
8th November 2011, 14:12
|
|
Senior Member
|
|
Join Date: Nov 2006
Posts: 147
Thanks: 16
Thanked 6 Times in 6 Posts
|
|
Problem after upgrading to 3.0.4
As instructed by Till (http://www.howtoforge.com/forums/sho...3&postcount=40) I am creating this new thread (similar to http://www.howtoforge.com/forums/sho...4&postcount=38 and http://www.howtoforge.com/forums/sho...4&postcount=40).
Since ISPConfig 3.0.4 supports SNI, I upgraded but the upstream CentOS5 repository does not provide Apache above 2.2.12 and Openssl-0.9.8f upwards. So I manually compiled the binaries from source and upgraded to Apache 2.2.21 and 1 with backward compatibility to 0.9.8f.
But when I tried to create an SSL certificate from the ISPConfig3 panel, it goes well but nothing seems to have been created as the SSL Certificate field not only remained blank, but the webserver died. Or I just missed something.
The error log follows:
Quote:
# tail -n 50 /var/log/httpd/error_log
[Mon Nov 07 03:27:07 2011] [notice] Digest: done
[Mon Nov 07 03:27:08 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 03:27:08 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 03:27:08 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Nov 07 04:04:20 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Mon Nov 07 10:10:35 2011] [notice] caught SIGTERM, shutting down
[Mon Nov 07 10:10:35 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(26991) exit(shutting down), terminated by calling exit(), return code: 0
[Mon Nov 07 10:10:36 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 07 10:10:36 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 10:10:36 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 10:10:36 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Nov 07 10:10:36 2011] [notice] Digest: done
[Mon Nov 07 10:10:37 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 10:10:37 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 10:10:37 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Nov 07 10:34:42 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 00:36:44 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:36:44 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(19240) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 00:36:45 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:36:46 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:36:46 2011] [notice] Digest: done
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:36:47 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:37:50 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 00:42:43 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:42:43 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(11177) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 00:42:44 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
Use of uninitialized value in alarm at /usr/local/ispconfig/server/scripts/vlogger line 538.
[Tue Nov 08 00:42:45 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:42:45 2011] [notice] Digest: done
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:42:45 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:51:02 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:51:03 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:51:04 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:51:04 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:51:04 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:51:04 2011] [notice] Digest: done
[Tue Nov 08 00:51:05 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:51:05 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:51:05 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:52:06 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:52:07 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:52:10 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
|
Please note that in Centos5, I patched the libraries from Version 6 openssl.
Quote:
# openssl version -a
OpenSSL 1.0.0d-fips 8 Feb 2011
built on: Mon Nov 7 23:51:57 CET 2011
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORT$
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
|
I saw this thread (http://www.howtoforge.com/forums/showthread.php?t=41597) and to solve the above problem, I tried with:
1) replacing the httpd.conf from the previous installation, didn't work! :-(
2) removing the NameVirtualhost:*.80 NameVirtualhost: *.443 and Include lines and changed the Directory to /var/www from default /var/www/html, the webserver starts, but gave me the default apache index pages to my domains.
3) So I did 'php -q update' with new ssl certificate, but when it reconfigures services, the running webserver segfaults.
4) Also tried to disable default certificates in /etc/httpd/conf.d/ssl.conf, but it prevents the server from starting.
Any hints or help appreciated! Thanks!
|

8th November 2011, 14:16
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,905
Thanks: 693
Thanked 4,195 Times in 3,211 Posts
|
|
I guess the problem is related to your new openssl / apache etc. packages and not to the ispconfig update. Have you tried to create a new ssl cert manually to see if openssl works at all?
|

8th November 2011, 15:39
Senior Member
Yes, I did create the ssl manually by creating /etc/httpd/ssl directory and openssl works fine. Also made ssl related changes in the /etc/httpd/conf/sites-available/ispconfig.vhost, yet the server dies with the following log:
Quote:
[Tue Nov 08 15:20:01 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:25:02 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:28:06 2011] [error] [client 61.135.249.162] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:30:02 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:31:51 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 15:32:02 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
|
Continue to dig the problem, anyway because this is in production server :-(
|

8th November 2011, 15:42
Super Moderator
The file /etc/httpd/conf/sites-available/ispconfig.vhost is managed by the ispconfig installer and should not be edited manually. So which exact changes did you do there that caused apache to fail?
The messages in the log you posted are not related to ssl and they are no errors that may cause apache to fail.
|

8th November 2011, 15:52
Super Moderator
If a server fails due to a ssl certificate problem, then follow these steps to resolve that:
1) Delete the symlink of the website where you enabled the ssl certificate in the sites-enabled directory.
2) Start apache
3) Login to ispconfig and disable the ssl checkbox for the site and click save.
Then you can create new ssl certificates in ispconfig. Almost all errors related to ssl certificate creation are caused by using any special chars in the ssl fields as openssl is picky about that and will not create a ssl cert then. Better use only characters a-z and 0-9.
|
|
The Following User Says Thank You to till For This Useful Post:
|
zenny (8th November 2011)
|
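To find which symlink step 1 of the post above applies to, the following added example (not part of the original post and not ISPConfig code) lists enabled vhosts whose certificate directives point at files that are missing or empty. The function names, the default `/etc/httpd/conf/sites-enabled` path and the premise that a failed certificate creation leaves the referenced file missing or empty are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not ISPConfig code): find enabled vhosts whose SSL files
# are missing or empty, i.e. candidates for the symlink removal in step 1.
# Assumption: default directory below; pass another as $1 if yours differs.

# Prints "vhost<TAB>directive<TAB>path<TAB>reason" per broken reference.
# Limitation: relative paths and paths containing spaces are not handled.
find_broken_ssl_vhosts() {
    dir=${1:-/etc/httpd/conf/sites-enabled}
    for vhost in "$dir"/*; do
        [ -f "$vhost" ] || continue   # also skips dangling symlinks
        # Extract the path argument of each certificate directive,
        # skipping commented-out lines and stripping optional quotes.
        awk '
            $1 ~ /^#/ { next }
            tolower($1) ~ /^ssl(ca)?certificate(file|keyfile|chainfile)$/ {
                gsub(/"/, "", $2); print $1 "\t" $2
            }' "$vhost" |
        while IFS="$(printf '\t')" read -r directive path; do
            if [ ! -e "$path" ]; then
                printf '%s\t%s\t%s\tmissing\n' "$vhost" "$directive" "$path"
            elif [ ! -s "$path" ]; then
                printf '%s\t%s\t%s\tempty\n' "$vhost" "$directive" "$path"
            fi
        done
    done
}

# write_vhost <file> <cert> <key>: constructed minimal SSL vhost.
write_vhost() {
    printf '<VirtualHost *:443>\n  SSLEngine on\n  #SSLCertificateFile /old.crt\n  SSLCertificateFile %s\n  SSLCertificateKeyFile "%s"\n</VirtualHost>\n' "$2" "$3" > "$1"
}

# Constructed sample: one healthy vhost, one whose certificate was never
# written and whose key file is empty.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/sites-enabled" "$t/ssl" || return 1
    echo dummy > "$t/ssl/good.crt"; echo dummy > "$t/ssl/good.key"
    : > "$t/ssl/bad.key"
    write_vhost "$t/sites-enabled/100-good.vhost" "$t/ssl/good.crt" "$t/ssl/good.key"
    write_vhost "$t/sites-enabled/100-bad.vhost" "$t/ssl/bad.crt" "$t/ssl/bad.key"
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then
    find_broken_ssl_vhosts "$(make_sample_tree)/sites-enabled"
fi
```

Run it with `--demo` to see the output for the constructed tree; the check only reads files and changes nothing.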

8th November 2011, 16:00
Senior Member
Quote:
Originally Posted by till
The file /etc/httpd/conf/sites-available/ispconfig.vhost is managed by the ispconfig installer and should not be edited manually. So which exact changes did you do there that caused apache to fail?
The messages in the log you posted are not related to ssl and they are no errors that may cause apache to fail.
|
I followed http://www.faqforge.com/linux/contro...-controlpanel/ to make the changes.
Actually I tried to create a certificate for a virtual domain and it created problem.
Your second reply above helped me to restart the httpd server. However, SNI/SSL does not seem to be working with the newly created certificate.
/var/log/httpd/error.log states:
Quote:
[Tue Nov 08 16:01:18 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 16:01:52 2011] [notice] mod_fcgid: call /var/www/thehumanape.org/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 16:02:02 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 16:02:03 2011] [notice] mod_fcgid: process /var/www/mydomain.tld/web/index.php(6375) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 16:02:13 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 16:02:16 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 16:02:16 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 16:02:16 2011] [notice] Digest: done
[Tue Nov 08 16:02:17 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
|
and /var/log/httpd/ssl_error.log states almost nothing (last few lines among several):
Quote:
[Tue Nov 08 16:01:14 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:01:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:01:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:02:16 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:02:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
|
Just wondering how to make SNI work with a single IP to cater several ssl connections to virtual domains?
Last edited by zenny; 8th November 2011 at 16:12.
|

8th November 2011, 16:04
Super Moderator
That's for ISPConfig < 3.0.3 only (see first sentence of the guide), as ISPConfig 3.0.3 and later use different ssl paths and have the ssl cert creation included into the installer. Please undo the changes that you did in the ispconfig.vhost file.
Quote:
|
Actually I tried to create a certificate for a virtual domain and it created problem.
|
I posted you instructions to solve that above.
|
|
The Following User Says Thank You to till For This Useful Post:
|
zenny (8th November 2011)
|

8th November 2011, 16:39
Senior Member
While trying to fix the SNI stuffs, now the mailserver broke down with:
Quote:
Nov 8 16:35:17 server1 postfix/smtpd[12310]: warning: SASL: Connect to private/auth failed: No such file or directory
Nov 8 16:35:17 server1 postfix/smtpd[12310]: fatal: no SASL authentication mechanisms
Nov 8 16:35:18 server1 postfix/master[12303]: warning: process /usr/libexec/postfix/smtpd pid 12310 exit status 1
Nov 8 16:35:18 server1 postfix/master[12303]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
|
:-( fyi
|

8th November 2011, 17:13
Super Moderator
The dovecot auth socket is missing which normally means that dovecot is not running, try to restart dovecot and check the maillog for errors. The openssl library is used by many services on a system, so if you updated it this might break other applications that use openssl.
|

8th November 2011, 17:34
Senior Member
nope, I am using courier-imap. and it is running:
Quote:
[root@server1 install]# netstat -ntlp | grep courier*
tcp 0 0 :::993 :::* LISTEN 15102/couriertcpd
tcp 0 0 :::995 :::* LISTEN 15114/couriertcpd
tcp 0 0 :::110 :::* LISTEN 15108/couriertcpd
tcp 0 0 :::143 :::* LISTEN 15095/couriertcpd
|
I also tried to remove the imap and pop certificates and recreated new in /usr/lib/courier-imap/share/ folder, but the problem persists. :-(
|