  #1  
Old 24th January 2012, 16:35
fxs fxs is offline
reinstall postfix after securing-short question

Hi,

I'm on debian 6 ispconfig3.042 roundcube apache2 (kernel version OVH)
The background (in short):
I followed the tutorial Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL.
Apache 2 failed and everything was down.

To restart I had to use:
Code:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php
The short urgent question
Webmail is down because it wants certificates. How can I cancel these lines?
Quote:
cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'
By now I would like to restart postfix/dovecot

Thanks for your help
best regards
  #2  
Old 25th January 2012, 02:20
fxs fxs is offline

This night I tried a couple of times to secure ISPConfig 3 and failed.
In addition the websites were down for hours. I got these lines:
Quote:
[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxxxxx:443 has no VirtualHosts
[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxxxxxxx:80 has no VirtualHosts
[Wed Jan 25 00:08:24 2012] [warn] NameVirtualHost xxxxxxx:443 has no VirtualHosts
Action 'start' failed.
My feeling is that there are two (coincidental?) problems:

1) the computer doesn't understand the key given by startssl (it looks for something written like xxxxxxx.ovh.net.crt and xxxxxxx.ovh.net.key and not for something including the domain name) (apache log).
Then this error forces apache2 to crash.
So I decided to disable SSL

2) in the apache log, there is also this message:
Quote:
[Wed Jan 25 00:12:42 2012] [warn] Init: (xxxxxxx:443) You configured HTTP(80) on the standard HTTPS(443) port!
What’s wrong? What does it mean? How to solve that?

To disable SSL I commented some lines (default-ssl):
Code:
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        >>>>>>>># SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        # SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        >>>>>>>#  SSLCertificateFile /etc/ssl/certs/xxxxxxx.ovh.net.crt
        >>>>>>>#  SSLCertificateKeyFile /etc/ssl/private/xxxxxxx.ovh.net.key
and ispconfigvhost
Code:
# SSL Configuration
>>>>>>>>#  SSLEngine On
>>>>>>>#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
>>>>>>>#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.ke
Is it safe to do that?
Is there a better way to disable SSL?

Do I have something else to do?

thanks for any inputs

best regards
  #3  
Old 25th January 2012, 16:57
falko falko is offline

Can you post the outputs of ls -la /usr/local/ispconfig/interface/ssl/ and ls -la /etc/postfix/?

What's in your ISPConfig vhost?
__________________
Falko
  #4  
Old 25th January 2012, 21:15
fxs fxs is offline

hello

ls -la /usr/local/ispconfig/interface/ssl/

Quote:
total 60
drwxr-s--- 2 ispconfig ispconfig 4096 24 janv. 23:51 .
drwxr-s--- 7 ispconfig ispconfig 4096 7 sept. 18:52 ..
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 23:49 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 08:23 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1760 24 janv. 23:30 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 24 janv. 23:30 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 24 janv. 23:29 ispserver.key.secure
-rwxr-x--- 1 ispconfig ispconfig 11178 24 janv. 23:51 ispserver.pem
-rwxr-x--- 1 ispconfig ispconfig 2760 7 mai 2008 startssl.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 4972 24 janv. 23:51 startssl.chain.class1.server.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 startssl.sub.class1.server.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 sub.class1.server.ca.pem.1
ls -la /etc/postfix/

Quote:
total 196
drwxr-xr-x 3 root root 4096 25 janv. 00:00 .
drwxr-xr-x 99 root root 4096 24 janv. 08:11 ..
-rw-r--r-- 1 root root 0 25 janv. 00:00 body_checks
-rw-r--r-- 1 root root 373 7 sept. 18:25 dynamicmaps.cf
-rw-r--r-- 1 root root 0 25 janv. 00:00 header_checks
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf~
-rw-r--r-- 1 root root 3489 25 janv. 00:00 main.cf~2
-rw-r--r-- 1 root root 3490 25 janv. 00:00 main.cf~3
-rw-r--r-- 1 root root 3402 15 déc. 17:55 main.cf.bak
-rw-r--r-- 1 root root 6159 25 janv. 00:00 master.cf
-r-------- 1 root root 6159 25 janv. 00:00 master.cf~
content of ISPConfig vhost

Code:
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

 Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options Indexes FollowSymLinks MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  <IfModule mod_php5.c>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      Options FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
          php_value magic_quotes_gpc        0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
#  SSLEngine On
#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
# ## must be re-added after an ISPConfig update!!!
#  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt

</VirtualHost>

<Directory /var/www/php-cgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /var/www/php-fcgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
Thanks

best regards
  #5  
Old 26th January 2012, 02:01
fxs fxs is offline

I thought there was a mistake here: sub.class1.server.ca.pem.1
(see prev thread)
Then I corrected it
Quote:
ls -l /usr/local/ispconfig/interface/ssl/
total 52
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 23:49 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2963 24 janv. 08:23 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1760 24 janv. 23:30 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 24 janv. 23:30 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 24 janv. 23:29 ispserver.key.secure
-rwxr-x--- 1 ispconfig ispconfig 11178 24 janv. 23:51 ispserver.pem
-rwxr-x--- 1 ispconfig ispconfig 2760 7 mai 2008 startssl.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 4972 24 janv. 23:51 startssl.chain.class1.server.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 startssl.sub.class1.server.ca.crt
-rwxr-x--- 1 ispconfig ispconfig 2212 18 avril 2010 sub.class1.server.ca.pem
and get again
Quote:
Restarting web server: apache2[Thu Jan 26 01:28:09 2012] [warn] NameVirtualHost xxxxxx:80 has no Virtual Hosts
[Thu Jan 26 01:28:09 2012] [warn] NameVirtualHost xxxxxxxx:443 has no VirtualHosts
... waiting [Thu Jan 26 01:28:10 2012] [warn] NameVirtualHost xxxxx:80 has no VirtualHosts
[Thu Jan 26 01:28:10 2012] [warn] NameVirtualHost xxxxxxx:443 has no VirtualHosts
Action 'start' failed.
The Apache error log may have more information.
failed!
Comments again and restart. This is the apache log
Quote:
[Thu Jan 26 01:28:10 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Jan 26 01:32:13 2012] [warn] Init: (nsxxxxxx.ovh.net:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Thu Jan 26 01:32:13 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Jan 26 01:32:13 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 26 01:32:13 2012] [notice] Digest: done
[Thu Jan 26 01:32:13 2012] [warn] Init: (xxxxxxx.ovh.net:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Thu Jan 26 01:32:13 2012] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze3 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
I see again the double errors.
It also looks like this discussion: http://www.howtoforge.com/for...ad.php?t=55522.
  #6  
Old 26th January 2012, 08:15
fxs fxs is offline

I forgot to display these error messages:
Quote:
Mail - Log
Jan 26 07:15:01 nsxxxx postfix/smtpd[18716]: warning: TLS library problem: 18716:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:
Mail-Warn - Log
Jan 26 03:30:01 nsxxxxx postfix/smtpd[26337]: warning: cannot get RSA private key from file /etc/postfix/smtpd.key: disabling TLS support
Mail-Error - Log
Jan 25 01:31:45 xxxxx dovecot: pop3-login: Fatal: Can't load private key file /etc/postfix/smtpd.key: Key is for a different cert than /etc/postfix/smtpd.cert
Thanks for your help
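The `key values mismatch` errors quoted in the posts above are OpenSSL reporting that a private key does not belong to the certificate it was loaded with. The following is an added example, not part of the thread or of the tutorial it refers to: it makes the same comparison by hand for RSA keys, so a pair can be checked before Apache, Postfix or Dovecot is restarted. The function names are made up for this example; the paths in the usage comment are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: confirm that a PEM certificate and an RSA private key belong
# together. Usage (paths as shown in the thread):
#   sh check_pairs.sh /etc/postfix/smtpd.cert /etc/postfix/smtpd.key \
#       /usr/local/ispconfig/interface/ssl/ispserver.crt \
#       /usr/local/ispconfig/interface/ssl/ispserver.key

# Print the public key embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from an RSA private key. The empty -passin
# keeps openssl from prompting when the key is passphrase-protected; such a
# key is then reported as unreadable.
key_pubkey() {
    openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null </dev/null
}

# Return 0 if cert and key match, 1 on mismatch, 2 if either file is
# unreadable (missing, dangling symlink, encrypted or malformed).
cert_key_match() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ] || return 1
    return 0
}

# Check consecutive "cert key" argument pairs; non-zero if any pair fails.
check_pairs() {
    rc=0
    while [ "$#" -ge 2 ]; do
        pair_st=0
        cert_key_match "$1" "$2" || pair_st=$?
        case $pair_st in
            0) echo "OK          $1 <-> $2" ;;
            1) echo "MISMATCH    $1 <-> $2"; rc=1 ;;
            *) echo "UNREADABLE  $1 <-> $2"; rc=1 ;;
        esac
        shift 2
    done
    return "$rc"
}

# Run only when pairs are given on the command line.
[ "$#" -eq 0 ] || check_pairs "$@"
```

Symlinks are followed, so checking `/etc/postfix/smtpd.cert` against `/etc/postfix/smtpd.key` tests whatever files the links currently point to.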
  #7  
Old 27th January 2012, 11:42
falko falko is offline

Quote:
Originally Posted by fxs View Post
ls -la /etc/postfix/
Where are smtpd.key and smtpd.cert? They are not in your output...
__________________
Falko
  #8  
Old 27th January 2012, 18:24
fxs fxs is offline

Quote:
Where are smtpd.key and smtpd.cert? They are not in your output...
Hello,

I made a clean installation starting from point zero.
Then I followed the tutorial from point 1 to 4
Then there's a crash.
Then I stop at point 4

Point 6: cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

The following morning I forgot to create again smtpd.cert and ispserver.key smtpd.key.

I will try again at midnight with these keys to see if anything changes.
In addition, I'll give a try on a second server with the same config to see what happens.

Thanks