Debian 10 Multiserver setup

Discussion in 'Installation/Configuration' started by chief, Mar 22, 2021.

  1. chief

    chief Member HowtoForge Supporter

    Ok. to confirm removal of NGINX - it aint there!!!, never been there.. the script must be confused to assume i have nginx installed...
    Code:
    [email protected]:/etc# apt remove nginx nginx-common
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    Package 'nginx' is not installed, so not removed
    Package 'nginx-common' is not installed, so not removed
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    looked at /etc/nginx - nothing there..
    =========EDIT
    Also, i have checked with external port scanner sites and checked ports 22,80,443,8080,8081 are open.
    They are.. check for your self.. 212.159.153.2
    (see, told you)
     
    Last edited: Aug 10, 2021
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was not talking about port either. IPV6 could or could not be the issue but that is a mere guessing, though I don't think you understand what I was saying and couldn't write it better. Happy hunting for the real problem.
     
  3. chief

    chief Member HowtoForge Supporter

    I do understand what your trying to get across. I checked and verified the port's both from interface and from externally. Then checked the firewall as you instructed IPV6 was enabled and it was. And then in trying to follow your logic, i disabled the firewall to be 100% sure it isnt IPV6 issue.
    My provider i have internet with hasnt stopped any port previously on other setup, now moving to new faster fiber interweb.. hence the new setup.
    But, thank you for your help
     
