Hello, The perfect server Ubuntu 20.04 Apache and ISPConfig 3.2.2. I have messed up the DNS record while installing the fresh server. I have corrected all DNS records now and created sites, and they are all secure, including for example "server1.example.com". Now the question is: how do I go back and make the system use that certificate to secure the panel, mail and ftp? Thanks in advance,
It works, thanks a million. Now another question: how do I prevent/hide the "Apache2 Ubuntu Default Page"? Is it OK to redirect to https like any other site? Or do you deal with the host's website differently? Thanks
Create a website aaa.aaa.com (or something like that, which is alphabetically first in the list). HTTPS redirect for the panel: as it only uses port 8080, it is not possible to redirect http://server1.example.com:8080 to https://server1.example.com:8080.
Thanks for the quick reply, but I am not sure if I understand. After Jesse's response, I have a secured "https://server1.example.com" with a valid LE certificate. Now if you go open "http://server1.example.com" it will show you How do I hide or prevent this page from showing? Thanks,
Did you create the web for server1.example.com in ISPConfig? If so, you can change the content - though you should not be seeing this default page usually.
Thanks, Th0m. Yes, I have created the site server1.example.com in ISPConfig. What do you mean by changing the content? I see two different pages for the same site: the default page of ISPconfig3 when I open the https, which is good and normal. But what bothers me is I see the Apache default page when you open http. How do I show the proper default page in either case? Thanks again
Great, but it does not show the content of the web folder. What is in the web folder shows correctly when you view "https" but shows the apache2 default page when you access "http". Why?
Can you share the content of the vhost in /etc/apache2/sites-available? (Do not mess around with this file, only share the content but don't change anything)
Is this the classic "wrong website shown"? Usually it is mixing * and IP-number in IPv4-Address field, or certificate failing for some websites. https://www.howtoforge.com/community/threads/wrong-site-for-given-url.79058/
Code:
[email protected]:~# ls -l /etc/apache2/sites-available
total 52
-rw-r--r-- 1 root root 1332 Apr 13 2020 000-default.conf
-rw-r--r-- 1 root root 310 Jan 27 05:48 acme.conf
-rw-r--r-- 1 root root 3048 Jan 27 05:48 apps.vhost
-rw-r--r-- 1 root root 6338 Apr 13 2020 default-ssl.conf
-rw-r--r-- 1 root root 2119 Jan 27 05:48 ispconfig.conf
-rw-r--r-- 1 root root 3394 Jan 27 05:49 ispconfig.vhost
-rw-r--r-- 1 root root 2152 Jan 29 09:40 net.mydomain.com.vhost
-rw-r--r-- 1 root root 8505 Jan 29 09:40 mydomain.com.vhost
-rw-r--r-- 1 root root 5840 Jan 29 09:40 server1.mydomain.com.vhost
Issue the command and see. If that is not suitable, read the man-page for the command. Or use the built-in help:
Code:
apachectl --help
apachectl -h
Does this happen when you open the site in incognito mode of your browser? If not, it's a caching problem.
@steini86 Incognito shows the same.
@Jesse Norell
Code:
apachectl -S
VirtualHost configuration:
*:8081 server1.mydomain.com (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080 server1.mydomain.com (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80 is a NameVirtualHost
    default server server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost 000default.com (/etc/apache2/sites-enabled/100-000default.com.vhost:7)
        alias www.000default.com
    port 80 namevhost network.mydomain.com (/etc/apache2/sites-enabled/100-network.mydomain.com.vhost:7)
    port 80 namevhost mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:7)
        alias www.mydomain.com
    port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:7)
*:443 is a NameVirtualHost
    default server mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
    port 443 namevhost mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
        alias www.mydomain.com
    port 443 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:93)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"

I have found out that the server certificate is not getting generated properly. What I meant here is:
1- server1.mydomain.com has a valid LE certificate, no question.
2- When I run the command
Code:
ispconfig_update.sh --force
I get the following error
Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for server1.mydomain.com
Using certificate path /etc/letsencrypt/live/server1.mydomain.com
Server's public ip(s) (X.Y.X.W) not found in A/AAAA records for server1.mydomain.com: 10.10.10.2
Ignore DNS check and continue to request certificate? (y,n) [n]:y

So I think the way I configure my server is it has a private IP address and then it is NATed to a public IP. Could that be the problem? In any case, how do I overcome this issue? Do I change my setup to have the public on the interface direct and forget about NAT? The only reason I set it up this way is for security.
What happens when you try to let it create a cert? You can also use this guide: https://www.howtoforge.com/tutorial...ript-for-your-ispconfig-pem-file-ispserverpem Though letting the installer take care of it is preferred by most.
The only security benefit you get by this is that only forwarded ports connect to the server. You can achieve the same by using a firewall and only open needed ports.

This 'can' be a problem. However, disabling the check should be working then. You might also want to disable the check for all web hosts: ("System" -> "Server Config" -> "Web" -> "Skip Lets Encrypt Check").

Somehow you mixed your vhosts:
You have a "server1.mydomain.com" configured in 000-default.conf and in 100-server1.mydomain.com.vhost.
You have 000default.com configured as a web but not with ssl? The purpose of a default host is to be a default for SSL, when the vhost does not have ssl enabled (like network.mydomain.com, which has no ssl config).

I don't know what's inside your /etc/apache2/sites-enabled/000-default.conf, but you could try to delete / move that file and test again.
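
Added example, not part of any post in this thread: a small check that reads `apachectl -S` output and reports every ServerName defined more than once on the same port, which is the situation described above for port 80. The sample text is a constructed excerpt of the output posted earlier; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the `apachectl -S` output posted in this thread.
SAMPLE = """\
*:80 is a NameVirtualHost
 default server server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
 port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
 port 80 namevhost 000default.com (/etc/apache2/sites-enabled/100-000default.com.vhost:7)
 port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:7)
*:443 is a NameVirtualHost
 default server mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
 port 443 namevhost mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
 port 443 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:93)
"""

# Matches lines such as: "port 80 namevhost example.com (/path/file.vhost:7)"
NAMEVHOST = re.compile(r"port\s+(\d+)\s+namevhost\s+(\S+)\s+\((.+):(\d+)\)")

def parse_namevhosts(text):
    """Map (port, server_name) -> config files, in the order Apache lists them."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = NAMEVHOST.search(line)
        if m:
            port, name, path, _lineno = m.groups()
            seen[(int(port), name.lower())].append(path)
    return seen

def shadowed_vhosts(text):
    """Return [(port, name, winner, [shadowed files])] for duplicated names.

    For name-based vhosts Apache uses the first matching vhost in load
    order, so a later vhost with the same ServerName on the same port
    never receives requests.
    """
    findings = []
    for (port, name), files in parse_namevhosts(text).items():
        if len(files) > 1:
            findings.append((port, name, files[0], files[1:]))
    return findings

if __name__ == "__main__":
    for port, name, winner, losers in shadowed_vhosts(SAMPLE):
        print(f"port {port}: {name} is answered by {winner}")
        for path in losers:
            print(f"  shadowed, never served: {path}")
```

On a live server the input would be the captured output of `apachectl -S` instead of `SAMPLE`.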