Can't access websites via HTTP

Discussion in 'General' started by Erik Damber, May 14, 2020.

  1. Erik Damber

    Erik Damber New Member

    Hello,
    I have a problem, we setup a new ISPconfig enviroment with a host panel server and 2 webservers. Everything worked great and I could create websites and get SSL to work. Now all of a sudden the sites we create doesn't work.

    Every site I create get 400 - Bad request when accessing through HTTP. I can't enable Lets encrypt but pretty sure I have to solve the problem with reaching default site via HTTP first. Tried creating on our old setup and that sends me to default page "Welcome to your website..."
    I have compared every config file but it's excatly the same, Ive also updated ispconfig and reconfigured services. There is nothing in the log files.
    I have one website that was created before this and it works without problems and has a Lets encrypt cert.

    Our setup is a HA cluster with web-01 and web-02 and haproxy for load balancing. Last thing I did was configure and install HAproxy. Even tested creating a website and DNS for it and it worked fine. We also use web-02 Is a mirror of web-01 so that the websites we create also appears on web-02. Can also note that I enabled sticky sessions on haproxy so it stays on one server.

    Any ideas? I'll gladly check more logs and stuff like that if there is something Ive missed.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check isf the option to connect user id's to web id's is enabled for all web nodes under System > server config. If not, it might be that the Linux system users of the websites got different numeric uid's
     
  3. Erik Damber

    Erik Damber New Member

    It was not checked, tried enableing it but changes nothing. I've tried to look at all the options from our new and old ISPconfig panel and they seem to be the same. Difference is that in the old one we have around 25 servers standalone and no HA. The new setup uses HA cluster with LB and the option "Is a mirror of" in ISPconfig.
     
  4. Erik Damber

    Erik Damber New Member

    I can mention too that I tried to close down web-02 to bring down the gluster and create a new website with dns but same problem. Don't know if its worth testing but I could uncheck the "Is a mirror of" option and try to create a website on web-02 to see if the issue is with web-01 config. I don't 100% understand what the mirror option does except create files for websites/clients on slave server.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This option needs to be enabled in cluster setups before the first website gets added, see multiserver installation tutorials in the manual. enabling it later will not change anything as the web users with potentially wrong ID's exist at that point already. To check if there is already some damage, compare the numeric uid's in the /etc/passwd files of the web* users.
     
  6. Erik Damber

    Erik Damber New Member

    Ok so I deleted the websites+clients. Check the option on both web-01 and web-02. Created client+website. They get different values in /etc/passwd and site still gets error 400. I get web13:10013:10012 on master and web13:10013:1009 on slave.

    Anyway to solve this? Like reset it? I have one site that I want to keep thats on web4 and already works, was setup before Mirror option got checked. When I look at the /etc/passwd file the only difference is that last number on web13. It has the exact same content and number of rows.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The second value is the group, which is associated to the client. You probably removed just the sites but not the client that owned the sites, which means the client group was not removed and therefore still contains the wrong GID. The problem with the wrong UID or GID is that you get permission problems on the shared file system when not all nodes agree on the same numerical UID/GID for the same Linux user name.
     
  8. Erik Damber

    Erik Damber New Member

    I removed everything again and created a client then a website. Now they have the same values in /etc/passwd. Still get the 400 - Bad request though. What's different now is that I dont get errors in the letsencrypt log, before I got certbot.errors.FailedChallenges: Failed authorization procedure. Now the boxes just unchecks without errors.

    I did a ispconfig update on web-01 before do I need to reconfigure services on the slave node too? They are both running the same version. I also have a lsync on the /var/www folder for php installations via svn so it updates all files on both servers.
     
  9. Erik Damber

    Erik Damber New Member

    Can I somehow disable the 400* pages to see something more about the problem? 400 - Bad request doesnt give me much and the logs in Ubuntu doesn't have anything.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Just do not enable the custom error pages option in website settings.
     
  11. Erik Damber

    Erik Damber New Member

    Still get the 400 - Bad request page even though I disabled Own error documents. Tried shutting down the whole cluster and create a website on only web-01, still get bad request. Must be a misconfig somewhere.
     
  12. Erik Damber

    Erik Damber New Member

    I even tried to remove sites and clients and uncheck the option Is a mirror of and create website. Still same error. Old setup with ISPconfig and 25 non-clustered servers works without issue.
     
  13. Erik Damber

    Erik Damber New Member

    Ok so sites work now, issue is we can't create Lets encrypt certs with ISPconfig. It just unchecks after adding it. Tried adding cert manually but seems it can't connect through port 80. I get
    StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

    Is this something in HAproxy or can I use the Server config option for Enableing proxy protocol?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    When it can't bind to port 80, then port 80 is probably already in use. Or you try to bind a software twice by having something duplicated in the config.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    there is a FAQ which explains you all possible causes:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    Don't try that, certbot will destroy the config in a way that the site can not be managed anymore with ISPConfig afterwards.
     
  16. Erik Damber

    Erik Damber New Member

    So I deleted everything and the manual cert. Still get error trying to create cert.
    Failed authorization procedure. cluster.kulturhotell.se (http-01): urn:ietf:params:acme:error:unauthorized
    Invalid response from http://cluster.kulturhotell.se/.wel...e/_SnNDvDEBfq6a-Q8zKgPKLhf3m5QYUBEyd5gVpGbU4c

    Tried changing the apache listen port to 8090, no diff. Seems like haproxy is doing a redirect because I get the "Welcome to your website" if I use a local DNS.
     

Share This Page