NET::ERR_CERT_AUTHORITY_INVALID for ispconfig 3.1.12

Discussion in 'ISPConfig 3 Priority Support' started by Frost, Jun 17, 2018.

  1. Frost

    Frost Member

    I followed the manual for the multiserver setup on Debian 8, but when I visited the ISPConfig URL on port 8080, I was prompted that the connection is not private. Is the certbot setup in the manual only for the domains to be added in the ISPConfig admin, and does it not include the ISPConfig URL?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Frost

    Frost Member

    Last edited: Jun 17, 2018
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Depends on what you want.
    The easy way is to tell your browser to accept the self-signed cert you presumably made during installation.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    By default, an ISPConfig setup uses a self-signed SSL cert for the control panel. A self-signed cert is not less secure encryption-wise, it is just not issued by a known SSL authority. You can switch to LE by using the guide @Taleman posted a link to. The first step is that you create a website in ISPConfig which has the hostname of the server as domain name and enable LE in that website; after this step, you should have an /etc/letsencrypt/live directory.
     
  6. Frost

    Frost Member

    I added a website in ISPConfig as discussed in that link and it created /etc/letsencrypt/live. When I access the ISPConfig panel using the IP, I receive NET::ERR_CERT_COMMON_NAME_INVALID, because the certificate is issued to my FQDN and not my IP. I checked the certificate and it shows my FQDN. But when I visit via the FQDN it shows ERR_SSL_PROTOCOL_ERROR.

    On the Domain tab it shows the Document Root as /var/www/clients/client0/web1, which is not the root of ISPConfig.
    When creating a website in ISPConfig, do I need to fill in the SSL tab?
     
    Last edited: Jun 18, 2018
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    SSL Certificates are always issued for a domain name and not for an IP, you have to use the server hostname (FQDN) to access it.
    Protocol errors are shown when you e.g. try to access an https website with http. Ensure that you use https:// in front of the FQDN. Example:

    https://server1.yourdomain.tld:8080
     
  8. Frost

    Frost Member

  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, does it work when you use http:// instead of https:// in the exact same URL?
     
  10. Frost

    Frost Member

    No, it shows this error:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
     
  11. Enrique García

    Enrique García Member HowtoForge Supporter

    I tried but it failed at the cat line:

    [email protected]:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
    cat: ispserver.key: No such file or directory
    cat: ispserver.crt: No such file or directory
    [email protected]:/usr/local/ispconfig/interface/ssl#

    The folder:
    [email protected]:/usr/local/ispconfig/interface/ssl# ls -l
    total 20
    -rwxr-x--- 1 root root 45 Feb 21 09:56 empty.dir
    lrwxrwxrwx 1 root root 51 May 22 21:32 ispserver.crt -> /etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem
    -rwxr-x--- 1 root root 2122 Jan 14 2018 ispserver.crt-190522213034.bak
    -rwxr-x--- 1 root root 1748 Jan 14 2018 ispserver.csr
    lrwxrwxrwx 1 root root 49 May 22 21:32 ispserver.key -> /etc/letsencrypt/live/www.fyde.com.mx/privkey.pem
    -rwxr-x--- 1 root root 3243 Jan 14 2018 ispserver.key-190522213048.bak
    -rwxr-x--- 1 root root 3311 Jan 14 2018 ispserver.key.secure
    -rw------- 1 root root 0 May 22 22:34 ispserver.pem
    [email protected]:/usr/local/ispconfig/interface/ssl#

    Please help :)
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

  13. Enrique García

    Enrique García Member HowtoForge Supporter

    Here is the info:
    [email protected]:~# ls -la /etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem
    ls: cannot access '/etc/letsencrypt/live/www.fyde.com.mx/fullchain.pem': No such file or directory
    [email protected]:~# ls -la /etc/letsencrypt/live/www.fyde.com.mx/privkey.pem
    ls: cannot access '/etc/letsencrypt/live/www.fyde.com.mx/privkey.pem': No such file or directory

    Regards,
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, that explains the problem. It seems you did not get an SSL cert from LE. Check the letsencrypt.log to find out why LE did not issue a cert to you.
     
  15. Enrique García

    Enrique García Member HowtoForge Supporter

    There's no letsencrypt.log. But it works, https://fyde.com.mx is OK.
    But https://fyde.com.mx:8080 is not. I have problems with antivirus and other platforms that cannot access my server because of the self-signed certificate.
    The SSL Let's Encrypt check box in ISPConfig is activated.

    Please help.
     
    Last edited: May 23, 2019
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, you say you have a LE cert for fyde.com.mx but above you use the path www.fyde.com.mx. So probably the LE cert has a different name.

    Post the output of:

    ls -la /etc/letsencrypt/live/fyde.com.mx/
     
  17. Enrique García

    Enrique García Member HowtoForge Supporter


    [email protected]:~# ls -la /etc/letsencrypt/live/fyde.com.mx/
    total 12
    drwxr-xr-x 2 root root 4096 May 23 03:00 .
    drwx------ 7 root root 4096 Jan 19 01:04 ..
    lrwxrwxrwx 1 root root 35 May 23 03:00 cert.pem -> ../../archive/fyde.com.mx/cert6.pem
    lrwxrwxrwx 1 root root 36 May 23 03:00 chain.pem -> ../../archive/fyde.com.mx/chain6.pem
    lrwxrwxrwx 1 root root 40 May 23 03:00 fullchain.pem -> ../../archive/fyde.com.mx/fullchain6.pem
    lrwxrwxrwx 1 root root 38 May 23 03:00 privkey.pem -> ../../archive/fyde.com.mx/privkey6.pem
    -rw-r--r-- 1 root root 543 Jul 26 2018 README

    :)
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Run these commands to fix it:

    Code:
    cd /usr/local/ispconfig/interface/ssl/
    rm ispserver.crt
    rm ispserver.key
    rm ispserver.pem
    ln -s /etc/letsencrypt/live/fyde.com.mx/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/fyde.com.mx/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
     
  19. Enrique García

    Enrique García Member HowtoForge Supporter

    Done, ok.
    Chrome displays:
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: www.fyde.com.mx

    Issuer: www.fyde.com.mx

    Expires on: 12 ene 2028

    Current date: 23 may 2019


    Internet explorer:
    Código de error: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID

    Firefox:
    Código de error: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


    Please help
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Restart Apache afterwards.
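
Added example, not part of any post in the thread: a shell check for the failure modes seen above (symlinks pointing at a non-existent /etc/letsencrypt/live directory, an empty ispserver.pem, and a certificate whose issuer equals its subject). The file names are the ones shown in the thread; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: sanity checks for the ISPConfig panel certificate files.
# Function names are hypothetical; file names are those from the thread.

# Return 0 if ispserver.crt and ispserver.key resolve to non-empty files
# and ispserver.pem is non-empty; print each problem and return 1 otherwise.
check_panel_files() {
    dir=$1
    rc=0
    for f in ispserver.crt ispserver.key; do
        if [ -L "$dir/$f" ] && [ ! -e "$dir/$f" ]; then
            echo "dangling symlink: $f -> $(readlink "$dir/$f")"
            rc=1
        elif [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $f"
            rc=1
        fi
    done
    if [ ! -s "$dir/ispserver.pem" ]; then
        echo "missing or empty: ispserver.pem"
        rc=1
    fi
    return $rc
}

# Return 0 if the first certificate in the file has subject == issuer
# (self-issued, so browsers report an untrusted authority), 1 if the
# issuer differs, 2 if openssl cannot read the file.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Usage: sh check.sh /usr/local/ispconfig/interface/ssl
if [ "$#" -gt 0 ]; then
    check_panel_files "$1" || exit 1
    is_self_issued "$1/ispserver.crt"
    case $? in
        0) echo "ispserver.crt is self-issued: browsers will warn"; exit 1 ;;
        1) echo "ispserver.crt is CA-issued and all files resolve" ;;
        *) echo "could not parse ispserver.crt"; exit 2 ;;
    esac
fi
```

The files on disk can pass this check while the panel still serves the old certificate, because the web server only reads them at start-up.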
     
