HORRIBLE week continues!!!

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 1, 2020.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I thought maybe the ispconfig_update would help updating from p2 to p3, but now i'm down COMPLETELY!!!
    I put in a passphrase when asked for a phrase for the ns9.cdbsystems.com:443 as I told it to redo the ssl cert from ispconfig and now http cannot run.
    fails completely.
    systemctl status httpd
    give me failed to start apache server.
    when I try to run it manually /usr/sbin/httpd
    it gives!
    password entry required for 'Enter SSL pass phrase for ns9.cdbsystems.com:443' and the passord I entered does not work.
    it talks about a systemd-tty-ask-password-agent tool.
    how to I disable this and let httpd come up???
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    You can just rerun the update to generate a new certificate and hit enter for no passphrase.
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    ah both the above are a big NO!!!!!
    1) rerunning the update wont work 'says there are no updates to 15p3'
    2) till I did as you say ran all the steps did NOT put a passphrase at 'Enter SSL pass phrase'
    and completed.
    httpd wont start same error asks for phrase
    running /usr/sbin/httpd still has 'password entry required for 'Enter SSL pass phrase for ns9.cdbsystems.com:443 (RSA)'

    and systemctl restart httpd still asks
    Enter SSL pass phrase for ns9.cdbsystems.com:443 (RSA):

    i'm truly hosed :(
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    horrible horrible.
    ispconfig.PNG
     
  6. craig baker

    craig baker Member HowtoForge Supporter

    till above was the php -q update run in install folder.
    I did not put any challenge password - but httpd still asks for one.
    is it in the vhost file for ns9.cdbsystems.com I assume? or in ispconfig somewhere?
    all websites down :(
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    What kind of SSL cert did you use before for the ns9? Was it an LE cert? if yes, then you can not generate a new cert using the ispconfig updater as an le cert is a manually configured symlink outside of ispconfig.

    probably in the ispconfig.vhost. But I don't know your exact setup, so might be that the ns9 vhost is affected too.
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    I redid the LE process as per here:
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem


    but nothing changes. all sites down.
    /usr/sbin/httpd still demands a phrase
    people are starting to notice! what a day.
    maybe a bit of documentation in theupdater script?
    add a 'IF YOU USE LE YOU WILL WRECK SYSTEM' note?
    or "NEVER ADD A PASSPHRASE BELOW OR YOU ARE HOSED"?
    <trying to see humour in situation>

    so .. how do I dig myself out?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This would be plain wrong as it does not cause any damage under normal circumstances on systems that are installed according to perfect server guide.


    Disable the symlinks of the ns9 vhost and ispconfig vhost in apache sites-enabled directory and then restart apache. When the sites are up again, check if the paths to the ssl certs in those two files are correct and if any of them points to a password protected cert.
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    only ispconfig.conf and ispconfig.vhost have current date sept1. ns9 has not been altered today...

    ive moved 100-isp* and 000-isp* out of sites-enabled and sites-available up one folder but httpd still wont start.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    First, try removing the /etc/apache2/sites-enabled/000-ispconfig.vhost symlink and see if apache will start. If so, customer sites are up and you can work on the certificate for the panel.
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Nevermind, already done, I'm slow in responding today. :)
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    This does not matter as it might be that you replaced the SSL cert of the ns9 site trough their symlinks with a different SSL cert.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    And I asked you to remove the ns9 and ispconfig vhost symlinks only and not 000-isp* as this would remove the ispconfig.conf symlink as well which might cause your other sites to fail.
     
  15. craig baker

    craig baker Member HowtoForge Supporter

    now roundcube says cant connect to storage database. I'm truly $*[email protected] I just moved the 000-links one level higher. didnt remove them.
    the pem with the password appears to be a letsencrypt cert /etc/letsencrypt/live/ns9.cdbsystems.com
    can I force letsencrypt to create just that cert without a passphrase? and why could roundcube not connect??
     
  16. craig baker

    craig baker Member HowtoForge Supporter

    and why did redoing the install from your instructions WITHOUT a passphrase not help? I'm desperate.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok, but not what I asked you to do. I asked you to remove (or copy one level higher if you prefer that) the symlink for the ispconfig vhost and the ns9 vhost, you have to do that for BOTH vhosts and to NOT copy or remove the ispconfig.conf symlink. Then restart apache.

    If it would have been a standard install, it would have worked. Due to the use of Let's encrypt and symlinks, there seem to be some interference between le and the SSL cert.

    That's what I guessed, it's not a le cert, its the manually created cert which overwrote the le cert trough the symlinks that point the ispconfig cert to le on your system.

    You wiped out the SSL cert used by the whole system, so all services are affected by that that use the cert.
     
  18. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Have you tried what Till suggested in #2, run the update but select no when asked if you want to create a new SSL cert?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    you can try these commands to create a new self signed SSL cert for ispconfig:

    Code:
    cd /usr/local/ispconfig/interface/ssl
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    openssl genrsa -des3 -out ispserver.key 4096
    openssl req -new -key ispserver.key -out ispserver.csr
    openssl x509 -req -days 3650 -in ispserver.csr \
    -signkey ispserver.key -out ispserver.crt
    openssl rsa -in ispserver.key -out ispserver.key.insecure
    mv ispserver.key ispserver.key.secure
    mv ispserver.key.insecure ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    
    this should give you a new self-signed SSL cert for ispconfig. Then copy back the ispconfig vhost symlink, restart apache, login to ispconfig, disable the letsencrypt checkbox in the ns9 website, press save, enable the le checkbox for ns9 vhost again, press save, then check if ns9 works again with a new and correct le cert. if that's ok, run the commands:

    Code:
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    to enable le back for ispconfig and the other services.
     
    Th0m likes this.
  20. craig baker

    craig baker Member HowtoForge Supporter

    ok out of desperation (and a wtf?) I loked in /etc/letsencrypt and I see that the live ns9.cdbsystems points to archive/ns9.cdbsystems.com/pem14xxxx (4files with 14 in them).
    I saved them and copied the 4 matching slightly older files with 13 in place of 14.
    replaced all the 000* and 100* files and httpd can now start!
    however of course the certificates are out of date now.
    how can I force just ns9.cdbsystem.com to be renewed by letsencrypt? dont see helpful instructions anywhere :(
    ps roundcube fails because dovecot is not running properly complaining about the passphrase so its obviously still pointing at the wrong cert.
    how can
     

Share This Page