ERR_SSL_PROTOCOL_ERROR on second ip

Discussion in 'ISPConfig 3 Priority Support' started by Alessandro, May 8, 2017.

  1. Alessandro

    Alessandro New Member HowtoForge Supporter

    Hi,
    I have installed ispconfig on ubuntu server 16,04 following the tutorial. I have added a second ip for hosting two https site. I have also forwarded two public ip to the server. I have created some test site on the main ip address and i try to create an https site on the second ip address.
    I make this test:
    - opening main private ip address i can access to test site in http and https
    - opening main public ip address i can access to test site in http and https
    - opening second private ip address i can access to site in http but on https i have ERR_SSL_PROTOCOL_ERROR
    - opening second public address i can access to http site but on https i receive ERR_SSL_PROTOCOL_ERROR
    Where am I wrong?
    thank you
     
    Last edited: May 8, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely the second IP (site that is hosted on the second IP) has no SSL cert yet.
     
  3. Alessandro

    Alessandro New Member HowtoForge Supporter

    Thank you for your reply. Sorry I'm a newbie.
    In the ssl tab of the site on the secondary ip I have create a certificate and the box request ssl, certificate ssl, ssl key are full of text :)
    but nothing
    opening with firefox I have also SSL_ERROR_RX_RECORD_TOO_LONG
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at the generated vhost file of this website, does it contain an SSL section?
     
  5. Alessandro

    Alessandro New Member HowtoForge Supporter

    No there isn't any 443 section
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this normally means that there is no valid SSL cert and therefore, SSL could not be activated. You can try to save the ssl cert again by selecting "save certificate" as action on the SSL tab and then press save. If it does not work after about 1-2 minutes, then check if there a copy of the vhost file in the sites-enabled directory with .err file ending?
     
  7. Alessandro

    Alessandro New Member HowtoForge Supporter

    Thank you for your reply. I try with save certificate but nothing. Yes there is .err file for that vhost
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to rename the .vhost file to e.f. vhost.bak, then rename the vhost.err file to .vhost. Then try to restart apache, it will show you the error message then why the restart fails (which is the error why ISPConfig is not able to save / activate the SSL cert).
     
  9. Alessandro

    Alessandro New Member HowtoForge Supporter

    this is the error.log file
    Code:
    [Tue May 16 06:11:02.401728 2017] [auth_digest:notice] [pid 22801] AH01757: generating secret for digest authentication ...
    [Tue May 16 06:11:02.403579 2017] [:notice] [pid 5027] FastCGI: process manager initialized (pid 5027)
    [Tue May 16 06:11:02.454698 2017] [:error] [pid 22801] python_init: Python version mismatch, expected '2.7.6', found '2.7.12'.
    [Tue May 16 06:11:02.454903 2017] [:error] [pid 22801] python_init: Python executable found '/usr/bin/python'.
    [Tue May 16 06:11:02.454923 2017] [:error] [pid 22801] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Tue May 16 06:11:02.454967 2017] [:notice] [pid 22801] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Tue May 16 06:11:02.454992 2017] [:notice] [pid 22801] mod_python: using mutex_directory /tmp
    [Tue May 16 06:11:02.480189 2017] [ssl:warn] [pid 22801] AH01906: ***.it:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue May 16 06:11:02.480391 2017] [ssl:error] [pid 22801] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected]***.it,CN=***.it,O=
    [Tue May 16 06:11:02.480422 2017] [ssl:error] [pid 22801] AH02604: Unable to configure certificate ***.it:8080:0 for stapling
    [Tue May 16 06:11:02.480590 2017] [mpm_prefork:notice] [pid 22801] AH00163: Apache/2.4.18 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.7.12 OpenSSL/1.0.2g configured -- resuming normal operations
    [Tue May 16 06:11:02.480618 2017] [core:notice] [pid 22801] AH00094: Command line: '/usr/sbin/apache2'
    [Tue May 16 06:11:02.480710 2017] [mpm_prefork:warn] [pid 22801] AH00167: long lost child came home! (pid 22804)
    [Tue May 16 10:46:08.142573 2017] [mpm_prefork:notice] [pid 22801] AH00169: caught SIGTERM, shutting down
    
     
    Last edited: Jun 7, 2017
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally the error is shown on the shell, not in the log for SSL errors. Did apache start without issues? If not, then the SSL cert is broken or the ssl cert and key do not match as apache fails silently then and ispconfig detects that and prevents that the new broken config is written.

