Control Panel inaccessible following update 3.1 --> 3.2.4

Discussion in 'Installation/Configuration' started by RickTrev, May 3, 2021.

  1. RickTrev

    RickTrev New Member

    I proceeded with an update via the Ispconfig3 dashboard. The Control Panel is now no longer accessible.
    *****
    This site can’t provide a secure connection
    192.168.1.70 sent an invalid response.
    • Try running Windows Network Diagnostics.
    ERR_SSL_PROTOCOL_ERROR
    *****
    This Ispconfig3 setup is in place solely for managing email accounts.
    I understand this is very little information to work with. I am relatively new to this and would appreciate some guidance.
    I followed instructions for doing a forced update (ispconfig_update.sh --force) and tried to generate a new certificate but received:

    Unable to find renew-hook command letsencrypt_renew_hook.sh in the PATH.
    (PATH is /usr/local/sbin:/usr/local/sbin:/usr/bin:/root/bin). Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by Letsencrypt.


    Below is contents of letsencrypt.log:
    2021-05-03 03:00:10,768: DEBUG:certbot._internal.main:certbot version: 1.11.0
    2021-05-03 03:00:10,768: DEBUG:certbot._internal.main:Location of certbot entry point: /bin/letsencrypt
    2021-05-03 03:00:10,768: DEBUG:certbot._internal.main: Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2021-05-03 03:00:10,768: DEBUG:certbot._internal.main: Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-05-03 03:00:10,845: DEBUG:certbot._internal.log:Root logging level set at 20
    2021-05-03 03:00:10,846: INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-05-03 03:00:10,847: DEBUG:certbot.display.util:Notifying user:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2021-05-03 03:00:10,847: DEBUG:certbot.display.util:Notifying user: No renewals were attempted.
    2021-05-03 03:00:10,847: DEBUG:certbot.display.util:Notifying user: No hooks were run.
    2021-05-03 03:00:10,847: DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2021-05-03 03:00:10,847: DEBUG:certbot._internal.renewal:no renewal failures


    I should probably mention that email and Roundcube are working without issue.
    Can anyone provide some insight?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Does it work when you use http:// instead of https:// ?
     
  3. RickTrev

    RickTrev New Member

    http:// gives default Apache page
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. RickTrev

    RickTrev New Member

    I should have been clearer

    1) http: //internalIP gives Apache default page

    2) https: //internalIP: 8080 gives
    *****
    This site can’t provide a secure connection
    INTERNALIP sent an invalid response.
    • Try running Windows Network Diagnostics.
    ERR_SSL_PROTOCOL_ERROR
    *****

    3) https: //internalIP gives
    ***
    Your connection isn't private
    Attackers might be trying to steal your information from INTERNALIP (for example, passwords, messages, or credit cards).

    NET::ERR_CERT_AUTHORITY_INVALID
    ***

    Followed by

    This server couldn't prove that it's INTERNALIP; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

    Continue to 1internalIP (unsafe)

    Followed by Apache default page (unsecured)
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      137.4 KB
      Views:
      3
    • 2.jpg
      2.jpg
      File size:
      38.7 KB
      Views:
      4
    • 3a.jpg
      3a.jpg
      File size:
      40.2 KB
      Views:
      4
    • 3b.jpg
      3b.jpg
      File size:
      32.3 KB
      Views:
      4
    • 3c.jpg
      3c.jpg
      File size:
      127.7 KB
      Views:
      3
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. RickTrev

    RickTrev New Member

  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Follow these instructions, read the complete article from beginning to end.
    https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

    I did not know ISPConfig 3 can be updated via the dasboard? You do mean the ISPConfig Panel in browser when you write dashboard?

    Seems that ISPConfig 3 server is in an intranet, and uses non routable IP-number 192.168.1.70. This means it is not reachable from the public internet and Let's Encrypt can not issue a certificate for it. At least not with extra hoops to set up to make it work. Did you during ispconfig_update.sh check it is trying to create a self-signed certificate (that should work and you can access the panel after accepting security exeption in the browser).
     
