Port 8080 no longer secure

Discussion in 'ISPConfig 3 Priority Support' started by mrbronz, Apr 13, 2021.

  1. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If there were a problem in a vhost file, I'd expect apachectl to report that, but to answer your question: remove all the symlinks in sites-enabled, then reinstall and reconfigure services. I think that will put back the two default ispconfig links (000-ispconfig.conf and 000-ispconfig.vhost) and, assuming your SSL certificate files are sane (you could remove the files in /usr/local/ispconfig/interface/ssl/ and let the installer generate new ones), should hopefully get the ispconfig UI going again. Then resync websites.
     
  2. mrbronz

    mrbronz Member HowtoForge Supporter

    Thanks Till
    I've tried several times to run the update as you suggested, but it always falls over when it comes to restarting the services.

    Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    Certificate exists. Not creating a new one.
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Restarting services ...
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    
    I've tried this 3 times but cannot get past starting apache. Surely it cannot be this difficult just because ISPC3 cert went out of date!
     
  3. mrbronz

    mrbronz Member HowtoForge Supporter

    Should I re-install ispc3 or use ispconfig_update.sh ?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is the same thing (I didn't mean to install a new server, just rerun the installer).
     
  5. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi Jesse

    Thanks for getting back to me.
    I have re-run the install and taken the reports as quickly as I could; these are listed below.

    Code:
    # systemctl status apache2.service
    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Fri 2021-04-16 09:57:32 BST; 37s ago
         Docs: https://httpd.apache.org/docs/2.4/
      Process: 14756 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
    
    Apr 16 09:56:24 martin systemd[1]: Starting The Apache HTTP Server...
    Apr 16 09:57:26 martin apachectl[14756]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    Apr 16 09:57:32 martin apachectl[14756]: Action 'start' failed.
    Apr 16 09:57:32 martin apachectl[14756]: The Apache error log may have more information.
    Apr 16 09:57:32 martin systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
    Apr 16 09:57:32 martin systemd[1]: apache2.service: Failed with result 'exit-code'.
    Apr 16 09:57:32 martin systemd[1]: Failed to start The Apache HTTP Server.
    
    *************************************
    Apache error.log
    [ 2021-04-16 09:57:29.7588 14781/7f1784ada980 age/Wat/WatchdogMain.cpp:1291 ]: Starting Passenger watchdog...
    [ 2021-04-16 09:57:31.6642 14784/7f4c5755c980 age/Cor/CoreMain.cpp:982 ]: Starting Passenger core...
    [ 2021-04-16 09:57:31.6644 14784/7f4c5755c980 age/Cor/CoreMain.cpp:235 ]: Passenger core running in multi-application mode.
    [ 2021-04-16 09:57:31.9365 14784/7f4c5755c980 age/Cor/CoreMain.cpp:732 ]: Passenger core online, PID 14784
    [ 2021-04-16 09:57:32.1874 14802/7fb7451f8980 age/Ust/UstRouterMain.cpp:529 ]: Starting Passenger UstRouter...
    [ 2021-04-16 09:57:32.2993 14802/7fb7451f8980 age/Ust/UstRouterMain.cpp:342 ]: Passenger UstRouter online, PID 14802
    [Fri Apr 16 09:57:32.356794 2021] [ssl:emerg] [pid 14760] AH02565: Certificate and private key martin.gregson.me.uk:8080:0 from /usr/local/ispconfig/interface/ssl/ispserve$
    AH00016: Configuration Failed
    
    [ 2021-04-16 09:57:32.5529 14784/7f4c56c23700 age/Cor/CoreMain.cpp:532 ]: Signal received. Gracefully shutting down... (send signal 2 more time(s) to force shutdown)
    
    [ 2021-04-16 09:57:32.5530 14802/7fb7450f9700 age/Ust/UstRouterMain.cpp:422 ]: Signal received. Gracefully shutting down... (send signal 2 more time(s) to force shutdown)
    [ 2021-04-16 09:57:32.5532 14802/7fb7451f8980 age/Ust/UstRouterMain.cpp:492 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected...
    [ 2021-04-16 09:57:32.5532 14802/7fb744877700 Ser/Server.h:817 ]: [UstRouterApiServer] Freed 0 spare client objects
    [ 2021-04-16 09:57:32.5532 14802/7fb744877700 Ser/Server.h:464 ]: [UstRouterApiServer] Shutdown finished
    [ 2021-04-16 09:57:32.5532 14784/7f4c5755c980 age/Cor/CoreMain.cpp:901 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected...
    [ 2021-04-16 09:57:32.5533 14784/7f4c563a1700 Ser/Server.h:817 ]: [ServerThr.2] Freed 128 spare client objects
    [ 2021-04-16 09:57:32.5533 14784/7f4c563a1700 Ser/Server.h:464 ]: [ServerThr.2] Shutdown finished
    [ 2021-04-16 09:57:32.5538 14784/7f4c56c23700 Ser/Server.h:817 ]: [ServerThr.1] Freed 128 spare client objects
    [ 2021-04-16 09:57:32.5538 14784/7f4c56c23700 Ser/Server.h:464 ]: [ServerThr.1] Shutdown finished
    [ 2021-04-16 09:57:32.5539 14802/7fb7450f9700 Ser/Server.h:464 ]: [UstRouter] Shutdown finished
    [ 2021-04-16 09:57:32.5547 14802/7fb7451f8980 age/Ust/UstRouterMain.cpp:523 ]: Passenger UstRouter shutdown finished
    [ 2021-04-16 09:57:32.6428 14784/7f4c55b1f700 Ser/Server.h:817 ]: [ApiServer] Freed 0 spare client objects
    [ 2021-04-16 09:57:32.6428 14784/7f4c55b1f700 Ser/Server.h:464 ]: [ApiServer] Shutdown finished
    [ 2021-04-16 09:57:32.7110 14784/7f4c5755c980 age/Cor/CoreMain.cpp:967 ]: Passenger core shutdown finished
    
    
    ***************************************************
    journalctl -xe
    Apr 16 09:57:46 martin named[14855]: managed-keys-zone: loaded serial 5
    Apr 16 09:57:46 martin named[14855]: zone 0.in-addr.arpa/IN: loaded serial 1
    Apr 16 09:57:46 martin named[14855]: zone 127.in-addr.arpa/IN: loaded serial 1
    Apr 16 09:57:46 martin named[14855]: zone 255.in-addr.arpa/IN: loaded serial 1
    Apr 16 09:57:46 martin named[14855]: zone localhost/IN: loaded serial 2
    Apr 16 09:57:46 martin named[14855]: all zones loaded
    Apr 16 09:57:46 martin systemd[1]: Started BIND Domain Name Server.
    -- Subject: A start job for unit bind9.service has finished successfully
    -- Defined-By: systemd
    -- Support: https://www.debian.org/support
    --
    -- A start job for unit bind9.service has finished successfully.
    --
    -- The job identifier is 23439.
    Apr 16 09:57:46 martin named[14855]: running
    Apr 16 09:58:03 martin CRON[14867]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr 16 09:58:03 martin CRON[14868]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr 16 09:58:03 martin CRON[14870]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; do
    Apr 16 09:58:03 martin CRON[14871]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    Apr 16 09:58:17 martin postfix/smtpd[14882]: warning: cannot get RSA private key from file "/etc/postfix/smtpd.key": disabling TLS support
    Apr 16 09:58:17 martin postfix/smtpd[14882]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x50
    Apr 16 09:58:19 martin CRON[14867]: pam_unix(cron:session): session closed for user root
    Apr 16 09:58:20 martin CRON[14868]: pam_unix(cron:session): session closed for user root
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: Global time limit set to 120000 milliseconds.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: Global size limit set to 104857600 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: File size limit set to 26214400 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: Recursion level limit set to 16.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: Files limit set to 10000.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxPartitions limit set to 50.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxIconsPE limit set to 100.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: MaxRecHWP3 limit set to 16.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: PCREMatchLimit limit set to 10000.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: PCRERecMatchLimit limit set to 5000.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Limits: PCREMaxFileSize limit set to 26214400.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Archive support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> AlertExceedsMax heuristic detection disabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Heuristic alerts enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Portable Executable support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> ELF support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Mail files support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> OLE2 support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> PDF support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> SWF support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> HTML support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> XMLDOCS support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> HWP3 support enabled.
    Apr 16 09:58:20 martin clamd[14745]: Fri Apr 16 09:58:20 2021 -> Self checking every 3600 seconds.
    
    
     
  6. mrbronz

    mrbronz Member HowtoForge Supporter

    Any ideas, or should I reinstall?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to remove
    But did you remove the symlinks in sites-enabled like Jesse described before you ran the update?
     
  8. mrbronz

    mrbronz Member HowtoForge Supporter

    yes I did
     
  9. mrbronz

    mrbronz Member HowtoForge Supporter

    I've just re-run the install, removing the symlinks again, and recreated the SSL certs.

    Here is the output
    Code:
    # ispconfig_update.sh --force
    
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _
    |_   _/  ___| ___ \ /  __ \            / _(_)
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                                  __/ |
                                                 |___/
    --------------------------------------------------------------------------------
    
    
    >> Update
    
    Please choose the update method. For production systems select 'stable'.
    WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
    Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated.
    
    Select update method (stable,nightly,git-develop) [stable]:
    
    Downloading ISPConfig update.
    Unpacking ISPConfig update.
    
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _         ____
    |_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                                  __/ |
                                                 |___/
    --------------------------------------------------------------------------------
    
    
    >> Update
    
    Operating System: Debian 10.0 (Buster) or compatible
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: n
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
    
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.zIkGVQcT1N/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]:
    
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for martin.gregson.me.uk
    Using certificate path /root/.acme.sh/martin.gregson.me.uk
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/martin.gregson.me.uk
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
    
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Restarting services ...
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so we have to test this more systematically. Move all symlinks in the sites-enabled folder to a different directory, e.g. /tmp, then try to restart apache. If it restarts successfully, then move them back one by one so that we can see which vhost is causing this.
     
  11. mrbronz

    mrbronz Member HowtoForge Supporter

    Good call Till
    It's the 000-apps.vhost link that is stopping apache from running
    How do I fix the problem?
     
    Last edited: Apr 16, 2021
  12. mrbronz

    mrbronz Member HowtoForge Supporter

    What is the 000-apps.vhost for... I mean what should be in it?
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is for the apps on port 8081 - what is the error?
     
  14. mrbronz

    mrbronz Member HowtoForge Supporter

    Well Thom that's the problem
    I cannot work out what the error is..
    My gut feeling is that it has something to do with the certs
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You say the problem is the 000-apps vhost, why do you think that?
     
  16. mrbronz

    mrbronz Member HowtoForge Supporter

    I followed Till's advice and when I removed it from sites-enabled apache2 started
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, can you share the content of that file?
     
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig apps vhost
    ######################################################
    
     Listen 8081
    # NameVirtualHost *:8081
    
    <VirtualHost _default_:8081>
      ServerAdmin [email protected]
    
    
      <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
      </FilesMatch>
    
      # SSL Configuration
      SSLEngine On
        SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA$
      SSLHonorCipherOrder On
    
      <IfModule mod_headers.c>
        # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        Header set X-Content-Type-Options: nosniff
        Header set X-Frame-Options: SAMEORIGIN
        Header set X-XSS-Protection: "1; mode=block"
        Header always edit Set-Cookie (.*) "$1; HTTPOnly"
        Header always edit Set-Cookie (.*) "$1; Secure"
        <IfVersion >= 2.4.7>
            Header setifempty Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        <IfVersion < 2.4.7>
            Header set Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        RequestHeader unset Proxy early
     </IfModule>
    
      <IfModule mod_php5.c>
        DocumentRoot /var/www/apps
        AddType application/x-httpd-php .php
        <Directory /var/www/apps>
                    Options FollowSymLinks
                    AllowOverride None
                                    Require all granted
                        </Directory>
      </IfModule>
    
      <IfModule mod_php7.c>
        DocumentRoot /var/www/apps
        AddType application/x-httpd-php .php
        <Directory /var/www/apps>
                    Options FollowSymLinks
                    AllowOverride None
                                    Require all granted
                        </Directory>
      </IfModule>
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/apps
        SuexecUserGroup ispapps ispapps
        <Directory /var/www/apps>
                    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
                    AllowOverride AuthConfig Indexes Limit Options FileInfo
                <FilesMatch "\.php$">
                      SetHandler fcgid-script
                </FilesMatch>
                    FCGIWrapper /var/www/php-fcgi-scripts/apps/.php-fcgi-starter .php
                                    Require all granted
                        </Directory>
      </IfModule>
    
    
    
    </VirtualHost>
    
    <IfModule mod_ssl.c>
      SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
    
     
  19. mrbronz

    mrbronz Member HowtoForge Supporter

    I also get the same outcome if I put 000-ispconfig.vhost into the sites-enabled
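
The logs posted earlier in the thread report AH02565 about the certificate and private key under /usr/local/ispconfig/interface/ssl/ and an X509_check_private_key "key values mismatch" for /etc/postfix/smtpd.key, and both vhosts that stop Apache load that same pair. An added example, not part of any post and not ISPConfig code: a read-only check that a certificate and private key belong together and that the certificate is not expired or about to expire. The function names and the optional expiry window are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of a certificate/key pair.
# Requires the openssl command-line tool; function names are this example's own.

# Public key embedded in the first certificate of a PEM file.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key (RSA or EC).
# The empty passphrase keeps openssl from prompting on an encrypted key.
pubkey_of_key() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# pair_status CERT KEY [WINDOW_SECONDS]
# Prints one word: ok | mismatch | expiring | unreadable-cert | unreadable-key
pair_status() {
    ps_crt=$1; ps_key=$2; ps_window=${3:-0}
    ps_cpub=$(pubkey_of_cert "$ps_crt") || { echo unreadable-cert; return 2; }
    ps_kpub=$(pubkey_of_key "$ps_key") || { echo unreadable-key; return 2; }
    # A matching pair yields byte-identical public keys.
    if [ "$ps_cpub" != "$ps_kpub" ]; then
        echo mismatch; return 1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds
    # (N=0 means: already expired).
    if ! openssl x509 -in "$ps_crt" -noout -checkend "$ps_window" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# Usage: sh check_pair.sh CERT KEY [WINDOW_SECONDS]
if [ "$#" -ge 2 ]; then
    echo "$1 / $2: $(pair_status "$@")"
    openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null
fi
```

Run it once against the ispserver.crt and ispserver.key named in the vhost file and once against the Postfix pair; a `mismatch` on either means the certificate and key on disk came from different issuances.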
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    So apache does not start if that file is in sites-enabled? Or what?
    What Till asked you to do was to move every file that is a symlink from sites-enabled to somewhere else, then test that apache starts. Then move them back one at a time to see which of them break apache. There may be several, so move the first failing one back to the somewhere else, and test the remaining symlinks the same way.
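
The one-at-a-time procedure that Till and Taleman describe, as an added example that is not part of the original posts: it parks every symlink from the enabled directory, confirms the service check passes with none enabled, then restores the links one by one and parks again any link that makes the check fail. The function name `bisect_vhosts` and the idea of passing the check command as arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Function name and argument layout are
# this example's own.
#
# bisect_vhosts ENABLED_DIR CHECK_CMD [ARGS...]
#   Prints the name of every symlink that makes CHECK_CMD fail.
#   Failing links stay parked in a temp directory (path reported on stderr);
#   all other links end up back in ENABLED_DIR. Regular files are not touched.
bisect_vhosts() {
    bv_enabled=$1; shift
    bv_hold=$(mktemp -d) || return 2
    bv_failed=0

    # Step 1: park every symlink outside the enabled directory.
    for bv_link in "$bv_enabled"/*; do
        if [ -L "$bv_link" ]; then mv "$bv_link" "$bv_hold"/; fi
    done

    # Step 2: the service must come up with no vhosts at all,
    # otherwise the fault is not in any of the parked links.
    if ! "$@" >/dev/null 2>&1; then
        echo "check fails with no vhosts enabled; links parked in $bv_hold" >&2
        return 2
    fi

    # Step 3: restore one link at a time; park it again if the check fails,
    # so a later link is always tested against a known-good set.
    for bv_link in "$bv_hold"/*; do
        [ -L "$bv_link" ] || continue
        bv_name=${bv_link##*/}
        mv "$bv_link" "$bv_enabled"/
        if ! "$@" >/dev/null 2>&1; then
            mv "$bv_enabled/$bv_name" "$bv_hold"/
            echo "$bv_name"
            bv_failed=1
        fi
    done

    if [ "$bv_failed" -eq 1 ]; then
        echo "failing links left in $bv_hold" >&2
        return 1
    fi
    rmdir "$bv_hold"
}

# Usage (as root), with the directory and unit named in the thread:
#   sh bisect_vhosts.sh /etc/apache2/sites-enabled systemctl restart apache2
if [ "$#" -ge 2 ]; then
    bisect_vhosts "$@"
fi
```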

     
