HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   reinstall postfix after securing-short question (http://www.howtoforge.com/forums/showthread.php?t=55897)

fxs 24th January 2012 16:35

reinstall postfix after securing-short question
 
Hi,

I'm on Debian 6, ISPConfig 3.042, Roundcube, Apache 2 (OVH kernel version).
The background (in short):
I followed the tutorial Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL.
Apache 2 failed and everything was down.

To restart I had to use:
Code:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

The short urgent question:
Webmail is down because it wants certificates. How can I cancel these lines?
Quote:

cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'
Now I would like to restart Postfix/Dovecot.

Thanks for your help
best regards

fxs 25th January 2012 02:20

Last night I tried a couple of times to secure ISPConfig 3 and failed.
In addition the websites were down for hours. I got these lines:
Quote:

[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxxxxx:443 has no VirtualHosts
[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxxxxxxx:80 has no VirtualHosts
[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxx:443 has no VirtualHosts
Action 'start' failed.
My feeling is that there are two (coincidental?) problems:

1) The computer doesn't understand the key given by StartSSL (it looks for something named like xxxxxxx.ovh.net.crt and xxxxxxx.ovh.net.key and not for something including the domain name, according to the Apache log).
This error then forces Apache 2 to crash.
So I decided to disable SSL.

2) In the Apache log, there is also this message:
Quote:

Wed Jan 25 00:12:42 2012] [warn] Init: (xxxxxxx:443) You configured HTTP(80) on the standard HTTPS(443) port!
What's wrong? What does it mean? How can I solve that?

To disable SSL I commented out some lines (default-ssl):
Code:

        #  SSL Engine Switch:
        #  Enable/Disable SSL for this virtual host.
        >>>>>>>># SSLEngine on

        #  A self-signed (snakeoil) certificate can be created by installing
        #  the ssl-cert package. See
        #  /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #  If both key and certificate are stored in the same file, only the
        #  SSLCertificateFile directive is needed.
        # SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        >>>>>>>#  SSLCertificateFile /etc/ssl/certs/xxxxxxx.ovh.net.crt
        >>>>>>>#  SSLCertificateKeyFile /etc/ssl/private/xxxxxxx.ovh.net.key

and in ispconfig.vhost:
Code:

# SSL Configuration
>>>>>>>>#  SSLEngine On
>>>>>>>#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
>>>>>>>#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.ke

Is it safe to do that?
Is there a better way to disable SSL?

Do I have something else to do?

Thanks for any input.

best regards

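The two Apache messages quoted in the post above come from different places. "NameVirtualHost xxx:443 has no VirtualHosts" and "You configured HTTP(80) on the standard HTTPS(443) port!" are what mod_ssl logs when Apache still listens on port 443 (Listen 443 in ports.conf) but the vhost on that port has SSLEngine commented out, so it is serving plain HTTP there; both are warnings, not the cause of "Action 'start' failed". The fatal one is the "X509_check_private_key:key values mismatch" error that appears later in the thread. As an added example, not the poster's files or the tutorial's text, here is what the two states of a default-ssl vhost look like side by side; PLACEHOLDER.example.com is an assumed server name and the certificate paths are the ones quoted in the thread:

```apache
# Added example, not configuration from the thread. PLACEHOLDER.example.com
# is an assumed name; the /usr/local/ispconfig/interface/ssl/ paths are the
# ones the thread quotes.

# State that produces the warnings: Apache still has "Listen 443", the vhost
# is bound to *:443, but SSLEngine is commented out, so port 443 speaks
# plain HTTP and mod_ssl logs
#   "You configured HTTP(80) on the standard HTTPS(443) port!"
#<VirtualHost _default_:443>
#    ServerName PLACEHOLDER.example.com
#    # SSLEngine on           <- commented out: HTTP on 443
#    # SSLCertificateFile ...
#</VirtualHost>

# Working state: SSL on, with a certificate whose private key matches it,
# and the intermediate chain so clients can validate the StartSSL cert.
<VirtualHost _default_:443>
    ServerName PLACEHOLDER.example.com
    SSLEngine on
    SSLCertificateFile      /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile   /usr/local/ispconfig/interface/ssl/ispserver.key
    SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
</VirtualHost>

# If SSL really has to be switched off for a while, disable the whole site
# instead of commenting single directives, so nothing is left bound to 443:
#   a2dissite default-ssl && /etc/init.d/apache2 restart
```

Disabling the site with a2dissite removes the vhost on 443 entirely, which is why it does not produce the "HTTP on 443" warning; commenting only SSLEngine leaves the port bound and the warning in place.
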
falko 25th January 2012 16:57

Can you post the outputs of ls -la /usr/local/ispconfig/interface/ssl/ and ls -la /etc/postfix/?

What's in your ISPConfig vhost?

fxs 25th January 2012 21:15

hello

ls -la /usr/local/ispconfig/interface/ssl/

Quote:

total 60
drwxr-s--- 2 ispconfig ispconfig 4096 24 janv. 23:51 .
drwxr-s--- 7 ispconfig ispconfig 4096 7 sept. 18:52 ..
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 23:49 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 08:23 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1760 24 janv. 23:30 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 24 janv. 23:30 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 24 janv. 23:29 ispserver.key.secure
-rwxr-x--- 1 ispconfig ispconfig 11178 24 janv. 23:51 ispserver.pem
-rwxr-x--- 1 ispconfig ispconfig 2760 7 mai 2008 startssl.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 4972 24 janv. 23:51 startssl.chain.class1.server.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 startssl.sub.class1.server.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 sub.class1.server.ca.pem.1
ls -la /etc/postfix/

Quote:

total 196
drwxr-xr-x 3 root root 4096 25 janv. 00:00 .
drwxr-xr-x 99 root root 4096 24 janv. 08:11 ..
-rw-r--r-- 1 root root 0 25 janv. 00:00 body_checks
-rw-r--r-- 1 root root 373 7 sept. 18:25 dynamicmaps.cf
-rw-r--r-- 1 root root 0 25 janv. 00:00 header_checks
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf~
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf~2
-rw-r--r-- 1 root root 3490 25 janv. 00:00 main.cf~3
-rw-r--r-- 1 root root 3402 15 déc. 17:55 main.cf.bak
-rw-r--r-- 1 root root 6159 25 janv. 00:00 master.cf
-r-------- 1 root root 6159 25 janv. 00:00 master.cf~
Content of the ISPConfig vhost:

Code:

######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

 Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options Indexes FollowSymLinks MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  <IfModule mod_php5.c>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      Options FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
          php_value magic_quotes_gpc        0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
#  SSLEngine On
#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
# ## must be re-added after an ISPConfig update!!!
#  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt

</VirtualHost>

<Directory /var/www/php-cgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /var/www/php-fcgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

Thanks

best regards

fxs 26th January 2012 02:01

I thought there was a mistake here: sub.class1.server.ca.pem.1
(see previous thread)
Then I corrected it:
Quote:

ls -l /usr/local/ispconfig/interface/ssl/
total 52
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 23:49 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 08:23 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1760 24 janv. 23:30 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 24 janv. 23:30 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 24 janv. 23:29 ispserver.key.secure
-rwxr-x--- 1 ispconfig ispconfig 11178 24 janv. 23:51 ispserver.pem
-rwxr-x--- 1 ispconfig ispconfig 2760 7 mai 2008 startssl.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 4972 24 janv. 23:51 startssl.chain.class1.server.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 startssl.sub.class1.server.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 sub.class1.server.ca.pem

and got again:
Quote:

Restarting web server: apache2[Thu Jan 26 01:28:09 2012] [warn] NameVirtualHost xxxxxx:80 has no Virtual Hosts
[Thu Jan 26 01:28:09 2012] [warn] NameVirtualHost xxxxxxxx:443 has no VirtualHosts
... waiting [Thu Jan 26 01:28:10 2012] [warn] NameVirtualHost xxxxx:80 has no VirtualHosts
[Thu Jan 26 01:28:10 2012] [warn] NameVirtualHost xxxxxxx:443 has no VirtualHosts
Action 'start' failed.
The Apache error log may have more information.
failed!
Commented out again and restarted. This is the Apache log:
Quote:

[Thu Jan 26 01:28:10 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Jan 26 01:32:13 2012] [warn] Init: (nsxxxxxx.ovh.net:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Thu Jan 26 01:32:13 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Jan 26 01:32:13 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 26 01:32:13 2012] [notice] Digest: done
[Thu Jan 26 01:32:13 2012] [warn] Init: (xxxxxxx.ovh.net:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Thu Jan 26 01:32:13 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze3 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations

I see the double errors again.
It also looks like this discussion: http://www.howtoforge.com/for...ad.php?t=55522.

fxs 26th January 2012 08:15

I forgot to display these error messages:
Quote:

Mail - Log
an 26 07:15:01 nsxxxx postfix/smtpd[18716]: warning: TLS library problem: 18716:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:
Mail-Warn - Log
Jan 26 03:30:01 nsxxxxx postfix/smtpd[26337]: warning: cannot get RSA private key from file /etc/postfix/smtpd.key: disabling TLS support
Mail-Error - Log
Jan 25 01:31:45 xxxxx dovecot: pop3-login: Fatal: Can't load private key file /etc/postfix/smtpd.key: Key is for a different cert than /etc/postfix/smtpd.cert
Thanks for your help

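The three messages in the post above (Apache's "X509_check_private_key:key values mismatch", Postfix's "cannot get RSA private key from file /etc/postfix/smtpd.key: disabling TLS support" and Dovecot's "Key is for a different cert than /etc/postfix/smtpd.cert") all report the same condition: the private key the daemon is handed was not the one the certificate was issued for. As an added example, not code from the thread, from ISPConfig or from the tutorial, here is a small POSIX shell check that resolves the smtpd.cert/smtpd.key symlinks and compares the public key embedded in the certificate with the public key derived from the private key. The key pairs it generates under a temp directory are constructed for the demonstration; /etc/postfix/smtpd.cert and smtpd.key are the file names from the thread:

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): verify that a TLS
# certificate and a private key belong together, the check behind the
# "key values mismatch" errors from Apache, Postfix and Dovecot.

# Fingerprint of the public key inside a certificate; fails if unreadable.
cert_pubkey_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Fingerprint of the public key derived from a private key; fails if unreadable.
key_pubkey_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# cert_key_match CERT KEY: exit 0 if the pair matches, 1 otherwise.
# Symlinks (the smtpd.cert / smtpd.key layout used for Postfix) are resolved
# first so the report names the real files behind them.
cert_key_match() {
    cert=$(readlink -f "$1")
    key=$(readlink -f "$2")
    c=$(cert_pubkey_fp "$cert") || { echo "cannot read certificate: $cert" >&2; return 1; }
    k=$(key_pubkey_fp "$key")   || { echo "cannot read private key: $key" >&2; return 1; }
    if [ "$c" = "$k" ]; then
        echo "OK: $cert matches $key"
        return 0
    fi
    echo "MISMATCH: $cert was not issued for $key" >&2
    return 1
}

# Constructed sample data: two self-signed pairs (a, b) in a temp directory,
# plus a Postfix-style symlink layout where smtpd.key points at the wrong key,
# reproducing the situation the thread's log lines describe.
make_sample() {
    dir=$(mktemp -d)
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/$n.key" \
            -out "$dir/$n.crt" -days 1 -subj "/CN=example-$n" >/dev/null 2>&1
    done
    ln -s "$dir/a.crt" "$dir/smtpd.cert"
    ln -s "$dir/b.key" "$dir/smtpd.key"   # deliberately the key of the other pair
    echo "$dir"
}

# Usage: sh check_cert_key.sh /etc/postfix/smtpd.cert /etc/postfix/smtpd.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

Run it against the pair Postfix and Dovecot use (the smtpd.cert and smtpd.key symlinks) and against the Apache SSLCertificateFile/SSLCertificateKeyFile pair. Whichever pair fails is the one to fix at the source: either re-issue the certificate for the key currently in ispserver.key, or restore the key the certificate was issued for. Re-creating the symlinks cannot repair a mismatched pair, and a daemon that reads a mismatched pair behaves exactly as the logs show (Postfix disables TLS, Dovecot refuses to start).
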
falko 27th January 2012 11:42

Quote:

Originally Posted by fxs (Post 272318)
ls -la /etc/postfix/

Where are smtpd.key and smtpd.cert? They are not in your output...

fxs 27th January 2012 18:24

Quote:

Where are smtpd.key and smtpd.cert? They are not in your output...
Hello,

I made a clean installation starting from point zero.
Then I followed the tutorial from point 1 to 4.
Then there was a crash.
Then I stopped at point 4.

Point 6: cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

The following morning I forgot to create again smtpd.cert and ispserver.key smtpd.key.

I will try again at midnight with these keys to see if anything changes.
In addition, I'll give it a try on a second server with the same config to see what happens.

Thanks

fxs 27th January 2012 19:51

On the second server (smaller, but with Debian 6, ISPConfig 3 (OVH) upgraded to 3.042), this is what I get:

Quote:

root@ksxxxxx:/usr/local/ispconfig/interface/ssl# ls -l
total 20
-rw-r--r-- 1 root ispconfig 2963 Jan 27 18:56 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2394 Jan 27 18:46 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1765 Jan 27 18:46 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3247 Jan 27 18:46 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 Jan 27 18:45 ispserver.key.secure
root@ksxxxx:~# cd /usr/local/ispconfig/interface/ssl
root@ksxxxx:/usr/local/ispconfig/interface/ssl# wget https://www.startssl.com/certs/ca.pem
--2012-01-27 19:00:08-- https://www.startssl.com/certs/ca.pem
Resolving www.startssl.com... xxxxxxxxx
Connecting to www.startssl.com|xxxxxx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2760 (2.7K) [application/x-x509-ca-cert]
Saving to: `ca.pem'

100%[======================================>] 2,760 --.-K/s in 0s

2012-01-27 19:00:09 (30.6 MB/s) - `ca.pem' saved [2760/2760]

root@ksxxxxx:/usr/local/ispconfig/interface/ssl# wget https://www.startssl.com/certs/sub.class1.server.ca.pem
--2012-01-27 19:00:21-- https://www.startssl.com/certs/sub.class1.server.ca.pem
Resolving www.startssl.com... xxxxxxxxxxxx
Connecting to www.startssl.com|xxxxxxx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2212 (2.2K) [application/x-x509-ca-cert]
Saving to: `sub.class1.server.ca.pem'
100%[======================================>] 2,212 --.-K/s in 0s
2012-01-27 19:00:21 (38.9 MB/s) - `sub.class1.server.ca.pem' saved [2212/221
root@ksxxxx:/usr/local/ispconfig/interface/ssl# mv ca.pem startssl.ca.crt
root@ksxxxx:/usr/local/ispconfig/interface/ssl# mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
root@ksxxxxx:/usr/local/ispconfig/interface/ssl# cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
root@ksxxxx:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
root@ksxxxxx:/usr/local/ispconfig/interface/ssl# chmod 600 ispserver.pem
root@ksxxxx:/usr/local/ispconfig/interface/ssl# nano /etc/apache2/sites-available/ispconfig.vhost
root@ksxxx:/usr/local/ispconfig/interface/ssl# nano /etc/apache2/sites-available/ispconfig.vhost
root@ksxxx:/usr/local/ispconfig/interface/ssl# /etc/init.d/apache2 restart
Restarting web server: apache2[Fri Jan 27 19:04:43 2012] [warn] NameVirtualHost xxxxx:80 has no VirtualHosts
[Fri Jan 27 19:04:43 2012] [warn] NameVirtualHost xxxxx:443 has no VirtualHosts
... waiting [Fri Jan 27 19:04:44 2012] [warn] NameVirtualHost xxxx:80 has no VirtualHosts
[Fri Jan 27 19:04:44 2012] [warn] NameVirtualHost xxxxxx:443 has no VirtualHosts
Action 'start' failed.
The Apache error log may have more information.
failed!
and later:

Quote:

root@ksxxxxx:/usr/local/ispconfig/interface/ssl# ls -l
total 48
-rw-r--r-- 1 root ispconfig 2963 Jan 27 18:56 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2394 Jan 27 18:46 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1765 Jan 27 18:46 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3247 Jan 27 18:46 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 Jan 27 18:45 ispserver.key.secure
-rw------- 1 root ispconfig 11182 Jan 27 19:01 ispserver.pem
-rw-r--r-- 1 root ispconfig 2760 May 7 2008 startssl.ca.crt
-rw-r--r-- 1 root ispconfig 4972 Jan 27 19:00 startssl.chain.class1.server.crt
-rw-r--r-- 1 root ispconfig 2212 Apr 18 2010 startssl.sub.class1.server.ca.crt
root@ksxxxx:/usr/local/ispconfig/interface/ssl#
And inside ispconfig.vhost I see:

Quote:

# SSL Configuration
SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
## must be re-added after an ISPConfig update!!!
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt


falko 28th January 2012 12:50

Quote:

Originally Posted by fxs (Post 272497)
Hello,

I made a clean installation starting from point zero.
Then I followed the tutorial from point 1 to 4.
Then there was a crash.
Then I stopped at point 4.

What do you mean with "crash"?

Quote:

Originally Posted by fxs (Post 272497)
Point 6: cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

The following morning I forgot to create again smtpd.cert and ispserver.key smtpd.key.

Why do you want to create these again? :confused:

