Problem creating a self-signed or Let's Encrypt SSL certificate for the only site on a newly installed ISPC

Discussion in 'Installation/Configuration' started by ragy, Jun 10, 2020.

  1. ragy

    ragy New Member

    Hello everyone and ISPConfig team,
    I am a new user and this is my first attempt to install and deal with ISPC, so I have followed the Ubuntu 18.04 tutorial
    https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
    with Apache to install my first website, coded in Python. After some reading about ISPConfig,
    I thought that the easiest way for me to start is to have two servers running the full ISPConfig (standard mode) with all services installed as in the tutorial. (Q: is this setup approach good or bad, from the point of view of problems to face, or of adding more sites later?)

    -- For the 1st server I use only the mail service for my website, with these settings: hostname: mail, domain: server.com, runs behind 1:1 NAT with a static IP, let's say 1.2.3.4. I created a record in Namecheap DNS (Q: no need to run DNS from ISPC, right?). The email is running fine, although it lands in the spam folder. Then I created Let's Encrypt SSL for all services and for the server by following this guide: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    -- For the 2nd server I need to run the web, DB, etc. here, with these settings: hostname: web, domain: server.com, runs behind 1:1 NAT with a static IP, let's say 1.2.3.5. I added a record for the domain, i.e. example.com (Q: do I need to add one for web.domain?).
    After that I managed to run mod_wsgi with Apache and was able to run the site, but when I try to add SSL and Let's Encrypt SSL, or either one, it doesn't work, yet it works with HTTP.


