How To ISP Server setup with Ubuntu 5.10 (Breezy Badger)

Discussion in 'HOWTO-Related Questions' started by gymsmoke, Mar 27, 2006.

  1. gymsmoke

    gymsmoke New Member

    I followed all of the steps here very carefully, save one. I went through the ispconfig installation with "standard" rather than "expert" mode. I'm hoping that this is the solution to the problem I'm having. Everything in the How To went very smoothly.
    At the end. Since this is a test environment, the system has a hostname, but is set up as localhost.localdomain. After the completion of the install, I went to
    "https://my_ip_address:81", and got this message (Firefox 1.5):
    "Could not establish an encrypted connection because certificate presented by 'my_ip_address' is invalid or corrupted. Error code: -8182 ..."

    Any input to this would be greatly appreciated. I'm sure I followed every step here quite carefully (with the noted exception above). This is my first server install, so I was really quite pleased with the progress I had made until this.
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  3. gymsmoke

    gymsmoke New Member

    falko~
    Thank you for the reply. That certainly helped. The keys now show up in the directory where they should have shown up before (although for some reason I don't recall doing the steps you outlined as part of the how-to)...
    Now, whether I use https://my_ip_address:81 or http , I get
    "The connection was refused when attempting to contact my_ip_address:81"
    the box is alive, and it can be ping-ed...
    the logs don't have any strange entries in them, so according to the installation and setup, everything "looks" as though it went fine.

    I appreciate your feedback.
     
  4. gymsmoke

    gymsmoke New Member

    Falko~
    I went back through all of my notes on the installation and found one deviation that I made - it seems relatively minor, but I'm wondering if this has anything to do with the problem of not being able to connect...
    When installing ispconfig, I didn't choose "expert" mode. So, apache2 sees the doc root in /var/www , while ispconfig sees it in its default, which I believe is /home/www ...
    /home/www is empty, and /var/www contains: apache2-default sharedip webalizer

    Could this be the problem ?
     
  5. gymsmoke

    gymsmoke New Member

    Falko~
    ok... more good news. If I access the site by ip address (port 80), I get a directory listing as above (apache2-default sharedip webalizer). If I select apache2-default, I get the expected Apache default index.html . If I select sharedip, I get this:
    "SharedIP"
    This IP address is shared. For access to the web site which you look for, enter its address instead of its IP.
    For questions or problems please contact the server administrator.
    --------------------------------------
    powered by ISPConfig

    So, apparently I can see the server and at least get to the default page(s)...

    It feels like a config problem to me.
     
  6. Parcye

    Parcye New Member

    I am stuck in the same position. I have done a re-install, but still get stuck in the same position.

    If I use lynx to view ispconfig on the ispconfig machine, I get what I want to see.
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    The original certificate was generated during the ISPConfig installation. I guess you entered wrong values there.

    Please post the output of
    Code:
    netstat -tap
    Also make sure that no firewall blocks port 81.
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Then I guess it's a firewall problem. Make sure your firewall doesn't block port 81.
    Is your ISPConfig system inside a LAN, and you're trying to access it from the outside? Then the problem could be that some providers block port 81.
     
  9. gymsmoke

    gymsmoke New Member

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost.localdo:mysql *:* LISTEN 7901/mysqld
    tcp 0 0 *:ftp *:* LISTEN 14588/proftpd: (acc
    tcp 0 0 216.215.55.21:domain *:* LISTEN 14574/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 14574/named
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 14574/named
    tcp 0 0 *:smtp *:* LISTEN 14544/master
    tcp6 0 0 *:imaps *:* LISTEN 9520/couriertcpd
    tcp6 0 0 *:pop3s *:* LISTEN 9423/couriertcpd
    tcp6 0 0 *:pop3 *:* LISTEN 9360/couriertcpd
    tcp6 0 0 *:imap2 *:* LISTEN 9465/couriertcpd
    tcp6 0 0 *:www *:* LISTEN 22114/apache2
    tcp6 0 0 *:ssh *:* LISTEN 6915/sshd
    tcp6 0 0 ip6-localhost:953 *:* LISTEN 14574/named
    tcp6 0 0 *:https *:* LISTEN 22114/apache2
    tcp6 0 352 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50709 ESTABLISHED21892/sshd: gymsmoke
     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    ISPConfig isn't running at all. Please start it:
    Code:
    /etc/init.d/ispconfig_server start
     
  11. gymsmoke

    gymsmoke New Member

    root@viperidae:/etc/apache2/sites-available# /etc/init.d/ispconfig_server start
    Starting ISPConfig system...
    /root/ispconfig/httpd/bin/apachectl startssl: httpd started
    FreshClam is already running!
    ISPConfig system is now up and running!


    Ok... ispconfig is up and running... here is the re-do of netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost.localdo:mysql *:* LISTEN 7901/mysqld
    tcp 0 0 *:ftp *:* LISTEN 3550/proftpd: (acce
    tcp 0 0 216.215.55.21:domain *:* LISTEN 3536/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 3536/named
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 3536/named
    tcp 0 0 *:smtp *:* LISTEN 3506/master
    tcp6 0 0 *:imaps *:* LISTEN 9520/couriertcpd
    tcp6 0 0 *:pop3s *:* LISTEN 9423/couriertcpd
    tcp6 0 0 *:pop3 *:* LISTEN 9360/couriertcpd
    tcp6 0 0 *:imap2 *:* LISTEN 9465/couriertcpd
    tcp6 0 0 *:www *:* LISTEN 3409/apache2
    tcp6 0 0 *:ssh *:* LISTEN 6915/sshd
    tcp6 0 0 ip6-localhost:953 *:* LISTEN 3536/named
    tcp6 0 0 *:https *:* LISTEN 3409/apache2
    tcp6 0 448 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50709 ESTABLISHED21892/sshd: gymsmok

    Using Firefox 1.5 on Ubuntu 5.10, I go to https://216.215.55.21:81 , and get this:
    Unable to connect
    Firefox can't establish a connection to the server at 216.215.55.21:81.
    * The site could be temporarily unavailable or too busy. Try again in a few
    moments.
    * If you are unable to load any pages, check your computer's network
    connection.
    * If your computer or network is protected by a firewall or proxy, make sure
    that Firefox is permitted to access the Web.

    There is no firewall on the box running ispconfig.
    I'm running firestarter locally and have allowed incoming connections from this box.
     
  12. gymsmoke

    gymsmoke New Member

    I tried the other suggestion of using lynx on the local machine to access the page as:
    root@viperidae:/etc/apache2/sites-available# lynx https://216.215.55.21:81
    Looking up 216.215.55.21:81
    Making HTTPS connection to 216.215.55.21:81
    Alert!: Unable to connect to remote host.

    lynx: Can't access startfile https://216.215.55.21:81/
    And again as:
    root@viperidae:/etc/apache2/sites-available# lynx https://127.0.0.1:81

    Looking up 127.0.0.1:81
    Making HTTPS connection to 127.0.0.1:81
    Alert!: Unable to connect to remote host.

    lynx: Can't access startfile https://127.0.0.1:81/

    I hope this doesn't sound too n00b-ish, but, as I said in an earlier post, this machine is set up as localhost.localdomain ...
    Does ispconfig need to have a public domain in order for it to work at all?
     
  13. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    It seems as if ISPConfig doesn't start for some reason. Can you find errors in /root/ispconfig/httpd/logs?
     
  14. gymsmoke

    gymsmoke New Member

    Yes, there are...
    error_log:
    [Wed Mar 29 05:23:58 2006] [warn] pid file /root/ispconfig/httpd/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
    [Wed Mar 29 05:23:58 2006] [error] mod_ssl: Init: (localhost.localdomain:81) Unable to configure RSA server private key (OpenSSL library error follows)
    [Wed Mar 29 05:23:58 2006] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    ssl_engine_log:
    [29/Mar/2006 05:23:57 07298] [info] Server: Apache/1.3.34, Interface: mod_ssl/2.8.25, Library: OpenSSL/0.9.8a
    [29/Mar/2006 05:23:57 07298] [info] Init: 1st startup round (still not detached)
    [29/Mar/2006 05:23:57 07298] [info] Init: Initializing OpenSSL library
    [29/Mar/2006 05:23:57 07298] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:81
    [29/Mar/2006 05:23:57 07298] [info] Init: Seeding PRNG with 136 bytes of entropy
    [29/Mar/2006 05:23:57 07298] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [29/Mar/2006 05:23:58 07298] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [29/Mar/2006 05:23:58 07299] [info] Init: 2nd startup round (already detached)
    [29/Mar/2006 05:23:58 07299] [info] Init: Reinitializing OpenSSL library
    [29/Mar/2006 05:23:58 07299] [info] Init: Seeding PRNG with 136 bytes of entropy
    [29/Mar/2006 05:23:58 07299] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [29/Mar/2006 05:23:58 07299] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [29/Mar/2006 05:23:58 07299] [info] Init: Initializing (virtual) servers for SSL
    [29/Mar/2006 05:23:58 07299] [info] Init: Configuring server localhost.localdomain:81 for SSL protocol
    [29/Mar/2006 05:23:58 07299] [warn] Init: (localhost.localdomain:81) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [29/Mar/2006 05:23:58 07299] [warn] Init: (localhost.localdomain:81) RSA server certificate CommonName (CN) `gymsmoke' does NOT match server name!?
    [29/Mar/2006 05:23:58 07299] [error] Init: (localhost.localdomain:81) Unable to configure RSA server private key (OpenSSL library error follows)
    [29/Mar/2006 05:23:58 07299] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    Obviously, I borked something up generating the keys... But I didn't see anything here that indicated an error on generating them...
     
  15. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I guess you entered something wrong when you created the new certificate. Create another one and accept the default values.
     
  16. gymsmoke

    gymsmoke New Member

    falko~
    Okay. Here's what I did...
    root@viperidae:/# openssl genrsa -des3 -passout pass:xXxXxX -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
    Generating RSA private key, 1024 bit long modulus
    ..................++++++
    .........................................................++++++
    e is 65537 (0x10001)
    root@viperidae:/#

    root@viperidae:/# openssl req -new -passin pass:xXxXxX -passout pass:xXxXxX -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    root@viperidae:/#

    root@viperidae:/# openssl req -x509 -passin pass:xXxXxX -passout pass:xXxXxX -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
    root@viperidae:/#

    root@viperidae:/# openssl rsa -passin pass:xXxXxX -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
    writing RSA key
    root@viperidae:/#

    root@viperidae:/# chmod 400 /root/ispconfig/httpd/conf/ssl.key/server.key
    root@viperidae:/#

    root@viperidae:/root/ispconfig/httpd/logs# cat /dev/null > ./error_log
    root@viperidae:/root/ispconfig/httpd/logs# cat /dev/null > ./ssl_engine_log
    root@viperidae:/root/ispconfig/httpd/logs# /etc/init.d/ispconfig_server restart
    Shutting down ISPConfig system...
    /root/ispconfig/httpd/bin/apachectl stop: httpd stopped
    ISPConfig system stopped!
    Starting ISPConfig system...
    /root/ispconfig/httpd/bin/apachectl startssl: httpd started
    ISPConfig system is now up and running!

    root@viperidae:/root/ispconfig/httpd/logs# more error_log
    [Wed Mar 29 12:21:37 2006] [notice] caught SIGTERM, shutting down
    [Wed Mar 29 12:21:44 2006] [notice] Apache/1.3.34 (Unix) PHP/5.1.2 mod_ssl/2.8.25 OpenSSL/0.9.8a configured -- resuming normal operations
    [Wed Mar 29 12:21:44 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)

    root@viperidae:/root/ispconfig/httpd/logs# more ssl_engine_log
    [29/Mar/2006 12:21:43 13272] [info] Server: Apache/1.3.34, Interface: mod_ssl/2.8.25, Library: OpenSSL/0.9.8a
    [29/Mar/2006 12:21:43 13272] [info] Init: 1st startup round (still not detached)
    [29/Mar/2006 12:21:43 13272] [info] Init: Initializing OpenSSL library
    [29/Mar/2006 12:21:43 13272] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:81
    [29/Mar/2006 12:21:43 13272] [info] Init: Seeding PRNG with 136 bytes of entropy
    [29/Mar/2006 12:21:43 13272] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [29/Mar/2006 12:21:43 13272] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [29/Mar/2006 12:21:44 13273] [info] Init: 2nd startup round (already detached)
    [29/Mar/2006 12:21:44 13273] [info] Init: Reinitializing OpenSSL library
    [29/Mar/2006 12:21:44 13273] [info] Init: Seeding PRNG with 136 bytes of entropy
    [29/Mar/2006 12:21:44 13273] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [29/Mar/2006 12:21:44 13273] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [29/Mar/2006 12:21:44 13273] [info] Init: Initializing (virtual) servers for SSL
    [29/Mar/2006 12:21:44 13273] [info] Init: Configuring server localhost.localdomain:81 for SSL protocol
    [29/Mar/2006 12:21:44 13273] [warn] Init: (localhost.localdomain:81) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    root@viperidae:/# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost.localdo:mysql *:* LISTEN 7098/mysqld
    tcp 0 0 *:81 *:* LISTEN 13273/ispconfig_htt
    tcp 0 0 *:ftp *:* LISTEN 13448/proftpd: (acc
    tcp 0 0 216.215.55.21:domain *:* LISTEN 13434/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 13434/named
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 13434/named
    tcp 0 0 *:smtp *:* LISTEN 13404/master
    tcp6 0 0 *:imaps *:* LISTEN 7008/couriertcpd
    tcp6 0 0 *:pop3s *:* LISTEN 7043/couriertcpd
    tcp6 0 0 *:pop3 *:* LISTEN 7023/couriertcpd
    tcp6 0 0 *:imap2 *:* LISTEN 6988/couriertcpd
    tcp6 0 0 *:www *:* LISTEN 13309/apache2
    tcp6 0 0 *:ssh *:* LISTEN 7238/sshd
    tcp6 0 0 ip6-localhost:953 *:* LISTEN 13434/named
    tcp6 0 0 *:https *:* LISTEN 13309/apache2
    tcp6 0 0 ::ffff:216.215.55.2:ssh ::ffff:209.208.34:50022 ESTABLISHED7537/sshd: gymsmoke

    lynx https://216.215.55.21:81
    SSL error:Can't find common name in certificate-Continue? (y) y

    [login_logo.png]
    Here you can log in:
    Username: ____________________
    Password: ____________________
    Login
    (a message comes up saying "Location URL is not absolute") and then an Invalid username... (I don't know what to use here to login initially) ...

    Looks like I'm a step closer, since Lynx (local machine) can access this. I still get "Operation timed out when attempting to contact 216.215.55.21" from the remote laptop...

    However - Woot!!! After asking me 3 or 4 times to accept a certificate (I tried permanent, but Firefox 1.5 on Ubuntu wouldn't allow that so I took "for this session")... I got the ispconfig Login Screen!!!!!
    How do I login initially? And, even more importantly, how do I set the certificates up so they are more applicable than just having all "blanks" and defaults?
     
  17. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Username admin, password: admin.

    By using other values during the certificate creation. The "Common Name" is your URL (e.g. www.example.com), not your name.
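
Added example (not part of the thread and not ISPConfig's own code): the "key values mismatch" error from post 14 and the Common Name advice in the post above can both be checked before the server is restarted. It assumes an `openssl` binary on the PATH; the host name `www.example.com`, the scratch directory and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; host name, paths and function names are constructed.

# make_pair DIR HOST: self-signed DIR/server.key + DIR/server.crt with HOST as
# CN and SAN, marked non-CA. RSA 2048 is this example's choice of key size.
make_pair() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
    ( umask 077   # private key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/req.cnf" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# pair_matches CRT KEY: true only if CRT carries KEY's public key. When this
# is false, mod_ssl logs "X509_check_private_key:key values mismatch".
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CRT: print the subject Common Name (empty if it was left blank).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# is_ca CRT: true if BasicConstraints says CA:TRUE (the mod_ssl warning).
is_ca() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# preflight CRT KEY HOST: print one verdict. Exit status 0 = clean,
# 1 = server will refuse to start, 3 or 4 = warning only.
preflight() {
    pair_matches "$1" "$2" || { echo "FAIL key unreadable or not for this cert"; return 1; }
    [ "$(cert_cn "$1")" = "$3" ] || { echo "WARN CN is not $3"; return 3; }
    is_ca "$1" && { echo "WARN CA certificate"; return 4; }
    echo "OK"
}

# Demo on constructed material in a scratch directory.
demo() {
    d=$(mktemp -d) && mkdir "$d/a" "$d/b" || return 1
    make_pair "$d/a" www.example.com && make_pair "$d/b" www.example.com || return 1
    preflight "$d/a/server.crt" "$d/a/server.key" www.example.com || :
    preflight "$d/a/server.crt" "$d/b/server.key" www.example.com || :  # other run's key
    preflight "$d/a/server.crt" "$d/a/server.key" localhost.localdomain || :
    rm -rf "$d"
}
demo
```

Running `preflight` against the real `server.crt` and `server.key` before the restart reports a mismatched pair without having to read it back out of `error_log`.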
     
  18. gymsmoke

    gymsmoke New Member

    I'm becoming more convinced that this really needs a public domain to act properly.
    The certs are a little out of whack, but, after logging in, I notice that the status icons and graphics don't show up, and when selecting 'log out' I get this error:
    Unable to connect
    Firefox can't establish a connection to the server at localhost.localdomain:81.

    * The site could be temporarily unavailable or too busy. Try again in a few
    moments.

    * If you are unable to load any pages, check your computer's network
    connection.

    * If your computer or network is protected by a firewall or proxy, make sure
    that Firefox is permitted to access the Web.
     
  19. gymsmoke

    gymsmoke New Member

    Also, from anywhere within ISPConfig, if you click the select-able links (which check the local system), they all give a 404 error, along with an error that "localhost.localdomain" cannot be reached.

    Can you please tell me if this needs to be installed in a publicly registered domain in order to test it? I'm getting a little frustrated wasting my time with this.

    If it has to be tested in a "live" environment, I need to know it so that I can make arrangements to try it out, or just dump it from the server and only test the Ubuntu server characteristics/packages
     
  20. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You will have to use a domain other than localhost. The problem with localhost.localdomain is that it always points to the local computer. This means if your Firefox runs on another PC, localhost for Firefox is its own PC, not your server.
     
