SSL For ISPConfig 3.2 Control Panel (Port 8080)

Discussion in 'Installation/Configuration' started by Mygra, Feb 4, 2021.

  1. Mygra

    Mygra New Member

    Hi, I have installed ISPConfig 3.2.x and Debian 9 on my server.

    When I activate a website I correctly get the Let's Encrypt SSL certificate on the https:// domain, but not on the mail service or on the control panel on port 8080, where a security problem is shown instead because of the self-signed certificate.

    I tried to reinstall ISPConfig 3.2, answering yes at the various steps to activate SSL again, but the result is always negative.

    Can anyone help me by indicating the correct procedure to activate Let's Encrypt for mail and port 8080?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do a force update and let it configure a new cert:
    Code:
    ispconfig_update.sh --force
    If this does not work, share the output shown when updating.
     
  3. Mygra

    Mygra New Member

    Hi, thanks for your reply.

    Using the command
    ispconfig_update.sh --force

    I get

    Code:
    Select update method: Stable
    Recofigure permission in master database:no
    Service firewall_server: no
    Reconfigure service: yes
    Ispconfig port :8080
    Create new ispconfig Ssl certificate: yes
    
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for ns3043849.ip-176-31-233.eu
    Using certificate path /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Checking / creating certificate for ns3043849.ip-176-31-233.eu
    Using certificate path /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu
    Using apache for certificate validation
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Cert not yet due for renewal
    Keeping the existing certificate
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Restarting services ...
    PHP Warning:  Packets out of order. Expected 1 received 0. Packet size=30 in /tmp/update_runner.sh.eJd0JE88Vi/install/lib/mysql.lib.php on line 207
    Update finished.
    root@ns3043849:~# PHP Warning:  Packets out of order. Expected 1 received 0. Packet size=30 in /tmp/update_runner.sh.eJd0JE88Vi/install/lib/mysql.lib.php on line 207
    -bash: PHP: comando non trovato
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so ssl should be working now.
     
  5. Mygra

    Mygra New Member

    Let's Encrypt works only on https://.
    On port 8080 and on mail, an untrusted self-signed certificate is shown.
     
  6. Mygra

    Mygra New Member

    Do I need to enable something like for websites?
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the output of
    Code:
    ls -la /usr/local/ispconfig/interface/ssl
     
  8. Mygra

    Mygra New Member

    Code:
    Last login: Sat Feb  6 13:35:55 2021 from 79.00.000.00
    root@ns000000:~# ls -la /usr/local/ispconfig/interface/ssl
    totale 40
    drwxr-s--- 2 root      root      4096 feb  6 09:23 .
    drwxr-s--- 9 ispconfig ispconfig 4096 feb  6 09:18 ..
    -rwxr-x--- 1 root      root        45 feb  6 09:23 empty.dir
    lrwxrwxrwx 1 root      root        62 feb  6 09:23 ispserver.crt -> /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu/fullchain.pem
    lrwxrwxrwx 1 root      root        62 feb  6 09:17 ispserver.crt-20210206092326.bak -> /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu/fullchain.pem
    lrwxrwxrwx 1 root      root        60 feb  6 09:23 ispserver.key -> /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu/privkey.pem
    lrwxrwxrwx 1 root      root        60 feb  6 09:17 ispserver.key-20210206092326.bak -> /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu/privkey.pem
    -rwxr-x--- 1 root      root      3172 feb  6 09:23 ispserver.pem
    -rwxr-x--- 1 root      root      7082 feb  6 09:17 ispserver.pem-20210206092326.bak
    
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you tried restarting Apache2?
     
  10. Mygra

    Mygra New Member

  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the output of
    Code:
    ls -la /etc/letsencrypt/live/ns3043849.ip-176-31-233.eu
     
  12. Mygra

    Mygra New Member

     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Weird - did you mess around with the content of this folder?
     
  14. Mygra

    Mygra New Member

    These are the certificates that are shown, if it helps:
    https://mygrashop.it
    Code:
    Organization: Let's Encrypt
    Location: US
    Valid from October 7, 2020 to September 29, 2021
    Serial Number: 400175048314a4c8218c84a90c16cddf
    Signature Algorithm: sha256WithRSAEncryption
    Email, ftp or port 8080
    Code:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                96:c7:dc:b5:7a:08:0e:4d
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=--, ST=Germany, L=lim1, O=--, OU=--, CN=ns3135929.ip-51-77-65.eu/[email protected]
            Validity
                Not Before: Jan 30 10:07:39 2019 GMT
                Not After : Jan 27 10:07:39 2029 GMT
            Subject: C=--, ST=Germany, L=lim1, O=--, OU=--, CN=ns3135929.ip-51-77-65.eu/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:b0:f2:11:1b:29:9e:1b:76:c8:1c:ce:0f:b4:1f:
                        ec:52:45:b7:95:65:72:e2:e8:1b:3f:03:86:bb:db:
                        2f:95:36:54:b9:ff:e7:96:a7:d7:a0:00:07:44:fb:
                        40:70:71:cb:a6:cf:ce:a5:9d:13:0d:df:37:31:97:
                        cc:24:c7:a9:12:19:9f:64:1f:3b:ec:18:62:2e:82:
                        4b:fe:b6:ff:cd:3e:38:3a:0f:c5:b9:6f:22:2a:49:
                        de:dd:8a:a4:ce:cc:66:cc:86:07:9d:ed:5c:bb:85:
                        84:60:f6:fe:77:de:5b:a5:bd:1f:0e:01:7b:fd:8c:
                        23:d6:10:df:4c:2b:1b:62:b0:79:5b:d8:92:ff:7b:
                        05:ff:28:04:20:0d:47:b8:85:1f:cd:b5:1a:a8:68:
                        5e:4d:3f:9d:75:1b:a3:29:89:ec:9e:e2:8c:d8:26:
                        84:4e:df:38:cd:6f:d2:62:64:95:6b:36:a1:c6:09:
                        e3:9d:92:30:7a:c1:1a:ac:f8:5c:3a:2c:a9:16:63:
                        e3:f3:2e:1b:6b:d7:7f:28:bc:b7:e2:22:54:2b:19:
                        25:ea:96:7e:ea:a2:43:31:4b:6d:e7:e7:4a:0b:8c:
                        07:2f:2a:74:51:12:41:1f:34:09:ee:e3:ab:34:d1:
                        9a:c4:d4:ac:51:b2:9c:df:53:27:df:3c:cd:79:e6:
                        b7:b9
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    BB:EB:D7:04:83:B9:4B:0C:CB:B8:DC:02:EA:F1:7D:62:17:E7:DF:E5
                X509v3 Authority Key Identifier:
                    keyid:BB:EB:D7:04:83:B9:4B:0C:CB:B8:DC:02:EA:F1:7D:62:17:E7:DF:E5
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             11:87:91:a2:93:46:94:2c:8a:d2:51:1f:7d:97:fd:b0:83:97:
             38:9a:0d:d3:a9:24:eb:a3:6a:12:54:28:4f:85:ba:4f:0f:01:
             50:95:6a:7c:82:99:e3:33:20:27:e9:72:26:6e:01:80:df:4d:
             03:78:aa:a0:b7:96:cf:02:d4:ae:8e:4a:78:f8:30:d0:26:fd:
             ec:0e:7a:2f:c3:96:11:e2:dc:8b:25:42:13:c9:e7:19:87:ed:
             8c:08:f0:2e:ad:a8:c3:dd:9e:be:a9:40:1a:a4:98:db:a1:86:
             3d:df:17:97:65:47:1a:5a:6b:60:4c:ae:a7:83:b7:77:63:01:
             fd:68:5c:d0:81:49:df:ec:af:4f:ff:82:b0:23:04:92:d1:aa:
             38:fa:75:c8:e2:91:28:03:05:24:7e:fd:c5:e0:17:da:51:ec:
             b7:d8:2a:31:eb:f0:82:2f:8d:53:c9:ce:ea:61:c1:e6:81:7d:
             76:64:32:3b:07:36:19:bc:7b:d7:f1:b4:36:70:a1:d9:46:7d:
             6a:c3:b5:00:d0:94:f4:c1:7a:57:d3:7d:dd:69:a8:7f:af:45:
             d6:96:0f:1f:4f:3f:8b:fb:9e:be:ad:58:88:79:14:55:69:1e:
             8f:00:b2:89:a9:bc:49:5a:f1:84:55:fe:af:40:bd:fe:a7:d3:
             47:f2:6d:be
     
  15. Mygra

    Mygra New Member

  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the output of
    Code:
    php -v
     
  17. Mygra

    Mygra New Member

    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-38+0~20210112.44+debian9~1.gbpab637c, Copyright (c) 1999-2017, by Zend Technologies
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Very weird. According to your outputs, it is using a LE cert, but a self-signed cert is served.

    Your hostname is weird as well though, ns3043849.ip-176-31-233.eu - did your provider give you this? Can you create your own hostname, like server1.example.com, where example.com is your domain?
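
The mismatch described in the post above (the configured file is the Let's Encrypt chain, yet a self-signed certificate is served) can be confirmed by comparing what the port actually presents with the file on disk. This is an added example, not part of the thread or of ISPConfig; the function names, the script name `check.sh` and the sample dumps are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: does a TLS port serve the certificate file it is configured with?

# Classify `openssl x509 -noout -text` output read from stdin.
# Heuristic: Issuer identical to Subject means self-signed (signature not verified).
classify_cert() {
  awk '
    /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer:[ \t]*/, "");  issuer  = $0 }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0 }
    END {
      if (issuer == "" || subject == "") print "unparseable"
      else if (issuer == subject)        print "self-signed"
      else                               print "ca-issued"
    }'
}

# PEM of the leaf certificate served on HOST PORT; the optional third argument
# is a STARTTLS protocol (smtp, imap, ftp) for mail and FTP ports.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" \
      ${3:+-starttls "$3"} </dev/null 2>/dev/null | openssl x509
}

# SHA-256 fingerprint of the first certificate in PEM data on stdin
# (for fullchain.pem that is the leaf certificate).
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare two fingerprints, ignoring case and ':' separators.
# Prints "match" or "mismatch"; returns 0 only on a non-empty match.
compare_fingerprints() {
  local a b
  a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo match; else echo mismatch; return 1; fi
}

# Constructed sample dumps (abbreviated), so classify_cert can be tried offline.
SAMPLE_SELF_SIGNED="        Issuer: C=--, O=--, CN=server1.example.com
        Subject: C=--, O=--, CN=server1.example.com
        Subject Public Key Info:"
SAMPLE_CA_ISSUED="        Issuer: C=US, O=Example CA, CN=Example Issuing CA
        Subject: CN=server1.example.com"

# Usage: check.sh HOST PORT CERT_FILE [STARTTLS_PROTO]
if [ "$#" -ge 3 ]; then
  echo "served certificate is: $(served_cert "$1" "$2" "${4:-}" | openssl x509 -noout -text | classify_cert)"
  compare_fingerprints "$(fingerprint < "$3")" "$(served_cert "$1" "$2" "${4:-}" | fingerprint)"
fi
```

For the control panel in this thread the arguments would be the server hostname, `8080` and `/usr/local/ispconfig/interface/ssl/ispserver.crt`; a `mismatch` result means the process listening on that port has loaded a different certificate than the file it is supposed to use.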
     
  19. Mygra

    Mygra New Member

    ns3043849.ip-176-31-233.eu is automatically generated in the initial phase when I install the "Debian 9 + ispconfig 3.2" pack available from my provider's panel (ovh.com); after that I can manage domains from ISPConfig.

    My domain, if you want to see it, is www.migratoria.it
     
  20. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would not use that installer from OVH, especially because it still uses Debian 9. Better install Debian 10 and use the ISPConfig autoinstaller: https://www.howtoforge.com/community/threads/ispconfig-3-autoinstaller.86078/
    (before running that autoinstaller, follow steps 6 and 7 from https://www.howtoforge.com/tutorial/debian-minimal-server/#-configure-the-network)
     