SSL problem - error 12263

[chillifire]

Hi,

I have server with Ubuntu 7.10, went through perfect server allright and tried to load ISPConfig 2.2.18 with my domain chillifire.net

That worked after some trials and tribulations and a first failed install (see below), so now http://www.chillifire.net work, https://www.chillifire.net:81 works and gets me to the panel, which seems to work fine. However, https://www.chillifire.net gets me the treaded 12263 error in the browser.

Yes, there has been a lot of postings, but all seem to deal with the issue of more than one certificate per IP or multiple IPs and certificates etc. These posts do not apply as I have one IP only and (should) have only one certificate.

Now, I did notice a few things:
- I have entries apache2.conf.06-12-07_16-21-50, and ports.conf.06-12-07_16-21-50 and under mods-enabled every file seems to have a copy with a .06-12-07_16-21-50. Should these files be there? If not, could they have been created by a failed ISPConfig installation attempt? I installed twice - the first time the system aborted after creating the certificates, complaining php was not available. So I made php globally available (reversing 16.1 of the perfect server setup) and rerun the install - and it worked.
Could it be that there is a dud certificate flying around somewhere that wrecks the whole thing?
If so where?
And should I get rid of all the *.06-12-07_16-21-50 entries? Where else do I need to llok for them?
- Port 81 did not work at first. I had to recreate the certificate manually as per the instructions in this forum. Once that was done, 81 worked and I can get to the panel.
- I noticed there is no module ssl under /etc/apach2/modules-available and modules-enabled. Also, under /etc/apache2/vhosts I have the files
Vhosts_ispconfig.conf Vhosts_ispconfig.conf~ They look like this:

Code:

###################################
#
# ISPConfig vHost Configuration File
#         Version 1.0
#
###################################
#
NameVirtualHost 210.48.62.30:80
<VirtualHost 210.48.62.30:80>
  ServerName localhost
  ServerAdmin root@localhost
  DocumentRoot /var/www/sharedip
</VirtualHost>
NameVirtualHost 210.48.62.30:80
<VirtualHost 210.48.62.30:80>
  ServerName localhost
  ServerAdmin root@localhost
  DocumentRoot /var/www/sharedip
</VirtualHost>
#
#
######################################
# Vhost: www.chillifire.net:80
######################################
#
#
<VirtualHost 210.48.62.30:80>
SuexecUserGroup web3_contact web3
ServerName www.chillifire.net:80
ServerAdmin webmaster@chillifire.net
DocumentRoot /var/www/web3/web
ServerAlias chillifire.net
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias  /cgi-bin/ /var/www/web3/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web3/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>
<Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>
<Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>
<Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>
php_admin_flag safe_mode Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/web3/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
</VirtualHost>

There is nothing anywhere I can see that would tell the system how to deal with port 443 (other than ports.conf, which says:

Code:

Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

- This is what is in directory /root/ispconfig/httpd/conf/ssl.crt

Code:

0cf14d7d.0  544fc7bf.1  82ab5372.0  README.CRT     ca.crt      server.crt           snakeoil-ca-rsa.crt  snakeoil-rsa.crt
544fc7bf.0  5d8360e1.0  Makefile    ca-bundle.crt  e52d41d0.0  snakeoil-ca-dsa.crt  snakeoil-dsa.crt

Is that what should be there? The server.crt file is the one I manually recreated.

Again, I suspect it has something to do with the failed installation, but then again, what do I know? So for starters, where should I look for dud certificates. And why are there no ssl modules and for Vhost? Any input/advice is welcome.

Thanks

chillifire
Auckland, New Zealand


PS: Here is some more output you will ask me for:

Code:

root@blackbird:~# netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 210.48.62.30:53         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 210.48.62.30:81         60.234.129.51:56569     TIME_WAIT
tcp        0      0 210.48.62.30:81         60.234.129.51:56567     TIME_WAIT
tcp6       0      0 :::993                  :::*                    LISTEN
tcp6       0      0 :::995                  :::*                    LISTEN
tcp6       0      0 :::110                  :::*                    LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN
tcp6       0   2112 ::ffff:210.48.62.30:22  ::ffff:60.234.129:56685 ESTABLISHED

[chillifire]

Hi everyone,

Out of sheer desparation I deinstalled ISPConfig. Interesting: it does not remove those funny files with date/time appended and it also does not get used to vhosts directories and files and vost roots. I deleted these all manually and then reinstalled ISPConfig. The result was interesting:
The same certificate error (unvalid signature) occured again and I had to employ www.howtoforge.com/faq/14_63_en.html to fix that. After that at least port 81 works and I can access the ISPConfig admin site. But SSL still does not work (leads to 12263 error) and new date and time appended files have been created.