    Last edited: May 4, 2021
  9. RickTrev

    RickTrev New Member

    Taleman / Till

    I have read the httxx://www.howtoforge.com/community/threads/please-read-before-posting.58408/
    Unfortunately I am using a non-GUI environment so I could not run the test script as per instruction provided. I did, however, examine the contents of the php file to see what you are looking for. Below is what I can provide:
    1) OS
    CentOS Linux release 7.4.1708 (Core)
    *****
    2) PHP version
    PHP 5.4.16 (cli) (built: Apr 1 2020 04:07:17)
    *****
    3) Listening on Ports
    LISTENING ON PORTS
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1713/amavisd (maste
    tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1029/php-fpm: maste
    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 2205/smtpd
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 1713/amavisd (maste
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1374/mysqld
    tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 2198/smtpd
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 42165/dovecot
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 42165/dovecot
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
    tcp 0 0 192.168.1.70:53 0.0.0.0:* LISTEN 1350/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1350/named
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1060/pure-ftpd (SER
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 977/sshd
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2333/smtpd
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1350/named
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 42165/dovecot
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 42165/dovecot
    tcp6 0 0 ::1:10024 :::* LISTEN 1713/amavisd (maste
    tcp6 0 0 ::1:10026 :::* LISTEN 1713/amavisd (maste
    tcp6 0 0 :::110 :::* LISTEN 42165/dovecot
    tcp6 0 0 :::143 :::* LISTEN 42165/dovecot
    tcp6 0 0 :::111 :::* LISTEN 1/systemd
    tcp6 0 0 :::8080 :::* LISTEN 699/httpd
    tcp6 0 0 :::80 :::* LISTEN 699/httpd
    tcp6 0 0 :::53 :::* LISTEN 1350/named
    tcp6 0 0 :::21 :::* LISTEN 1060/pure-ftpd (SER
    tcp6 0 0 :::22 :::* LISTEN 977/sshd
    tcp6 0 0 :::25 :::* LISTEN 2333/smtpd
    tcp6 0 0 ::1:953 :::* LISTEN 1350/named
    tcp6 0 0 :::443 :::* LISTEN 699/httpd
    tcp6 0 0 :::993 :::* LISTEN 42165/dovecot
    tcp6 0 0 :::995 :::* LISTEN 42165/dovecot
    udp 0 0 192.168.1.70:53 0.0.0.0:* 1350/named
    udp 0 0 127.0.0.1:53 0.0.0.0:* 1350/named
    udp 0 0 127.0.0.1:323 0.0.0.0:* 746/chronyd
    udp6 0 0 :::53 :::* 1350/named
    udp6 0 0 ::1:323 :::* 746/chronyd
    *****
    4) IP_Tables
    IP_TABLES
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission
    f2b-dovecot tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps
    f2b-FTP tcp -- anywhere anywhere tcp dpt:ftp
    f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-FTP (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain f2b-dovecot (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain f2b-sshd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    *****
    I realize that this is probably not entirely what you are looking for and will provide whatever I can.
     
  10. RickTrev

    RickTrev New Member

    1) I did not know ISPConfig 3 can be updated via the dasboard? You do mean the ISPConfig Panel in browser when you write dashboard?
    Yes, I meant to say Control Panel


    2) Seems that ISPConfig 3 server is in an intranet, and uses non routable IP-number 192.168.1.70. This means it is not reachable from the public internet and Let's Encrypt can not issue a certificate for it. At least not with extra hoops to set up to make it work. Did you during ispconfig_update.sh check it is trying to create a self-signed certificate (that should work and you can access the panel after accepting security exeption in the browser).
    Yes, during ispconfig_update.sh I proceeded with the self-signed certificate (see below)
    **

