  #1  
Old 8th November 2011, 14:12
zenny zenny is offline
Problem after upgrading to 3.0.4

As instructed by Till (http://www.howtoforge.com/forums/sho...3&postcount=40) I am creating this new thread (similar to http://www.howtoforge.com/forums/sho...4&postcount=38 and http://www.howtoforge.com/forums/sho...4&postcount=40).


Since ISPConfig 3.0.4 supports SNI, I upgraded but the upstream CentOS5 repository does not provide Apache above 2.2.12 and Openssl-0.9.8f upwards. So I manually compiled the binaries from source and upgraded to Apache 2.2.21 and 1 with backward compatibility to 0.9.8f.


But when I tried to create an SSL certificate from the ISPConfig3 panel, it goes well but nothing seems to have been created as the SSL Certificate field not only remained blank, but the webserver died. Or I just missed something.

The error log follows:

Quote:
# tail -n 50 /var/log/httpd/error_log
[Mon Nov 07 03:27:07 2011] [notice] Digest: done
[Mon Nov 07 03:27:08 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 03:27:08 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 03:27:08 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Nov 07 04:04:20 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Mon Nov 07 10:10:35 2011] [notice] caught SIGTERM, shutting down
[Mon Nov 07 10:10:35 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(26991) exit(shutting down), terminated by calling exit(), return code: 0
[Mon Nov 07 10:10:36 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 07 10:10:36 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 10:10:36 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 10:10:36 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Nov 07 10:10:36 2011] [notice] Digest: done
[Mon Nov 07 10:10:37 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Nov 07 10:10:37 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Mon Nov 07 10:10:37 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Nov 07 10:34:42 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 00:36:44 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:36:44 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(19240) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 00:36:45 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:36:46 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:36:46 2011] [notice] Digest: done
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:36:46 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:36:47 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:37:50 2011] [notice] mod_fcgid: call /var/www/MYDOMAIN.TLD/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 00:42:43 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:42:43 2011] [notice] mod_fcgid: process /var/www/MYDOMAIN.TLD/web/index.php(11177) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 00:42:44 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
Use of uninitialized value in alarm at /usr/local/ispconfig/server/scripts/vlogger line 538.
[Tue Nov 08 00:42:45 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:42:45 2011] [notice] Digest: done
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:42:45 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:42:45 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:51:02 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:51:03 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:51:04 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:51:04 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:51:04 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 00:51:04 2011] [notice] Digest: done
[Tue Nov 08 00:51:05 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 00:51:05 2011] [warn] RSA server certificate CommonName (CN) `HOSTDOMAIN.TLD' does NOT match server name!?
[Tue Nov 08 00:51:05 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 00:52:06 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 00:52:07 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 00:52:10 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Please note that in CentOS5, I patched the libraries from Version 6 openssl.

Quote:
# openssl version -a
OpenSSL 1.0.0d-fips 8 Feb 2011
built on: Mon Nov 7 23:51:57 CET 2011
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORT$
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
I saw this thread (http://www.howtoforge.com/forums/showthread.php?t=41597) and to solve above problem, I tried with:

1) replacing the httpd.conf from the previous installation, didn't work! :-(
2) removing the NameVirtualhost:*.80 NameVirtualhost: *.443 and Include lines and changed the Directory to /var/www from default /var/www/html, the webserver starts, but gave me the default apache index pages to my domains.
3) So I did 'php -q update' with new ssl certificate, but when it reconfigures services, the running webserver segfaults.
4) Also tried to disable default certificates in /etc/httpd/conf.d/ssl.conf, but it prevents the server from starting.

Any hints or help appreciated! Thanks!
  #2  
Old 8th November 2011, 14:16
till till is online now

I guess the problem is related to your new openssl / apache etc. packages and not to the ispconfig update. Have you tried to create a new ssl cert manually to see if openssl works at all?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 8th November 2011, 15:39
zenny zenny is offline

Yes, I did create the ssl manually by creating /etc/httpd/ssl directory and openssl works fine. Also made ssl related changes in the /etc/httpd/conf/sites-available/ispconfig.vhost, yet the server dies with the following log:

Quote:
[Tue Nov 08 15:20:01 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:25:02 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:28:06 2011] [error] [client 61.135.249.162] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:30:02 2011] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/
[Tue Nov 08 15:31:51 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 15:32:02 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Continue to dig the problem, anyway because this is in production server :-(
  #4  
Old 8th November 2011, 15:42
till till is online now

The file /etc/httpd/conf/sites-available/ispconfig.vhost is managed by the ispconfig installer and should not be edited manually. So which exact changes did you do there that caused apache to fail?

The messages in the log you posted are not related to ssl and they are no errors that may cause apache to fail.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 8th November 2011, 15:52
till till is online now

If a server fails due to a ssl certificate problem, then follow these steps to resolve that:

1) Delete the symlink of the website where you enabled the ssl certificate in the sites-enabled directory.
2) Start apache
3) Login to ispconfig and disable the ssl checkbox for the site and click save.

Then you can create new ssl certificates in ispconfig. Almost all errors related to ssl certificate creation are caused by using any special chars in the ssl fields as openssl is picky about that and will not create a ssl cert then. Better use only characters a-z and 0-9.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
zenny (8th November 2011)
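
To find which symlink step 1 of the post above refers to, the following added example (not from the thread and not ISPConfig code) lists the vhost files in a sites-enabled directory whose `SSLCertificateFile` or `SSLCertificateKeyFile` points at a missing or empty file. It assumes the failed certificate creation left such a file behind; the function names are made up for this example and the directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): list the vhosts in a sites-enabled
# directory whose SSL certificate or key file is missing or empty.

# Print the paths named by SSLCertificateFile / SSLCertificateKeyFile in vhost $1.
# Commented-out directives ("#SSLCertificateFile ...") are not matched.
ssl_files_of() {
    awk '{ d = tolower($1) }
         d == "sslcertificatefile" || d == "sslcertificatekeyfile" {
             gsub(/"/, "", $2); print $2
         }' "$1"
}

# For each entry of directory $1, print "vhost<TAB>file" for every referenced
# SSL file that does not exist or has zero length.
broken_ssl_vhosts() {
    for vhost in "$1"/*; do
        [ -f "$vhost" ] || continue   # also skips dangling symlinks
        ssl_files_of "$vhost" | while read -r f; do
            [ -s "$f" ] || printf '%s\t%s\n' "$vhost" "$f"
        done
    done
}

# Usage (hypothetical script name): sh find-broken-ssl-vhosts.sh /path/to/sites-enabled
if [ $# -gt 0 ]; then
    broken_ssl_vhosts "$1"
fi
```

After removing a reported symlink, `apachectl configtest` confirms that the remaining configuration parses before Apache is started.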
  #6  
Old 8th November 2011, 16:00
zenny zenny is offline

Quote:
Originally Posted by till View Post
The file /etc/httpd/conf/sites-available/ispconfig.vhost is managed by the ispconfig installer and should not be edited manually. So which exact changes did you do there that caused apache to fail?

The messages in the log you posted are not related to ssl and they are no errors that may cause apache to fail.
I followed http://www.faqforge.com/linux/contro...-controlpanel/ to make the changes.

Actually I tried to create a certificate for a virtual domain and it created a problem.

Your second reply above helped me to restart the httpd server. However, SNI/SSL does not seem to be working with the newly created certificate.

/var/log/httpd/error.log states:

Quote:
[Tue Nov 08 16:01:18 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Tue Nov 08 16:01:52 2011] [notice] mod_fcgid: call /var/www/thehumanape.org/web/index.php with wrapper /var/www/php-fcgi-scripts/web11/.php-fcgi-starter
[Tue Nov 08 16:02:02 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 08 16:02:03 2011] [notice] mod_fcgid: process /var/www/mydomain.tld/web/index.php(6375) exit(shutting down), terminated by calling exit(), return code: 0
[Tue Nov 08 16:02:13 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 16:02:16 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 08 16:02:16 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 08 16:02:16 2011] [notice] Digest: done
[Tue Nov 08 16:02:17 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
and /var/log/httpd/ssl_error.log states almost nothing (last few lines among several):

Quote:
[Tue Nov 08 16:01:14 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:01:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:01:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:02:16 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Nov 08 16:02:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
Just wondering how to make SNI work with a single IP to cater several ssl connections to virtual domains?

Last edited by zenny; 8th November 2011 at 16:12.
Reply With Quote
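
A check for the SNI requirement discussed in this thread, as an added example that is not part of any post: it reads the OpenSSL version that mod_ssl reports in the Apache startup banner (which on this page differs from the `openssl version` output) and compares it with the 0.9.8f minimum named in the first post. The function names are made up for this example, and the embedded sample log is constructed from two banner lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does the OpenSSL that mod_ssl reports
# in Apache's startup banner meet a minimum version?

# Constructed sample: two banner lines as they appear in the thread's error_log.
sample_log() {
cat <<'EOF'
[Mon Nov 07 10:10:37 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Tue Nov 08 16:02:17 2011] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.8 mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
EOF
}

# Print the OpenSSL version from the last mod_ssl banner in the log on stdin.
banner_openssl_version() {
    sed -n 's|.*mod_ssl/[^ ]* OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p' | tail -n 1
}

# Turn "0.9.8e" into a sortable key "000.009.008.e"; the letter is optional.
version_key() {
    echo "$1" | awk -F. '{
        patch = $3; letter = ""
        if (match(patch, /[a-z]+$/)) {
            letter = substr(patch, RSTART); patch = substr(patch, 1, RSTART - 1)
        }
        printf "%03d.%03d.%03d.%s\n", $1, $2, patch, letter
    }'
}

# Succeed when version $1 is at least version $2.
version_at_least() {
    a=$(version_key "$1"); b=$(version_key "$2")
    [ "$a" = "$b" ] && return 0
    lowest=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$b" ]
}

# Read an error_log on stdin and report against minimum version $1.
check_banner() {
    v=$(banner_openssl_version)
    [ -n "$v" ] || { echo "no mod_ssl banner found"; return 2; }
    if version_at_least "$v" "$1"; then
        echo "ok: mod_ssl reports OpenSSL $v (>= $1)"
    else
        echo "too old: mod_ssl reports OpenSSL $v (< $1)"; return 1
    fi
}

# 0.9.8f is the SNI minimum named in the first post.
sample_log | check_banner 0.9.8f || true
```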
  #7  
Old 8th November 2011, 16:04
till till is online now

Quote:
I followed http://www.faqforge.com/linux/contro...-controlpanel/ to make the changes.
That's for ISPConfig < 3.0.3 only (see first sentence of the guide), as ISPConfig 3.0.3 and later use different ssl paths and have the ssl cert creation included into the installer. Please undo the changes that you did in the ispconfig.vhost file.

Quote:
Actually I tried to create a certificate for a virtual domain and it created problem.
I posted you instructions to solve that above.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
zenny (8th November 2011)
  #8  
Old 8th November 2011, 16:39
zenny zenny is offline

While trying to fix the SNI stuffs, now the mailserver broke down with:

Quote:
Nov 8 16:35:17 server1 postfix/smtpd[12310]: warning: SASL: Connect to private/auth failed: No such file or directory
Nov 8 16:35:17 server1 postfix/smtpd[12310]: fatal: no SASL authentication mechanisms
Nov 8 16:35:18 server1 postfix/master[12303]: warning: process /usr/libexec/postfix/smtpd pid 12310 exit status 1
Nov 8 16:35:18 server1 postfix/master[12303]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
:-( fyi
  #9  
Old 8th November 2011, 17:13
till till is online now

The dovecot auth socket is missing which normally means that dovecot is not running, try to restart dovecot and check the maillog for errors. The openssl library is used by many services on a system, so if you updated it this might break other applications that use openssl.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #10  
Old 8th November 2011, 17:34
zenny zenny is offline

nope, I am using courier-imap. and it is running:

Quote:
[root@server1 install]# netstat -ntlp | grep courier*
tcp 0 0 :::993 :::* LISTEN 15102/couriertcpd
tcp 0 0 :::995 :::* LISTEN 15114/couriertcpd
tcp 0 0 :::110 :::* LISTEN 15108/couriertcpd
tcp 0 0 :::143 :::* LISTEN 15095/couriertcpd
I also tried to remove the imap and pop certificates and recreated new in /usr/lib/courier-imap/share/ folder, but the problem persists. :-(
All times are GMT +2.