ISPConfig 3.1: Create Let's Encrypt certificate -> Apache crash

Discussion in 'Installation/Configuration' started by ewkilian, Oct 13, 2017.

  1. ewkilian

    ewkilian New Member

    Hello,
    I have created a Let's Encrypt certificate with ISPConfig, and then Apache crashed!

    I checked the config:
    [email protected]:/# apache2ctl configtest
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
    Syntax OK

    When I try to start apache2 (no problem, but it doesn't run):
    [email protected]:/# service apache2 start
    [email protected]:/#

    status :

    [email protected]:/# service apache2 status
    ● apache2.service - LSB: Apache2 web server
    Loaded: loaded (/etc/init.d/apache2)
    Drop-In: /lib/systemd/system/apache2.service.d
    └─forking.conf
    Active: inactive (dead) since Fri 2017-10-13 09:11:14 CEST; 24s ago
    Process: 9710 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
    Process: 25446 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
    Process: 9657 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)

    Oct 13 09:11:08 axesshost apache2[9657]: Starting web server: apache2AH00548: NameVirtualHost has no effect and will be removed in t....conf:69
    Oct 13 09:11:08 axesshost apache2[9657]: Action 'start' failed.
    Oct 13 09:11:08 axesshost apache2[9657]: The Apache error log may have more information.
    Oct 13 09:11:08 axesshost apache2[9657]: .
    Oct 13 09:11:08 axesshost systemd[1]: Started LSB: Apache2 web server.
    Oct 13 09:11:14 axesshost apache2[9710]: Stopping web server: apache2.
    Hint: Some lines were ellipsized, use -l to show in full.
    [email protected]:/#


    Can you help me please? It is very important (production server).
    Thank you
     
  2. ewkilian

    ewkilian New Member

    To start my apache2, I have moved:
    --> sites-available
    mv mydomain.vhost.err /tmp/
    mv mydomain.vhost.err /tmp/

    --> sites-enabled
    mv 100-mydomain.vhost /tmp/

    Now Apache is running.

    What can I do to return to a good situation with the website "mydomain"?
    Thank you
     
  3. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    I wonder why I only see one warning about NameVirtualHost, is the ssl module for that apache instance even enabled?
     
  4. ewkilian

    ewkilian New Member

    (Sorry, my English is very bad)
    Can you give me the command to see if the ssl module is active?
    At present, since I have moved the vhost “mydomain”, the other websites with HTTPS are running.
    Thanks for your help
     
  5. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    if other vhosts with ssl on the very same machine are running, it might not be the issue.
    another thing to check would be whether the created key-files are being created.
    check the vhost.conf for SSLCertificateFile, SSLCertificateKeyFile (and maybe / optional SSLCertificateChainFile) entries and verify the given file locations exist.

    What would happen if you follow the advice?
    there should be some infos about startup details which usually explains the issue.

    If not, you might need to disable SSL for that vhost and enable it again, before that maybe enable ispconfig debug-level logging to later see what is causing the issue.
     
  6. ewkilian

    ewkilian New Member

    I have that in the log :
    Code:
    [Fri Oct 13 08:59:03.960022 2017] [mpm_prefork:notice] [pid 8392] AH00169: caught SIGTERM, shutting down
    [ 2017-10-13 08:59:05.0805 1076/7fec62e9b740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '1074', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
    [ 2017-10-13 08:59:05.0835 1079/7fe3f9a79740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.1074/generation-0/request
    [ 2017-10-13 08:59:05.0888 1086/7f7e0e560780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.1074/generation-0/logging
    [ 2017-10-13 08:59:05.0890 1076/7fec62e9b740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    AH00016: Configuration Failed
    I am searching for the difference between the vhost and my backup vhost
     
  7. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    And if you set your LogLevel in apache2.conf to debug or even trace ?
     
  8. ewkilian

    ewkilian New Member

    The vhost file /etc/apache2/sites-available/mydomain is the same as the backup vhost file “mydomain”, but when I put the vhost file in sites-available/sites-enabled, Apache2 doesn't run. At present, I have moved the vhost file.
     
  9. ewkilian

    ewkilian New Member

    I am trying to change the log level of apache2
     
  10. ewkilian

    ewkilian New Member

    You can see the log with the max log level from apache2

    Code:
    [Fri Oct 13 15:49:23.657799 2017] [mpm_prefork:notice] [pid 30620] AH00169: caught SIGTERM, shutting down
    [ 2017-10-13 15:49:24.7595 19481/7fe40c203740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '19479', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
    [ 2017-10-13 15:49:24.7622 19484/7fe079fa6740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.19479/generation-0/request
    [ 2017-10-13 15:49:24.7679 19491/7fcb4cd85780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.19479/generation-0/logging
    [ 2017-10-13 15:49:24.7680 19481/7fe40c203740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    AH00016: Configuration Failed
    [ 2017-10-13 15:50:38.5147 20417/7fe1efbed740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '20415', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
    [ 2017-10-13 15:50:38.5175 20420/7f9b68843740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.20415/generation-0/request
    [ 2017-10-13 15:50:38.5230 20427/7fea62018780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.20415/generation-0/logging
    [ 2017-10-13 15:50:38.5232 20417/7fe1efbed740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    [Fri Oct 13 15:50:38.525099 2017] [ssl:warn] [pid 20415] AH01906: MyServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.525307 2017] [ssl:warn] [pid 20415] AH01906: MyServer:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.525339 2017] [ssl:error] [pid 20415] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=MyServer,OU=Informatique,O=Informatique,L=Bas-Rhin,ST=France,C=FR / issuer: CN=MyServer,OU=Informatique,O=Informatique,L=Bas-Rhin,ST=France,C=FR / serial: F1C96BE542F9C014 / notbefore: Nov 23 12:15:57 2016 GMT / notafter: Nov 21 12:15:57 2026 GMT]
    [Fri Oct 13 15:50:38.525342 2017] [ssl:error] [pid 20415] AH02567: Unable to configure certificate MyServer:8080:0 for stapling
    [Fri Oct 13 15:50:38.525507 2017] [ssl:warn] [pid 20415] AH01906: MyServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.525560 2017] [suexec:notice] [pid 20415] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Fri Oct 13 15:50:38.546824 2017] [auth_digest:notice] [pid 20437] AH01757: generating secret for digest authentication ...
    [Fri Oct 13 15:50:38.547270 2017] [:notice] [pid 20441] FastCGI: process manager initialized (pid 20441)
    [ 2017-10-13 15:50:38.5498 20443/7fd919f06740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '20437', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
    [ 2017-10-13 15:50:38.5525 20446/7f3afa731740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.20437/generation-0/request
    [ 2017-10-13 15:50:38.5582 20453/7fb38fe91780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.20437/generation-0/logging
    [ 2017-10-13 15:50:38.5583 20443/7fd919f06740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    [Fri Oct 13 15:50:38.576332 2017] [:error] [pid 20437] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
    [Fri Oct 13 15:50:38.576376 2017] [:error] [pid 20437] python_init: Python executable found '/usr/bin/python'.
    [Fri Oct 13 15:50:38.576379 2017] [:error] [pid 20437] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Fri Oct 13 15:50:38.576389 2017] [:notice] [pid 20437] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Fri Oct 13 15:50:38.576390 2017] [:notice] [pid 20437] mod_python: using mutex_directory /tmp
    [Fri Oct 13 15:50:38.583109 2017] [ssl:warn] [pid 20437] AH01906: MyServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.583301 2017] [ssl:warn] [pid 20437] AH01906: MyServer:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.583339 2017] [ssl:error] [pid 20437] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=MyServer,OU=Informatique,O=Informatique,L=Bas-Rhin,ST=France,C=FR / issuer: CN=MyServer,OU=Informatique,O=Informatique,L=Bas-Rhin,ST=France,C=FR / serial: F1C96BE542F9C014 / notbefore: Nov 23 12:15:57 2016 GMT / notafter: Nov 21 12:15:57 2026 GMT]
    [Fri Oct 13 15:50:38.583342 2017] [ssl:error] [pid 20437] AH02567: Unable to configure certificate MyServer:8080:0 for stapling
    [Fri Oct 13 15:50:38.583508 2017] [ssl:warn] [pid 20437] AH01906: MyServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 13 15:50:38.586239 2017] [mpm_prefork:notice] [pid 20437] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured -- resuming normal operations
    [Fri Oct 13 15:50:38.586253 2017] [core:notice] [pid 20437] AH00094: Command line: '/usr/sbin/apache2'
    
    I think that the origin of the problem is a certificate from a vhost in error (built with ISPConfig 3.1)… But I don't know what to search for.

    thanks for your help
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Apache will not start when an ssl cert that is used in a vhost does not exist. ispconfig tests for that when you save changes in a website. I guess: either you disabled the apache config tests in ispconfig or the ssl cert was removed manually. To fix your problem, create the ssl cert or disable ssl in that website in ISPConfig.
     
  12. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    hmm the only error I can see there is
    Code:
     ssl_stapling_init_cert: can't retrieve issuer certificate!
    Unable to configure certificate MyServer:8080:0 for stapling
    however I'm not quite sure right now if that's not a real issue like the python version mismatch, I think it'll be silently ignored as well so that's not the real issue - especially since I can't see any shutting down message in your last log.

    edit: try what @till said - he's usually right regarding ISPConfig behaviour ;)
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem with SSL issues in apache is that apache does not throw any errors, that's not ISPConfig specific btw. :). So when you see that apache can't be started but nothing in the log about a config error, then most likely an ssl cert is missing. And what is even worse, even an apache config check will tell you that there are no issues.
     
    ztk.me likes this.
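The check ztk.me and till describe above (confirm that every SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile path in a vhost really exists, since `apache2ctl configtest` can report "Syntax OK" anyway), as an added example that is not part of the original thread or of ISPConfig. The function names `check_vhost_ssl_files` and `demo` and the sample vhost are constructed for illustration; the script assumes absolute paths without spaces.

```shell
#!/bin/sh
# Added example (not ISPConfig code); assumes absolute paths without spaces.

# Print "STATUS vhost:line directive path" for every SSL file directive in the
# given vhost files; return 1 if any path is missing, empty or dangling.
check_vhost_ssl_files() {
    rc=0
    for vhost in "$@"; do
        [ -r "$vhost" ] || { echo "UNREADABLE $vhost"; rc=1; continue; }
        # awk emits "lineno directive path", skipping commented-out lines.
        found=$(awk '
            /^[ \t]*#/ { next }
            tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
                p = $2; gsub(/^"|"$/, "", p); print NR, $1, p
            }' "$vhost")
        while read -r lineno directive path; do
            [ -n "$lineno" ] || continue
            if [ -L "$path" ] && [ ! -e "$path" ]; then status=DANGLING
            elif [ ! -e "$path" ]; then status=MISSING
            elif [ ! -s "$path" ]; then status=EMPTY
            else status=OK
            fi
            [ "$status" = OK ] || rc=1
            echo "$status $vhost:$lineno $directive $path"
        done <<EOF
$found
EOF
    done
    return "$rc"
}

# Constructed sample: cert.pem is a Let's Encrypt-style symlink whose target is
# gone, privkey.pem was never written, chain.pem is present.
demo() {
    d=$(mktemp -d) || return 2
    echo "constructed chain" > "$d/chain.pem"
    ln -s "$d/archive/cert1.pem" "$d/cert.pem"
    cat > "$d/100-example.vhost" <<EOF
<VirtualHost *:443>
    SSLCertificateFile $d/cert.pem
    SSLCertificateKeyFile $d/privkey.pem
    SSLCertificateChainFile "$d/chain.pem"
    # SSLCertificateFile /old/ignored.pem
</VirtualHost>
EOF
    r=0; check_vhost_ssl_files "$d/100-example.vhost" || r=$?
    rm -rf "$d"; return "$r"
}
if [ "$#" -gt 0 ]; then check_vhost_ssl_files "$@"; else demo || true; fi
```

Run it with the vhost files as arguments, for example `/etc/apache2/sites-enabled/*.vhost`; without arguments it runs against the constructed sample. Files under `/etc/letsencrypt/live/` are symlinks into `archive/`, which is why a dangling link is reported separately from a plain missing file.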
  14. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    yeah I stumbled across that from time to time but usually uhm actually dunno what the log said, I knew what I was doing before and simply guessed what's wrong ^^
     
  15. ewkilian

    ewkilian New Member

    For this website, I have a file on the path /etc/letsencrypt/renewal : mydomain.conf

    Code:
    # renew_before_expiry = 30 days
    version = 0.10.2
    archive_dir = /etc/letsencrypt/archive/mydomain.com
    cert = /etc/letsencrypt/live/mydomain.com/cert.pem
    privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
    chain = /etc/letsencrypt/live/mydomain.com/chain.pem
    fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = xxxxxxxxxxxxxxxxxafcf189f33301b
    server = https://acme-v01.api.letsencrypt.org/directory
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
    www.mydomain.com = /usr/local/ispconfig/interface/acme
    mydomain.com = /usr/local/ispconfig/interface/acme
    In the live path I can see the certificate, so I think that the certificate exists.
    And in the path /var/www/mydomain.com/SSL, I can see mydomain.crt, mydomain.bundle, mydomain.csr.

    But in ISPConfig, under Web domain -> Site -> SSL, the SSL Key, SSL Certificate and SSL Bundle inputs are empty.
    What can I do with the action "create", "save", "delete"?

    What do you think? What is the way to investigate this problem?

    Thank you for your help.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    That's exactly as it has to be. These fields are for manually created SSL certs and not for Letsencrypt certs.
     
  17. ewkilian

    ewkilian New Member

    OK, then what is the method to create a certificate with Let's Encrypt?
    Just enable the SSL and Let's Encrypt checkboxes?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    yes. and in case that the checkboxes get unchecked after a minute or two, then take a look at the lets encrypt faq post here in the forum to find the reason why.
     
  19. ewkilian

    ewkilian New Member

    OK, thank you for your help. Now how can I delete all SSL certificates for this website? What can I delete?
    Thank you
     
