Monit and ispconfig3.2

Discussion in 'Installation/Configuration' started by francoisPE, Oct 30, 2020.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    my conf ispc3.2, ubuntu 18.04, 2 servers
    I talk about Monit issue in another post but was not appropriate forum.
    I figure out the concern.
    Monit stop due to :
    "
    [email protected]:/etc/monit# service monit status
    ● monit.service - LSB: service and resource monitoring daemon
    Loaded: loaded (/etc/init.d/monit; generated)
    Active: failed (Result: exit-code) since Wed 2020-10-28 23:21:58 CET; 1 day 16h ago
    Docs: man:systemd-sysv-generator(8)
    Process: 28570 ExecStop=/etc/init.d/monit stop (code=exited, status=0/SUCCESS)
    Process: 28577 ExecStart=/etc/init.d/monit start (code=exited, status=1/FAILURE)

    Oct 28 23:21:58 serv1.domain.fr systemd[1]: Starting LSB: service and resource monitoring daemon...
    Oct 28 23:21:58 serv1.domain.fr monit[28577]: * Starting daemon monitor monit
    Oct 28 23:21:58 serv1.domain.fr monit[28577]: The SSL server PEM file '/etc/ssl/private/pure-ftpd.pem' permission 0750 is wrong, ma
    Oct 28 23:21:58 serv1.domain.fr monit[28577]: /etc/monit/monitrc:11: SSL server PEM file permissions check failed 'check process '
    Oct 28 23:21:58 serv1.domain.fr monit[28600]: The SSL server PEM file '/etc/ssl/private/pure-ftpd.pem' permission 0750 is wrong, ma
    Oct 28 23:21:58 serv1.domain.fr monit[28600]: /etc/monit/monitrc:11: SSL server PEM file permissions check failed 'check process '
    Oct 28 23:21:58 serv1.domain.fr monit[28577]: ...fail!
    Oct 28 23:21:58 serv1.domain.fr systemd[1]: monit.service: Control process exited, code=exited status=1
    Oct 28 23:21:58 serv1.domain.fr systemd[1]: monit.service: Failed with result 'exit-code'.
    Oct 28 23:21:58 serv1.domain.fr systemd[1]: Failed to start LSB: service and resource monitoring daemon.

    [email protected]:/etc/monit# ld /etc/ssl/private/pure-ftpd.pem
    lrwxrwxrwx 1 root root 48 Oct 28 17:07 /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    "
    Then, I assume a daemon is modifying (creating ?) /usr/local/ispconfig/interface/ssl/ispserver.pem file as cat of .key and .crt, assigning too high permissions ! 750 instead of 700...

    if I do chmod 700 on /usr/local/ispconfig/interface/ssl/ispserver.pem and restart.
    It works but for few time ! up to daemon coming... ;-)

    Do you share ?
    Is there a simple workaround ?

    Thanks
     
    Last edited: Dec 24, 2020
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Either change the permissions of the file to what monit is expecting, or change monit's config so it expects the new (correct?) permissions.
     
  3. francoisPE

    francoisPE Member HowtoForge Supporter

    I did that and it works.
    But, permissions are modified when ispconfig .pem file is created : /usr/local/ispconfig/interface/ssl/ispserver.pem
    May be a cron job that creats this file (in a tuto I find : cat < {.key,.crt} > .pem)
    Do you know where is that creating with wrong permission job ?

    Definitely, I have no idea on how to do that !
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It might be the letsencrypt-post hook script (I can't check on this phone).

    Monit's config should be under /etc/monit/
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't think so since there is nothing in there or in any of other LE hook scripts that touch any permissions since they were written or even after your fixes.

    My best guess is that he didn't remove the previous LE4ISPC setup prior to update to 3.2 which may disturb the process since it has different process if compared to 3.2 LE default setup.

    Edited: To note, the installer_base.lib.php is already designed to chmod the ispserver.pem file permission to 600.
     
    Last edited: Nov 1, 2020
  6. francoisPE

    francoisPE Member HowtoForge Supporter

    ok
    I restart my servers (again) because trying to move to ubuntu 20. I faced a crash !
    I will set up ubuntu 20 and see... this issue and database remote access issue
    Learning again and again...
    Thank you
     
  7. francoisPE

    francoisPE Member HowtoForge Supporter

    I set up a monit alert :
    in monitrc
    "
    check file ispserver.pem path /usr/local/ispconfig/interface/ssl/ispserver.pem
    if failed permission 600 then alert
    "
    This morning I moved to ispconfig v3.2.2... Monit alerted me : permission changed on cert...
    Would it be possible to add 'chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem' somewhere in the code ?
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    In my hypothesis, I blamed unclean removal of the old code in securing the server prior to ISPConfig 3.2 (which may or may not include LE4ISPC script) though I actually couldn't find any proof on that matter. Whether at the end, the hypothesis is proven true or otherwise not, I would always recommend the clean removal of the old code including the LE SSL certs for the server and its services (but not all other websites).
     
  9. francoisPE

    francoisPE Member HowtoForge Supporter

    In my above post, I mention a behavior on a fresh install without LE4ISPC...
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    On a fresh install, you added monit config which checks for file permissions on the certificate which differ from the actual file permissions on the system. Unless there's a problem with one of the services not running because of the permissions, you simply need to change your custom monit config to look for the correct permissions.
     
  11. francoisPE

    francoisPE Member HowtoForge Supporter

    @jesse : I use a symlink to '/usr/local/ispconfig/interface/ssl/ispserver.pem' for monit cert. Monit cert must be 600. Ispconfig create .pem with 750.
    I set up monit config to 'chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem'. If not, monit stop working when I look at in my browser.
    Is there any need to create ispserver.pem with 750 ? If 600, it would be helpful for my config which is quite classical in forum.

    It is a proposal. My workaround is working
     
    Last edited: Jan 18, 2021
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I use something like yours in monitrc too, because I did face the same problem as yours and I even opened an issue at the git but closed it back as I cannot pin down the right cause. However, after a thorough clean up, it has never occurred again, so that is why I am making such a hypothesis but also said (which may or may not include LE4ISPC script).

    As said above, installer_base.lib.php file in creating ispserver.pem already set permission to 600:
    Code:
            // Build ispserver.pem file and chmod it
            if(file_exists($ssl_key_file)) {
                exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file");
    

    And in the letsencrypt_renew_hook.sh, it also set to 600:
    Code:
        cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key
        if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi
        if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi
    

    I have inspected the code, again and again, but I still couldn't pin down the cause. Do highlight any other thing that you think is causing this, I'll check them all, one by one.
     
  13. francoisPE

    francoisPE Member HowtoForge Supporter

    Could I suggest to move to
    Code:
    exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file && chmod 600 $ssl_pem_file");'
    if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem && chmod 600 $ipem; fi
    
    Normally, with &&, it should do both write file and chmod in same "operation"...
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sorry @francoisPE, I misunderstood - I thought you were monitoring your pure-ftpd.pem certificate with monit in order to restart pure-ftpd, but you are rather using the pure-ftpd.pem file as the certificate file in monit (much more clear reading on a full screen, not smartphone....).

    Checking the current letsencrypt_renew_hook.sh it does perform a chmod 600 on the /etc/ssl/private/pure-ftpd.pem if that file exists. That is done if the "$lelive" directory exists, which is either "/root/.acme.sh/${hostname}" or "/etc/letsencrypt/live/${hostname}" depending on if you're using acme.sh or certbot. So, what does "hostname -f" output, and does the corresponding directory exist? (It seems it must if ispserver.pem is being updated when your certificate renews, as that is done immediately above on line 31.)

    I'd almost not recommend it, but as a workaround till the actual issue is sorted out here, you can create a bash script named /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh to do the chmod, then "exit 124" from that to signal that ispconfig's own post hook should run.
     
  15. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, the two lines you propose changing are from different files and run at entirely different time; plus you have changed the logic from "create pem file if key file exists" to "create a broken pem file if the key file doesn't exist" (not that it matters, if the key file doesn't exist there are problems that retaining the old pem doesn't fix, but...).
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Agreed, I don't see anything that would create a pem file which is not mode 600. @francoisPE, you said you have IPSConfig version 3.2 - is that the latest 3.2.2, or the actual 3.2 release from last fall? What have you setup other than what the Perfect Server guide shows? (I agree with @ahrasis, it seems like it's being affected by something outside of ISPConfig's code, like monit or incron rebuilding the pem file?)
     
  17. francoisPE

    francoisPE Member HowtoForge Supporter

    Thanks a lot for the interest you have in that topic.
    1. in /etc/letsencrypt/live/$(hostname -f)
    total 4
    -rw-r--r-- 1 root root 692 Jan 14 20:49 README
    lrwxrwxrwx 1 root root 38 Jan 14 20:49 privkey.pem -> ../../archive/ns1.domain.tld/privkey1.pem
    lrwxrwxrwx 1 root root 40 Jan 14 20:49 fullchain.pem -> ../../archive/ns1.domain.tld/fullchain1.pem
    lrwxrwxrwx 1 root root 36 Jan 14 20:49 chain.pem -> ../../archive/ns1.domain.tld/chain1.pem
    lrwxrwxrwx 1 root root 35 Jan 14 20:49 cert.pem -> ../../archive/ns1.domain.tld/cert1.pem
    It seems ok and I understand your point. But, I want easy maintenance so as much as possible no custom !

    2. For code modification. My mistake, I shortcut my explanaition. My idea was to change ';' into '&&' in both line of code, between file creation and chmod command. As an example :
    Code:
    exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file ; chmod 600 $ssl_pem_file");
    would become
    Code:
    exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file && chmod 600 $ssl_pem_file");
    idem for the other line.
    Code:
    if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem ; chmod 600 $ipem; fi
    would become
    Code:
    if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem && chmod 600 $ipem; fi
    In that case, I don't see what you mean : '&&' instead of ';' has no impact on logic... ?

    3. I use ISPConfig3.2.2.
    It can be monit conf, but what is sure is that I set monitrc like :
    "
    check file ispserver.pem path /usr/local/ispconfig/interface/ssl/ispserver.pem
    if failed permission 600 then alert
    if failed permission 600 then chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem
    "
    when I update from 3.2.1 to 3.2.2, monit alerts me (and correct the problem)

    NB: 'chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem' is identical to 'chmod 600 /etc/ssl/private/pure-ftpd.pem'
    as I have
    rwxrwxrwx 1 root root 48 Oct 28 17:07 /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This is fine but I'll personally use double quote in there. Others, I have no further comment but I seemed to see one thing that may cause the problem though I am not very sure about it yet. I'll deal with it in the closed MR in the git and will reopen it or open a new MR once it is finalized.
     

Share This Page