    If apache did not start, rename the config files back to their original names, then login to ispconfg and delete the current SSL cert and create a new one or in case you created the ssl cert outside, then cehcl what you copied as the ssl cert is either incomplete or you entered a wrong ssl cert / key pair.
     
  11. Alessandro

    Alessandro New Member HowtoForge Supporter

    Code:
    mag 16 10:46:08 systemd[1]: Stopped LSB: Apache2 web server.
    mag 16 10:46:08 systemd[1]: Starting LSB: Apache2 web server...
    mag 16 10:46:08 apache2[15043]:  * Starting Apache httpd web server apache2
    mag 16 10:46:09 apache2[15043]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
    mag 16 10:46:09  apache2[15043]: Action 'start' failed.
    mag 16 10:46:09  apache2[15043]: The Apache error log may have more information.
    mag 16 10:46:09  apache2[15043]:  *
    mag 16 10:46:09  apache2[15061]:  * Stopping Apache httpd web server apache2
    mag 16 10:46:09  apache2[15061]:  *
    mag 16 10:46:09  systemd[1]: Started LSB: Apache2 web server.
    
    this is the output on console.
    I renamed vhost and I deleted, created and saved a new certificate from ssl tab, but nothing, sorry
     
    Last edited: Jun 7, 2017
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. That there is no further error indicates that the SSL cert is broken or has a wrong key and therefore can not be read by apache. ou can e.g. check if the ssl cert files exist and if they contain a valid cert and you can e.g. test if ssl cert and key match.
     
  13. Alessandro

    Alessandro New Member HowtoForge Supporter

    Sorry I'm a newbie,
    this is the output of ls on ssl folder

    Code:
    drwxr-xr-x 2 root root   21 mag 16 11:39 .
    drwxr-xr-x 9 root root    9 mag  8 16:48 ..
    -rw-r--r-- 1 root root 1387 mag 16 11:39***.it.crt
    -rw-r--r-- 1 root root 1363 mag 16 11:39 ***.it.crt~
    -rw-r--r-- 1 root root 1082 mag 16 11:39 ***.it.csr
    -rw-r--r-- 1 root root 1100 mag 16 11:39 ***.it.csr.err
    -r-------- 1 root root 1702 mag 16 11:39 ***.it.key
    -r-------- 1 root root 1675 mag 16 11:39 ***.it.key~
    -r-------- 1 root root 1706 mag 15 21:19 ***.it.key.bak
    -r-------- 1 root root 1743 mag 16 11:37 ***it.key.org
    -r-------- 1 root root 1743 mag 16 11:39 ***.it.key.org~
    -r-------- 1 root root 1751 mag  8 18:54 ***.it.key.org.bak
    lrwxrwxrwx 1 root root   52 mag  8 17:51 ***.it-le.bundle -> /etc/letsencrypt/live/***.it/chain.pem
    -rw-r--r-- 1 root root 1647 mag 16 11:39 ***.it-le.bundle.err
    -r-------- 1 root root 1647 mag  8 17:51 ***.it-le.bundle.old.20170508155117
    lrwxrwxrwx 1 root root   51 mag  8 17:51 ***.it-le.crt -> /etc/letsencrypt/live/***.it/cert.pem
    -rw-r--r-- 1 root root 2191 mag 16 11:39 ***.it-le.crt.err
    -r-------- 1 root root 2191 mag  8 17:51 ***.it-le.crt.old.20170508155117
    lrwxrwxrwx 1 root root   54 mag  8 17:51 ***.it-le.key -> /etc/letsencrypt/live/***it/privkey.pem
    -r-------- 1 root root 1679 mag 16 11:39***.it-le.key.err
    -r-------- 1 root root 1679 mag  8 17:51 ***.it-le.key.old.20170508155117
    
    which file I have to compare?
     
    Last edited: Jun 7, 2017
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    You seem to use LE for SSL plus the SSL tab settings, but these may not be mixed. Either use lE or create an SSL cert on the SSL tab but don't mix it or you might get SSL problems like the ones described in this thread. When LE is on, then the SSL tab may not be used at all and when you use the SSL tab to create an SSL cert, then do not enable LE. To find out which certs are actually used at the moment, take a look into vhost.err file, you can find the path of the currently used SSL cert in the port 443 vhost.
     