    • This is my apache2 error log from the 2nd server:
    Code:
    [Tue Jun 09 21:13:02.536200 2020] [ssl:error] [pid 24660] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun  1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT]
    [Tue Jun 09 21:13:02.536212 2020] [ssl:error] [pid 24660] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Tue Jun 09 21:13:02.543132 2020] [mpm_prefork:notice] [pid 24660] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
    [Tue Jun 09 21:13:02.543178 2020] [core:notice] [pid 24660] AH00094: Command line: '/usr/sbin/apache2'
    [Tue Jun 09 21:17:02.435922 2020] [mpm_prefork:notice] [pid 24660] AH00169: caught SIGTERM, shutting down
    [Tue Jun 09 21:17:09.793742 2020] [ssl:warn] [pid 25005] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jun 09 21:17:09.793907 2020] [ssl:error] [pid 25005] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun  1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT]
    [Tue Jun 09 21:17:09.793931 2020] [ssl:error] [pid 25005] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Tue Jun 09 21:17:09.793957 2020] [suexec:notice] [pid 25005] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Tue Jun 09 21:17:09.848358 2020] [ssl:warn] [pid 25009] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jun 09 21:17:09.848504 2020] [ssl:error] [pid 25009] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 7581DA45AEBC70B497E5AD5769A23483856EA31F / notbefore: Jun  1 02:04:47 2020 GMT / notafter: May 30 02:04:47 2030 GMT]
    [Tue Jun 09 21:17:09.848515 2020] [ssl:error] [pid 25009] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Tue Jun 09 21:17:09.855499 2020] [mpm_prefork:notice] [pid 25009] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
    [Tue Jun 09 21:17:09.855548 2020] [core:notice] [pid 25009] AH00094: Command line: '/usr/sbin/apache2'
    • This is my Let's Encrypt (certbot) log from the 2nd server:
    Code:
    2020-06-09 22:33:39,267:DEBUG:acme.client:Storing nonce: 0102UBsPQxGKfjxLGchy3w7GYcvuIvNtjRz81AOn_OHt0J0
    2020-06-09 22:33:39,268:DEBUG:acme.client:JWS payload:
    b''
    2020-06-09 22:33:39,290:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/cert/0469c00abf61f8a9c0061da5c2a2d16b0f62:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODg0MTg1NzUiLCAibm9uY2UiOiAiMDEwMlVCc1BReEdLZmp4TEdjaHkzdzdHWWN2dUl2TnRqUno4MUFPbl9PSHQwSjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NlcnQvMDQ2OWMwMGFiZjYxZjhhOWMwMDYxZGE1YzJhMmQxNmIwZjYyIn0",
      "signature": "O-QeROqIDiL2T4G75X-_c8B_G5lsK9O3q4nYjMJl_OZDKOk62ak_22lrN5FQVd94EGR8OIQZWKNjTYwqZXlWXG0YoZ8q7dNJQKZKdB8N0it9kXg01nmqmCv8GWlFTJ37vIX2WO_l-ZAI536iZRu8zZki4Z5BrqkmO3jV0eU1PNk7VOHNG_DVH15hwx4U3cszmslTIBSmGCrwn3Jm9w5dqR0T08WsLcrph_UakCCRS9Kg7Ah_XeXYngZNmpJos3mkC5aDrfXhbG4zZY8uj4Rq43eCHk7X0ZdJnMh3GKbyAf8GPS3fdpzd_ADvYQs-JoYBAth2Adkm-KDHopm1kYTSsypOH2R8xykddZCY-M1_vaYr0eGSN22RrYREHH7dGwtFtHpY8tBijQ8rMyt_5-Owtgcc2eM_xq0W7hHl-14qpY7Rygl0XCvHAY4b4znuMwl__G8UOcMWbMFsfXk3eawvRFURg7drNiUuDe7Vd-ihZGDLbhTVWjCDx-7y7x_Mn8FBbM-WyoUI2m1-wQ81LSUKLIxJpN35Q4Fbf_0ONLtHQgTRWyXQeRsCyB-jQm8nfji6p--NOC-rzUURYraAECmJinnfYFCH1XyRDxJy_IHO1-iChn8nvs1Pyc8NsZCckZ4q_3ivvO5OsX4ZsGgAcvXfhOIPXpaPRtHJ2xRT1Cbm6PA",
      "payload": ""
    }
    2020-06-09 22:33:39,539:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/cert/0469c00abf61f8a9c0061da5c2a2d16b0f62 HTTP/1.1" 200 3912
    2020-06-09 22:33:39,539:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Tue, 09 Jun 2020 22:33:39 GMT
    Content-Type: application/pem-certificate-chain
    Content-Length: 3912
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0101MANnVtr4asKQTuMdhqRQu0OmXp_8hDSYTMFhqAavJk0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    
    2020-06-09 22:33:39,540:DEBUG:acme.client:Storing nonce: 0101MANnVtr4asKQTuMdhqRQu0OmXp_8hDSYTMFhqAavJk0
    2020-06-09 22:33:39,541:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive.
    2020-06-09 22:33:39,541:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/live.
    2020-06-09 22:33:39,541:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/archive/rasnix.com and live directory /etc/letsencrypt/live/rasnix.com created.
    2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/rasnix.com/cert.pem.
    2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/live/rasnix.com/privkey.pem.
    2020-06-09 22:33:39,542:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/live/rasnix.com/chain.pem.
    2020-06-09 22:33:39,543:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/live/rasnix.com/fullchain.pem.
    2020-06-09 22:33:39,543:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/live/rasnix.com/README.
    2020-06-09 22:33:39,559:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0x7f5cc49b0c88>
    2020-06-09 22:33:39,560:DEBUG:certbot.cli:Var server=https://acme-v02.api.letsencrypt.org/directory (set by user).
    2020-06-09 22:33:39,560:DEBUG:certbot.cli:Var account={'server'} (set by user).
    2020-06-09 22:33:39,564:DEBUG:certbot.cli:Var rsa_key_size=4096 (set by user).
    2020-06-09 22:33:39,574:DEBUG:certbot.cli:Var server=https://acme-v02.api.letsencrypt.org/directory (set by user).
    2020-06-09 22:33:39,575:DEBUG:certbot.cli:Var authenticator=webroot (set by user).
    2020-06-09 22:33:39,582:DEBUG:certbot.cli:Var webroot_path=/usr/local/ispconfig/interface/acme (set by user).
    2020-06-09 22:33:39,583:DEBUG:certbot.cli:Var webroot_path=/usr/local/ispconfig/interface/acme (set by user).
    2020-06-09 22:33:39,583:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user).
    2020-06-09 22:33:39,584:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/rasnix.com.conf.
    2020-06-09 22:33:39,586:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/rasnix.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/rasnix.com/privkey.pem
    Your cert will expire on 2020-09-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
    2020-06-09 22:33:39,586:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:
    
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
    Please advise ...
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Verify you have completed all steps to use the LE certificate for the ISPConfig panel.
    That looks like the certificate is not installed correctly.
    What is sending the signals to that process?
    Code:
    [Tue Jun 09 21:17:02.435922 2020] [mpm_prefork:notice] [pid 24660] AH00169: caught SIGTERM, shutting down
     
  3. ragy

    ragy New Member

    Really, thank you Taleman for your support. I should have noticed that, but I was awake for 2 days trying to complete it (my bad).

    Even though I have access to the ISPConfig interface through HTTPS from the domain name and subdomain, I ran
    Code:
    ispconfig_update.sh
    to recreate the ISPConfig SSL, but with the same problem.
    Finally I found the source of the problem, which was mod_wsgi (Apache module), so I had to comment out the WSGI daemon lines in order for the SSL to be generated correctly, then uncomment the WSGI lines again.

