Good day,
I completed my first install of ISPConfig 3.1.8p1 on Debian 8.9 on a LXC (Proxmox). Followed : The Perfect Server - Debian 8.6 (nginx, BIND, Dovecot, ISPConfig 3.1)
I noticed these 4 things:
1) Is there an nginx config to access webmail (squirrel mail) like phpmyadmin? https://site.com/webmail (works with https://ip:8081/webmail)
Something like : location /webmail {
I confirm that the symlink is there.
* I followed the recommendations and changed the permissions like mentioned with no success: https://www.howtoforge.com/communit...rfect-server-debian-8-6-nginx-problems.77009/
Has another solution been found?
2) HHVM gave an error at install that the log path didn't exist (not sure if it's critical at this point?). I chose it in the Sites/Domain/PHP and it seems to work. Still no /var/log/hhvm... Is it OK? Where would the logs be?
3) FIXED - rkhunter gave an error at install (with a path I believe). In ISPConfig, I get :
    Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
or if I run:
    # rkhunter --versioncheck
    Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
* Update : fixed with procedure in point 1 : https://debianforum.de/forum/viewtopic.php?t=166137
    # rkhunter --versioncheck
    [ Rootkit Hunter version 1.4.2 ]
    Checking rkhunter version...
    This version : 1.4.2
    Latest version: 1.4.2
4) Can't launch a Let's Encrypt SSL. If I check it and save, when I come back it's unchecked. (I tried and it works fine if I add one I have)
Thanks, JP
1) FYI - you may already know : webmail works with : https://site.com:8081/webmail/ -> https://site.com:8081/squirrelmail/ it's a start (Not Secure - uses self signed). JP
@1.) The following is from the tutorial for perfect server using nginx and roundcube. It should be similar when using squirrelmail:
insert into options tab of website in ISPConfig:
    location /roundcube {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/roundcube/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_param HTTPS on; # <-- add this line
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /webmail {
        rewrite ^/* /roundcube last;
    }
@2.) To be honest, I quit using HHVM because the speed advantage is no more relevant since PHP7. So I can't tell you how you enable logging, but I don't think it's mandatory.
@4.) Please enable the checkbox and then run /usr/local/ispconfig/server/server.sh immediately by hand to see the letsencrypt output.
Croydon,
Thank you for the quick responses.
1) I copied the spoiler right under the /phpmyadmin and it didn't work? It now redirects to /roundcube/ with a 502 this time (from red to yellow). -> I get nothing in the /web1/log access or error logs (or /var/log/nginx)?
2) Thank you for the advice. I will make sure I use the latest PHP7.
3) I did what you recommended, ran with no error, but when I go back, Let's Encrypt is not checked?
- check Let's Encrypt
- save
- run : # /usr/local/ispconfig/server/server.sh
finished.
Thank you, JP
1.) I didn't mean you to copy it ;-) You have to adjust it because you seem to be using squirrelmail and not roundcube. 3.) Are you sure that you have certbot/letsencrypt installed?
1) I run roundcube, the Perfect install uses a script to redirect to squirrelmail to access roundcube? It works with IP:8081. It would be way nicer to see roundcube if it's roundcube.
https://www.howtoforge.com/tutorial/perfect-server-debian-jessie-nginx-bind-dovecot-ispconfig-3.1/3/
"ISPConfig has some configuration in the nginx apps vhost for squirrelmail which works for roundcube as well. We activate it with:
    ln -s /usr/share/roundcube /usr/share/squirrelmail"
Should I not do this?
2)
    # apt-get install python-certbot -t jessie-backports
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    python-certbot is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 67 not upgraded.
Thanks, JP
You irritate me. In your first post you wrote: "1) Is there an nginx config to access webmail (squirrel mail) like phpmyadmin?"
So if you run roundcube then you should be able to use the "spoiler" contents, but you have to adjust the PHP 7-fpm path to the correct one matching your server, of course. Debian 8 uses PHP 5.6 and not 7.0, so you have to use a different socket path.
2.) I always recommend using the official version, as the packaged version is not very useful in my opinion. I recommend uninstalling it and using the following:
Code:
    cd /tmp
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --dry-run
This will lead to a warning like "you cannot use dry run blabla" at the end but that does not matter.
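
Added example, not part of the original posts or of ISPConfig: a shell check for the 502 discussed above, which lists every unix socket named in a `fastcgi_pass` directive and flags those that do not exist on the host. The function names and the sample snippet are constructed for illustration; pass your own vhost files as arguments.

```sh
#!/bin/sh
# Added example: list the PHP-FPM unix sockets an nginx config points at and
# flag the ones that do not exist on this host.

# Constructed sample: the fastcgi_pass line from the snippet in this thread.
sample_conf() {
cat <<'EOF'
location ~ ^/roundcube/(.+\.php)$ {
    root /usr/share/;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_param HTTPS on; # <-- add this line
}
EOF
}

# Print each unix socket named in a fastcgi_pass directive, one per line.
# Reads the files given as arguments, or stdin; '#' comments are ignored.
list_fpm_sockets() {
    sed -e 's/#.*$//' "$@" |
        grep -oE 'fastcgi_pass[[:space:]]+unix:[^;[:space:]]+' |
        sed -E 's/^fastcgi_pass[[:space:]]+unix://' |
        sort -u
}

# Print the referenced sockets that are not present; return 1 if any is missing.
missing_fpm_sockets() {
    missing=$(list_fpm_sockets "$@" | while IFS= read -r sock; do
        [ -S "$sock" ] || printf '%s\n' "$sock"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# With file arguments, check those files; exit status 1 means a socket is missing.
if [ "$#" -gt 0 ]; then
    missing_fpm_sockets "$@"
fi
```

Any path it prints is a socket nginx will fail to reach; compare it with the sockets the installed PHP-FPM version actually creates and adjust `fastcgi_pass` accordingly.
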
Sorry, never meant to irritate you? I'm following a HowToForge procedure and that's what's written (that's how confusing it is to me anyways)? With all these secondary tweaks (rkhunter, roundcube, Let'sEncrypt...) not in the procedure, it's a bit difficult that's all. Why aren't these recommendations put in the document? Guess things change from 8.6 to 8.9. No Procedure on Deb 9 with Nginx yet. Once I get it all polished, it'll be easy to replicate. Thank you once again for the great help. I do not mean any disrespect in any way and thank you for a great product. JP (HowToForge supporter)
Unfortunately after removing the original install (# apt-get remove python-certbot -t jessie-backports) and running the certbot snippet you provided, I still have the same issue with the Let'sEncrypt functionality. I even tried to launch it with /usr/local/ispconfig/server/server.sh like recommended. Just doesn't want to stick? JP
FYI - I have the same issue with SSL-Let'SEncrypt with ISPConfig3.1.8p1 on a Deb9.1 box
    apt-get remove certbot
    cd /tmp
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --dry-run
    ...
    Installation succeeded.
    --dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')
//what you mention is normal.
JP
Please check the log files for the acme-challenge test:
    grep 'acme-challenge' /var/log/apache2/other_vhost_access.log
And please execute
    which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot
and post the output.
    # grep 'acme-challenge' /var/log/apache2/other_vhost_access.log
    grep: /var/log/apache2/other_vhost_access.log: No such file or directory
    # ls -lh /var/log/apache2/
    total 3.8M
    -rw-r----- 1 root adm 32K Nov 28 22:05 access.log
    -rw-r----- 1 root adm 166K Nov 28 02:46 error.log
    -rw-r----- 1 root adm 3.6M Nov 28 21:59 other_vhosts_access.log
    -rw-r--r-- 1 root www-data 1.1K Nov 28 02:46 suexec.log
    # grep 'acme-challenge' /var/log/apache2/other_vhosts_access.log
    (nothing)
    # which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot
    /opt/eff.org/certbot/venv/bin/certbot
Thanks, JP
Try disabling the LE check: System -> server config -> select server -> tab "web" -> section "ssl" -> skip le check -> save. Then try activating your SSL again.
No success.
- Enable SNI is checked
- Make SPDY available is not checked
- CA path is empty
- CA passphrase is empty
- Skip Let's Encrypt check is checked
JP