtc58Q
VWH9ZRy6Hit6zJE2MQBOpmA/fZVPdoYrG1iOJqvrIA==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ic.etableraweb.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1887 bytes and written 396 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F8E6DDB546A2B39A8D5F5F274AC2AA0E2C8A5649E0C38A73D86A93E925988444
    Session-ID-ctx:
    Resumption PSK: 163584B2CBEC3A989735109EF64C1FBFACA99C4621F0389BAEBF6DB462AC0A6B9F72B8CBBCB5DDAAF8FFE471BD995590
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5a 39 42 23 78 4b 81 c3-08 10 b4 1d 7f 43 46 ab   Z9B#xK.......CF.
    0010 - 7a af 06 d7 53 b4 07 99-a8 ba b6 8b 76 d2 be a3   z...S.......v...
    0020 - 13 43 22 c5 4b 70 30 b3-f4 45 c2 be 6b 72 71 17   .C".Kp0..E..krq.
    0030 - 61 c1 f7 e7 3d 3e 3e 63-e2 14 3d b7 c9 fe 3b 8a   a...=>>c..=...;.
    0040 - 24 d8 ff 31 db 2f 86 bb-e2 b1 d7 82 06 99 0c 8f   $..1./..........
    0050 - cb 0a 25 f3 70 04 f4 8a-ae ac 02 ab a2 c8 94 60   ..%.p..........`
    0060 - 20 6f c7 61 45 82 26 f8-d5 0b ee 06 ea 5f a1 17    o.aE.&......_..
    0070 - 85 bd fc a1 87 e5 3a c7-c2 da 58 d6 d1 19 31 6e   ......:...X...1n
    0080 - 66 ab c7 6c 22 f2 57 2b-92 55 ed 8f 1a be 34 65   f..l".W+.U....4e
    0090 - cb a7 e5 37 ab d4 1b ae-ef 39 d8 10 d2 e9 68 8f   ...7.....9....h.
    00a0 - 18 09 8a aa 3c 34 f3 ad-5a 7d bd f5 b5 bb cd 5d   ....<4..Z}.....]
    00b0 - fa 9d b4 c4 a6 ef 11 cb-1a 1f f5 1c 79 69 3d 81   ............yi=.
    00c0 - 9b c1 d4 21 35 0b 5a eb-bc 1a 79 f4 4c d7 f4 33   ...!5.Z...y.L..3
    00d0 - 97 08 ae af eb 08 92 fc-1d 85 ce 13 c4 09 03 14   ................
    00e0 - ca a1 1a 28 51 b7 f1 4e-cd 2d d1 13 33 92 9a 7f   ...(Q..N.-..3...
    00f0 - 1a 5f fa e3 9b de c5 9d-43 24 42 ed 3d 88 e1 59   ._......C$B.=..Y

    Start Time: 1614961770
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6766AB01EF834B3666DB010893BA3ACFEABB2D8A8CB99CD9065A4EC55B26A4A3
    Session-ID-ctx:
    Resumption PSK: 683CCDA4CF93F7118BDD1755A28DE7B9583EDFD080C00C7FF65EAD8EC00AB3CB44D978C8BFA17B7B16BE3C37FC1AACCD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5a 39 42 23 78 4b 81 c3-08 10 b4 1d 7f 43 46 ab   Z9B#xK.......CF.
    0010 - ed 77 c6 ef f8 8d 75 c2-04 5d f8 ed 2f d5 b5 f9   .w....u..]../...
    0020 - 02 d7 43 8d 32 c3 74 dc-10 0c 21 04 cf 53 0d 27   ..C.2.t...!..S.'
    0030 - f9 17 b4 dd 0f 03 b0 12-46 98 c8 09 4b 62 ad 16   ........F...Kb..
    0040 - 76 d4 b9 c4 a7 8d 8b 45-33 3d 8b 11 2b e2 3d fb   v......E3=..+.=.
    0050 - b9 cb 9b ef 97 3d 16 be-fe 0d 80 ea 19 4f ba de   .....=.......O..
    0060 - 7c eb 3e ae e0 7a de 2b-d7 5c 05 06 29 43 2b ca   |.>..z.+.\..)C+.
    0070 - 36 7d 40 d9 d8 ff 46 a0-c9 fe d1 d5 ba ab fc ef   6}@...F.........
    0080 - c3 66 7f 51 e8 5e 93 e8-62 68 59 6c f7 cb 20 15   .f.Q.^..bhYl.. .
    0090 - 83 a1 ac a3 80 29 54 8d-5e e3 23 e5 98 ed 4f 06   .....)T.^.#...O.
    00a0 - c6 5f 7a a2 12 3c f4 86-20 18 47 5d 1b bf 8f 96   ._z..<.. .G]....
    00b0 - df 63 1e 31 26 8d 81 e7-ab ca 56 5a 38 11 17 18   .c.1&.....VZ8...
    00c0 - da 30 2a c1 f9 6e ab b9-99 61 1e 4a 96 03 b5 17   .0*..n...a.J....
    00d0 - 0e 95 fd 40 31 42 bf df-fb 69 0f a3 2d 02 37 a6   ...@1B...i..-.7.
    00e0 - 07 87 12 39 29 e2 f5 5e-bd a8 3f cd 0f f8 77 e9   ...9)..^..?...w.
    00f0 - 65 b0 39 33 8d 85 8c a5-4f 05 ac 65 ef a8 ba 1f   e.93....O..e....

    Start Time: 1614961770
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
When I look closer at the cert, it says the first certificate can't be verified. I did test connecting with only Code:
'verify_peer' => false,
set, and it connects. Hence the issue is the cert that has been created by acme. There were issues with the certs when the server was installed with the auto-install script, see https://www.howtoforge.com/communit...sexception-php-error.86530/page-2#post-419365 I had to do a forced update to generate new certs.
I did the same test on one of our DA servers that also use LE certs, and with these there are no issues verifying peers. There is something not so good with the LE certs created by ISPConfig. Code:
[ks@009 ispconfig]$ openssl s_client -showcerts -connect ronin2.etableraweb.com:443 -servername ronin2.etableraweb.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ronin2.etableraweb.com
verify return:1
Well, now I did the same on a hosted domain on the ISPConfig server, and that domain did get a proper cert. It is the ISPConfig portal, dovecot, postfix and ftp that have poor certs. Code:
[ks@009 ispconfig]$ openssl s_client -showcerts -connect blogg.click:443 -servername blogg.click
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = blogg.click
verify return:1
Something is wrong with the chain of trust. In your other post, you were messing with the cert. It is likely something went wrong there. You noted you copied the cert from the acme.sh folder; this can lead to problems. What is the output of Code:
ls -la /usr/local/ispconfig/interface/ssl
now?
You most likely copied the "server1.example.com.cer" cert instead of the fullchain "fullchain.cer". Copy the fullchain.cer from /root/.acme.sh/server1.example.com/ to /usr/local/ispconfig/interface/ssl/ispserver.crt. The reason it works in most browsers is that they search for the missing parts (the root certificates), but PHP does not. This was not fixed when you ran the forced upgrade, because you had already placed a "valid" cert in the ssl folder.
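A way to see the chain exactly as PHP's own stream layer receives it, added here as an example that is not code from the thread, from ISPConfig or from acme.sh. The probe captures whatever certificates the server sends and classifies them: a single leaf whose issuer is not itself is the "unable to verify the first certificate" case from the openssl output above (the Let's Encrypt R3 intermediate was never sent), as opposed to a genuinely self-signed cert. The SoapClient factory then keeps verification switched on, with an explicit CA bundle, instead of the verify_peer=false workaround used earlier in the thread. The host, port and CA bundle path are assumptions, and the two sample chains are constructed to mirror the before and after output in the thread.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread, ISPConfig or acme.sh).
// Probe a TLS endpoint the way PHP sees it, then build a SoapClient
// that verifies the peer instead of disabling verification.

/**
 * Return the certificate chain the server actually sends, leaf first,
 * as ['subject' => CN, 'issuer' => CN] entries. Verification is disabled
 * for this probe ONLY so that a broken chain can still be inspected;
 * no application data is sent over this connection.
 */
function served_chain(string $host, int $port, float $timeout = 5.0): array
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert_chain' => true,
        'verify_peer'             => false,
        'verify_peer_name'        => false,
        'SNI_enabled'             => true,
        'peer_name'               => $host,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: [$errno] $errstr");
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $chain = [];
    foreach ($params['options']['ssl']['peer_certificate_chain'] ?? [] as $cert) {
        $info    = openssl_x509_parse($cert);
        $chain[] = [
            'subject' => $info['subject']['CN'] ?? '?',
            'issuer'  => $info['issuer']['CN']  ?? '?',
        ];
    }
    return $chain;
}

/**
 * Classify a served chain by linking each issuer CN to the next subject CN.
 * This is a diagnostic heuristic (CN only, no signature check); the
 * authoritative verdict comes from a client with verify_peer enabled.
 */
function diagnose_chain(array $chain): string
{
    if ($chain === []) {
        return 'no certificate received';
    }
    $leaf = $chain[0];
    if ($leaf['subject'] === $leaf['issuer']) {
        return 'self-signed leaf';
    }
    for ($i = 0; $i < count($chain) - 1; $i++) {
        if ($chain[$i]['issuer'] !== $chain[$i + 1]['subject']) {
            return sprintf('chain broken at position %d: issuer "%s" != next subject "%s"',
                $i, $chain[$i]['issuer'], $chain[$i + 1]['subject']);
        }
    }
    if (count($chain) === 1) {
        // The thread's failure: bare .cer installed, intermediate missing.
        return sprintf('leaf only, issuer "%s" not sent: install fullchain, not the bare .cer',
            $leaf['issuer']);
    }
    return sprintf('%d certificates sent, chain links up to "%s"',
        count($chain), end($chain)['issuer']);
}

/** SoapClient with verification kept ON and an explicit CA bundle (path assumed). */
function make_soap_client(string $location, string $uri, string $caBundle): SoapClient
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $caBundle, // e.g. /etc/ssl/certs/ca-certificates.crt (assumed)
    ]]);
    return new SoapClient(null, [
        'location'       => $location,
        'uri'            => $uri,
        'trace'          => 1,
        'exceptions'     => 1,
        'stream_context' => $ctx,
    ]);
}

// Constructed samples mirroring the thread: before (leaf only) and after
// (fullchain.cer installed). Not captured from a live server.
const SAMPLE_LEAF_ONLY  = [['subject' => 'ic.etableraweb.com', 'issuer' => 'R3']];
const SAMPLE_FULL_CHAIN = [['subject' => 'ic.etableraweb.com', 'issuer' => 'R3'],
                           ['subject' => 'R3', 'issuer' => 'DST Root CA X3']];

if (PHP_SAPI === 'cli') {
    echo diagnose_chain(SAMPLE_LEAF_ONLY), PHP_EOL;
    echo diagnose_chain(SAMPLE_FULL_CHAIN), PHP_EOL;
    if (isset($argv[1])) { // php probe.php host[:port]  (hypothetical usage)
        [$h, $p] = array_pad(explode(':', $argv[1], 2), 2, 8080);
        $chain   = served_chain($h, (int) $p);
        foreach ($chain as $i => $c) {
            printf("%d: %s <- issued by %s\n", $i, $c['subject'], $c['issuer']);
        }
        echo diagnose_chain($chain), PHP_EOL;
    }
}
```

Run it against the panel port after copying fullchain.cer into place and the chain should list the leaf followed by the R3 intermediate; with the bare .cer it lists the leaf alone, which is the state PHP cannot verify while a browser silently repairs it. Keep the verification-disabled context confined to the probe: the production client should use make_soap_client() so a wrong or missing chain fails loudly rather than being accepted.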
You are the man, Thom, wonderful. Code:
root@ic:~/.acme.sh/ic.etableraweb.com# openssl s_client -showcerts -connect ic.etableraweb.com:8080 -servername ic.etableraweb.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ic.etableraweb.com
verify return:1
---
I suspected it was because there is no CAA record for the hostname, and the current DNS provider we use for the domain, enom, does not support CAA records, so I had just started to set up DNS for this domain elsewhere, and since this domain is crucial for our whole infrastructure, it's not a small task. Glad I got your reply now, so I can stop that task.