    Yet I still have an issue showing in the Apache error log.
    I don't understand this: if I have a server hostname like web, then for every site added in ISPConfig should web be a subdomain?

    Could you, Mr. Taleman, or anyone give me an opinion on these questions?
     
  4. ahrasis

    ahrasis Well-Known Member

  5. Steini86

    Steini86 Active Member

    If both servers should share the same users, etc., you should go for a master/slave setup. If you have two masters, they become independent servers (which could be fine, depending on what you want to achieve).
    Correct.
    I do not understand that question. Are you asking if you should create a vhost for web.domain.com? Only if you want to have a website there, or if you want ISPC to create and update a Let's Encrypt cert for that. ISPC only does certs for webs.
    You are using a self-signed certificate that (obviously) does not contain an issuer's cert. If you get a Let's Encrypt cert for the web.domain.com domain, then you will get a "fullchain" file which includes the Let's Encrypt issuer cert. So it looks like you made a mistake in following the guide to get your server a Let's Encrypt cert. Look again carefully at the steps at https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
  6. ragy

    ragy New Member

    First of all, thanks to all ISPConfig team members and supporters for your guidance and help.
    I haven't fixed all the issues, but most of them, as I now have Let's Encrypt for mydomain(dot)com and www(dot)mydomain(dot)com, but it is not working with the server hostname web(dot)mydomain(dot)com.

    So this is my system setup:
    OS: Ubuntu 18.04, hostname: web
    ISPConfig version: 3.1.15p3, Skip Lets Encrypt Check (checked)
    ISPConfig sites: 1, used domain: mydomain(dot)com (not web(dot)mydomain(dot)com, as I don't need web to be visible in the site name)
    Namecheap registrar DNS records:
    [cname record] www > mydomain(dot)com ,
    [a record] mydomain(dot)com > my_pub_ip ,
    [a record] web > my_pub_ip ,
    [a record] www(dot)web > my_pub_ip ,
    [cname record] web > mydomain(dot)com ,
    [cname record] www(dot)web > mydomain(dot)com
    I can neglect that web(dot)mydomain only has a self-signed SSL certificate, not Let's Encrypt, and make an Apache rewrite/redirect rule so web(dot)mydomain gets redirected to www(dot)mydomain, which has Let's Encrypt working fine, but I just need to understand what I did wrong.

    This is my Let's Encrypt log:
    Code:
    2020-06-11 17:51:40,082:DEBUG:certbot.main:certbot version: 0.27.0
    2020-06-11 17:51:40,083:DEBUG:certbot.main:Arguments: ['-q']
    2020-06-11 17:51:40,084:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-06-11 17:51:40,095:DEBUG:certbot.log:Root logging level set at 30
    2020-06-11 17:51:40,096:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-06-11 17:51:40,122:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ff28e463940> and installer <certbot.cli._Default object at 0x7ff28e463940>
    2020-06-11 17:51:40,131:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-11 17:51:40,131:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2020-06-11 17:51:40,135:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-11 17:51:40,136:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2020-06-11 17:51:40,136:DEBUG:certbot.renewal:no renewal failures
    and this is the Apache error log:
    Code:
    [Thu Jun 11 17:45:04.927756 2020] [ssl:warn] [pid 30410] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Jun 11 17:45:04.927893 2020] [ssl:error] [pid 30410] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun  8 13:45:52 2030 GMT]
    [Thu Jun 11 17:45:04.927904 2020] [ssl:error] [pid 30410] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Thu Jun 11 17:45:04.935017 2020] [mpm_prefork:notice] [pid 30410] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
    [Thu Jun 11 17:45:04.935062 2020] [core:notice] [pid 30410] AH00094: Command line: '/usr/sbin/apache2'
    [Thu Jun 11 18:06:09.302909 2020] [mpm_prefork:notice] [pid 30410] AH00169: caught SIGTERM, shutting down
    [Thu Jun 11 18:06:09.492649 2020] [ssl:warn] [pid 8826] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Jun 11 18:06:09.492819 2020] [ssl:error] [pid 8826] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun  8 13:45:52 2030 GMT]
    [Thu Jun 11 18:06:09.492832 2020] [ssl:error] [pid 8826] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Thu Jun 11 18:06:09.492855 2020] [suexec:notice] [pid 8826] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Thu Jun 11 18:06:09.550348 2020] [ssl:warn] [pid 8839] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Jun 11 18:06:09.550491 2020] [ssl:error] [pid 8839] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=IT Department,O=RASNIX,L=CAIRO,ST=CAIRO,C=EG / serial: 6E8F46EC471949635AFDBCD0330A7F2FE3604A9C / notbefore: Jun 10 13:45:52 2020 GMT / notafter: Jun  8 13:45:52 2030 GMT]
    [Thu Jun 11 18:06:09.550502 2020] [ssl:error] [pid 8839] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Thu Jun 11 18:06:09.556919 2020] [mpm_prefork:notice] [pid 8839] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
    [Thu Jun 11 18:06:09.556964 2020] [core:notice] [pid 8839] AH00094: Command line: '/usr/sbin/apache2'
     
