
29th April 2012, 00:19
SSL issues
FIRST ISSUE:
With the recent release of Ubuntu 12.04LTS, I decided to clean off my system and redo my server.
I followed the HOWTO: Perfect Server for Ubuntu 11.10 with Nginx, and everything was good, even with 12.04LTS.
I then went and got an SSL Cert from StartSSL, following the HOWTO: Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL.
I only have one host, mine, so I'm thinking that the SSL should work for allowing HTTPS requests to my server. Unfortunately, it does not. Looking through the /etc/nginx/sites-enabled/vhost files, it appears that the only thing that is secured via SSL is ISPConfig ... which is what the second howto does.
Since I'm only hosting one domain, is there a way I can use the same SSL certificate for securing both ISPConfig along with my site?
----------
SECOND ISSUE:
Ok, after going through the two above HOWTO's ... I'm now having issues with connecting to the server with Thunderbird. I can receive emails with IMAPS, my settings are - Connection security: SSL/TLS with a normal password on Port 993 (which is the default per Thunderbird).
On the outgoing (where I'm having issues), I think I've tried every combination available for SSL/TLS, STARTTLS. At this point, my guess is the port isn't open. Per Thunderbird, the default port for SSL/TLS is 465, and STARTTLS is 587. Normal SMTP is 25.
The error message that I'm getting when I use SSL/TLS with default port of 465 is:
Quote:
Sending of message failed.
The message could not be sent because connecting to SMTP server SERVERNAME.com failed. The server may be unavailable or is refusing SMTP connections. Please verify that your SMTP server settings are correct and try again, or contact the server administrator.
This would make it appear that the ports are messed up. When I use STARTTLS, I get the same message.
Any ideas?
Last edited by profm2; 29th April 2012 at 00:46.
Reason: added email issues

29th April 2012, 12:47
Quote:
Originally Posted by profm2
Since I'm only hosting one domain, is there a way I can use the same SSL certificate for securing both ISPConfig along with my site?
Yes - just enable SSL for the website and create a self-signed cert through ISPConfig, and afterwards you go to the website's ssl directory, delete the cert, key, csr, and create symlink with the same names to where you stored your StartSSL cert.
Quote:
Originally Posted by profm2
SECOND ISSUE:
Ok, after going through the two above HOWTO's ... I'm now having issues with connecting to the server with Thunderbird. I can receive emails with IMAPS, my settings are - Connection security: SSL/TLS with a normal password on Port 993 (which is the default per Thunderbird).
On the outgoing (where I'm having issues), I think I've tried every combination available for SSL/TLS, STARTTLS. At this point, my guess is the port isn't open. Per Thunderbird, the default port for SSL/TLS is 465, and STARTTLS is 587. Normal SMTP is 25.
The error message that I'm getting when I use SSL/TLS with default port of 465 is: This would make it appear that the ports are messed up. When I use STARTTLS, I get the same message.
Any ideas?
What's the output of ? Any errors in your mail log?

30th April 2012, 00:59
Quote:
Yes - just enable SSL for the website and create a self-signed cert through ISPConfig, and afterwards you go to the website's ssl directory, delete the cert, key, csr, and create symlink with the same names to where you stored your StartSSL cert.
Ok, did that. I'm guessing there's just one last step to enable Port 443 under Nginx. I do have the checkbox for SSL under the WebDomain->Domain tab checked, along with the info filled in for the SSL tab. I also verified that the System->Firewall allows port 443.
In the VHOST file under /etc/nginx/sites-enabled/100-SITENAME.vhost, I noticed that
Code:
server {
listen *:80;
....
There is no "listen *:443;" ... so something is either incorrect, or not updating that vhost file.
Any thoughts? Thanks.
---------------------
EDIT: Ok, just poking around in my /etc/nginx/sites-available and found that I have a SITENAME.vhost.err file that DOES have the Listen 443 as the second line.
EDIT2: Upon further viewing of the log files at /var/log/ispconfig/cron.log, I found:
Code:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 75.x.x.x:443 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed
So, it would appear that my IP address that I told it, is causing the issue. Am I right that the IP should be the static IP of the machine as seen from the outside world? *OR* the static IP of the internal IP on my local network?
Last edited by profm2; 30th April 2012 at 01:41.
Reason: more info

30th April 2012, 10:52
Quote:
Originally Posted by profm2
So, it would appear that my IP address that I told it, is causing the issue. Am I right that the IP should be the static IP of the machine as seen from the outside world? *OR* the static IP of the internal IP on my local network?
It must be an IP from the output of
The Following User Says Thank You to falko For This Useful Post:
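The bind() failure quoted in this thread (errno 99, EADDRNOTAVAIL) means the address in the listen directive is not assigned to any interface on the server. As an added example, not code from the thread or from ISPConfig, this Python check tests candidate addresses the way a listener would, by attempting a bind; the function names and sample addresses are constructed.

```python
import errno
import socket


def can_bind(ip):
    """True if a listener can bind to `ip` on this host.

    Uses port 0 (the kernel picks a free port), so it needs no root and does
    not touch 80/443. Note: net.ipv4.ip_nonlocal_bind=1 makes every bind succeed.
    """
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:  # errno 99 on Linux
                return False
            raise


def classify(candidates):
    """Map each candidate listen address to a verdict string."""
    return {
        ip: "ok for listen" if can_bind(ip) else "not on any interface (errno 99)"
        for ip in candidates
    }


if __name__ == "__main__":
    # Constructed candidates: the wildcard (what `listen *:80` uses), a LAN
    # address like the one mentioned in the thread, and an RFC 5737
    # documentation address standing in for a router's public IP.
    for ip, verdict in classify(["0.0.0.0", "192.168.1.100", "203.0.113.10"]).items():
        print(f"{ip:15} {verdict}")
```

Behind NAT the public address lives on the router, so only the internal address (or the wildcard) passes this check on the server itself.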

1st May 2012, 06:36
Ok, finally got the SSL cert working, and both HTTP and HTTPS work fine as well.
Onto the EMail issue. After much digging around, it appears that the issues in this HOWTO have come back to be a pain. However, following the comments below (and changing the /etc/postfix/sasl/smtpd.conf) seems to have cleared everything up.
Thanks again for the help.

1st May 2012, 23:25
Apache error with SSL enabled
How did you get SSL working?
I have the same problems here, tried both setting the internal and external IP (now using the internal), creating an SSL certificate. But it writes an .err file into sites-available. For testing purposes I exchanged that .err file (which included a 443 section) with the vhost file (without 443 section) and apache was not able to restart. The only relevant error message I could find was:
[Tue May 01 22:35:12 2012] [error] [client 10.47.48.3] client denied by server configuration: /htdocs

2nd May 2012, 03:19
Ok, the steps that I took were:
1) Clean install from 12.04 (not required, but that is what I did) following the instructions from the Perfect Server for Ubuntu 11.10 w/ Nginx.
2) Follow the instructions for installing a Cert from StartSSL.
(both steps' Howto are in the first post)
3) In ISPConfig, in the System -> Server IP Addresses, created an entry for my server, using the internal address. In my case it's 192.168.1.100, the ifconfig address as mentioned by Falko. Make sure the ports specified are 80, 443.
4) In ISPConfig, in the Sites -> Websites, set up my webserver with the IP address from #3 in the IPv4 spot, and check the SSL checkbox a little lower down.
5) Go to the SSL tab in the Sites -> Website and type in your info that you used already to create the Cert and at the bottom of the screen for SSL Action select Create Certificate, and then Save.
6) The certificate is created (from ISPConfig) in /var/www/clients/clientX/webX/ssl
7) Take the certs created from step #2 and link them here ... so for instance I have a cert: URL.com.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
(do a 'ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt /var/www/clients/clientX/webX/ssl/URL.com.crt')
At this point, it SHOULD be set up. While doing mine, I had rebooted several times, so I would recommend after #7, reboot the server. You may not have to, but it never hurts.
NOTE: I just realized you were asking about Apache. I used Nginx for my webserver, however, with ISPConfig as a wrapper around us manually configuring the files, I believe the directories would be the same as far as the clients and such go. If you go into ISPConfig on the Sites -> Website -> Options tab, it'll tell you the actual directory for your client in "PHP open_basedir"
Last edited by profm2; 2nd May 2012 at 03:30.
Reason: Apache v Nginx

2nd May 2012, 11:02
Right order
Thank you for the quick reply. Now I got it working. It seems it was a matter of doing it in the right order:
1. Define the IP address with an IP shown by ifconfig (you can limit it to provide port 443 only).
2. Create site, create SSL certificate (do not use long organisation names, no special characters, be patient).
3. Certs must be here, 4 files with the same timestamp: ls -al /var/www/clients/client4/web6/ssl
4. On the Site page, click on SSL and save
5. Check if the vhost is here: /etc/apache2/sites-available and there is no .err file. The vhost file should have a 443 section.
You should be able to connect via https now.
The Following 2 Users Say Thank You to ras For This Useful Post:
falko (2nd May 2012),
till (2nd May 2012)
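The checks from the list above, as an added example that is not part of the thread or of ISPConfig: a Python function that reports a leftover .err file, a vhost without a 443 section, and certificate links that do not resolve. The directory layout, file names and the .crt/.key extensions in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

# nginx "listen ...443" or Apache "<VirtualHost ...:443>"
HTTPS_SECTION = re.compile(
    r"^\s*listen\s+[^;#]*\b443\b|<VirtualHost\s+[^>]*:443", re.M | re.I)


def check_site(sites_available, vhost_name, ssl_dir):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if (sites_available / (vhost_name + ".err")).exists():
        problems.append(vhost_name + ".err present: generated vhost was rejected")
    vhost = sites_available / vhost_name
    text = vhost.read_text() if vhost.exists() else ""
    if not HTTPS_SECTION.search(text):
        problems.append("no 443 section in " + vhost_name)
    for ext in (".crt", ".key"):  # assumed extensions for cert and key
        entries = [p for p in ssl_dir.iterdir() if p.suffix == ext]
        if not entries:
            problems.append("no " + ext + " file in ssl directory")
        # exists() follows symlinks, so a link to a missing target is False
        problems += ["dangling symlink: " + p.name for p in entries if not p.exists()]
    return problems


def demo():
    """Build a constructed tree in a temp dir: first broken, then repaired."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        avail, ssl = root / "sites-available", root / "ssl"
        avail.mkdir()
        ssl.mkdir()
        (avail / "example.vhost").write_text("server {\n    listen *:80;\n}\n")
        (avail / "example.vhost.err").write_text("rejected config\n")
        (ssl / "example.crt").symlink_to(root / "real.crt")  # target missing
        broken = check_site(avail, "example.vhost", ssl)
        (avail / "example.vhost.err").unlink()
        (avail / "example.vhost").write_text(
            "server {\n    listen *:80;\n}\n"
            "server {\n    listen 192.168.1.100:443 ssl;\n}\n")
        (root / "real.crt").write_text("constructed placeholder\n")
        (ssl / "example.key").write_text("constructed placeholder\n")
        return broken, check_site(avail, "example.vhost", ssl)
```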
|
| Thread Tools |
|
|
| Display Modes |
Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT +2. The time now is 15:22.
|
|
Recent comments
2 days 6 hours ago
2 days 15 hours ago
2 days 18 hours ago
2 days 19 hours ago
2 days 20 hours ago
2 days 22 hours ago
2 days 23 hours ago
3 days 58 min ago
3 days 16 hours ago
3 days 17 hours ago