SSL ISPConfig error under domain

Discussion in 'Installation/Configuration' started by mikka66, Jan 2, 2021.

  1. mikka66

    mikka66 New Member

    Hello,
    I use ISPConfig to create my subdomains on my Debian server.

    I also use Cloudflare for my domain names.

    The problem is that when I create a subdomain with ISPConfig, the redirection is not done correctly; there is an ERR_SSL_PROTOCOL_ERROR.

    I have the impression that there is an SSL conflict between Cloudflare and ISPConfig.
    The SSL of my domain names is activated on Cloudflare and in ISPConfig:
    I activate
    SSL
    and Let's Encrypt SSL
    in the ISPConfig options of the subdomain's vhost, and in the redirect section I activate the HTTP to HTTPS rewrite.

    Has anyone already corrected this problem?

    When I deactivate the SSL of my Cloudflare domain name, I no longer have access to the domain name.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is the Let's Encrypt box still checked? If not, generate a self-signed cert by going to the SSL tab of your web, selecting "Create certificate" as the action, and let Cloudflare handle securing the web with a valid SSL certificate.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Other than your root domain, did you set the proper A and/or AAAA record for your subdomain, whether specific or wildcard, in CF?
     
  4. mikka66

    mikka66 New Member

    I already have 2 subdomains for this domain name that I manage with a CNAME @ in the Cloudflare DNS, but a priori for this vhost subdomain that I want to create it does not seem to work: blog.example.fr in the root of the existing website.

    I have never created a self-signed SSL certificate in the SSL options of the domain name in ISPConfig; I have always let Cloudflare take care of it. Maybe the conflict comes from there?

    If I create a self-signed SSL certificate in ISPConfig, must I create one for the main domain name and all the subdomains? Or do I keep the same certificate for the main domain name and all its subdomains? Because in Cloudflare I can manage only the main domain name.
     


  5. mikka66

    mikka66 New Member

    When I type the URL of the subdomain, it is returned to subdomain.example.fr:80 and not to port 443 of the SSL. When I look at the Apache virtual host file of the subdomain, ISPConfig has correctly configured the virtual host on 443.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I'd suggest using a wildcard in CF if all subdomains are on the same web server, as it is easier to manage.

    I won't suggest creating self-signed certs if LE SSL certs are obtainable, even if your DNS provider is CF, but that is a matter of preference.

    For LE SSL certs issuance problems you should try following its official FAQ.
     
  7. mikka66

    mikka66 New Member

    I unchecked all the SSL options in ISPConfig and activated the general SSL on all the domains in Cloudflare; the problem is that I no longer have access to my websites. When I connect, it shows: Nothing.

    I am wondering if the Cloudflare SSL is compatible with ISPConfig.

    When I deactivate the SSL via Cloudflare, I get the ERR_TOO_MANY_REDIRECTS error, so I have to leave SSL activated on both Cloudflare and ISPConfig.

    When I go to the SSL folder of my domain name, I have I don't know how many old SSL files, lol. Here is a screenshot; maybe they should be deleted:
     


    Last edited: Jan 4, 2021
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    My CF SSL/TLS encryption mode is Full (strict) with its recommender on, and I use a wildcard (*) for all subdomains, so the proxy status for them can only be DNS only, not proxied like the root domain.

    All website root, sub or alias domains (with vhost) always use LE SSL certs, and I do not use redirects except via my customized nginx vhost for all domains, where all access over http is redirected to https.
    Code:
    server {
            listen *:80;
            listen [::]:80;
    
            server_name mydomain.tld;
            return 301 https://$host$request_uri;
    }
    
    server {
            listen *:443 ssl http2;
            listen [::]:443 ssl http2;
    
            ssl_protocols TLSv1.2 TLSv1.3;
    ...
    
    My customized nginx_vhost.conf.master file:
    Code:
    server {
            listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
    <tmpl_if name='use_proxy_protocol' op='==' value='y'>
    <tmpl_if name='proxy_protocol_http' op='>' value='0'>
            listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_http'> proxy_protocol;
    </tmpl_if>
    </tmpl_if>
    <tmpl_if name='ipv6_enabled'>
            listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
    </tmpl_if>
    <tmpl_if name='ipv6_wildcard'>
            listen [::]:<tmpl_var name='http_port'>;
    </tmpl_if>
    <tmpl_if name='ssl_enabled'>
    
            # redirect to https if accessed with http
            server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
            return 301 https://$host$request_uri;
    }
    
    server {
            listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
    <tmpl_if name='use_proxy_protocol' op='==' value='y'>
    <tmpl_if name='proxy_protocol_https' op='>' value='0'>
            listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl proxy_protocol;
    </tmpl_if>
    </tmpl_if>
                    # ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-S>
                    # ssl_prefer_server_ciphers on;
    <tmpl_if name='ipv6_enabled'>
            listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
    </tmpl_if>
    <tmpl_if name='ipv6_wildcard'>
            listen [::]:<tmpl_var name='https_port'> ssl http2;
    </tmpl_if>
    <tmpl_if name='tls1.3_supported' op='==' value='y'>
    <tmpl_var name="ssl_protocols">
            ssl_protocols TLSv1.3 TLSv1.2;
    <tmpl_else>
    <tmpl_var name="ssl_protocols">
            ssl_protocols TLSv1.2 TLSv1.3;
    </tmpl_if>
            ssl_certificate <tmpl_var name='ssl_crt_file'>;
            ssl_certificate_key <tmpl_var name='ssl_key_file'>;
    </tmpl_if>
    
    
    So far these CF and ISPConfig SSL settings work fine for me.
     
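The combination described in the post above (Full (strict) at the Cloudflare edge, a Let's Encrypt certificate on the origin, and an http-to-https redirect only in the origin vhost) can be reasoned about as a three-party exchange. The following is an added example, not code from this thread, from ISPConfig or from Cloudflare: a small Python simulation of browser, edge and origin that follows redirects and reports what the browser ends up seeing for each encryption mode. The edge status codes follow Cloudflare's documented meanings (521 origin refused, 525 handshake failed, 526 invalid certificate under Full (strict)); the hostname blog.example.fr, the hop limit and the origin flags are constructed for the example.

```python
"""Simulate browser -> Cloudflare edge -> origin for the SSL modes discussed in this thread."""
from dataclasses import dataclass

MAX_HOPS = 10  # constructed limit; real browsers give up after roughly 20 redirects
REDIRECTS = (301, 302, 307, 308)


@dataclass
class Origin:
    """The ISPConfig web server as seen from the network (all flags are constructed)."""
    port_443: str = "tls"                 # "tls", "plain" (no SSLEngine on :443) or "closed"
    cert: str = "valid"                   # "valid" (Let's Encrypt) or "self-signed"
    redirect_http_to_https: bool = True   # the "Rewrite HTTP to HTTPS" vhost option
    honour_forwarded_proto: bool = False  # treat X-Forwarded-Proto: https as already secure

    def handle(self, scheme, host, path, headers):
        """Return (status, response headers) for one request that reached the origin."""
        if scheme == "https":
            assert self.port_443 == "tls", "the caller checks the listener before handshaking"
            return 200, {}
        already_https = self.honour_forwarded_proto and headers.get("X-Forwarded-Proto") == "https"
        if self.redirect_http_to_https and not already_https:
            return 301, {"Location": f"https://{host}{path}"}
        return 200, {}


@dataclass
class Edge:
    """Cloudflare proxy in one SSL/TLS encryption mode: flexible, full or strict."""
    mode: str
    origin: Origin

    def handle(self, scheme, host, path):
        if scheme == "http" or self.mode == "flexible":
            # Flexible: TLS ends at the edge and the origin is contacted over plain HTTP
            return self.origin.handle("http", host, path, {"X-Forwarded-Proto": scheme})
        if self.origin.port_443 == "closed":
            return 521, {}  # origin refused the connection
        if self.origin.port_443 == "plain":
            return 525, {}  # TLS handshake with the origin failed
        if self.mode == "strict" and self.origin.cert != "valid":
            return 526, {}  # Full (strict) rejects a certificate no public CA issued
        return self.origin.handle("https", host, path, {"X-Forwarded-Proto": "https"})


def browse(url, origin, proxied=True, mode="strict"):
    """Follow redirects like a browser; return the final status or a Chrome-style error name."""
    edge = Edge(mode, origin)
    for _ in range(MAX_HOPS + 1):
        scheme, rest = url.split("://", 1)
        host, _sep, path = rest.partition("/")
        path = "/" + path
        if proxied:
            status, headers = edge.handle(scheme, host, path)
        else:
            # DNS-only record (grey cloud): the browser talks to the origin directly
            if scheme == "https":
                if origin.port_443 == "closed":
                    return "ERR_CONNECTION_REFUSED"
                if origin.port_443 == "plain":
                    return "ERR_SSL_PROTOCOL_ERROR"
                if origin.cert != "valid":
                    return "ERR_CERT_AUTHORITY_INVALID"
            status, headers = origin.handle(scheme, host, path, {})
        if status not in REDIRECTS:
            return status
        url = headers["Location"]
    return "ERR_TOO_MANY_REDIRECTS"


SCENARIOS = {  # constructed cases mirroring the thread
    "flexible + origin redirect": ("https://blog.example.fr/", Origin(), True, "flexible"),
    "flexible + X-Forwarded-Proto aware origin": ("https://blog.example.fr/", Origin(honour_forwarded_proto=True), True, "flexible"),
    "strict + LE cert, start on http": ("http://blog.example.fr/", Origin(), True, "strict"),
    "strict + self-signed": ("https://blog.example.fr/", Origin(cert="self-signed"), True, "strict"),
    "full + self-signed": ("https://blog.example.fr/", Origin(cert="self-signed"), True, "full"),
    "DNS only + nothing speaking TLS on 443": ("https://blog.example.fr/", Origin(port_443="plain"), False, "strict"),
}


def run_scenarios():
    return {name: browse(url, origin, proxied, mode) for name, (url, origin, proxied, mode) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:45} -> {outcome}")
```

The simulation makes the two failure modes from the thread visible side by side: Flexible mode plus an origin-side redirect loops forever because the origin only ever sees plain HTTP, while a self-signed origin certificate works under Full but is rejected (526) under Full (strict), which is why a Let's Encrypt certificate on the origin is the combination that needs no exceptions.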
  9. mikka66

    mikka66 New Member

    Here is an example of a virtual host for one of my subdomains that ISPConfig automatically creates for me.

    What can I change?


    Code:
    <Directory /var/www/blog.example.fr>
            AllowOverride None
                    Require all denied
            </Directory>
    
    <VirtualHost ip:80>
    
    
                        DocumentRoot /var/www/clients/client2/web2/web/blog
              
            ServerName blog.example.fr
            ServerAlias www.blog.example.fr
            ServerAdmin [email protected]
    
    
            ErrorLog /var/log/ispconfig/httpd/blog.example.fr/error.log
    
    
    
            <Directory /var/www/blog.example.fr/web/blog>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client2/web2/web/blog>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web2 client2
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client2/web2/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/blog.example.fr/web/blog>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client2/web2/web/blog>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client2/web2/cgi-bin/php-fcgi-ip-example-blog.example.fr
                    FastCgiExternalServer /var/www/clients/client2/web2/cgi-bin/php-fcgi-ip-example-blog.example.fr -idle-timeout 300 -socket /var/lib/php7.3-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web16.sock|fcgi://localhost//var/www/clients/client2/web2/web/blog/$1
                <Directory /var/www/clients/client2/web2/web/blog>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php7.3-fpm/web16.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web2 client2
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client2/web2/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client2/web2/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
              
      
    
    </VirtualHost>
    
    
    <VirtualHost ip:443>
    
    
                        DocumentRoot /var/www/clients/client2/web2/web/blog
              
            ServerName blog.example.fr
            ServerAlias www.blog.example.fr
            ServerAdmin [email protected]
    
            <IfModule mod_http2.c>
                Protocols h2 http/1.1
            </IfModule>
    
            ErrorLog /var/log/ispconfig/httpd/blog.example.fr/error.log
    
    
      <IfModule mod_ssl.c>
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder     on
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
            SSLCertificateFile /var/www/clients/client2/web2/ssl/blog.example.fr-le.crt
            SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/blog.example.fr-le.key
                      SSLUseStapling on
              SSLStaplingResponderTimeout 5
              SSLStaplingReturnResponderErrors off
                  </IfModule>
    
            <Directory /var/www/blog.example.fr/web/blog>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client2/web2/web/blog>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web2 client2
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client2/web2/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/blog.example.fr/web/blog>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client2/web2/web/blog>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client2/web2/cgi-bin/php-fcgi-ip-blog.example.fr
                    FastCgiExternalServer /var/www/clients/client2/web2/cgi-bin/php-fcgi-ip-blog.example.fr -idle-timeout 300 -socket /var/lib/php7.3-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web16.sock|fcgi://localhost//var/www/clients/client2/web2/web/blog/$1
                <Directory /var/www/clients/client2/web2/web/blog>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php7.3-fpm/web16.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web2 client2
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client2/web2/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client2/web2/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
      
    
    
    </VirtualHost>
    
    <IfModule mod_ssl.c>
            SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
    
    
    
    
     
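The vhost posted above can be checked mechanically for the two things the thread keeps circling back to: whether the port-443 vhost actually terminates TLS with a certificate, and whether the port-80 vhost redirects to HTTPS at all (in the posted file it does not; there is no Redirect or RewriteRule in the :80 block, and the Strict-Transport-Security header is commented out). The following is an added example, not ISPConfig code: a small Python audit that parses Apache vhost files, ignores commented-out lines, and reports findings per ServerName. The sample vhost is a trimmed, constructed copy of the posted one with the placeholder IP 192.0.2.10; point the script at /etc/apache2/sites-enabled/*.vhost to run it on a real server.

```python
"""Audit Apache vhost files for the TLS and redirect state discussed in this thread."""
import re
import sys
from dataclasses import dataclass, field

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s+(.*?)\s*$")
REDIRECT_DIRECTIVES = {"redirect", "redirectpermanent", "redirectmatch", "rewriterule"}


@dataclass
class VHost:
    port: str
    directives: list = field(default_factory=list)  # (lower-cased name, value) pairs

    def values(self, name):
        return [v for n, v in self.directives if n == name.lower()]

    @property
    def server_name(self):
        names = self.values("ServerName")
        return names[0] if names else ""


def strip_comments(text):
    """Drop '#' lines so a commented-out Header or SSLCipherSuite does not count as present."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def parse_vhosts(text):
    hosts = []
    for m in VHOST_RE.finditer(strip_comments(text)):
        addr, body = m.group(1).strip(), m.group(2)
        port_match = re.search(r":(\d+)$", addr)
        vh = VHost(port=port_match.group(1) if port_match else "80")
        for line in body.splitlines():
            d = DIRECTIVE_RE.match(line)
            if d:  # container tags such as <Directory ...> never match the directive pattern
                vh.directives.append((d.group(1).lower(), d.group(2)))
        hosts.append(vh)
    return hosts


def audit(text):
    """Return human-readable findings for every ServerName; empty when nothing is wrong."""
    findings, by_name = [], {}
    for vh in parse_vhosts(text):
        by_name.setdefault(vh.server_name, {})[vh.port] = vh
    for name, ports in by_name.items():
        tls, plain = ports.get("443"), ports.get("80")
        if tls is None:
            findings.append(f"{name}: no port-443 vhost, so HTTPS cannot work for this name")
            continue
        if [v.lower() for v in tls.values("SSLEngine")] != ["on"]:
            findings.append(f"{name}: port-443 vhost lacks 'SSLEngine on'")
        for d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if not tls.values(d):
                findings.append(f"{name}: port-443 vhost lacks {d}")
        for proto in tls.values("SSLProtocol"):
            tokens = proto.split()
            for legacy in ("TLSv1", "TLSv1.1"):
                enabled = "all" in [t.lower() for t in tokens] or legacy in tokens or "+" + legacy in tokens
                if enabled and "-" + legacy not in tokens:
                    findings.append(f"{name}: SSLProtocol still allows {legacy}")
        if not any("strict-transport-security" in v.lower() for v in tls.values("Header")):
            findings.append(f"{name}: no Strict-Transport-Security header on the port-443 vhost")
        if plain is not None and not any(
            "https://" in v.lower() for n, v in plain.directives if n in REDIRECT_DIRECTIVES
        ):
            findings.append(f"{name}: port-80 vhost has no HTTP-to-HTTPS redirect, plain HTTP keeps serving the site")
    return findings


# Constructed sample: a trimmed copy of the vhost posted in this thread, placeholder IP 192.0.2.10.
SAMPLE_VHOST = """\
<VirtualHost 192.0.2.10:80>
        DocumentRoot /var/www/clients/client2/web2/web/blog
        ServerName blog.example.fr
        ServerAlias www.blog.example.fr
</VirtualHost>

<VirtualHost 192.0.2.10:443>
        DocumentRoot /var/www/clients/client2/web2/web/blog
        ServerName blog.example.fr
        ServerAlias www.blog.example.fr
        <IfModule mod_ssl.c>
                SSLEngine on
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                # <IfModule mod_headers.c>
                # Header always add Strict-Transport-Security "max-age=15768000"
                # </IfModule>
                SSLCertificateFile /var/www/clients/client2/web2/ssl/blog.example.fr-le.crt
                SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/blog.example.fr-le.key
        </IfModule>
</VirtualHost>
"""

if __name__ == "__main__":
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_VHOST]
    for text in sources:
        for finding in audit(text) or ["no findings"]:
            print(finding)
```

On the sample the audit reports exactly two findings, the missing port-80 redirect and the missing HSTS header; the TLS listener, certificate paths and protocol restriction from the posted vhost all pass, which is consistent with the earlier observation that the 443 vhost itself is configured correctly and the problem lies in what answers on port 80.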
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry, I am not well-versed enough in apache2 anymore to check your vhost, and I am not really sure that I fully understand your problems well enough to fix any of them, but as far as I know the default ISPConfig vhost is fine, whether with or without redirect.

    This already looks right to me; as I mentioned earlier, I also activated SSL on both CF and ISPConfig.

    About the old SSL files: as far as I am concerned you can delete them as long as you know what you are doing, but do make a backup just in case you need to restore any of them.
     
  11. mikka66

    mikka66 New Member

    Thanks for your help ahrasis.

    So I deleted all the SSL duplicates of my domain names; SSL is enabled on Cloudflare and ISPConfig in strict mode, TLS is enabled, and I no longer have redirects via ISPConfig.

    But despite your instructions, ISPConfig continues to use port 80, with an ERR_SSL_PROTOCOL_ERROR for my subdomains :/
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Check in the website settings that you have Let's Encrypt enabled for your sites, because if it is not, you most probably have Let's Encrypt issues, which you may need to resolve by following its sticky troubleshooting FAQ.

    If it is enabled, then you might have a vhost error for that file; try unchecking Let's Encrypt and saving, then re-checking Let's Encrypt and saving, as sometimes this fixes the vhost.err problems.

    If there are a lot of vhost.err files, try rsync in Tools instead, then check after it has fully finished whether that fixes them all; otherwise, if they are still not fixed, you may need to troubleshoot your server as a whole.

    The last part of LE troubleshooting FAQ also guides you how to do that.
     