    Last edited: Aug 11, 2021
    ahrasis likes this.
  4. chief

    chief Member HowtoForge Supporter

    [email protected]:~# /usr/local/ispconfig/server/server.sh
    11.08.2021-17:00 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    11.08.2021-17:00 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    after following debugging server
    and out put from System-Log
    Code:
    Aug 11 17:17:43 panel ntpd[861]: Soliciting pool server 185.53.93.157
    Aug 11 17:17:43 panel ntpd[861]: Soliciting pool server 90.155.73.34
    Aug 11 17:17:44 panel ntpd[861]: Soliciting pool server 217.155.2.22
    Aug 11 17:17:44 panel ntpd[861]: Soliciting pool server 85.199.214.101
    Aug 11 17:17:48 panel ntpd[861]: receive: Unexpected origin timestamp 0xe4be76ac.b3227930 does not match aorg 0000000000.00000000 from [email protected] xmt 0xe4be76ac.917e4995
    Aug 11 17:17:48 panel ntpd[861]: receive: Unexpected origin timestamp 0xe4be76ac.b3209b22 does not match aorg 0000000000.00000000 from [email protected] xmt 0xe4be76ac.92b699fb
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: Global time limit set to 120000 milliseconds.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: Global size limit set to 104857600 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: File size limit set to 26214400 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: Recursion level limit set to 16.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: Files limit set to 10000.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxPartitions limit set to 50.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxIconsPE limit set to 100.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: MaxRecHWP3 limit set to 16.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: PCREMatchLimit limit set to 10000.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: PCRERecMatchLimit limit set to 5000.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Limits: PCREMaxFileSize limit set to 26214400.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Archive support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> AlertExceedsMax heuristic detection disabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Heuristic alerts enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Portable Executable support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> ELF support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Mail files support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> OLE2 support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> PDF support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> SWF support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> HTML support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> XMLDOCS support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> HWP3 support enabled.
    Aug 11 17:17:53 panel clamd[798]: Wed Aug 11 17:17:53 2021 -> Self checking every 3600 seconds.
    Aug 11 17:18:01 panel systemd[1]: systemd-fsckd.service: Succeeded.
    Aug 11 17:18:01 panel CRON[1533]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:18:01 panel CRON[1534]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:18:02 panel systemd[1]: Created slice User Slice of UID 1000.
    Aug 11 17:18:02 panel systemd[1]: Starting User Runtime Directory /run/user/1000...
    Aug 11 17:18:02 panel systemd[1]: Started User Runtime Directory /run/user/1000.
    Aug 11 17:18:02 panel systemd[1]: Starting User Manager for UID 1000...
    Aug 11 17:18:03 panel pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Aug 11 17:18:03 panel pure-ftpd: ([email protected]::1) [INFO] Logout.
    Aug 11 17:18:03 panel systemd[1598]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
    Aug 11 17:18:03 panel systemd[1598]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
    Aug 11 17:18:03 panel systemd[1598]: Reached target Paths.
    Aug 11 17:18:03 panel systemd[1598]: Listening on GnuPG network certificate management daemon.
    Aug 11 17:18:03 panel systemd[1598]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
    Aug 11 17:18:03 panel systemd[1598]: Listening on GnuPG cryptographic agent and passphrase cache.
    Aug 11 17:18:03 panel systemd[1598]: Reached target Sockets.
    Aug 11 17:18:03 panel systemd[1598]: Reached target Timers.
    Aug 11 17:18:03 panel systemd[1598]: Reached target Basic System.
    Aug 11 17:18:03 panel systemd[1598]: Reached target Default.
    Aug 11 17:18:03 panel systemd[1598]: Startup finished in 677ms.
    Aug 11 17:18:03 panel systemd[1]: Started User Manager for UID 1000.
    Aug 11 17:18:03 panel systemd[1]: Started Session 3 of user dave.
    Aug 11 17:19:01 panel CRON[1819]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:19:01 panel CRON[1818]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:19:05 panel kernel: [  103.154259] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=203.150.102.162 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20948 PROTO=TCP SPT=56352 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Aug 11 17:19:06 panel kernel: [  104.157057] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=203.150.102.162 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20949 PROTO=TCP SPT=56352 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Aug 11 17:19:08 panel kernel: [  106.161025] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=203.150.102.162 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20950 PROTO=TCP SPT=56352 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Aug 11 17:19:14 panel kernel: [  111.627078] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=193.242.145.15 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=37363 PROTO=TCP SPT=51536 DPT=3122 WINDOW=1024 RES=0x00 SYN URGP=0
    Aug 11 17:19:19 panel kernel: [  117.346776] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6483 DF PROTO=TCP SPT=51938 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:20 panel kernel: [  117.597220] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45268 DF PROTO=TCP SPT=51940 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:20 panel kernel: [  118.347654] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6484 DF PROTO=TCP SPT=51938 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:21 panel kernel: [  118.597621] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45269 DF PROTO=TCP SPT=51940 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:22 panel kernel: [  120.353559] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6485 DF PROTO=TCP SPT=51938 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:23 panel kernel: [  120.601548] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45270 DF PROTO=TCP SPT=51940 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:26 panel kernel: [  124.021438] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59126 DF PROTO=TCP SPT=51942 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:19:46 panel kernel: [  143.944742] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=212.159.153.1 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41075 DF PROTO=TCP SPT=51946 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:20:01 panel CRON[2016]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:20:01 panel CRON[2015]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:20:02 panel pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Aug 11 17:20:02 panel pure-ftpd: ([email protected]::1) [INFO] Logout.
    Aug 11 17:21:01 panel CRON[2117]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:21:01 panel CRON[2116]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:22:01 panel CRON[2139]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:22:01 panel CRON[2138]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:23:01 panel CRON[2171]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:23:01 panel CRON[2170]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:23:09 panel systemd[1]: Reloading.
    Aug 11 17:23:10 panel systemd[1]: /lib/systemd/system/memcached.service:13: PIDFile= references path below legacy directory /var/run/, updating /var/run/memcached/memcached.pid → /run/memcached/memcached.pid; please update the unit file accordingly.
    Aug 11 17:23:10 panel systemd[1]: /lib/systemd/system/fail2ban.service:12: PIDFile= references path below legacy directory /var/run/, updating /var/run/fail2ban/fail2ban.pid → /run/fail2ban/fail2ban.pid; please update the unit file accordingly.
    Aug 11 17:23:10 panel systemd[1]: [email protected]: Current command vanished from the unit file, execution of the command list won't be resumed.
    Aug 11 17:23:27 panel kernel: [  365.319960] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=74.120.14.73 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=42361 PROTO=TCP SPT=28832 DPT=8589 WINDOW=1024 RES=0x00 SYN URGP=0
    Aug 11 17:23:33 panel crontab[2764]: (root) BEGIN EDIT (root)
    Aug 11 17:23:38 panel crontab[2764]: (root) REPLACE (root)
    Aug 11 17:23:38 panel crontab[2764]: (root) END EDIT (root)
    Aug 11 17:23:50 panel kernel: [  387.505511] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=45.146.165.148 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=36505 PROTO=TCP SPT=40439 DPT=38398 WINDOW=1024 RES=0x00 SYN URGP=0
    Aug 11 17:23:51 panel kernel: [  388.646750] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=103.145.13.80 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=48563 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0
    Aug 11 17:23:54 panel kernel: [  391.871632] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=178.128.254.111 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=49840 PROTO=TCP SPT=50002 DPT=2540 WINDOW=1024 RES=0x00 SYN URGP=0
    Aug 11 17:24:01 panel cron[741]: (root) RELOAD (crontabs/root)
    Aug 11 17:24:01 panel CRON[2775]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:24:18 panel kernel: [  415.752092] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=129.211.87.6 DST=212.159.153.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=32820 PROTO=TCP SPT=53364 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
    Aug 11 17:24:41 panel kernel: [  438.945718] [UFW BLOCK] IN=enp7s0f1 OUT= MAC=e8:39:35:0e:ed:3d:14:49:bc:14:e0:60:08:00 SRC=92.118.160.57 DST=212.159.153.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=58195 PROTO=TCP SPT=64714 DPT=554 WINDOW=1024 RES=0x00 SYN URGP=0
    Aug 11 17:25:01 panel CRON[2781]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 11 17:25:02 panel kernel: [  459.837165] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
    Aug 11 17:25:02 panel pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Aug 11 17:25:02 panel pure-ftpd: ([email protected]::1) [INFO] Logout.
    
