#1  
Old 29th April 2012, 00:19
profm2 profm2 is offline
Junior Member
 
Join Date: Mar 2011
Posts: 12
Thanks: 2
Thanked 2 Times in 2 Posts
SSL issues

FIRST ISSUE:

With the recent release of Ubuntu 12.04LTS, I decided to clean off my system and redo my server.

I followed the HOWTO: Perfect Server for Ubuntu 11.10 with Nginx, and everything was good, even with 12.04LTS.

I then went and got an SSL Cert from StartSSL, following the HOWTO: Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL

I only have one host, mine, so I'm thinking that the SSL should work for allowing HTTPS requests to my server. Unfortunately, it does not. Looking through the /etc/nginx/sites-enabled/vhost files, it appears that the only thing that is secured via SSL is ISPConfig ... which is what the second howto does.

Since I'm only hosting one domain, is there a way I can use the same SSL certificate for securing both ISPConfig along with my site?

----------
SECOND ISSUE:

Ok, after going through the two above HOWTOs ... I'm now having issues with connecting to the server with Thunderbird. I can receive emails with IMAPS, my settings are - Connection security: SSL/TLS with a normal password on Port 993 (which is the default per Thunderbird).

On the outgoing (where I'm having issues), I think I've tried every combination available for SSL/TLS, STARTTLS. At this point, my guess is the port isn't open. Per Thunderbird, the default port for SSL/TLS is 465, and STARTTLS is 587. Normal SMTP is 25.

The error message that I'm getting when I use SSL/TLS with default port of 465 is:
Quote:
Sending of message failed.
The message could not be sent because connecting to SMTP server SERVERNAME.com failed. The server may be unavailable or is refusing SMTP connections. Please verify that your SMTP server settings are correct and try again, or contact the server administrator.
This would make it appear that the ports are messed up. When I use STARTTLS, I get the same message.

Any ideas?

Last edited by profm2; 29th April 2012 at 00:46. Reason: added email issues
  #2  
Old 29th April 2012, 12:47
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts

Quote:
Originally Posted by profm2 View Post
Since I'm only hosting one domain, is there a way I can use the same SSL certificate for securing both ISPConfig along with my site?
Yes - just enable SSL for the website and create a self-signed cert through ISPConfig, and afterwards you go to the website's ssl directory, delete the cert, key, csr, and create symlinks with the same names to where you stored your StartSSL cert.

Quote:
Originally Posted by profm2 View Post
SECOND ISSUE:

Ok, after going through the two above HOWTOs ... I'm now having issues with connecting to the server with Thunderbird. I can receive emails with IMAPS, my settings are - Connection security: SSL/TLS with a normal password on Port 993 (which is the default per Thunderbird).

On the outgoing (where I'm having issues), I think I've tried every combination available for SSL/TLS, STARTTLS. At this point, my guess is the port isn't open. Per Thunderbird, the default port for SSL/TLS is 465, and STARTTLS is 587. Normal SMTP is 25.

The error message that I'm getting when I use SSL/TLS with default port of 465 is: This would make it appear that the ports are messed up. When I use STARTTLS, I get the same message.

Any ideas?
What's the output of
Code:
netstat -tap
? Any errors in your mail log?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 30th April 2012, 00:59
profm2 profm2 is offline

Quote:
Yes - just enable SSL for the website and create a self-signed cert through ISPConfig, and afterwards you go to the website's ssl directory, delete the cert, key, csr, and create symlinks with the same names to where you stored your StartSSL cert.
Ok, did that. I'm guessing there's just one last step to enable Port 443 under Nginx. I do have the checkbox for SSL under the WebDomain->Domain tab checked, along with the info filled in for the SSL tab. I also verified that the System->Firewall allows port 443.

In the VHOST file under /etc/nginx/sites-enabled/100-SITENAME.vhost, I noticed that
Code:
server {
        listen *:80;
....
There is no "listen *:443;" ... so something is either incorrect, or not updating that vhost file.

Any thoughts? Thanks.

---------------------

EDIT: Ok, just poking around in my /etc/nginx/sites-available and found that I have a SITENAME.vhost.err file that DOES have the Listen 443 as the second line.

EDIT2: Upon further viewing of the log files at /var/log/ispconfig/cron.log, I found:
Code:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 75.x.x.x:443 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed
So, it would appear that my IP address that I told it, is causing the issue. Am I right that the IP should be the static IP of the machine as seen from the outside world? *OR* the static IP of the internal IP on my local network?

Last edited by profm2; 30th April 2012 at 01:41. Reason: more info
  #4  
Old 30th April 2012, 10:52
falko falko is offline

Quote:
Originally Posted by profm2 View Post
So, it would appear that my IP address that I told it, is causing the issue. Am I right that the IP should be the static IP of the machine as seen from the outside world? *OR* the static IP of the internal IP on my local network?
It must be an IP from the output of
Code:
ifconfig
The Following User Says Thank You to falko For This Useful Post:
profm2 (1st May 2012)
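
The bind() error in post #3 (errno 99) is what nginx reports when a listen directive names an address that is not assigned to any local interface, which is why the address has to come from the ifconfig output. An added example, not part of the thread: a shell check that compares a vhost's listen addresses with the host's own addresses. The function names, the sample vhost and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag nginx "listen" addresses that are not assigned locally.

# Print the IPv4 addresses assigned to this host, space-separated (iproute2).
local_ipv4() {
    ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); printf "%s ", $4 }'
}

# unbindable_listens VHOST_FILE "ADDR1 ADDR2 ..."
# Prints every "IP:port" listen target whose IP is not in the address list.
# Wildcard listens ("*:80") bind to all interfaces and are skipped.
unbindable_listens() {
    awk -v addrs="$2" '
        BEGIN { n = split(addrs, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "listen" {
            target = $2; sub(/;$/, "", target)
            if (target !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) next
            ip = target; sub(/:.*/, "", ip)
            if (!(ip in ok)) print target
        }' "$1"
}

# Constructed sample: a vhost for a host behind NAT where the public address
# (203.0.113.7, a documentation address) was entered as the server IP.
demo_vhost=$(mktemp)
trap 'rm -f "$demo_vhost"' EXIT
cat > "$demo_vhost" <<'EOF'
server {
        listen *:80;
        listen 203.0.113.7:443 ssl;
        listen 192.168.1.100:443 ssl;
}
EOF

# Constructed stand-in for the output of local_ipv4 on that host.
demo_addrs="127.0.0.1 192.168.1.100"

# Prints the one target nginx could not bind: 203.0.113.7:443
unbindable_listens "$demo_vhost" "$demo_addrs"
```

On a real host, pass "$(local_ipv4)" as the second argument and the generated vhost (or its .err copy) as the first.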
  #5  
Old 1st May 2012, 06:36
profm2 profm2 is offline

Ok, finally got the SSL cert working, and both HTTP and HTTPS work fine as well.

Onto the EMail issue. After much digging around, it appears that the issues in this HOWTO have come back to be a pain. However, following the comments below (and changing the /etc/postfix/sasl/smtpd.conf) seems to have cleared everything up.

Thanks again for the help.
  #6  
Old 1st May 2012, 23:25
ras ras is offline
Junior Member
 
Join Date: Jul 2011
Posts: 7
Thanks: 2
Thanked 2 Times in 1 Post
Apache error with SSL enabled

How did you get SSL working?

I have the same problems here, tried both setting the internal and external IP (now using the internal), creating an SSL certificate. But it writes an .err file into sites-available. For testing purposes I exchanged that .err file (which included a 443 section) with the vhost file (without 443 section) and apache was not able to restart. The only relevant error message I could find was:
[Tue May 01 22:35:12 2012] [error] [client 10.47.48.3] client denied by server configuration: /htdocs
  #7  
Old 2nd May 2012, 03:19
profm2 profm2 is offline

Ok, the steps that I took were:

1) Clean install from 12.04 (not required, but that is what I did) following the instructions from the Perfect Server for Ubuntu 11.10 w/ Nginx.

2) Follow the instructions for installing a Cert from StartSSL.

(both steps' Howto are in the first post)

3) In ISPConfig, in the System -> Server IP Addresses, created an entry for my server, using the internal address. In my case it's 192.168.1.100, the ifconfig address as mentioned by Falko. Make sure the ports specified are 80, 443.

4) In ISPConfig, in the Sites -> Websites, set up my webserver with the IP address from #3 in the IPv4 spot, and check the SSL checkbox a little lower down.

5) Go to the SSL tab in the Sites -> Website and type in your info that you used already to create the Cert and at the bottom of the screen for SSL Action select Create Certificate, and then Save.

6) The certificate is created (from ISPConfig) in /var/www/clients/clientX/webX/ssl

7) Take the certs created from step #2 and link them here ... so for instance I have a cert: URL.com.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
(do a 'ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt /var/www/clients/clientX/webX/ssl/URL.com.crt')

At this point, it SHOULD be set up. While doing mine, I had rebooted several times, so I would recommend after #7, reboot the server. You may not have to, but it never hurts.

NOTE: I just realized you were asking about Apache. I used Nginx for my webserver, however, with ISPConfig as a wrapper around us manually configuring the files, I believe the directories would be the same as far as the clients and such go. If you go into ISPConfig on the Sites -> Website -> Options tab, it'll tell you the actual directory for your client in "PHP open_basedir"

Last edited by profm2; 2nd May 2012 at 03:30. Reason: Apache v Nginx
  #8  
Old 2nd May 2012, 11:02
ras ras is offline
Right order

Thank you for the quick reply. Now I got it working. It seems it was a matter of doing it in the right order:

1. Define the IP address with an IP shown by ifconfig (you can limit it to provide port 443 only).
2. Create site, create SSL certificate (do not use long organisation names, no special characters, be patient).
3. Certs must be here, 4 files with the same timestamp: ls -al /var/www/clients/client4/web6/ssl
4. On the Site page, click on SSL and save
5. Check if the vhost is here: /etc/apache2/sites-available and there is no .err file. The vhost file should have a 443 section.

You should be able to connect via https now.
The Following 2 Users Say Thank You to ras For This Useful Post:
falko (2nd May 2012), till (2nd May 2012)
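
The end-state checks from posts #7 and #8 (certificate files linked into the site's ssl directory, no .err file, a 443 section in the vhost) can be scripted. An added example, not part of the thread: it also checks that the private key behind the link is not world-readable, which the thread does not cover. The function name, directory tree and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: post-change checks for an ISPConfig site's SSL files.

# check_site_ssl SSL_DIR VHOST_FILE
# Prints one line per problem; returns 0 only when nothing was found.
check_site_ssl() {
    ssl_dir=$1 vhost=$2 problems=0
    for f in "$ssl_dir"/*.crt "$ssl_dir"/*.key; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # The link exists but its target does not.
            echo "dangling symlink: $f"; problems=$((problems + 1))
        fi
    done
    for k in "$ssl_dir"/*.key; do
        [ -e "$k" ] || continue
        # Character 8 of the mode string is the "other" read bit; -L checks
        # the link target, which is the file the web server actually opens.
        if [ "$(ls -lL "$k" | cut -c8)" = "r" ]; then
            echo "private key is world-readable: $k"; problems=$((problems + 1))
        fi
    done
    if [ -e "$vhost.err" ]; then
        # In this thread the .err file held the config that failed the test.
        echo "rejected config present: $vhost.err"; problems=$((problems + 1))
    fi
    # Matches nginx "listen ...:443" and Apache "<VirtualHost ...:443>".
    if ! grep -Eq '(listen|<VirtualHost)[[:space:]]+[^;>]*:443' "$vhost"; then
        echo "no port 443 section in: $vhost"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed tree mirroring the thread's layout (all paths are placeholders).
root=$(mktemp -d); trap 'rm -rf "$root"' EXIT
mkdir -p "$root/store" "$root/web1/ssl" "$root/sites-available"
: > "$root/store/ispserver.crt"; : > "$root/store/ispserver.key"
chmod 600 "$root/store/ispserver.key"
ln -s "$root/store/ispserver.crt" "$root/web1/ssl/example.com.crt"
ln -s "$root/store/ispserver.key" "$root/web1/ssl/example.com.key"
demo_vhost="$root/sites-available/example.com.vhost"
printf 'server {\n    listen 192.168.1.100:443 ssl;\n}\n' > "$demo_vhost"

check_site_ssl "$root/web1/ssl" "$demo_vhost" && echo "site SSL files look consistent"
```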
All times are GMT +2. The time now is 21:09.

