ISPConfig3 Not Creating SSL in Web Domain->SSL Panel

Discussion in 'Installation/Configuration' started by bpmee, Oct 5, 2017.

  1. bpmee

    bpmee Member

    I enabled SSL and auto subdomain www. on my Website's configuration page.

    Then I clicked "SSL", filled in my information and clicked "Create Certificate".

    Waited 2-3 minutes, no certificate info listed on the page.

    Is there a permission problem or mis-configuration somewhere? Does the website SSL info have to *exactly* match ISPConfig SSL certificate info?

    Extra: Just need a CSR from web domain SSL page for Godaddy SSL.
    Last edited: Oct 5, 2017
  2. adamjedgar

    adamjedgar Member

    This isnt a solution to your problem...are you paying for the godaddy SSL certificate???

    If you are, stuff that and get a free one from Letsencrypt.
  3. ISPConfig Developer ISPConfig Developer

    If you want to have letsencrypt-certificate for free, don't touch the SSL-tab, just enable ssl and enable letsencrypt.

    The SSL tab usually works like this:
    you enter your details, and choose request certificate,
    you give this certificate request to someone you are paying too much money for high level secure certificate, he provides you
    with the cert which you then put in the other boxes and save/install.

    Edit: as adamjedgar stated, don't go for any authority who's owned or accompanied with Symantec at the moment, because of trust issues, google kicks their certs out of the browser, symantec sells the part of the company, who knows what'll happen
  4. bpmee

    bpmee Member

    Thanks very much for your reply. The problem is the SSL tab won't create a website CSR for me to submit to Godaddy. I've followed tutorials for creating SSL with Ispconfig3 and they all start with the simple process of adding info and clicking "create certificate". Nothing appears after I click "create certificate"!

    Yes, I'm aware of trust issues. Godaddy informed me they are correcting problems with old certificates if necessary. All new certificates are to standard.
  5. ISPConfig Developer ISPConfig Developer

    hmm just tried that, entering data up to country, choose create certificate on bottom, save, wait
    and uhm yeah, check your webdomains ssl/ folder for the needed files - should have updated that into the according fields but somehow fails
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    girthh and bpmee like this.
  7. ISPConfig Developer ISPConfig Developer

    he, interesting it works now as expected dunno why
    latest ispconfig, just did a perfect setup this morning
    might have been an issue of clicking too much around in website-tab, it requests changes everytime you switch tabs, it may have confused the schedule?
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    All changes are put into a log which is processed sequentially, so the processing part could not be the problem here. But what might have happened is that you created a cert, switched back to ssl tab immediately, waited (the background process saved the cert into the database fields), you then switched to another tab and that way you overwrote the cert in the database with an 'empty' cert. The cert in the website is not affected by that, so it shuld be included into the site and existed in the ssl folder anyway (unless you have chosen 'save certificate' in the action select box. Btw. auto save when switching tabs can be disabled under system > interface config, in case you don't like the defaultbehaviorr.
  9. ISPConfig Developer ISPConfig Developer

    oh I like the behaviour but it causes issues on rara circumstances which was likely exact what happened ;) issue sits on front of screen this time :D
  10. bpmee

    bpmee Member

    Hi Till,

    I followed the debugging process. Warnings were listed for symlinks. The SSL process could not complete.
    Note, I had to modify my links due to server partitioning. Everything has worked fine for months until now!

    Can this be edited in Server Config->Web->Wesite Path or Website Symlinks? Maybe change server security level to permit this operation?

    06.10.2017-12:40 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/random_file
    06.10.2017-12:40 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/openssl.conf
    06.10.2017-12:40 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/
  11. ISPConfig Developer ISPConfig Developer

    /usr/local/ispconfig/server/plugins-available/ starting from line 252 is using $app->system->functions like mkdir/file_get_contents which do have an unused param which would them to allow symlinked files to be altered, however it's not used so this would need to be modified.

    Other thing would be to change the path where the files really are in ... many configurations or you might succeed by temporarily changing the document_root for the given site in the database for the time of the operation.

    But you aswell might just create a ssl request for yourself ... uhm dunno, same issue might come with saving ssl cert using interface. You'd need to manually insert the ssl data in your web_domain table for that domain I guess, unless @till knows better since he's deeper into the code he's written.
  12. bpmee

    bpmee Member

    I checked Server Config-> Web for paths and directories. I remember updating these *after* creating some websites when I had to change partitions. Here are the current settings (remember, I updated to the following):

    Website basedir /home/www
    Website path /home/www/clients/client[client_id]/web[website_id]
    Website symlinks /home/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/

    Next I checked my problem website's document root: /var/www/clients/client1/web2
    Compared to a test site I created now: /home/www/clients/client1/web3

    SSL creation worked for! It seems the older site's document root needs to be changed. Or can I provide an alternate root for the old site in server config? (Should be in /home/www/clients/client1 dir like test site)
  13. ISPConfig Developer ISPConfig Developer

    check your
    document_root and php_open_basedir tuple in web_domain table in dbispconfig database, change that for ssl creation
  14. bpmee

    bpmee Member

    Thanks for the idea. Is it wise to manually edit IspConfig3 DB?
  15. ISPConfig Developer ISPConfig Developer

    probably not, but if you revert the change afterwards it should be fine
  16. bpmee

    bpmee Member

    Ok, will see if Till responds. There might be a ISPconfig change which could fix this.

    Otherwise, will backup and edit DB. I'm on a production server, have to be careful.
  17. bpmee

    bpmee Member

    Is there a way to change website's document root after it has been active for many months?

    See my replies below. It seems sites with my old /var/www/... root do NOT create SSLs. But the new ones under /home/www/... worked.
  18. ISPConfig Developer ISPConfig Developer

    honestly, I don't see an issue with tampering in the database in this case for the process of SSL creation.

    If you want to change it permantly you have to edit your /etc/passwd ( easy to guess what needs to be changed, search for the webx user and change the path accordingly )
    if you have cronjobs or other specific stuff set, you might want to peak into these tables aswell and spot any path if it exists.

    to let ISPConfig write the new vhost-file go to Tools -> Resync and check Websites
  19. bpmee

    bpmee Member

    I tried this now. It worked. Also re-synced websites.

    Will monitor the system closely to see if there are any problems. Do you recommend changing paths on php_openbase_dir in the DB? They are still the old /var/www. They seem to work fine, though.
  20. ISPConfig Developer ISPConfig Developer

    you can change php paths in ispconfig tab anyway, should do the proper actions to update all files aswell. I'd change them since symlinks can cause all sorts of issues, there have been some in the opcode cache in the past, not applicable to this case but who knows what's yet to come ;)
    bpmee likes this.

Share This Page