https on new v3 port 8080

Discussion in 'Developers' Forum' started by tom88, Oct 13, 2008.

  1. tom88

    tom88 New Member

    Installed ISPConfig v3.0.0.7 and noticed that access to the admin interface was clear text.
    Wanting SSL, I did some research and came up with the following quick how-to.
    I'm using Ubuntu 8.04 and had followed falko's perfect install... yeah, I now read I shouldn't have, but I didn't know at the time that v3beta didn't want this :).
    It seems to be working... had to change out proftpd for pureftp etc.
    Anyway, the steps I used to get the admin interface to be on https were:
    mkdir /etc/apache2/ssl
    cd /etc/apache2/ssl
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key
    a2enmod ssl
    vi /etc/apache2/sites-available/ispconfig.vhost
    Insert the following near the top:
    <VirtualHost _default_:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /usr/local/ispconfig/interface/web/

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    restart apache2
    /etc/init.d/apache2 restart
    https://myispconfig.ipaddress:8080
     
  2. vogelor

    vogelor ISPConfig Developer

    attention

    If you are doing an update, then the "default" vhost file overrides the old one. To avoid this, do not change the ispconfig.vhost but create your OWN file (with a different name). Do this inside sites-available. Then CHANGE the soft link inside the sites-enabled directory (to link to YOUR file instead of the default one).

    The update.php script overrides the ispconfig FILE but NEVER the soft link. So after an update, the FILE is overridden, but not the link (pointing to YOUR file).

    hope it is clear, what i mean. if not - ask!

    Olli
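
The link arrangement described in the post above, as an added example that is not part of the original thread or of ISPConfig: it copies the stock vhost to a custom file and repoints the sites-enabled link at it. The function name and the custom file name `ispconfig-ssl.vhost` are assumptions; the default directory is the Debian/Ubuntu layout used in the how-to.

```shell
#!/bin/sh
# Added example (not from the thread): keep a customised ISPConfig vhost
# out of the way of update.php, which rewrites ispconfig.vhost but not the link.
# $1 = Apache config directory, $2 = custom vhost file name (both assumptions).
use_custom_vhost() {
    apache_dir=${1:-/etc/apache2}
    custom=${2:-ispconfig-ssl.vhost}
    avail="$apache_dir/sites-available"
    enabled="$apache_dir/sites-enabled"

    # Start the custom file as a copy of the stock one, unless it already exists.
    if [ ! -e "$avail/$custom" ]; then
        cp -p "$avail/ispconfig.vhost" "$avail/$custom" || return 1
    fi

    # Find the enabled link that points at the stock file and repoint it.
    for link in "$enabled"/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            */ispconfig.vhost|ispconfig.vhost)
                ln -sfn "$avail/$custom" "$link" || return 1
                echo "$link"          # report which link was changed
                return 0 ;;
        esac
    done
    echo "no sites-enabled link to ispconfig.vhost found" >&2
    return 1
}
```

SSL directives then go into the custom file, and `ls -l` on sites-enabled after an update shows whether the link still points at it.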
     
  3. bazza

    bazza New Member

    SSL Enforced

    Thanks for the above info. Personally I think https should be the default for a connection to a control panel. I think this could be done in an htaccess file but I'm new to ISPC3 and I need to have a poke around to see why it's configured the way it is before I start bending it.
     
  4. Master One

    Master One New Member

    I guess the described method is still the only valid way to do it, right?

    I also think, that ISPConfig should only be accessible by https, the same goes for phpmyadmin and webmail.
     
  5. TokyNET

    TokyNET New Member

    Is this still the way to do this? I ask because all of this is already in my conf file (or maybe I'm not clear whether that is "add the following AFTER these lines"...)

    Code:
    <VirtualHost _default_:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /usr/local/ispconfig/interface/web/
    So, this is the top of my ispconfig.vhost file, please tell me what and where I should add what you mentioned in the "how-to".

    Code:
    <VirtualHost _default_:8080>
    ServerAdmin webmaster@localhost
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options Indexes FollowSymLinks MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          AddHandler fcgid-script .php
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Order allow,deny
          Allow from all
        </Directory>
      </IfModule>
    
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
          php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
    </VirtualHost>

    Besides that, now I get this from apache when I try to start it:
    Code:
    [root@cornpops ~]# /etc/init.d/httpd start
    Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
    no listening sockets available, shutting down
    Unable to open logs
                                                               [FAILED]
    
    Thanks for any assistance in this matter.
     
  6. TokyNET

    TokyNET New Member

    BTW, this is the output of netstat -an, oddly enough, there is nothing listening on 80 or 443....

    Code:
    netstat -an | grep LISTEN | grep -v ACC
    tcp        0      0 XX.XX.189.148:53           0.0.0.0:*                   LISTEN
    tcp        0      0 XX.XXX.189.123:53           0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
    tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN
    tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN
    tcp        0      0 ::1:53                      :::*                        LISTEN
    tcp        0      0 :::21                       :::*                        LISTEN
    tcp        0      0 :::22                       :::*                        LISTEN
    tcp        0      0 :::993                      :::*                        LISTEN
    tcp        0      0 :::995                      :::*                        LISTEN
    tcp        0      0 :::110                      :::*                        LISTEN
    tcp        0      0 :::143                      :::*                        LISTEN
    
     
    Last edited: Jun 27, 2009
  7. TokyNET

    TokyNET New Member

    Since it seems I'm the only one reading this post.

    I found my problem for apache not starting...

    I had installed mod_ssl through yum...and it started to conflict with something that was already installed for ssl, although I have NFI of what can be providing ssl to apache if not mod_ssl... so anyways, I uninstalled the mod_ssl that I installed through yum and that was it. Now apache starts again.

    However, I still don't have ssl enabled anywhere...This is really upsetting. I'm not sure what the major malfunction is. I don't seem to find any meaningful errors from apache when I try to access anything https on my server.

    I have not dealt with apache besides getting it up and running...(and usually it just comes up with ssl working).

    It seems to me that THIS ISSUE is a great candidate for a good How-to.
    (If I do figure it out, I will post my steps here)

    My previous questions still stand.
     
  8. bazza

    bazza New Member

    Assuming you have ISPCONFIG installed correctly just do as it says.
    The first part of the howto deals with generating a key pair using OPENSSL and loading the apache mod ssl.

    Then edit your conf file so that the beginning of it looks the same as the howto.
     
  9. TokyNET

    TokyNET New Member

    Did you read and see what I pasted?

    Assumption correct, however your post does not help the situation...

    Besides changing the path (changing /etc/apache2/ to /etc/httpd/)
    I have installed a bunch of apps and have had to create crazy ssh-tunnels to be able to log in to the control panels since I won't log in in plain text to them.

    So, when I put in the content mentioned above, it fails miserably... meaning that apache won't start at all...

    Also the line with "a2enmod ssl" won't run at all...

    Thanks in advance for any help.


    Edit: "a2enmod" seems to be for debian based systems...
     
    Last edited: Jun 28, 2009
  10. vogelor

    vogelor ISPConfig Developer

    If your apache will not restart, it is in most cases because of a damaged ssl-certificate (the private key and the public key do not correspond together). So try to comment out the ssl section in the vhost file and restart the apache2. If this works, try regenerating your ssl-files (for me, this works fine!)

    Olli
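
A way to test the key/certificate correspondence described above before restarting Apache, as an added example that is not part of the original thread: it compares the public key in the certificate with the one derived from the private key, and checks that the key file is not readable by group or others, which matters because the how-to leaves `server.key` without a passphrase. The function names are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the files named in
# SSLCertificateFile / SSLCertificateKeyFile.

# Exit 0 if certificate $1 and private key $2 share the same public key,
# 1 if they differ, 2 if either file cannot be parsed (for instance a key that
# still carries a passphrase; "-passin pass:" makes openssl fail, not prompt).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if group and others have no permission bits on the key file.
# Characters 5-10 of the ls mode string are the group/other bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on one pair; returns non-zero if any check fails.
# Usage: check_pair /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key
check_pair() {
    rc=0
    if cert_matches_key "$1" "$2"; then
        echo "OK:   $2 matches $1"
    else
        echo "FAIL: $2 does not match $1, or one of them cannot be read"
        rc=1
    fi
    if key_is_private "$2"; then
        echo "OK:   $2 is not readable by group or others"
    else
        echo "FAIL: $2 is readable by group or others (chmod 600)"
        rc=1
    fi
    return $rc
}
```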
     
  11. bazza

    bazza New Member

    When I find someone asking for help in a thread about a howto written for Ubuntu I naturally assume that person is running Ubuntu or Debian or another Debian derivative. However, now that you have stated that you have been changing apache2 to read httpd, you are probably running CentOS or Fedora, and those distros store the keys in a different location: /etc/pki/, not /etc/apache2/ssl. If you read /etc/httpd/conf.d/ssl.conf you will find out exactly where your httpd expects to find the keys.
     
  12. TokyNET

    TokyNET New Member

    Thanks for the reply, I'm looking at this thread since this is the only one I've found that had a "how-to" to get ssl working on the control panel. I, however, have no ssl.conf on /etc/http/conf.d (or under any directory under /etc/http/ )

    So, it looks like that is part of my problem. Also, like I mentioned before, I'm not sure where I'm supposed to add the content stated in this how-to about the ispconfig.vhost. I have pasted my vhost file.

    I have added the extra lines in a bunch of places and it does not work (only 1 at a time though). This is what I get when I have the lines enabled in my conf:

    Code:
    |root@cornpops|____|Tue Jul 07|____|19:44:50|____| jobs:0/pts:1/users:2/sites-available/ 
    # -->/etc/init.d/httpd start
    Starting httpd: Syntax error on line 14 of /etc/httpd/conf/sites-enabled/000-ispconfig.vhost:
    Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
                                                               [FAILED]
    
    This is the current state of my ispconfig.vhost:
    Code:
    Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
    ServerAdmin webmaster@localhost
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        SSLEngine On
        SSLCertificateFile /etc/httpd/ssl/server.crt
        SSLCertificateKeyFile /etc/httpd/ssl/server.key
        <Directory /var/www/ispconfig/>
          Options Indexes FollowSymLinks MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          AddHandler fcgid-script .php
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Order allow,deny
          Allow from all
        </Directory>
      </IfModule>
    
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
          php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
          php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
    </VirtualHost>
    
    <Directory /var/www/php-cgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <Directory /var/www/php-fcgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    I will look into creating the ssl.conf file, but that error when I try to start apache when the conf file is edited makes me believe that even once I get the file created, it's not going to work.
     
    Last edited: Jul 8, 2009
  13. TokyNET

    TokyNET New Member

    I got it working!!!!!!!!!!!!!!

    It turns out that I did have the ssl.conf file (I was looking on a diff server when I was not able to find ssl.conf before... :rolleyes: )

    So, my problem was that there were duplicate directives on httpd.conf and ssl.conf, so httpd.conf would load mod_ssl and then ssl.conf would try to do the same (the same with the listening port)

    All I had to do was to fix the path on ssl.conf (for where it expected to find the certs to the one I created while doing this how-to) and comment out the duplicate directives ( I opted to comment out on httpd.conf anything that had to do with ssl and leave ssl.conf as the ruler of all ssl-related configs)

    Now I have https on control-panel!!!!

    Thanks for the how-to and my apologies if I seemed like an ass... I just get upset when I see replies to questions that do not really help the situation (not only when it's on questions posted by me... :eek: )
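
The two failures seen in this thread, a directive declared in both httpd.conf and ssl.conf and `SSLEngine` used without mod_ssl loaded, can be spotted by scanning the config files, as in this added example (not part of the original thread; the function names are assumptions). Listen entries are compared by port only, so two different addresses on the same port are also reported and need a manual look.

```shell
#!/bin/sh
# Added example (not from the thread). Pass the config files explicitly,
# e.g. /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf; Include lines are
# not followed.

# Print every Listen port and LoadModule name declared more than once,
# with the file:line of each occurrence.
find_duplicate_directives() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            d = tolower($1)
            if (d == "listen") {
                port = $2
                sub(/^.*:/, "", port)            # 0.0.0.0:443 and [::]:443 -> 443
                key = "Listen " port
            } else if (d == "loadmodule") {
                key = "LoadModule " $2
            } else {
                next
            }
            count[key]++
            where[key] = where[key] " " FILENAME ":" FNR
        }
        END {
            for (k in count)
                if (count[k] > 1) print k " ->" where[k]
        }
    ' "$@" | sort
}

# Exit 0 when SSLEngine is used but none of the files loads ssl_module,
# the state that produces "Invalid command 'SSLEngine'" at startup.
ssl_module_missing() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "sslengine" { used = 1 }
        tolower($1) == "loadmodule" && $2 == "ssl_module" { loaded = 1 }
        END { exit !(used && !loaded) }
    ' "$@"
}
```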
     
  14. bazza

    bazza New Member

    Glad to hear you've got it working.

    There's an old saying that goes 'ask a stupid question and you'll get a stupid answer'.

    Next time you feel yourself getting upset check your question before you start venting your frustration on people who are trying to help you.
     