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for my.IMapServer.com
    Using certificate path /etc/letsencrypt/live/my.IMapServer.com
    PHP Warning: symlink(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2912
    PHP Warning: chown(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2913
    PHP Warning: chmod(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2914
    PHP Warning: symlink(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2917
    PHP Warning: chown(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2918
    PHP Warning: chmod(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2919
    PHP Warning: symlink(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2922
    PHP Warning: chown(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2923
    PHP Warning: chmod(): No such file or directory in /tmp/update_runner.sh.bv3LohT1tw/install/lib/installer_base.lib.php on line 2924
    which: no certbot in (/opt/eff.org/certbot/venv/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Unable to find renew-hook command letsencrypt_renew_hook.sh in the PATH.
    (PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus
    ...................++
    .......................................................................................++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CA
    State or Province Name (full name) []:XXXXXXXXX
    Locality Name (eg, city) [Default City]:XXXXXXXXX
    Organization Name (eg, company) [Default Company Ltd]:XXXXXXXXX
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:XXXXXXXXX
    An optional company name []:
    writing RSA key
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ***
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Reconfigure Crontab? (yes,no) [yes]: yes

    Updating Crontab
    Update finished.
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    When your browser informs you
    have you accepted the security exception to let browser continue to the control panel? Since the certificate is self signed, the browser does not trust it and you must allow that security exception.
    Seems neither certbot nor acme.sh is installed on that ISPConfig host. Is this intentional? How was ISPConfig installed on this host?
     
  12. RickTrev

    RickTrev New Member

    1) https://192.168.1.70:8080 throws the "ERR_SSL_PROTOCOL_ERROR" message immediately. There is no option to accept the security exception

    2) https://192.168.1.70 DOES go to the security exception but when I click on "Proceed to 192.168.1.70 (unsafe)" I am directed to the Apache default page
     
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  14. RickTrev

    RickTrev New Member

    Yes, I have completely read the information on the page.

    The parts that seem relevant to the problem:
    1) How to run test script
    This cannot be done because I am working in a non-GUI environment. I previously posted what information I could - after examining the script code.
    2) When visiting domain B, the content of domain A is showing
    This server does not host multiple domains. Its sole purpose is for handling email. I have a separate web server which I use for our domains and subdomains.
    3) Something is not working after updating ISPConfig
    I used the ispconfig_update.sh --force command. However, when asked to update services I used the "selected" option and responded no the postfix Imap/POP3 option. This is my production mail server and I cannot risk the update destroying my ability to send/receive mail. My assumption is that the postfix option should have no bearing on the ability to display the Control Panel.
    4) Panel not showing up /server.sh script error
    OS: CentOS7
    PHP version: 5.4.16
    5) Problems with websites or PHP
    Using Apache server. No websites hosted on this machine.
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That I do not understand. I do not have GUI on any of my servers, and I can run the script just fine. Can you not write commands on the terminal on your server? If you just can not copy-paste the command, write the command to a file, copy that file to your server and issue the command that way.
     
  16. RickTrev

    RickTrev New Member

    I SSH into the server and run : wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php

    It hangs...does nothing at all...after about 20 minutes I force out of SSH, sign back in through SSH and run cat htf_report.txt | more. Below is the result:

    [[email protected] ~]# cat htf_report.txt | more

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [[email protected] ~]#
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How has that failure anything to do with having or not having GUI?
    Looks like the php script fails to run. Maybe you have not installed some component it needs? Or the PHP 5.4 version is too old for running the script?
     
  18. RickTrev

    RickTrev New Member

    You are correct...it doesn't...I look at so many php scripts running inside an html shell every day that I just projected into this one...

    In any event, it is not worth quibbling about.

    Perhaps I will try updating/reinstalling php. Current version is 5.4.16...according to documentation it is the correct version for ispconfig running on centos 7.

    At this point I am close to giving up.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    On centOS, you can use a newer PHP version like PHP 7.4 as all PHP versions use the exact same path. But you should consider not install a new server by using such an outdated OS. Either use centOS 8 or even better, use one of the OS that is recommended to be used for ISPConfig: Debian 10 or Ubuntu 20.04. Your server will be easier to install, run smoother and will be easier to update and more stable when you switch to Debian or Ubuntu. Plus the installation process is much easier by using the auto installer: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    But why does the report common issues script not run on that CentOS?
     

Share This Page