  15. Alessandro

    Alessandro New Member HowtoForge Supporter

    Sorry!
    Code:
    SSLCertificateFile /var/www/clients/client1/web6/ssl/***.it-le.crt
    SSLCertificateKeyFile /var/www/clients/client1/web6/ssl/***.it-le.key
    SSLCertificateChainFile /var/www/clients/client1/web6/ssl/***.it-le.bundle
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    
     
    Last edited: Jun 7, 2017
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you ae using Letsencrypt here and not a self created SSL certificate. It might be that letsencrypt has changed the file names due to multiple tries and switching between ssl modes.

    Check with:

    ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt
    ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key

    to which file in /etc/letsencrypt/live/ the symlinks are pointing and if that target file exists. If it does not exists, then check in /etc/letsencrypt/live/ how the current file for this subdomain is named.
     
  17. Alessandro

    Alessandro New Member HowtoForge Supporter

    thank you for your reply!
    Code:
    ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt
    lrwxrwxrwx 1 root root 51 mag 17 08:11 /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.crt -> /etc/letsencrypt/live/clienti.madsystem.it/cert.pem
    [email protected]:~$ ls -la /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key
    lrwxrwxrwx 1 root root 54 mag 17 08:11 /var/www/clients/client1/web6/ssl/clienti.madsystem.it-le.key -> /etc/letsencrypt/live/clienti.madsystem.it/privkey.pem
    [email protected]:~$
    
    Code:
     ls -al /etc/letsencrypt/live
    totale 19
    drwx------ 5 root root 5 mag  8 17:51 .
    drwxr-xr-x 8 root root 9 ago 27  2016 ..
    drwxr-xr-x 2 root root 6 apr 25 05:00 clienti.madsystem.it
    drwxr-xr-x 2 root root 6 mag  8 17:51 clienti.madsystem.it-0001
    
    Code:
     ls -al /etc/letsencrypt/live/clienti.madsystem.it
    totale 3
    drwxr-xr-x 2 root root  6 apr 25 05:00 .
    drwx------ 5 root root  5 mag  8 17:51 ..
    lrwxrwxrwx 1 root root 44 apr 25 05:00 cert.pem -> ../../archive/clienti.madsystem.it/cert5.pem
    lrwxrwxrwx 1 root root 45 apr 25 05:00 chain.pem -> ../../archive/clienti.madsystem.it/chain5.pem
    lrwxrwxrwx 1 root root 49 apr 25 05:00 fullchain.pem -> ../../archive/clienti.madsystem.it/fullchain5.pem
    lrwxrwxrwx 1 root root 47 apr 25 05:00 privkey.pem -> ../../archive/clienti.madsystem.it/privkey5.pem
    
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks fine so far. Do you have any custom apache directives in the apache directives field of the website?

    and please post the output of:

    apachectl -S
     
  19. Alessandro

    Alessandro New Member HowtoForge Supporter

    Code:
     apachectl -S
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
    VirtualHost configuration:
    192.168.200.47:80      *****.***it (/etc/apache2/sites-enabled/100-***.***.it.vhost:7)
    192.168.200.48:443     ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:121)
    192.168.200.48:80      is a NameVirtualHost
             default server ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:7)
             port 80 namevhost ###.it (/etc/apache2/sites-enabled/100-###.it.vhost:7)
                     alias www.###.it
             port 80 namevhost ***1.***.it (/etc/apache2/sites-enabled/900-***1.***.it.vhost:7)
                     wild alias *.***1.***.it
             port 80 namevhost test2.madsystem.it (/etc/apache2/sites-enabled/900-test2.madsystem.it.vhost:7)
                     wild alias *.test2.madsystem.it
    *:8081                 madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-apps.vhost:9)
    *:8080                 madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    *:80                   is a NameVirtualHost
             default server madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost madws.cgillaspezia.it (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost test3.madsystem.it (/etc/apache2/sites-enabled/900-test3.madsystem.it.vhost:7)
                     wild alias *.test3.madsystem.it
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"
    Mutex default: dir="/var/lock/apache2" mechanism=fcntl
    Mutex mpm-accept: using_defaults
    Mutex fcgid-pipe: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex fcgid-proctbl: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex ssl-cache: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    Define: ENABLE_USR_LIB_CGI_BIN
    User: name="www-data" id=33
    Group: name="www-data" id=33
     
    Last edited: Jun 7, 2017
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks ok so far. What about my first question?
     

Share This Page