     
    Last edited: Aug 11, 2021
  5. chief

    chief Member HowtoForge Supporter

    Hi Till,
    Please can you answer this question. When installing from script, should the panel.servname get a letsencrypt certificate or a self generated one, and how should letsencrypt receive and write the answer back to the acme-challenge directory.
    and also.. reading https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh mentions a api key, do i need one?
    thanks
     
    Last edited: Aug 11, 2021
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    By script you mean ISPConfig autoinstaller? It tries to get Let's Encrypt certificate for the server FQDN. If that fails I think it creates a self signed certificate.
    I have never used acme.sh so about that I know nothing.
     
    ahrasis likes this.
  7. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    It should get an LE cert if it passes the challenge (dns/acme)

    You are correct, acme.sh fails, ispc reverts to self signed as an option, but you have to configure the cert so would know if you had.
     
  8. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

  9. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    ahrasis likes this.
  10. chief

    chief Member HowtoForge Supporter

    Hi, thanks for reply..
    It failed because i powered it down last night, try it now and it'll work. helps if its on
     
    Chris_UK likes this.
  11. chief

    chief Member HowtoForge Supporter

    Update..
    So, Have verified that....
    1. The provider DONT block any port or mess around with any traffic
    2. Spoken to Draytek and im using IP Routed subnet which doesnt 100% get firewalled, all ports are open. its down to machines behind it to protect themselves.
    3. Verified with ispconfig UFW firewall
    Code:
    [email protected]:~# ufw status numbered
    Status: active
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere                 
    [ 2] 80/tcp                     ALLOW IN    Anywhere                 
    [ 3] 443/tcp                    ALLOW IN    Anywhere                 
    [ 4] 8080/tcp                   ALLOW IN    Anywhere                 
    [ 5] 8081/tcp                   ALLOW IN    Anywhere                 
    [ 6] 3306/tcp                   ALLOW IN    212.159.153.0/24         
    [ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
    [ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
    [ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)             
    [10] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)             
    [11] 8081/tcp (v6)              ALLOW IN    Anywhere (v6)
    and then disabled IPV6, tried again. then firewall back on.
    4. put ispconfig in debug mode and tried again.
    5. installed on new machine tried again.
    every time ispconfig_update.sh --force runs or from fresh installation the acme fails on getting a cert

    Complete log of acme.sh.log - too big for this post
    https://www.tlsystems.co.uk/fail.txt

    in that output states errors..
    Code:
    urn:ietf:params:acme:error:malformed
    [Thu 12 Aug 10:35:48 BST 2021] responseHeaders='HTTP/1.1 400 Bad Request
    [Thu 12 Aug 10:35:48 BST 2021] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
    and this one
    Code:
    {"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/4LuMank3n4BwoDCDv6yBhj_QOi_PtHhbniYuDtlwfuQ: Connection refused","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/21163845820/ot7zrw","token":"4LuMank3n4BwoDCDv6yBhj_QOi_PtHhbniYuDtlwfuQ","validationRecord":[{"url":"http://panel.tlwebservices.co.uk/.well-known/acme-challenge
    what is status 400? why would ispconfig script refuse to receive the api output...
    so, i went to letsencrypt and posted output of log, they replied with this::
    https://community.letsencrypt.org/t/ispconfig-install-detects-nginx-but-apache-installed/157516
    I can only assume the api sending to letsencrypt is faulty. love to solve this. late this morning will attempt a manual install and bypass using the script to see results.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is not involved in communicating with let's encrypt, this is done by acme.sh

    I guess you ran into this issue:

    https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121

    The issue does not occur when you install a system that has a correct working hostname, it occurs only when you try to enable an LE cert for the GUI after initial install by doing a forced update when the initial install had a wrong hostname which caused the initial install to create a self-signed SSL cert as fallback.
     
  13. chief

    chief Member HowtoForge Supporter

    Thanks Till,
    Ill try and follow work around.
     
  14. chief

    chief Member HowtoForge Supporter

    Till, This bug is still there as im experiencing some of that issue. It generates a self cert after install (not LE) and when updating also fails to generate (LE) and falls back to self cert. in my log i posted the output above, it does read that the data is wrong, maybe something to follow and help your devs to fix issue.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    As I mentioned above, this bug is only about updating, not about the initial install. And yes, it's marked as open, so it exists in the current stable release. I'll install servers myself regularly using the auto-installer and perfect server guide and I'll always get an LE cert and not a self-signed cert, so there is something wrong with your base system that prevents that your hostname can be verified either by ISPConfig or acme.sh.
     
  16. chief

    chief Member HowtoForge Supporter

    Till, does the bug just appear if i run the auto installer.. does it happen if i manually install everything??
     
  17. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Hi, I spotted this in that log:

    Code:
    "detail": "Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/4LuMank3n4BwoDCDv6yBhj_QOi_PtHhbniYuDtlwfuQ: Connection refused",
    
    Have you tested that an external source can access a file in that directory. You will have a few not founds from me in your logs as i checked to see if I could access that file. I assume its no longer in there.
     
  18. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    As mentioned, the bug is in the updater, so if the conditions for it exist (ie. you have a self-signed certificate in use on the panel), it doesn't matter if you used the autoinstaller or installed manually to get in that state.
     
  19. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    So removal of the offending certs and re-running the installer should resolve his issue?

    If that is the case, then it's a quickish fix, check hostname is correct, dns correct, http acme accessible from remote host, remove/rename the certs and run the installer.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    It's a bug in ISPConfig, not in the auto-installer. But it's a bug in the update function, not the installer. So it won't happen at install time, it happens only when you update a system using ispconfig_update.sh.

    That#s actually what the updater is doing currently and which causes the failure. The failure is triggered because the cert's don't exist at a certain point during update when an intermediate reload of the web server is triggered before the new certs are there. You have basically 3 options:

    1) Take care that hostname, dns etc. is ok before you install ISPConfig, then you'll never hit that issue as a LE cert gets issues right away.
    2) if you have installed ispconfig already without a working hostname setup so you have got a self-signed SSL cert, then you have two options:

    a) edit the ispconfig vhost file and comment out everything that's SSL related and restart the web server, test if ispconfig is available by HTTP:// now instead of https://. If that's the case, then you can remove the SSL certs and run a forced update to create a new LE cert.

    b) The other option is to download the ispconfig branch which contains the fix and use that for the update:

    https://git.ispconfig.org/ispconfig...eady-exist-for-ispconfig-web-interface.tar.gz

    unpack it and run the update.php script that's in the install folder of the unpacked ispconfig.
     
    nhybgtvfr likes this.

Share This Page