403 and SSL Issues

Discussion in 'General' started by Cknight2020, May 12, 2021.

  1. Cknight2020

    Cknight2020 New Member

    Hi, since upgrading my host to Ubuntu 18.04 LTS and running the ISPConfig update, SSL has stopped working. When I add a new domain to the control panel I'm getting a 403 page, and the SSL boxes stay unticked once I look back at the settings.
     
  2. Cknight2020

    Cknight2020 New Member

    I also went to tools > resync as well with no luck.
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. Cknight2020

    Cknight2020 New Member

    Thanks for the reply,

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 18.04.5 LTS
     
    [INFO] uptime:  19:01:31 up  5:26,  1 user,  load average: 0.13, 0.09, 0.02
     
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:           3.4G        1.6G        449M         31M        1.4G        1.6G
    Swap:          2.1G        2.2M        2.1G
     
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.4
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.2.24-0ubuntu***.***.***.***
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.2.24
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 27143)
    [INFO] I found the following mail server(s):
        Postfix (PID 2127)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 1324)
    [INFO] I found the following imap server(s):
        Dovecot (PID 1324)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 4177)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [anywhere]:993        (1324/dovecot)
    [anywhere]:995        (1324/dovecot)
    [localhost]:10024        (7729/amavisd-new)
    [localhost]:10025        (2127/master)
    [localhost]:10026        (7729/amavisd-new)
    [localhost]:10027        (2127/master)
    [anywhere]:587        (2127/master)
    [localhost]:11211        (1106/memcached)
    [localhost]:6379        (1218/redis-server)
    [anywhere]:110        (1324/dovecot)
    [anywhere]:143        (1324/dovecot)
    [anywhere]:465        (2127/master)
    [anywhere]:21        (4177/pure-ftpd)
    ***.***.***.***:53        (1032/named)
    [localhost]:53        (1032/named)
    ***.***.***.***:53        (819/systemd-resolve)
    [anywhere]:22        (1349/sshd)
    [anywhere]:25        (2127/master)
    [localhost]:953        (1032/named)
    *:*:*:*::*:993        (1324/dovecot)
    *:*:*:*::*:995        (1324/dovecot)
    *:*:*:*::*:10023        (4216/postgrey)
    *:*:*:*::*:10024        (7729/amavisd-new)
    *:*:*:*::*:3306        (3785/mysqld)
    *:*:*:*::*:10026        (7729/amavisd-new)
    *:*:*:*::*:587        (2127/master)
    *:*:*:*::*:6379        (1218/redis-server)
    [localhost]10        (1324/dovecot)
    [localhost]43        (1324/dovecot)
    *:*:*:*::*:8080        (27143/apache2)
    *:*:*:*::*:80        (27143/apache2)
    *:*:*:*::*:8081        (27143/apache2)
    *:*:*:*::*:465        (2127/master)
    *:*:*:*::*:21        (4177/pure-ftpd)
    *:*:*:*::*:53        (1032/named)
    *:*:*:*::*:22        (1349/sshd)
    *:*:*:*::*:25        (2127/master)
    *:*:*:*::*:953        (1032/named)
    *:*:*:*::*:443        (27143/apache2)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25,465
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***      [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***      [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***      [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    
    
    
    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
     
  5. Cknight2020

    Cknight2020 New Member

    Letsencrypt log:
    Code:
    2021-05-12 13:44:14,609:DEBUG:certbot.main:certbot version: 0.27.0
    2021-05-12 13:44:14,610:DEBUG:certbot.main:Arguments: []
    2021-05-12 13:44:14,610:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-05-12 13:44:14,618:DEBUG:certbot.log:Root logging level set at 20
    2021-05-12 13:44:14,618:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
    2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:No candidate plugin
    2021-05-12 13:44:14,619:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    2021-05-12 13:46:35,172:DEBUG:certbot.main:certbot version: 0.27.0
    2021-05-12 13:46:35,173:DEBUG:certbot.main:Arguments: ['--apache']
    2021-05-12 13:46:35,174:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-05-12 13:46:35,183:DEBUG:certbot.log:Root logging level set at 20
    2021-05-12 13:46:35,183:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:No candidate plugin
    2021-05-12 13:46:35,184:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    2021-05-12 13:47:46,021:DEBUG:certbot.main:certbot version: 0.27.0
    2021-05-12 13:47:46,022:DEBUG:certbot.main:Arguments: []
    2021-05-12 13:47:46,023:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-05-12 13:47:46,047:DEBUG:certbot.log:Root logging level set at 20
    2021-05-12 13:47:46,048:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-05-12 13:47:46,049:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
    2021-05-12 13:47:46,168:DEBUG:certbot_apache.configurator:Apache version is 2.4.29
    2021-05-12 13:47:47,806:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
    Description: Apache Web Server plugin - Beta
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
    Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50>
    Prep: True
    2021-05-12 13:47:47,808:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f4a74328c50>
    2021-05-12 13:47:47,808:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
    2021-05-12 13:47:56,312:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
        load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1116, in run
        le_client = _init_le_client(config, authenticator, installer)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 641, in _init_le_client
        acc, acme = _determine_account(config)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 528, in _determine_account
        config.account = acc.id
    AttributeError: 'NoneType' object has no attribute 'id'
    2021-05-12 13:47:56,313:ERROR:certbot.log:An unexpected error occurred:
    2021-05-12 13:50:06,905:DEBUG:certbot.main:certbot version: 0.27.0
    2021-05-12 13:50:06,906:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'wptestdomain.xyz', '--domains', 'www.wptestdomain.xyz', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2021-05-12 13:50:06,907:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-05-12 13:50:06,934:DEBUG:certbot.log:Root logging level set at 20
    2021-05-12 13:50:06,940:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-05-12 13:50:06,941:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-05-12 13:50:06,941:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f5f0c7a4cc0>
    Prep: True
    2021-05-12 13:50:06,942:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f5f0c7a4cc0> and installer None
    2021-05-12 13:50:06,942:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2021-05-12 13:50:06,960:DEBUG:certbot.log:Exiting abnormally:
     
  6. Cknight2020

    Cknight2020 New Member

    Code:
    /var/log$ php -v
    PHP 7.2.24-0ubuntu0.18.04.7 (cli) (built: Oct  7 2020 15:24:25) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.2.24-0ubuntu0.18.04.7, Copyright (c) 1999-2018, by Zend Technologies
    
    Code:
    apache2 -v
    Server version: Apache/2.4.29 (Ubuntu)
    Server built:   2020-08-12T21:33:25
    

    Add a new domain and it also redirects to another website in the list. There is no redirection on this domain at all. I'm pretty lost as to what is going on. Adding a domain and SSL seems to be not working. I'm currently on version 18.04. Do you think upgrading to the latest 20.04 LTS release would make a difference, or is the issue still going to be there?
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Based on your logs, I guess you have certbot problems, so follow this FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    Yes, it would make a difference but it won't resolve your certbot issues unless you follow the above mentioned FAQ.
     
  8. Cknight2020

    Cknight2020 New Member

    I've run certbot from the CLI and it's creating the certificates, but there are some certs it couldn't renew when I used the --dry-run option.
    This is a new domain today that has generated a cert.
    Code:
    total 12K
    4.0K drwxr-xr-x 2 root root 4.0K May 13 13:05 .
    4.0K drwx------ 8 root root 4.0K May 13 13:05 ..
       0 lrwxrwxrwx 1 root root   44 May 13 13:05 cert.pem -> ../../archive/www.wptestdomain.xyz/cert1.pem
       0 lrwxrwxrwx 1 root root   45 May 13 13:05 chain.pem -> ../../archive/www.wptestdomain.xyz/chain1.pem
       0 lrwxrwxrwx 1 root root   49 May 13 13:05 fullchain.pem -> ../../archive/www.wptestdomain.xyz/fullchain1.pem
       0 lrwxrwxrwx 1 root root   47 May 13 13:05 privkey.pem -> ../../archive/www.wptestdomain.xyz/privkey1.pem
    4.0K -rw-r--r-- 1 root root  682 May 13 13:05 README
    [email protected]:/etc/letsencrypt/live/www.wptestdomain.xyz#
    
    But it's still not ticking the check boxes in the panel and the domain is pointing to another. [EDIT] Seems to be my Chrome cache. Just checked on mobile and it's going to the green page with no SSL, that's on http.
    As soon as you go to https://wptestdomain.xyz, the domain says invalid cert and goes to another domain.
     
  9. Cknight2020

    Cknight2020 New Member

    When I do tick the boxes in the panel, I notice this in the letsencrypt log:

    Code:
    certbot.errors.missingcommandlineflag: Missing command line flag or config entry for this setting:
    please choose an account
    choices: ['[email protected]:23:14Z (aae3)', '[email protected]:35:10Z (45c3)']
     
  10. Cknight2020

    Cknight2020 New Member

    Running certbot from the CLI:
    Code:
    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.
    
    [Thu May 13 13:37:57.184093 2021] [pagespeed:warn] [pid 3436] ModPagespeedInheritVHostConfig is deprecated.  Please remove it from your configuration.
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    AH00526: Syntax error on line 71 of /etc/apache2/sites-enabled/wptestdomain.xyz.vhost-le-ssl.conf:
    FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client0/web11/cgi-bin/php-fcgi-*-80-wptestdomain.xyz"
    
    Rolling back to previous server configuration...
    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.
    
    [Thu May 13 13:37:57.184093 2021] [pagespeed:warn] [pid 3436] ModPagespeedInheritVHostConfig is deprecated.  Please remove it from your configuration.
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    AH00526: Syntax error on line 71 of /etc/apache2/sites-enabled/wptestdomain.xyz.vhost-le-ssl.conf:
    FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client0/web11/cgi-bin/php-fcgi-*-80-wptestdomain.xyz"
    
    
    IMPORTANT NOTES:
     - We were unable to install your certificate, however, we
       successfully restored your server to its prior configuration.
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.wptestdomain.xyz/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.wptestdomain.xyz/privkey.pem
       Your cert will expire on 2021-08-11. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
    
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    This means you have two accounts created in LE, but there should be just one account, so one account must be removed, preferably the one without certs or with the least certs, as all certs of the other account cannot be renewed.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't do that, it breaks your setup, and websites in ISPConfig will stop working and can't be managed anymore from within ISPConfig due to certbot duplicating config files.
     
  13. Cknight2020

    Cknight2020 New Member

    This client ssl folder is empty. Shouldn't the certs be copied here by the panel?

    Code:
    [email protected]:/var/www/clients/client0/wptestdomain.xyz# ls
    cgi-bin  log  private  ssl  tmp  web  webdav
    [email protected]:/var/www/clients/client0/wptestdomain.xyz# cd ssl
    [email protected]:/var/www/clients/client0/wptestdomain.xyz/ssl# ls -lash
    total 8.0K
    4.0K drwxr-xr-x  2 root root 4.0K May 12 14:21 .
    4.0K drwxr-xr-x 10 root root 4.0K May 12 14:21 ..
    [email protected]:/var/www/clients/client0/wptestdomain.xyz/ssl#
    
     
  14. Cknight2020

    Cknight2020 New Member

    Shall I remove all certificates from the domains manually? Would they be under /var/www/client0/domain/ssl?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    There are no certs when certbot fails to create certs, that's why the folder is empty. Fix certbot by removing the duplicate account and then enable Let's Encrypt in the website again to let certbot create a cert.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    No, just fix the duplicate account issue and in case you used certbot manually on the shell, then remove the duplicate vhost files with '-le' in file name that certbot created in the apache / nginx config directory.
     
  17. Cknight2020

    Cknight2020 New Member

    It's created some manual web11, web3 directories as well for some reason:

    Code:
    4.0K drwxr-xr-x  7 root root 4.0K May 12 22:41 .
    4.0K drwxr-xr-x  3 root root 4.0K Nov 29  2017 ..
       0 lrwxrwxrwx  1 root root   30 Feb  1  2018 csal.co.uk -> /var/www/clients/client0/web4/
       0 lrwxrwxrwx  1 root root   30 Aug 20  2018 electricbluelight.co.uk -> /var/www/clients/client0/web6/
       0 lrwxrwxrwx  1 root root   30 Jan  2  2018 newsite.csal.co.uk -> /var/www/clients/client0/web3/
       0 lrwxrwxrwx  1 root root   30 May  9  2018 standrewswestcliff.org -> /var/www/clients/client0/web5/
    4.0K drwxr-xr-x 10 root root 4.0K May 12 14:21 web11
    4.0K drwxr-xr-x 10 root root 4.0K Jan  2  2018 web3
    4.0K drwxr-xr-x 11 root root 4.0K May 13 00:03 web4
    4.0K drwxr-xr-x 10 root root 4.0K May  9  2018 web5
    4.0K drwxr-xr-x 10 root root 4.0K Aug 20  2018 web6
       0 lrwxrwxrwx  1 root root   31 May 12 14:21 wptestdomain.xyz -> /var/www/clients/client0/web11/
    
    Could the duplicates be under them? There are no duplicate accounts inside the panel.
     
    Last edited: May 13, 2021
  18. Cknight2020

    Cknight2020 New Member

    Nope, I can see they are symbolic links.
     
  19. Cknight2020

    Cknight2020 New Member

    Code:
    Please choose an account
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: [email protected]:23:14Z (aae4)
    2: [email protected]:35:10Z (45c3)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: csal.co.uk
    2: newsite.csal.co.uk
    3: www.newsite.csal.co.uk
    4: www.csal.co.uk
    5: electricbluelight.co.uk
    6: www.electricbluelight.co.uk
    7: standrewswestcliff.org
    8: www.standrewswestcliff.org
    9: wptestdomain.xyz
    10: www.wptestdomain.xyz
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
    
    Are the 2 web panel accounts in certbot what you mean? These two:
    1: [email protected]:23:14Z (aae4)
    2: [email protected]:35:10Z (45c3)

    They both have all domains listed under them. If that's the problem, how do I know which one to remove, and how?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's what I was talking about.

    Delete the one which has the least number of domains.

    certbot unregister

    command to delete the account.
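
The advice in this thread is to keep the account that holds the certificates, remove the other one, and clean up any `-le` vhost files certbot created. As an added example (not part of the thread and not ISPConfig or certbot code), this read-only script counts how many renewal configs reference each account and lists certbot-created `-le-ssl.conf` vhost files. It assumes certbot's usual layout (`accounts/<server>/directory/<account_id>/` and `renewal/*.conf` containing an `account = <account_id>` line); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks before removing a duplicate certbot account.
# Assumed layout under the certbot config dir (default /etc/letsencrypt):
#   accounts/<server>/directory/<account_id>/   one directory per account
#   renewal/<lineage>.conf                      has a line "account = <account_id>"

# Print "<cert_count> <account_id> <acme_server>" per account, fewest certs first.
# The account at the top of the list is the candidate for removal.
count_certs_per_account() {
    le_dir="${1:-/etc/letsencrypt}"
    for acct_dir in "$le_dir"/accounts/*/directory/*/; do
        [ -d "$acct_dir" ] || continue
        acct_id=$(basename "$acct_dir")
        server=$(basename "$(dirname "$(dirname "$acct_dir")")")
        n=0
        for conf in "$le_dir"/renewal/*.conf; do
            [ -f "$conf" ] || continue
            # Match the exact account id recorded for this certificate lineage.
            if grep -Eq "^account[[:space:]]*=[[:space:]]*$acct_id[[:space:]]*\$" "$conf"; then
                n=$((n + 1))
            fi
        done
        printf '%s %s %s\n' "$n" "$acct_id" "$server"
    done | sort -n
}

# List vhost files written by certbot's apache installer, such as the
# wptestdomain.xyz.vhost-le-ssl.conf file that broke configtest in this thread.
find_certbot_vhosts() {
    apache_dir="${1:-/etc/apache2}"
    find "$apache_dir/sites-enabled" "$apache_dir/sites-available" \
        -maxdepth 1 -name '*-le-ssl.conf' 2>/dev/null | sort
}

# Run both checks against the live system when invoked as: sh script.sh report
if [ "${1:-}" = "report" ]; then
    echo "Certificates per account (count, account id, server):"
    count_certs_per_account
    echo "Certbot-created vhost files:"
    find_certbot_vhosts
fi
```

Both functions only read files; the output tells you which account id is referenced by the fewest renewal configs and which vhost files ISPConfig did not write.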
     
