Fail to open ISPConfig site: firefox 8182


BigB
21st July 2005, 14:19
It complains about my certificate being invalid, how can I fix this?

IE doesn't open at all

My setup using debian and the howto at http://www.falkotimme.com/howtos/perfect_setup_debian_sarge/

worked great until now...

Help please :(

falko
21st July 2005, 14:42
Is ISPConfig running? Execute

netstat -tap

and look if ISPConfig is running on port 81. If not, restart ISPConfig:

/etc/init.d/ispconfig_server restart

BTW, you did try to connect on port 81, didn't you (it's https://url_of_your_server:81)? :D

It's also possible that the firewall on your desktop is blocking access to port 81. Shut down your firewall and try again.

BigB
21st July 2005, 14:45
yes it is running, however the certificates the setup generated seem to be faulty, is there a way to restart that part of the setup or another way to re-generate those certificates?

falko
21st July 2005, 15:18
Try this:

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Restart ISPConfig afterwards.
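
Added example, not part of falko's post: a check to run after regenerating the pair. It confirms that the key httpd loads has no passphrase, belongs to the certificate, is not readable by group/other, and that the certificate is unexpired with an RSA key of at least 2048 bits. It runs in a scratch directory; the passphrase, subject and function names are made up for the demo, which generates 2048-bit keys rather than the thread's 1024.

```shell
#!/bin/sh
# Added example (not from the thread): verify a regenerated key/certificate pair.
# The scratch paths, passphrase and subject below are constructed for the demo.

# Build a pair the way the thread does: passphrase-protected key (server.key2),
# self-signed certificate, then a passphrase-free copy (server.key) for httpd.
make_demo_pair() {
    d=$1
    openssl genrsa -aes256 -passout pass:demo-pass -out "$d/server.key2" 2048 2>/dev/null
    openssl req -x509 -new -passin pass:demo-pass -key "$d/server.key2" \
        -subj "/C=GB/O=Example/CN=server.example.test" -days 365 \
        -out "$d/server.crt" 2>/dev/null
    openssl rsa -passin pass:demo-pass -in "$d/server.key2" -out "$d/server.key" 2>/dev/null
    chmod 400 "$d/server.key"
}

key_is_encrypted() {          # both PEM key formats carry the word ENCRYPTED
    grep -q 'ENCRYPTED' "$1"
}

key_matches_cert() {          # compare the public key held in each file
    k_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k_pub" ] && [ "$k_pub" = "$c_pub" ]
}

key_is_private() {            # no permission bits set for group or other
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

cert_key_bits() {             # RSA modulus size recorded in the certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

check_pair() {                # check_pair KEY CRT; returns the number of failed checks
    cp_fail=0
    if key_is_encrypted "$1"; then
        echo "FAIL key is passphrase-protected; httpd cannot start unattended"
        cp_fail=$((cp_fail + 1))
    elif ! key_matches_cert "$1" "$2"; then
        echo "FAIL key and certificate do not belong together"
        cp_fail=$((cp_fail + 1))
    fi
    if ! key_is_private "$1"; then
        echo "FAIL key is accessible to group/other"
        cp_fail=$((cp_fail + 1))
    fi
    cp_bits=$(cert_key_bits "$2")
    if [ "${cp_bits:-0}" -lt 2048 ]; then
        echo "FAIL RSA key is shorter than 2048 bits"
        cp_fail=$((cp_fail + 1))
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL certificate has expired or cannot be read"
        cp_fail=$((cp_fail + 1))
    fi
    [ "$cp_fail" -eq 0 ] && echo "OK   $1 with $2"
    return "$cp_fail"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pair "$DEMO_DIR"
check_pair "$DEMO_DIR/server.key"  "$DEMO_DIR/server.crt" || true   # passphrase-free copy
check_pair "$DEMO_DIR/server.key2" "$DEMO_DIR/server.crt" || true   # still encrypted
```

On a real install, point check_pair at the server.key and server.crt paths given in the post above before restarting ISPConfig.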

m u r
9th August 2005, 18:15
Well, firefox at least gives me the option now. It still says, "This certificate is not in the trusted root database." Is that normal?

till
9th August 2005, 18:27
Well, firefox at least gives me the option now. It still says, "This certificate is not in the trusted root database." Is that normal?

Yes, because it is a self-signed certificate. If you don't want to have this message you must buy an SSL Certificate from an SSL Authority.

KenMcGinnis
13th August 2005, 05:56
I have the SSL working for port 81, admin console, no problem. However, I want to have a cert on port 80 (192.168.0.195:80) but I can't because there already is a cert for that IP. How to remove the https: access and use http: ?

till
13th August 2005, 11:20
I have the SSL working for port 81, admin console, no problem. However, I want to have a cert on port 80 (192.168.0.195:80) but I can't because there already is a cert for that IP. How to remove the https: access and use http: ?

change the file /root/ispconfig/httpd/conf/httpd.conf and the Server URL in the ispconfig configuration in /home/admispconfig/ispconfig/lib/config.inc.php

When you switch the controlpanel httpd to port 80, you must have an IP only for the controlpanel httpd and configure the admin server to only listen to that IP. And your main apache server must be configured to listen on all IPs except the IP from the controlpanel httpd.

hairydog2
14th November 2005, 23:19
If you dont want to have this message you must buy an SSL Certificate from an SSL Authority.

Is there a step-by-step description of how to install a bought certificate into a working ISPConfig setup?

I'm thinking about the certificate for the Admin login, not the public server.

falko
14th November 2005, 23:41
http://www.instantssl.com/ssl-certificate-support/ssl-certificate-index.html

The "Certificate Signing Request" is /root/ispconfig/httpd/conf/ssl.csr/server.csr, the certificate is /root/ispconfig/httpd/conf/ssl.crt/server.crt.

hairydog2
14th November 2005, 23:43
Thank you. I really appreciate your quick and helpful replies.

If paid-for software was as well supported as ISPConfig, life would be so much easier!

hairydog2
14th November 2005, 23:55
Hmm. I've hit a snag. When I paste in the csr, I get:

"UK is an Invalid Country - do you mean GB?"

The answer to that question is "Yes" but there is nowhere for me to put that. So I guess I need to generate the csr again, properly this time.

Suppose I need to do all that "openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024" and so on mentioned above.

I'm not sure what I am supposed to put in place of "yourpassword" for that.

Trial and error with certificates seems to be getting me just errors!

falko
15th November 2005, 00:19
I'm not sure what I am supposed to put in place of "yourpassword" for that.

You can make up a new password and replace yourpassword with it.

hairydog2
15th November 2005, 00:23
And it doesn't matter if that doesn't match any other passwords? Will I need it later (after the certificate is issued?) or can I forget it?

falko
15th November 2005, 09:56
And it doesn't matter if that doesn't match any other passwords? Will I need it later (after the certificate is issued?) or can I forget it?
You should write it down!:) I think you need it if you want to change the certificate for some reason (i.e. change of company name or stuff like that) before it expires. I think your CA (e.g. instantssl.com) wants to see that password then, but I'm not quite sure.

hairydog2
19th November 2005, 21:54
I now have a second IP assigned, and I have added it in /etc/network/interfaces by adding a section that says:

auto eth0:1
iface eth0:1 inet static
address 80.bb.cc.ddd
netmask 255.255.255.255
pointopoint 80.bb.cc.1
gateway 80.bb.cc.1

(Originally, I used auto eth0 and that seemed to give an error.) After a network restart, I seem to be able to ping the new IP.

change the file /root/ispconfig/httpd/conf/httpd.conf and the Server URL in the ispconfig configuration in /home/admispconfig/ispconfig/lib/config.inc.php
I did that, but after I'd restarted the Apache server using 'apachectl restart' it only gave a blank window when I tried to go to the control panel.

Can you give specific details about what needs to be changed in these files?

When you switch the controlpanel httpd to port 80, you must have an IP only for the controlpanel httpd and configure the admin server to only to listen to that IP. And your main apache server must be configured to listen on all IP's except the IP from the controlpanel httpd.
Is it necessary to have it listen to multiple IPs if the server only has one IP? I can't work out where to control which IP the apache2 server is listening on. There seem to be so many configuration files for it! Even if I found where, I know how to make it listen on all (*) or on specific IPs, but how do I exclude one IP?

falko
20th November 2005, 02:36
Is it necessary to have it listen to multiple IPs if the server only has one IP? I can't work out where to control which IP the apache2 server is listening on. There seem to be so many configuration files for it! Even if I found where, I know how to make it listen on all (*) or on specific IPs, but how do I exclude one IP?
You can use the Listen directive. For example, you can write
Listen 127.0.0.1:80
Listen <your public ip>:80
You see, it's allowed to have multiple Listen directives.

Can you give specific details about what needs to be changed in these files?
In /root/ispconfig/httpd/conf/httpd.conf you have to replace all occurrences of port 81 with the new port number, the same goes for /home/admispconfig/ispconfig/lib/config.inc.php.

hairydog2
20th November 2005, 12:48
I'm not really clear about where the Listen directives need to go. There seem to be several possible places for it in Apache2. But that's to control where Apache2 listens to normal website connections.

The other two files refer to the Apache1 ISPConfig admin server, don't they? I need to be able to specify a different IP for that as well as changing the port. Do I need to actually specify a port number if I want it to use the standard https port?

falko
20th November 2005, 14:47
I'm not really clear about where the Listen directives need to go. There seem to be several possible places for it in Apache2. But that's to control where Apache2 listens to normal website connections.
Run httpd -V and you'll see which file is the Apache2 configuration file. Many distributions split this file up, so you might see some "Include" lines in the main configuration file. You might have to search these included files also for the Listen directive.

The other two files refer to the Apache1 ISPConfig admin server, don't they? I need to be able to specify a different IP for that as well as changing the port.
Yes.
Do I need to actually specify a port number if I want it to use the standard https port?
Yes.

nenad
27th November 2005, 14:22
When I try to recreate certificate I receive this error in shell:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

till
27th November 2005, 14:33
The error means that you are in a directory that does not exist anymore, nothing serious. Is the certificate working that you created or not?

nenad
27th November 2005, 19:17
Yes, I realised that.
After I "reinstalled" certificate according to your instructions everything works fine.
Thank you very much. Your advices are always great help.

BTW what means:

quotacheck: WARNING - Quotafile //aquota.user was probably truncated. Can't save quota settings...
quotacheck: WARNING - Quotafile //aquota.group was probably truncated. Can't save quota settings...

falko
27th November 2005, 21:54
This happens the first time when you set up quota. That's normal, nothing to worry about.

badben
10th January 2006, 23:18
Try this:

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Restart ISPConfig afterwards.
Help!

I have followed the changes to amend the detail of my certificate and now ispconfig will not restart and I can't connect to the server at port 81.

It won't let me access emails either.

badben
11th January 2006, 00:06
emails now work as I restarted saslauthd and postfix.

port 80 works also, it is just https://www.XXXXXXX.com:81/ that won't work.

It just says "The connection was refused when attempting to connect to https://...."

netstat -tap shows nothing for ispconfig and i've tried to restart ispconfig-server three times, no joy.

badben
11th January 2006, 00:36
Sorry to be a pain but it now works.

I must have done something wrong as I have redone the changes to the cert and the ispconfig apache now works.

On the plus side I have now found where all of the ssl cert stuff is and a bit more about how they work.

Sorry again, but I panicked a bit.

falko
11th January 2006, 00:46
Sorry again, but I panicked a bit.
No problem! :) It's good that it's working again.

geek.de.nz
27th March 2006, 15:08
My SSL certificate is not working properly when the session expired.

I did a wrong choice in the initial setup of ipconfig, but I do not want to reinstall. my ispconfig runs on https://www.myserver.com:81 . When I load this address it works fine (except that my certificate always generates a browser warning). When the session times out, however, I get referred to https://server.myotherdomain.com.myotherdomain.com:81 . This is probably because of my bad choice in the install. How can I change the path server.myotherdomain.com to just www and the myotherdomain.com part to myserver.com? I want to set up a webhost and really don't want customers to see that other domain.

Also, it would be nice if anyone could tell me how to set up a ssl certificate that does not generate the warnings, without having to pay a lot of $$ for an authority. Thanks. :)

You have helped me already quite a lot. Thank you soo much. Great tool. Great support and all that for free, I can't believe it!

falko
28th March 2006, 11:21
I did a wrong choice in the initial setup of ipconfig, but I do not want to reinstall. my ispconfig runs on https://www.myserver.com:81 . When I load this address it works fine (except that my certificate always generates a browser warning). When the session times out, however, I get refered to https://server.myotherdomain.com.myotherdomain.com:81 .This is probably because of my bad choice in the install. How can I change the path server.myotherdomain.com to just www and the myotherdomain.com part to myserver.com? I want to set up a webhost and really don't want customers to see that other domain.
Please set the correct FQDN in /home/admispconfig/ispconfig/lib/config.inc.php and in /root/ispconfig/httpd/conf/httpd.conf and restart ISPConfig:
/etc/init.d/ispconfig_server restart

Also, it would be nice if anyone could tell me how to set up a ssl certificate that does not generate the warnings, without having to pay a lot of $$ for an authority. Thanks. :)

You don't get such a certificate for free.
I'm buying my certificates at InstantSSL.com.

geek.de.nz
28th March 2006, 12:16
Thanks. But I think I read somewhere that you can set up your own authority. But yeah, as far as I know this wouldn't really make sense since you need to have a trusted party between the site and the user (browser) as far as my knowledge of security goes.

By the way, I'm German too ;)

nvn
9th May 2006, 17:52
Restart ISPConfig afterwards.


Perfect.... it's working now..
thanks

asmadius
12th July 2006, 16:58
CAcert.org offers free certs for domains, emails, servers...

are these ok or is there something wrong with them? I've used it last year but it doesn't seem like anybody knows about them or there is something not quite ok. :confused:

falko
13th July 2006, 14:58
I think most browsers don't have CAcert.org included that's why you will continue to get warnings with their certificates. So there would be no difference to using your own certificate.

asmadius
13th July 2006, 22:30
OK thanks for the info I didn't think about that.:o

AndyF
8th August 2006, 23:20
Try this:

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Restart ISPConfig afterwards.

Sorry for bumping an old thread, but this can be used to change your install so that you don't have to keep putting the password in for the certificate on boot, without having to do a reinstall of ISPConfig.

Rgds

Andy

kingtech
24th August 2006, 00:00
Try this:

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Restart ISPConfig afterwards.

this needs a sticky!!! I also had SSL probs after installing with perfect install for centos 4.3... somewhere along the line I created a self signed cert and could not figure out why the ISPConfig would not work after reboot... was wanting the passphrase....

thanks for the help falko! I have a smooth web server running now!

nenad
24th August 2006, 00:30
It complains about my certificate being invalid, how can I fix this?

IE doesnt open at all

My setup using debian and the howto at http://www.falkotimme.com/howtos/perfect_setup_debian_sarge/

worked great until now...

Help please :(

I noticed that sometimes after re-installation of ISPConfig, or after new installation, Firefox is complaining about certificate. Usually I create a new certificate, but few days ago I tried different approach:

I deleted certificates in Firefox, and then it accepted certificate from ISPConfig website, without complaining about certificate issue any more

till
24th August 2006, 09:50
I deleted certificates in Firefox, and then it accepted certificate from ISPConfig website, without complaining about certificate issue any more

Firefox is complaining about a certificate if it is used on two servers.

For example: If you have 2 servers and you entered the same values in the certificate setup, firefox will complain against the 2nd server. If you delete the cert in firefox and browse the 2nd server again, everything is ok, but if you go to the 1st server, it will complain there now :)
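
Firefox's message quoted elsewhere in this thread ("Your certificate contains the same serial number as another certificate issued by the certificate authority") is raised when two different certificates share issuer name and serial number. This added example (not from the thread) reproduces that situation with throwaway self-signed certificates and shows that issuing with a random serial removes the clash. The fixed serial 1, the subject and all function names are assumptions for the demo; the thread does not show which serial the installer uses.

```shell
#!/bin/sh
# Added example (not from the thread): detect an issuer+serial collision between
# self-signed certificates. Subject, serials and file names are constructed.

SUBJ="/C=GB/O=Example Hosting/CN=server.example.test"

make_selfsigned() {           # make_selfsigned BASENAME SERIAL -> BASENAME.key/.crt
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$SUBJ" -days 365 \
        -set_serial "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

random_serial() {             # 128-bit random serial in the 0x... form openssl accepts
    echo "0x$(openssl rand -hex 16)"
}

cert_identity() {             # issuer DN plus serial: the pair that must be unique
    openssl x509 -in "$1" -noout -issuer -serial
}

cert_fingerprint() {          # hash of the whole certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

serial_collision() {          # true if two *different* certs share issuer and serial
    [ "$(cert_identity "$1")" = "$(cert_identity "$2")" ] &&
        [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

find_collisions() {           # print one line per colliding pair among the given files
    while [ $# -gt 1 ]; do
        fc_a=$1
        shift
        for fc_b in "$@"; do
            if serial_collision "$fc_a" "$fc_b"; then
                echo "COLLISION $fc_a <-> $fc_b"
            fi
        done
    done
    return 0
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Two installs answered with the same values and given the same fixed serial.
make_selfsigned "$DEMO_DIR/server200" 1
make_selfsigned "$DEMO_DIR/server201" 1
# The second server's certificate reissued with a random serial.
make_selfsigned "$DEMO_DIR/server201-reissued" "$(random_serial)"

find_collisions "$DEMO_DIR/server200.crt" "$DEMO_DIR/server201.crt" \
    "$DEMO_DIR/server201-reissued.crt"
```

Only the server200/server201 pair is reported; the reissued certificate has the same issuer but a different serial, so a browser can store it alongside the first one.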

nenad
24th August 2006, 11:02
Firefox is complaining about a certificate if it is used on two servers.

For example: If you have 2 servers and you entered the same values in the certificate setup, firefox will complain against the 2nd server. If you delete the cert in firefox and browse the 2nd server again, everything is ok, but if you go to the 1st server, it will complain there now :)

Actually, you don't need to have 2 servers, it is enough to reinstall ISPConfig with same data (what most users actually do) on the same server.

BTW I have two servers and I entered same data, and after deleting certs from Firefox it is not complaining, neither for server200 nor for server 201

cybere
14th December 2006, 01:29
Greetings,

I have attempted to complete the instructions provided by Till and falko, on the creation of new certificates. However i am getting an error generated, due to there not being a server.key2 file. The directory structure is fine up until then but there are only 2 files in there:

README.csr and server.csr

this file server.key2 is not to be found anywhere on myserver, and im just wondering if that needs to be replaced with the file i do have.

The browser is operational, but im unable to view ispconfig admin.

error is as follows:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

TIA

cybere
14th December 2006, 02:14
Woot!, pays to check the scroll bar was at the complete bottom.....

Recreated the certificates, and missed the bottom line...

Just needed to restart ispconfig......

Thanks to everyone's postings here, sorted me out.

netphreak
7th January 2007, 16:27
Greetings,

I have attempted to complete the instructions provided by Till and falko, on the creation of new certificates. However i am getting an error generated, due to there not being a server.key2 file. The directory structure is fine up until then but there are only 2 files in there:

README.csr and server.csr

this file server.key2 is not to be found anywhere on myserver, and im just wondering if that needs to be replaced with the file i do have.

The browser is operational, but im unable to view ispconfig admin.

error is as follows:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

TIA

I don't have any server.key2 either... Everything is working, but I'm trying to get rid of the annoying passphrase thing at boot... I must have missed something?

nenad
8th January 2007, 04:42
I was solving those Firefox certificates problems with deleting of certificates within Firefox, and then accepting/importing new ones...

falko
8th January 2007, 23:06
I don't have any server.key2 either... Everything is working, but I'm trying to get rid of the annoying passphrase thing at boot... I must have missed something?
Have a look here: http://www.ispconfig.org/manual_installation.htm

In step 7 ("Encrypting RSA private key of CA with a pass phrase for security [ca.key]") and step 8 ("Encrypting RSA private key of SERVER with a pass phrase for security [server.key]") of the certificate creation process you are asked if you want to encrypt the respective key now. Choose n there because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!

netphreak
8th January 2007, 23:14
Yes, I realize I walked the wrong path under installation... So - there's no fix? Do I have to reinstall ISPConfig and start from scratch? I hope there's other ways?

till
9th January 2007, 10:29
Yes, I realize I walked the wrong path under installation... So - there's no fix? Do I have to reinstall ISPConfig and start from scratch? I hope there's other ways?

Yes, and that's exactly what this thread is about. Please read the thread from the beginning and recreate the SSL certificates as Falko posted on the first page of the thread.

celtic
20th January 2007, 12:18
Not sure if this is the right place to post my problem, but after reading a bit this looks like it.

No special skills with linux or ISP Config but till a week ago everything was working fine, then suddenly cannot access anymore https://212.13.41.2:81 that should give the ISP Config control panel and cannot either access my php admin.

The mail clients don't complain about mail: they receive a SSL warning but everything works fine. ISP Config is up and running. Was stopped and started lots of times to check that. Server was rebooted some times also after some experiences but nothing works. Will the re-issuing of the certificate solve my problem?

Apart from that the web sites work fine (http://forum.boavistafc.net) for example and as I said mails work fine either.

Some help would be appreciated

Sorry for my poor english

Kind regards and thanks in advance

Joaquim Oliveira
Oporto - Portugal

till
20th January 2007, 12:21
Please make always a new thread for a new problem, your problem is most likely not related to SSL certificates.

Please post the output of:

netstat -tap | grep ispconfig

and

iptables -L

celtic
20th January 2007, 12:27
Sorry for the inconvenience.

Here it goes:

> netstat - tap
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15600 TIME_WAIT
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15596 TIME_WAIT
tcp 0 8701 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15599 ESTABLISHED
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15595 TIME_WAIT


> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain PAROLE (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:10000
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

I think this is it.

till
20th January 2007, 12:31
Please run:

/etc/init.d/ispconfig_server stop

and then:

/etc/init.d/ispconfig_server start

Any errors? If you still cant connect to ISPConfig, post the output of:

netstat -tap

again.

celtic
20th January 2007, 12:37
Still I can't get no connection.

IE 7 States:

Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. Connection refused(10061)
IP Address: 212.13.41.2
Date: 20-01-2007 11:33:57 [GMT]
Server: afonso.JFO.local
Source: proxy



Command outputs:



> /etc/init.d/ispconfig_server stop
Shutting down ISPConfig system...
/root/ispconfig/httpd/bin/apachectl stop: httpd (no pid file) not running
ISPConfig system stopped!
> /etc/init.d/ispconfig_server start
Starting ISPConfig system...
/root/ispconfig/httpd/bin/apachectl startssl: httpd started
ISPConfig system is now up and running!
> netstat - tap
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15665 ESTABLISHED
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15664 ESTABLISHED
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15679 TIME_WAIT
tcp 0 8701 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:15680 ESTABLISHED

till
20th January 2007, 13:07
Please post the output of:

df -h

Are there any errors in the logfile in /root/ispconfig/httpd/logs/error_log?

celtic
20th January 2007, 14:18
> df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 9.2G 943M 7.8G 11% /
varrun 252M 88K 252M 1% /var/run
varlock 252M 4.0K 252M 1% /var/lock
udev 252M 60K 252M 1% /dev
devshm 252M 0 252M 0% /dev/shm
/dev/sda1 118M 14M 98M 13% /boot
/dev/sda6 64G 2.8G 58G 5% /var


LOG from December 2006


[Sun Dec 3 18:28:27 2006] [error] [client 212.13.49.200] File does not exist: /home/admispconfig/ispconfig/web/myphpadmin
[Sun Dec 3 19:31:44 2006] [notice] caught SIGTERM, shutting down
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
[Sun Dec 3 19:33:18 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.4 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
[Sun Dec 3 19:33:18 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Dec 6 15:29:30 2006] [notice] caught SIGTERM, shutting down
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
[Wed Dec 6 15:31:01 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.4 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
[Wed Dec 6 15:31:01 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Dec 9 12:15:53 2006] [notice] caught SIGTERM, shutting down
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
[Sat Dec 9 12:17:24 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.4 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
[Sat Dec 9 12:17:24 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
du: `/var/www/web1/user/web1_pn/Maildir': Permission denied
[Wed Dec 20 21:32:42 2006] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Wed Dec 20 21:32:42 2006] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Fri Dec 29 16:21:16 2006] [notice] caught SIGTERM, shutting down
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
PHP: Error parsing /root/ispconfig/php/php.ini on line 1114
[Fri Dec 29 16:22:41 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.4 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
[Fri Dec 29 16:22:41 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Jan 6 16:17:12 2007] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Sat Jan 6 16:17:12 2007] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Sat Jan 6 16:17:20 2007] [error] [client 212.13.49.200] File does not exist: /home/admispconfig/ispconfig/web/myphpadmin
[Wed Jan 10 15:04:25 2007] [notice] caught SIGTERM, shutting down
[Wed Jan 17 21:23:34 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Wed Jan 17 21:31:33 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Wed Jan 17 21:34:31 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 21:58:42 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 22:16:14 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 22:20:52 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Sat Jan 20 10:33:54 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Sat Jan 20 11:33:28 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443

till
20th January 2007, 14:24
Did you change the port 81 from the ISPConfig httpd to port 443?

celtic
20th January 2007, 14:46
Absolutely not!

As I said, my knowledge of linux is very limited and constrains itself in following troubleshooting directions when something goes wrong.

falko
21st January 2007, 15:58
The command is netstat -tap, not netstat - tap!
Please post the output of netstat -tap
What's in the error log in /root/ispconfig/httpd/logs?

celtic
22nd January 2007, 10:33
> netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 3953/mysqld
tcp 0 0 *:10000 *:* LISTEN 4805/perl
tcp 0 0 *:ftp *:* LISTEN 15095/proftpd: (acc
tcp 0 0 jfo.nortenet.pt:domain *:* LISTEN 6086/named
tcp 0 0 localhost:domain *:* LISTEN 6086/named
tcp 0 0 *:smtp *:* LISTEN 15259/master
tcp 0 0 localhost:953 *:* LISTEN 6086/named
tcp 0 0 jfo.nortenet.pt:42166 jfo.nortenet.pt:mysql TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:42167 jfo.nortenet.pt:mysql TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:42164 jfo.nortenet.pt:mysql TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:42165 jfo.nortenet.pt:mysql TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:42168 jfo.nortenet.pt:mysql TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20500 ESTABLISHED24693/perl
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20497 TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20499 TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20498 TIME_WAIT -
tcp 0 4590 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20504 ESTABLISHED24703/index.cgi
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20493 TIME_WAIT -
tcp 0 0 jfo.nortenet.pt:10000 ADSL-F49-S200-jfo:20494 TIME_WAIT -
tcp 1 0 jfo.nortenet.pt:53729 jfo.nortenet.pt:mysql CLOSE_WAIT 2695/apache2
tcp6 0 0 *:imaps *:* LISTEN 3826/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 3861/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 3841/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 3806/couriertcpd
tcp6 0 0 *:www *:* LISTEN 25074/apache2
tcp6 0 0 *:ssh *:* LISTEN 4127/sshd
tcp6 0 0 *:smtp *:* LISTEN 15259/master
tcp6 0 0 ip6-localhost:953 *:* LISTEN 6086/named
tcp6 0 0 *:https *:* LISTEN 25074/apache2
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54621 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54867 ESTABLISHED11180/apache2
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54800 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54870 ESTABLISHED7344/apache2
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54869 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54868 ESTABLISHED9421/apache2
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54667 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54794 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54799 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54798 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54790 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54585 TIME_WAIT -
tcp6 0 0 jfo.nortenet.pt:www mail.cm-porto.pt:54566 TIME_WAIT -

celtic
22nd January 2007, 10:36
access_log 1Mb
error_log 28Kb
ssl_engine_log 7Mb
ssl_request_log 1Mb

falko
23rd January 2007, 17:17
ISPConfig isn't running. Please start it (as root):
/etc/init.d/ispconfig_server start
Do you get any error messages?
Which distribution do you use?


error_log 28Kb
What's in the error_log?

celtic
23rd January 2007, 18:04
> /etc/init.d/ispconfig_server start
Starting ISPConfig system...
/root/ispconfig/httpd/bin/apachectl startssl: httpd started
FreshClam is already running!
ISPConfig system is now up and running!

Ubuntu 6.06

[Sat Jan 6 16:17:12 2007] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Sat Jan 6 16:17:12 2007] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Sat Jan 6 16:17:20 2007] [error] [client 212.13.49.200] File does not exist: /home/admispconfig/ispconfig/web/myphpadmin
[Wed Jan 10 15:04:25 2007] [notice] caught SIGTERM, shutting down
[Wed Jan 17 21:23:34 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Wed Jan 17 21:31:33 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Wed Jan 17 21:34:31 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 21:58:42 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 22:16:14 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Thu Jan 18 22:20:52 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Sat Jan 20 10:33:54 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Sat Jan 20 11:33:28 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Tue Jan 23 09:24:42 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443
[Tue Jan 23 16:58:36 2007] [crit] (98)Address already in use: make_sock: could not bind to port 443

Still can't connect to port 81 :(

till
24th January 2007, 09:26
You or someone else must have modified the port ISPConfig listens on, as I posted earlier in this thread. Please post the output of:

grep 443 /root/ispconfig/httpd/conf/httpd.conf

celtic
24th January 2007, 10:24
> grep 443 /root/ispconfig/httpd/conf/httpd.conf
Listen 443
<VirtualHost _default_:443>

till
24th January 2007, 10:26
Please open the file, search for these two lines and replace 443 with 81, then restart ISPConfig.

celtic
24th January 2007, 10:39
Shall I replace:

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

with:

<IfDefine SSL>
Listen 80
Listen 81
</IfDefine>

and

<VirtualHost _default_:443>

with:

<VirtualHost _default_:81>?

till
24th January 2007, 11:03
Please replace:

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

with:

<IfDefine SSL>
Listen 81
</IfDefine>

and

<VirtualHost _default_:443>

with:

<VirtualHost _default_:81>?

I really don't know where you have this config from, it's definitely not from the ISPConfig installer package.
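The error_log and netstat output posted above show the same conflict: the ISPConfig httpd is told to listen on ports that apache2 already holds. As an added example (not part of the original posts), this script cross-checks the Listen directives of a config file against saved `netstat -tap` output; the sample data is constructed from lines in this thread, and the name-to-port map and the assumption that the ISPConfig web server appears as `httpd` are mine.

```shell
#!/bin/sh
# Added example: list Listen ports in an Apache config that another
# process already holds, according to saved "netstat -tap" output.

# listen_conflicts CONF NETSTAT_FILE [OWN_PROGRAM]
# Prints "<port> <pid/program>" for every Listen port that is taken.
# OWN_PROGRAM (assumed "httpd" for ISPConfig) is not counted as a conflict.
listen_conflicts() {
    awk -v own="$3" '
        # netstat prints service names unless run with -n; map the ones
        # seen in this thread, pass numeric ports through unchanged.
        function portnum(p) {
            if (p == "www" || p == "http") return 80
            if (p == "https") return 443
            return (p ~ /^[0-9]+$/) ? p + 0 : -1
        }
        # First file: netstat output. Remember who owns each LISTEN socket.
        FNR == NR {
            if ($1 ~ /^tcp/ && $6 == "LISTEN") {
                n = split($4, a, ":"); p = portnum(a[n])
                split($7, b, "/")
                if (p >= 0 && (own == "" || b[2] != own)) owner[p] = $7
            }
            next
        }
        # Second file: the config. "Listen 81" and "Listen 1.2.3.4:81" both work.
        $1 == "Listen" {
            n = split($2, a, ":"); p = portnum(a[n])
            if (p in owner) print p, owner[p]
        }
    ' "$2" "$1"
}

# Constructed sample, abridged from the netstat output posted in the thread.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 3953/mysqld
tcp 0 0 *:10000 *:* LISTEN 4805/perl
tcp6 0 0 *:www *:* LISTEN 25074/apache2
tcp6 0 0 *:ssh *:* LISTEN 4127/sshd
tcp6 0 0 *:https *:* LISTEN 25074/apache2
EOF
}

tmp=$(mktemp -d)
sample_netstat > "$tmp/netstat.txt"
# The two config states discussed in the thread.
printf '<IfDefine SSL>\nListen 80\nListen 443\n</IfDefine>\n' > "$tmp/before.conf"
printf '<IfDefine SSL>\nListen 81\n</IfDefine>\n' > "$tmp/after.conf"

echo "before the change:"
listen_conflicts "$tmp/before.conf" "$tmp/netstat.txt" httpd
echo "after the change:"
listen_conflicts "$tmp/after.conf" "$tmp/netstat.txt" httpd
```

On a live system, save `netstat -tapn` output as root so ports are numeric and every socket has an owner.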

celtic
24th January 2007, 16:06
Changes made according to your instructions.

Service stopped and restarted and unfortunately https://212.13.41.2:81 is still unreachable.

:(

falko
25th January 2007, 18:40
I suggest you install the latest ISPConfig again, it will perform an update and erase your messed up configuration.

celtic
25th January 2007, 20:28
Can it be done with a webmin shell window remotely or must it be done locally?

falko
26th January 2007, 17:30
You can do it remotely, but I recommend you use an SSH client such as PuTTY for it: http://www.chiark.greenend.org.uk/~sgtatham/putty/

celtic
29th January 2007, 10:26
When executing the setup again this is the output till it exits to command line again:


Checking the syntax of the httpd.conf...
[Mon Jan 29 09:21:28 2007] [warn] NameVirtualHost 212.13.41.2:80 has no VirtualHosts
Syntax OK
The syntax is ok!

########## gcc ##########

/usr/bin/gcc
OK

########## make ##########

/usr/bin/make
OK

########## lex ##########

/usr/bin/lex
OK

########## g++ ##########

ERROR: g++ not found!


Any ideas?

till
29th January 2007, 10:34
The c++ compiler is missing. Please install the c++ compiler from your linux distribution and run the setup again.

And please make a new thread the next time and don't post your question to a thread that handles other problems. It will confuse users when they read the thread. Thanks :)

celtic
29th January 2007, 18:52
After some investigation this looked the best topic to post and in the end the problem was completely different. Sorry for the inconvenience but after installing c++ the "upgrade" looked like a smooth operation and the server is running well again on port 81.

Mission accomplished.

Thanks again for the brilliant support and kind regards.

Institoris
18th April 2007, 13:49
The c++ compiler is missing. Please install the c++ compiler from your linux distribution and run the setup again.


I have the same problem:

which: no g++ in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/libexec)
ERROR: g++ not found!


Though, such packages as cpp, gcc, libgcc are installed. Where can the problem be?

P.S. The OS is FC4

till
18th April 2007, 13:53
Please run:

yum install gcc-c++

Institoris
18th April 2007, 14:12
till, Thanks!

nenad
25th July 2007, 08:23
Hi,

I am stuck with an old problem: web browser won't connect to ISPConfig control panel.
1. ISPConfig is up and running.
2. SSL certificate is recreated, ISPConfig is restarted.
3. No firewall is preventing access to the port or domain.

Firefox and Internet Explorer just display a short message about an invalid certificate signature.
Then I tried to connect with text-based Lynx from localhost. It complains about:

Can't find common name in certificate

After that (if I accept) it goes straight to login window. Therefore I assume ISPConfig works.

Now, I tried to recreate the certificate once again, and then I noticed that it does not offer / ask for a CA Name ???

What should I do? It seems that I made some mistake when I input CA name...?
---------------------------------------------
It is brand new install of Debian Etch box, with latest ISPConfig.

nenad
25th July 2007, 08:32
Update:

Problem solved with reboot (I was rebooting server while I was typing this message).

However I don't find it an elegant solution: to reboot the server.

During the restart of ISPConfig I noticed that there was a message about, uhhmm, sorry for not remembering quite well, but it was about some apache ctl module being already started...

Is it possible that I should restart some daemon responsible for SSL ?

Regards,
Nenad

falko
26th July 2007, 19:11
I think an ISPConfig restart or server reboot is fine. :)

nenad
27th July 2007, 00:44
That's what I was worried about: ISPConfig restart didn't help, only server reboot resolved the issue.

greenhornet
29th July 2007, 17:45
Guys,
I have followed Falko's instructions but I'm still being asked for a password every time I restart ISPconfig. Suggestions on what I'm doing wrong?

daveb
29th July 2007, 18:46
Sounds like you are pressing Y "yes" instead of N "no" during step 7 and 8 of SSL certificate creation, which encrypts the private key. You will always be asked for a password whenever you want to restart your ISPConfig system if the private key is encrypted.

greenhornet
29th July 2007, 20:05
Sounds like you are pressing Y "yes" instead of N "no" during step 7 and 8 of SSL certificate creation, which encrypts the private key. You will always be asked for a password whenever you want to restart your ISPConfig system if the private key is encrypted.


There is no step 7 in the key regen that Falko posted unless I'm missing something. I think I did select that option originally yes, but now I need to undo it which is what I thought the instructions on page 1 were for.

till
30th July 2007, 09:41
Please recreate the SSL certificate as described here:

http://www.howtoforge.com/forums/showthread.php?t=121&highlight=firefox+8182

greenhornet
30th July 2007, 15:34
Please recreate the SSL certificate as described here:

http://www.howtoforge.com/forums/showthread.php?t=121&highlight=firefox+8182

It doesn't make any difference. I'm still being prompted for a password on restart of ISPconfig. Are we SURE that recreating the SSL cert will change the option to not ask for a password on startup of ISPconfig?

edge
30th July 2007, 15:54
It doesn't make any difference. I'm still being prompted for a password on restart of ISPconfig. Are we SURE that recreating the SSL cert will change the option to not ask for a password on startup of ISPconfig?

From the install instructions:

In step 7 ("Encrypting RSA private key of CA with a pass phrase for security [ca.key]") and step 8 ("Encrypting RSA private key of SERVER with a pass phrase for security [server.key]") of the certificate creation process you are asked if you want to encrypt the respective key now. Choose n there because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!

http://www.ispconfig.org/images/installation2.png

I think that they are sure.

greenhornet
30th July 2007, 15:58
I'm not getting to any of those steps when I change the cert. I'm only getting prompted for the typical cert stuff (ie. country code, state, etc).

falko
30th July 2007, 17:28
Is this what you did?
http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4
Maybe you made a typo somewhere.

greenhornet
30th July 2007, 17:35
Is this what you did?
http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4
Maybe you made a typo somewhere.

I've done this 5 times. I'm POSITIVE I did not typo. Here's my exact entry (with my password changed):

openssl genrsa -des3 -passout pass:xxxxxxx -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:xxxxxxx -passout pass:xxxxxxx -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:xxxxxxx -passout pass:xxxxxxx -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:xxxxxxx -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

daveb
30th July 2007, 20:25
If greenhornet has
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

wouldn't he have to at least
chmod 600 /root/ispconfig/httpd/conf/ssl.key/server.key
before he tried to create a new cert so it could be rewritten?

falko
31st July 2007, 14:21
I've done this 5 times. I'm POSITIVE I did not typo. Here's my exact entry (with my password changed):

openssl genrsa -des3 -passout pass:xxxxxxx -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:xxxxxxx -passout pass:xxxxxxx -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:xxxxxxx -passout pass:xxxxxxx -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:xxxxxxx -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Did you run the commands one-by-one instead of all at once? Did you accept all default values?

greenhornet
31st July 2007, 16:27
Did you run the commands one-by-one instead of all at once? Did you accept all default values?

Running them individually solved the problem. Earlier posts did not specify that as being necessary so I did not assume it was. Thanks guys!
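The password prompt discussed above appears whenever the key Apache loads is still passphrase-encrypted, so the quickest check after regenerating is to look at the key file itself. As an added example (not part of the original posts), this script classifies a PEM private key by its header lines and checks that its mode is owner-only; the sample files are constructed with placeholder bodies and the function names are mine.

```shell
#!/bin/sh
# Added example: report whether a PEM private key is passphrase-encrypted
# and whether its file mode exposes it to group or other.

# key_state FILE -> encrypted | plain | unknown | unreadable
key_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted key
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM, e.g. "genrsa -des3" on older OpenSSL
    elif grep -q -e '^-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$1"; then
        echo plain          # Apache can load this without prompting
    else
        echo unknown
    fi
}

# key_mode_ok FILE -> exit 0 if group and other have no permission bits
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_key FILE -> one summary line per key
audit_key() {
    state=$(key_state "$1")
    if key_mode_ok "$1"; then mode=owner-only; else mode=too-open; fi
    echo "$1: $state, $mode"
}

# Constructed files: real PEM header lines, placeholder bodies, no key material.
tmp=$(mktemp -d)
cat > "$tmp/server.key2" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

(placeholder body)
-----END RSA PRIVATE KEY-----
EOF
cat > "$tmp/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(placeholder body)
-----END RSA PRIVATE KEY-----
EOF
cat > "$tmp/pkcs8.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
(placeholder body)
-----END ENCRYPTED PRIVATE KEY-----
EOF
chmod 644 "$tmp/server.key2"
chmod 400 "$tmp/server.key" "$tmp/pkcs8.key"

for f in "$tmp/server.key2" "$tmp/server.key" "$tmp/pkcs8.key"; do
    audit_key "$f"
done
```

Run `audit_key /root/ispconfig/httpd/conf/ssl.key/server.key` after the last command of the regeneration sequence; an `encrypted` result means the decryption step did not produce the file Apache is reading.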

steven_twente
9th December 2007, 00:04
Hi guys,

First, let me once again say that I love your software and your support! :)

I have a small problem with generating the ISPConfig SSL certificate..
Generating the certificate itself works just fine and when I direct my browser to https://mydomain.net:81 the browser presents me with an error stating that the certificate is not signed by an official CA etc. This is normal because the certificate is self-signed. But then the browser presents me with a second error, now stating that the domain of the certificate does not match the domain I tried to access. It says the domain the certificate is assigned to is "" (blank). Is there a way to fix this? I already tried re-generating the certificate using the commands specified earlier in this thread.

**EDIT:**
Ok, I (partially) managed to solve the problem. It seems that the 'Common name' is the one that I should fill in properly in order to correct the error. Sorry if this is obvious to you guys :P But when I tried to connect to my mailuser login I got the same error.
That is, if I connected to https://www.mydomain.net:81 I got no error stating that my domains do not match, but if I connected to https://www.mydomain.net:81/mailuser I did get an error stating the domains do not match.

I found out that if I change the common name to mydomain.net (without the www) and I direct my browser to http://mydomain.net:81/mailuser it all goes well. I suppose the problem lies in the fact that I initially chose my FQDN to be mydomain.net instead of www.mydomain.net thus making ISPConfig 'internally' redirect requests to http://mydomain.net:81/mailuser instead of http://www.mydomain.net:81/mailuser. Does this sound sensible? Anyway, I think I'm happy the way it is now :) So thanks again for the great howto's and ISPConfig!

Greets, Steven
- The Netherlands
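The blank and mismatched domain warnings described in this post both come from the certificate's Common Name. As an added example (not part of the original post), this script extracts the CN from the subject line printed by `openssl x509 -noout -subject` in either the older slash-separated or the newer comma-separated layout and compares it with the hostname in the URL; the subject lines are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added example: compare the hostname you browse to with a certificate's CN.
# Obtain the subject line with, for the certificate path used in this thread:
#   openssl x509 -noout -subject -in /root/ispconfig/httpd/conf/ssl.crt/server.crt

# cert_cn: read a subject line on stdin, print the CN (empty if none).
# Handles "subject= /C=../CN=host/..." and "subject=C = .., CN = host".
cert_cn() {
    sed -n 's|^subject.*[=/ ]CN *= *\([^,/]*\).*$|\1|p'
}

# cn_matches HOST CN -> exit 0 on a case-insensitive match.
# A CN of the form *.example.org covers exactly one left-most label.
cn_matches() {
    h=$(printf %s "$1" | tr 'A-Z' 'a-z')
    c=$(printf %s "$2" | tr 'A-Z' 'a-z')
    [ -n "$c" ] || return 1           # blank CN never matches
    case "$c" in
        \*.*)
            rest=${c#\*.}
            label=${h%%.*}
            [ -n "$label" ] && [ "$h" = "$label.$rest" ] ;;
        *)
            [ "$h" = "$c" ] ;;
    esac
}

# check_host HOST SUBJECT_LINE -> "match" or "mismatch (CN='...')"
check_host() {
    found=$(printf '%s\n' "$2" | cert_cn)
    if cn_matches "$1" "$found"; then
        echo "match"
    else
        echo "mismatch (CN='$found')"
    fi
}

# Constructed subject lines using the placeholder domain from the post.
SUBJ_OLD='subject= /C=NL/ST=Some-State/O=Example/CN=www.mydomain.net/emailAddress=admin@mydomain.net'
SUBJ_NEW='subject=C = NL, ST = Some-State, O = Example, CN = mydomain.net'
SUBJ_BLANK='subject= /C=NL/ST=Some-State/O=Example'

check_host www.mydomain.net "$SUBJ_OLD"     # name in URL equals CN
check_host mydomain.net     "$SUBJ_OLD"     # redirect to the bare domain
check_host mydomain.net     "$SUBJ_NEW"
check_host mydomain.net     "$SUBJ_BLANK"   # certificate created with no CN
```

Current browsers match the hostname against the certificate's subjectAltName entries rather than the CN, so a certificate generated today also needs the name listed there.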

steven_twente
9th December 2007, 02:56
Hi :)
*See post above..*
Just a small question about the courier SSL certificate.. (I hope this is the right thread to post this.) As you can see from my post above I managed to re-generate the SSL certificates for ISPConfig. Thanks to the 'perfect setup' howto for ubuntu 7.10 I also managed to do this for the postfix SSL certificate, which was also giving me an error about non-matching domains. It all works very smoothly now, except for the Courier pop3-ssl server. Since that SSL certificate is auto-generated by courier upon installation I don't know how to modify it in order to get matching domains. In fact, all I want to do is change the 'Common name' setting of the certificate. To do this I suppose I need to regenerate the certificate for courier. Does anyone know a way to do this without messing up anything?

**EDIT:**
Ok, I also managed to solve this one. :) Sorry for these self-answered posts, but I'm posting them anyway in case someone else is having the same problem. In order to get the Courier pop3 SSL certificate working I did the following:

(WARNING! This worked for me, I am not sure it will work for everyone. I am running an Ubuntu 7.10 'perfect server', installed using the Perfect Server Howto found here (http://www.howtoforge.com/perfect_server_ubuntu7.10). If you are running something else, at least check the paths before trying this. Also, I am not aware of any nasty side-effects. For me there don't seem to be any.)

- First edit the file '/etc/courier/pop3d.cnf' This contains the defaults used by mkpop3dcert (the tool used by courier to create a self-signed certificate).
# vim /etc/courier/pop3d.cnf
- Then re-generate the .pem file using mkpop3dcert. (Perhaps it is wise to backup the original first..)
# cd /usr/lib/courier
# cp pop3d.pem pop3d.pem-orig
# mkpop3dcert
(As you can see I did not add './' to the mkpop3dcert command. It seems to be in my path..)
- Next we copy the new .pem to the dir used by courier. (I also backup the original first..)
# cp /etc/courier/pop3d.pem /etc/courier/pop3d.pem-orig
# cp /usr/lib/courier/pop3d.pem /etc/courier/pop3d.pem
- And make sure the permissions are correct.
# chmod 600 /etc/courier/pop3d.pem
- Finally reload the courier ssl server.
# /etc/init.d/courier-pop-ssl force-reload

Greets, Steven

ubuntulinux
27th February 2008, 01:55
openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key


I did this and I could get in ISPConfig and log in with admin too.

Then I JUST RESTARTED the PC and I can no longer log in!! It shows these errors on the page:

Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on '127.0.0.1' (4) in /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php on line 77

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'admispconfig'@'localhost' (using password: NO) in /home/admispconfig/ispconfig/web/login/login.php on line 40

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/admispconfig/ispconfig/web/login/login.php on line 40

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'admispconfig'@'localhost' (using password: NO) in /home/admispconfig/ispconfig/web/login/login.php on line 41

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/admispconfig/ispconfig/web/login/login.php on line 41

Warning: Cannot modify header information - headers already sent by (output started at /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php:77) in /home/admispconfig/ispconfig/web/login/login.php on line 60



I tried to restart ISPConfig but it says this:

root@linuxsrv:~# /etc/init.d/ispconfig_server restart
Shutting down ISPConfig system...
/root/ispconfig/httpd/bin/apachectl stop: httpd stopped
ISPConfig system stopped!
Starting ISPConfig system...
/root/ispconfig/httpd/bin/apachectl startssl: httpd started
Could not connect to MySQL server!ISPConfig system is now up and running!


WHAT CAN I DO? Please help me.

Thank you.

till
27th February 2008, 08:25
Please start the mysql server:

/etc/init.d/mysql start

or

/etc/init.d/mysqld start

ubuntulinux
27th February 2008, 11:13
root@linuxsrv:~# /etc/init.d/mysql start
* Starting MySQL database server mysqld [ OK ]

I did that but it remains the same. :S

I still cannot log in to ISPConfig. The first time I logged in everything went fine. I just shut down my system and then I turned it on and ISPConfig simply doesn't allow any login.

Here are the errors again when I try to log in:

Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on '127.0.0.1' (4) in /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php on line 77

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'admispconfig'@'localhost' (using password: NO) in /home/admispconfig/ispconfig/web/login/login.php on line 40

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/admispconfig/ispconfig/web/login/login.php on line 40

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'admispconfig'@'localhost' (using password: NO) in /home/admispconfig/ispconfig/web/login/login.php on line 41

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/admispconfig/ispconfig/web/login/login.php on line 41

Warning: Cannot modify header information - headers already sent by (output started at /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php:77) in /home/admispconfig/ispconfig/web/login/login.php on line 60

What is going on? :S
Please help me.
Thank you

falko
28th February 2008, 18:59
What's the name of the MySQL user you're using in /home/admispconfig/ispconfig/lib/config.inc.php? Should be root.

matey
12th March 2009, 11:29
Excellent thread. :cool:
Thanks to everyone for questions and answers (I can't believe I read the whole thing, even most of the error codes)!
This reminds me of the nightmare I went thru last year with expired certs. I wish I had been here back then. :)

odcheck
3rd August 2009, 18:41
Try this:

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key

Restart ISPConfig afterwards.

I guess this happens a lot of times :-) That people have got special chars in their passwords which will cause that.

Thanks again Falko

falko
11th November 2009, 15:05
How do we get rid of 446 in the url.

That's not possible because 446 is not the default port.

dwn77
31st March 2010, 16:19
Dear! Friend! Falko! Thank you for your tutorial and also by its indirect support! ;-)

It was a sure shot!

Solution, add a per-line, and problem solved!

Has earned a few beers!

Remind me to pay him some when I pass it around! :rolleyes: