So... Let's Encrypt seems to be working... but I cannot seem to access any pages with https, with or without a cert. http works fine. I followed this tutorial https://www.howtoforge.com/tutorial...sl-pureftpd-bind-postfix-doveot-and-ispconfig with the small exception of making sure I got the latest ISPConfig from the downloads page. That's the only difference, and my currently configured sites are childrenofatom.church and myzera.com as reference. I couldn't really find anything pertaining to this conundrum, so I figured I'd ask. Willing to provide whatever other information will help.
Code:
✘ jase@yxia ~ dig gethosting.today. any @174.105.101.49

; <<>> DiG 9.13.2 <<>> gethosting.today. any @174.105.101.49
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60031
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e677b0db049bb0bebb65ed3f5b889b12ef610cb07ca80a17 (good)
;; QUESTION SECTION:
;gethosting.today.              IN      ANY

;; ANSWER SECTION:
gethosting.today.       3600    IN      NS      ns2.gethosting.today.
gethosting.today.       3600    IN      NS      ns1.gethosting.today.
gethosting.today.       3600    IN      MX      10 mail.gethosting.today.
gethosting.today.       3600    IN      TXT     "v=spf1 mx a ~all"
gethosting.today.       3600    IN      SOA     ns1.gethosting.today. admin.thehost.ninja. 2018083103 7200 540 604800 3600
gethosting.today.       3600    IN      A       174.105.101.49

;; ADDITIONAL SECTION:
ns1.gethosting.today.   3600    IN      A       174.105.101.49
ns2.gethosting.today.   3600    IN      A       174.105.101.49
mail.gethosting.today.  3600    IN      A       174.105.101.49

;; Query time: 62 msec
;; SERVER: 174.105.101.49#53(174.105.101.49)
;; WHEN: Thu Aug 30 21:34:10 EDT 2018
;; MSG SIZE  rcvd: 278

✘ jase@yxia ~ dig myzera.com. any @174.105.101.49

; <<>> DiG 9.13.2 <<>> myzera.com. any @174.105.101.49
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27792
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 17ff9194fdf8de3c1d6922225b88ba09142ef3711e851cf7 (good)
;; QUESTION SECTION:
;myzera.com.                    IN      ANY

;; ANSWER SECTION:
myzera.com.             3600    IN      MX      10 mail.myzera.com.
myzera.com.             3600    IN      NS      ns1.gethosting.today.
myzera.com.             3600    IN      NS      ns2.gethosting.today.
myzera.com.             3600    IN      TXT     "v=spf1 mx a ~all"
myzera.com.             3600    IN      A       174.105.101.49
myzera.com.             3600    IN      SOA     ns1.gethosting.today. admin.thehost.ninja. 2018083101 7200 540 604800 3600

;; ADDITIONAL SECTION:
mail.myzera.com.        3600    IN      A       174.105.101.49
ns1.gethosting.today.   3600    IN      A       174.105.101.49
ns2.gethosting.today.   3600    IN      A       174.105.101.49

;; Query time: 59 msec
;; SERVER: 174.105.101.49#53(174.105.101.49)
;; WHEN: Thu Aug 30 23:46:17 EDT 2018
;; MSG SIZE  rcvd: 288

jase@yxia ~
Please run this command on the server and post the output: grep SSL /etc/apache2/sites-enabled/gethosting.today.vhost
Will do. I had run `sudo ufw enable` without checking whether it was set up at all, and locked myself out. Should be back in shortly... it's been down since Thursday.
root@ns1:~# grep SSL /etc/apache2/sites-enabled/gethosting.today.vhost
grep: /etc/apache2/sites-enabled/gethosting.today.vhost: No such file or directory

I have not added it as a site, because last time that's where my previous conflict arose. Could it be because I don't have that site set up and SSL'd?
You want to access a website by SSL but have not added the website yet? This cannot work.

1) Add the website in ISPConfig, press save.
2) Open the website settings again, enable Let's Encrypt for that site and press save.
I understand that. childrenofatom.church has Let's Encrypt enabled. I'm not trying to access gethosting.today over SSL at the moment. I'm trying to confirm that https:// will open and throw an error for sites with no cert, like gethosting.today or myzera.com. I have certed childrenofatom.church. None of the sites do anything with https://, not even error. I was under the assumption childrenofatom.church would work, since it does have the SSL.

root@ns1:~# grep SSL /etc/apache2/sites-enabled/900-childrenofatom.church.vhost
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCertificateFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.crt
SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.key
SSLCertificateChainFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.bundle
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Accessing anything on the server over https results in nothing. I understand that gethosting does not have an SSL. Are you saying I HAVE to set up and SSL all sites? What if I wish not to SSL one, hypothetically? Again, my inquiry is not why I can't access gethosting.today via SSL. It points to the Apache root for now.
I'm concerned as to why I can't access childrenofatom.church over https with a cert enabled. Did I miss some sort of step, perhaps? I will set up gethosting.today when I get home, but I don't think that's the issue here, because they should still throw an error without a cert? Am I wrong?
Apache will not throw an error in that case. When you run multiple sites on the same IP address, then either all sites should use SSL or no site should use SSL. If you mix that, then Apache will start to show the content of the first site it finds with SSL on the same IP address for the site where you did not have SSL enabled. That's the normal behavior of Apache and nginx web servers, as a port has precedence over a domain name.

a) Enable SSL for all sites (which makes sense, as all browsers start to warn users not to access a site when it has no SSL).
b) Do not enable SSL for a site.
c) Use two IP addresses, one for SSL sites and one for non-SSL sites.
Okay. I will take your advice once I get home. So basically, I need a second server with its own dedicated IP to host and serve non-SSL sites. That's fine. We plan on getting a second server. The IP problem is a bit more difficult at the moment. It's not really an issue, since we do plan to SSL all sites. I just assumed it would throw an error at least, instead of not loading at all. I will report back with results. Thank you, Till, for your timely and respectful responses. I apologize if any of mine come off edgy. I'm not all that great with social matters.
The problem might be something different, though. I just ran some tests on your childrenofatom.church domain and I get a network timeout. My guess is that you might have closed port 443 in a firewall or router in front of that server. The other problem I explained above is a general issue when mixing SSL and non-SSL sites, which you should consider anyway, even if it's not the source of the current problem.
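A quick way to tell the firewall case apart from the vhost-mixing case, as an added example for this thread (not code from any poster or from ISPConfig): the probe below connects the way a browser does and distinguishes a timeout (packets dropped, e.g. by ufw or a missing forward for 443), a refused connection (port open but no listener), a chain that does not verify (e.g. a wrong SSLCertificateChainFile), and a successful handshake whose certificate does not cover the name requested, which is what the mixed SSL/non-SSL situation produces. Host names in the usage lines are placeholders.

```python
"""Probe an HTTPS endpoint and classify why a browser might show "nothing".

Added example for this thread, not code from any poster or from ISPConfig.
Three failures look identical from a browser but have different causes:
a TCP connect that times out (packets dropped by a firewall such as ufw,
or a missing port-forward on the router), a connect that is refused (the
port is reachable but nothing listens, e.g. no vhost on 443), and a
handshake that succeeds but presents a certificate that does not cover the
requested name (another site's vhost answered).
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    state: str                     # "timeout", "refused", "error", "tls-error", "ok"
    detail: str = ""
    sans: Tuple[str, ...] = ()     # DNS subjectAltNames of the leaf certificate
    covers_host: Optional[bool] = None   # only set when state == "ok"


def covers(sans: Tuple[str, ...], host: str) -> bool:
    """True if any SAN (wildcards allowed) matches host, case-insensitively."""
    return any(fnmatch(host.lower(), san.lower()) for san in sans)


def tls_probe(host: str, port: int = 443, timeout: float = 5.0,
              servername: Optional[str] = None) -> ProbeResult:
    """Connect, handshake with SNI=servername, and report what happened.

    The chain is verified against the system CA store (as a browser would),
    but the host name is compared here rather than by ssl, so a valid
    certificate for the *wrong* site is reported as "ok" with
    covers_host=False instead of being hidden inside a handshake error.
    """
    servername = servername or host
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ProbeResult("timeout", f"no SYN/ACK within {timeout}s: filtered by a "
                           "firewall or port not forwarded")
    except ConnectionRefusedError:
        return ProbeResult("refused", "RST received: port reachable, nothing listening")
    except OSError as e:                # DNS failure, no route, etc.
        return ProbeResult("error", str(e))

    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # compared manually below
    # verify_mode stays CERT_REQUIRED: ssl only parses the peer certificate
    # into a dict when the chain verified, and we need that dict for the SANs.
    try:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    except ssl.SSLCertVerificationError as e:
        return ProbeResult("tls-error", "chain not trusted (self-signed, or wrong "
                           f"SSLCertificateChainFile?): {e}")
    except ssl.SSLError as e:
        return ProbeResult("tls-error", str(e))
    except socket.timeout:
        return ProbeResult("timeout", "TCP connected but the TLS handshake stalled")
    finally:
        raw.close()                     # no-op if the fd already moved into the SSL socket

    sans = tuple(value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")
    return ProbeResult("ok", f"{version} handshake, certificate for {', '.join(sans) or '<none>'}",
                       sans, covers(sans, servername))


if __name__ == "__main__":
    # usage: tls_probe.py <host-or-ip> [port] [servername]   (placeholders, constructed)
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py <host-or-ip> [port] [servername]")
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else target
    r = tls_probe(target, port, servername=sni)
    print(f"{target}:{port} (SNI {sni}) -> {r.state}: {r.detail}")
    if r.state == "ok" and not r.covers_host:
        print(f"certificate does not cover {sni}: another vhost on this IP answered")
```

Run it once from outside the network (`python3 tls_probe.py childrenofatom.church`) and once on the server itself against the loopback address with the site name as SNI (`python3 tls_probe.py 127.0.0.1 443 childrenofatom.church`): a timeout from outside but a handshake from inside points at the router or ufw rather than at Apache, while `refused` in both places means nothing is bound to 443 at all.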
Is that only for some special case of SSL? I use Let's Encrypt and do have a host with only one IP address, and both http and https sites. Both work OK. All websites have "*" for the IP address in the website settings, though.
Well, port 443 is forwarded and ufw is currently disabled, since I clearly need to configure that so I don't lock myself out again. I'll consider the mystery of SSL partially solved... but should I open a new thread for the other problem? Another reason I didn't set up gethosting.today as a site yet is that when I do... it works for a short while... then it drops, as it seems to be competing for the resources for directing at the Apache root AND the ISPConfig directory. I plan on restarting from scratch... and reinstalling via the perfect tutorial again for my distro. Maybe that will solve the issues. I am trying to use gethosting.today as a webpage AND for NS access. This is more of a trial run/learning experience; this is not a production setup, so whatever we can do to check anything out is fine.
The issue occurs when you try to enter https:// instead of http:// for one of the sites which don't have SSL. What happens is that Apache looks through its vhosts to find a vhost where the IP or *, the port (443) and the domain name match. As there is no vhost where all three criteria match, Apache will show the content of the next best matching vhost, which is basically the first vhost in alphabetical order that has SSL enabled. Example: you have website a.tld with http and https and b.tld with just http. If you enter https://b.tld in the browser now, then you get the content of a.tld (plus an SSL warning, as the cert of a.tld does not contain b.tld).
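The selection rule Till describes here, and the three options listed earlier in the thread, can be reproduced with a small model of how Apache picks a VirtualHost. This is an added example for this thread, not code from ISPConfig or from any poster; every host name, file name and IP address in it is constructed, and the catch-all vhost name `000-catch-all.vhost` is an assumption. It goes one step beyond the post: it also shows how a catch-all HTTPS vhost that sorts first in sites-enabled, or the two-IP split from option c), changes where a request for a non-SSL site ends up, and how mod_ssl's `SSLStrictSNIVHostCheck` turns the wrong-site answer into a 403 (the browser still sees the default vhost's certificate during the handshake).

```python
"""Model of Apache's VirtualHost selection for HTTP and HTTPS requests.

Added example for this thread; it is not code from ISPConfig or from any
poster.  For a connection arriving on IP:port, Apache keeps only the vhosts
bound to that IP (an exact IP beats "*") and port, then matches
ServerName/ServerAlias against the Host header (the SNI name for HTTPS),
and when no name matches it serves the first candidate in include order,
which is the alphabetical order of the files in sites-enabled.
Host names, file names and IPs below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VHost:
    file: str                   # file in sites-enabled; alphabetical == include order
    addr: str                   # "*" or one specific IP
    port: int
    names: Tuple[str, ...]      # ServerName followed by ServerAlias entries
    cert: Optional[Tuple[str, ...]] = None  # SANs of its certificate; None = no TLS


@dataclass(frozen=True)
class Outcome:
    status: int                 # 200 served, 403 rejected by strict SNI check, 0 no listener
    vhost: Optional[VHost]
    cert: Optional[Tuple[str, ...]]   # certificate presented in the handshake
    warning: bool               # browser would warn: cert does not cover the name


def name_matches(pattern: str, host: str) -> bool:
    """ServerAlias entries and SANs may use wildcards such as *.example.org."""
    return fnmatch(host.lower(), pattern.lower())


def candidates(vhosts: List[VHost], conn_ip: str, port: int) -> List[VHost]:
    """Vhosts Apache considers for a connection that arrived on conn_ip:port."""
    exact = [v for v in vhosts if v.port == port and v.addr == conn_ip]
    chosen = exact or [v for v in vhosts if v.port == port and v.addr == "*"]
    return sorted(chosen, key=lambda v: v.file)


def serve(vhosts: List[VHost], conn_ip: str, port: int, host: str,
          strict_sni: bool = False) -> Outcome:
    """Which vhost answers a request for `host` arriving on conn_ip:port.

    Port 443 is treated as TLS.  strict_sni models SSLStrictSNIVHostCheck:
    the handshake still uses the default vhost's certificate, but an SNI
    name that matches no vhost gets a 403 instead of another site's content.
    """
    cands = candidates(vhosts, conn_ip, port)
    if not cands:
        # Nothing bound to this port: the client sees a refused or dropped
        # connection, never an Apache error page.
        return Outcome(0, None, None, False)
    default = cands[0]
    match = next((v for v in cands
                  if any(name_matches(n, host) for n in v.names)), None)
    answering = match or default
    cert = answering.cert if port == 443 else None
    warning = port == 443 and not (cert and any(name_matches(s, host) for s in cert))
    if port == 443 and match is None and strict_sni:
        return Outcome(403, None, cert, warning)
    return Outcome(200, answering, cert, warning)


# Constructed configuration mirroring the thread: one ISPConfig site with
# Let's Encrypt enabled, two without, all bound to "*" on a single IP.
SITES = [
    VHost("900-childrenofatom.church.vhost", "*", 80,
          ("childrenofatom.church", "www.childrenofatom.church")),
    VHost("900-childrenofatom.church.vhost", "*", 443,
          ("childrenofatom.church", "www.childrenofatom.church"),
          cert=("childrenofatom.church", "www.childrenofatom.church")),
    VHost("900-gethosting.today.vhost", "*", 80,
          ("gethosting.today", "www.gethosting.today")),
    VHost("900-myzera.com.vhost", "*", 80, ("myzera.com", "www.myzera.com")),
]

# Remedy: a catch-all HTTPS vhost whose file name sorts before every site
# file, with its own certificate and only an explanatory page, so unmatched
# HTTPS names land here instead of on a tenant.  Name is assumed.
CATCH_ALL = VHost("000-catch-all.vhost", "*", 443, ("catch-all.example",),
                  cert=("catch-all.example",))

# Remedy c): TLS sites on one IP, plain sites on another, so a request for
# https://plain.example reaches no listener at all.
SPLIT_IPS = [
    VHost("tls.example.vhost", "203.0.113.10", 443, ("tls.example",),
          cert=("tls.example",)),
    VHost("plain.example.vhost", "203.0.113.11", 80, ("plain.example",)),
]

if __name__ == "__main__":
    ip = "203.0.113.10"   # constructed address of the single-IP server
    for cfg, label in ((SITES, "as configured"), (SITES + [CATCH_ALL], "with catch-all")):
        for host in ("childrenofatom.church", "myzera.com"):
            o = serve(cfg, ip, 443, host)
            print(f"https://{host:24s} {label:15s} -> {o.status} "
                  f"{o.vhost.file if o.vhost else '-':36s} warning={o.warning}")
```

Running it shows `https://myzera.com` answered by `900-childrenofatom.church.vhost` with a certificate warning, exactly the a.tld/b.tld case above; with the catch-all file present the same request lands on `000-catch-all.vhost` instead, still with a warning unless that vhost's certificate covers the name.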
I noted that you are using one IP to build your DNS server, but it is really not advisable, as it will defeat its original purpose. As an alternative for your second DNS server, if you can't afford one, you may check and use free services like http://freedns.afraid.org/secondary. By the way, I noted that not many companies are offering free DNS services nowadays, though I think there is a lot of demand for it. I think DNS servers properly built with ISPConfig are capable of handling this demand, but I am not sure I have bumped into one in the market.
Well, I started from scratch, and now I think I'm missing some step that I accidentally stumbled upon before. I can't seem to bring up my main site... I'll report back once I figure it out. I had the issue before I started over, actually... We moved the server's location on the network, which reset the internal IP on the router, and I never bothered to set one statically, so I did, and it did not work, so I reformatted and started from scratch after applying the static lease at the router level, because I had also installed a BUNCH of DEs messing around, because the owner wanted to see what Linux desktops were like. @ahrasis, thanks for pointing that out; yes, I plan to use freedns for a secondary, but whether that will work for all the other sites in my config was my qualm when I was deciding. I am trying to get all the kinks out. It's not so much that I can't afford additional servers; I can't currently afford the static IPs. They wanna sell them in packs of 5 @ 15 apiece, that's 80 dollars on top of having to shell out for business class internet. This is currently a private host for our personal domains to get them online and doing stuff, whilst learning. Do you know of any valid config outline for using secondary servers from freedns? It seems straightforward enough, but their instructions are vague. Sorry to derail my own topic; I will start a new topic shortly once I get my main site functioning again.
Okay, so I had put my internal IP in /etc/hosts. I don't know if I'm supposed to put my external IP there for my hostname, but it started working after I did, it seems. Though I just realized I wasn't getting live results from Google Chrome. I finally decided to check in Firefox, and both SSL and regular HTTP are working!! If I should revert to the internal IP and revert the DNS zones to the internal IP instead of the external, I'd like to know, or if it's fine to continue as is, I will.
Thanks for the explanation. I created the 00aa.mydomain.fi website, made an LE certificate and created an index.html file which explains to the visitor why they ended up on an unintended page, and advises them to remove the S from HTTPS://. I was up to now ignorant about this feature of HTTPS. I had to test on my server that this really happens, and it really is a "feature". Hopefully my shiny new website 00.aa helps avoid total confusion for visitors.