So now I am thinking these files were not created by the fialed install but obviouslyare created by a 'successful' install.

So something must be in the setup of the system that upsets ISPConfig enough to do somehing very funny and not cope with SSL.

Any thoughts?

chillifire

[till]

Please have a look here:

http://www.howtoforge.com/forums/showthread.php?t=13596

[chillifire]

Thanks till for your quick response. Much appreciated.

I had seen the thread, but it does not really apply and it does not provide a solution.

As I stated, there is only
Vhosts_ispconfig.conf Vhosts_ispconfig.conf~
in the vhosts folder. There is no file with date/time appendage that I could rename. So therefore this approach does not provide a fix.

There were indeed an apache2.conf and ports.conf file with date/time appendage as reported (ports was indetnical though, not sure about apache2). I renamed them and restarted apache2 and ispconfig_server. No change.

Admittedly there are also all these date/time appended files in mods-available next to 'normal' files. it looks like this:

Code:

alias.conf                              include.load.07-12-07_15-41-46
alias.conf.07-12-07_15-41-46            mime.conf
alias.load                              mime.conf.07-12-07_15-41-46
alias.load.07-12-07_15-41-46            mime.load
auth_basic.load                         mime.load.07-12-07_15-41-46
auth_basic.load.07-12-07_15-41-46       negotiation.conf
authn_file.load                         negotiation.conf.07-12-07_15-41-46
authn_file.load.07-12-07_15-41-46       negotiation.load
authz_default.load                      negotiation.load.07-12-07_15-41-46
authz_default.load.07-12-07_15-41-46    php5.conf
authz_groupfile.load                    php5.conf.07-12-07_15-41-46
authz_groupfile.load.07-12-07_15-41-46  php5.load
authz_host.load                         php5.load.07-12-07_15-41-46
authz_host.load.07-12-07_15-41-46       rewrite.load
authz_user.load                         rewrite.load.07-12-07_15-41-46
authz_user.load.07-12-07_15-41-46       setenvif.conf
autoindex.conf                          setenvif.conf.07-12-07_15-41-46
autoindex.conf.07-12-07_15-41-46        setenvif.load
autoindex.load                          setenvif.load.07-12-07_15-41-46
autoindex.load.07-12-07_15-41-46        ssl.conf
cgi.load                                ssl.conf.07-12-07_15-41-46
cgi.load.07-12-07_15-41-46              ssl.load
dir.conf                                ssl.load.07-12-07_15-41-46
dir.conf.07-12-07_15-41-46              status.conf
dir.load                                status.conf.07-12-07_15-41-46
dir.load.07-12-07_15-41-46              status.load
env.load                                status.load.07-12-07_15-41-46
env.load.07-12-07_15-41-46              suexec.load
include.load                            suexec.load.07-12-07_15-41-46

The files without date/time are in a light turquios, so I assume they are symlinks. Also, I checked the pairs ssl.load / ssl.load.07-12-07_15-41-46 and ssl.conf / ssl.conf.07-12-07_15-41-46 and they are exactely the same. So for now I don't see how renaming all these files would change anything (as they should be just symlinks to mods-available anyway, right?)

Any more clues?

chillifire

[till]

Please undoi the renaming of these other files. I talked just about the file Vhost_ispconfig.conf and not any other file.

Please recreate the SSL cert of the website where you have SSL enabled in ISPConfig (not the ecrt for port 81!).

[chillifire]

Thanks again for the quick response.

I have to ask in that case where does ISPConfig store these website related SSL certifiactes? I assume these website related keys were created during the ISP config install? But where are they? I assume they are not in /root/ispconfig/httpd/conf/ssl.* which holds the ispconfig certificates?

I would not even know where to look, as there is no ssl module in either /etc/apache2/mods-available nor /etc/apache2/mods-enabled, nor are there any port 443 instructions in the vhosts files. So where apache2 even would know where to look for certificates is beyond my limited knowledge.

BTW, I am also playing around with DNS entries at the same time, so this link may be required for testing at the moment.

Thanks again for your support.

Hanno

[daveb]

a sites cert should be in /var/www/web#/ssl

[chillifire]

/var/www/web1/ssl is empty

[daveb]

did you enable ssl for web1 and create a certificate from the ispconfig control panel for web1?

[chillifire]

This might be a misunderstanding on my part then.

Yes, I did enable SSL with that switch.

No, I did not create a certificate for the site through the panel, I thought this was for certificates signed by agents only. Is this required for self signed certificates as well?