  7. ahrasis

    ahrasis Well-Known Member

    First you have to fix your issue, failing which you may not get anywhere. One of which I already posted:
    And do troubleshoot all LE errors by reading and following the given FAQ first: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    There is a saying: "repeating the same things won't give you a different result".
     
  8. ragy

    ragy New Member

    I have tried to reinstall everything. After installing Ubuntu 18.04 and following the ISPConfig installation tutorial,
    and after the final step in the tutorial (installing ISPConfig with SSL for the interface), I checked the Apache error log and saw the same errors again, even though I haven't added any sites or anything.
    I also tried to reinstall one more time and even added an AAAA record in DNS pointing [server-hostname].[domain-dot-com] to this server's public IP, even though there is an A record, but I also found the same errors after the ISPConfig install.
    ahrasis, I have looked at this search link without help, so can you be more specific as to what I can try to do or test?
     
  9. ahrasis

    ahrasis Well-Known Member

    The link is to help solving the stapling issue as per your info. Did you troubleshoot as per the FAQ mentioned above? Did you disable the LE check? We don't really know how to help you solve your problems unless you follow the advised steps and provide us with useful details.
     
  10. ragy

    ragy New Member

    Dear ahrasis, thank you for taking the time to help me. I have looked at the search you gave me many times and opened all of its links on the first page of the results, and here is what I have found:
    The 1st search result concludes that I need to enable debug mode in ISPConfig to get more information, and I did that but didn't get any error from the debug command line, and the conversation ended without a solution.
    Code:
    [email protected]:~# /usr/local/ispconfig/server/server.sh
    
    15.06.2020-00:18 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    15.06.2020-00:18 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    The 2nd search result says that I need to have an AAAA record to fix this error, which I did, as mentioned, but it also didn't help.
    Some search results are about installing OCSP stapling on Apache; I have no idea what that is, and the tutorial didn't mention it.
    The 4th search result solved the issue by removing an alias in the Apache conf, and in my case I didn't have any and even disabled rewrites or redirects.

    But now, as I said, I have only a fresh install of Ubuntu and ISPConfig on it, without creating any clients/sites/domains/subdomains, and the issue happened because ISPConfig made the SSL certificate for itself; that means I didn't add a new site and try to get it working with Let's Encrypt.
    If there is any log I can provide to clarify the situation more, please tell me.
    And this is the Apache error log from the new Ubuntu and ISPC install:
    Code:
    [Sun Jun 14 20:02:43.187396 2020] [mpm_prefork:notice] [pid 17090] AH00163: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.7.17 OpenSSL/1.1.1 configured -- resuming normal operations
    [Sun Jun 14 20:02:43.187442 2020] [core:notice] [pid 17090] AH00094: Command line: '/usr/sbin/apache2'
    [Mon Jun 15 00:18:02.469417 2020] [mpm_prefork:notice] [pid 17090] AH00169: caught SIGTERM, shutting down
    [Mon Jun 15 00:18:02.614724 2020] [ssl:warn] [pid 28717] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Mon Jun 15 00:18:02.614966 2020] [ssl:error] [pid 28717] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 1E79DF5BCFBB7FEEAE771029D8B01FA25FDF672E / notbefore: Jun 14 20:02:34 2020 GMT / notafter: Jun 12 20:02:34 2030 GMT]
    [Mon Jun 15 00:18:02.614982 2020] [ssl:error] [pid 28717] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    [Mon Jun 15 00:18:02.615017 2020] [suexec:notice] [pid 28717] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Mon Jun 15 00:18:02.670171 2020] [:error] [pid 28730] python_init: Python version mismatch, expected '2.7.6', found '2.7.17'.
    [Mon Jun 15 00:18:02.670239 2020] [:error] [pid 28730] python_init: Python executable found '/usr/bin/python'.
    [Mon Jun 15 00:18:02.670246 2020] [:error] [pid 28730] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Mon Jun 15 00:18:02.670267 2020] [:notice] [pid 28730] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Mon Jun 15 00:18:02.670274 2020] [:notice] [pid 28730] mod_python: using mutex_directory /tmp
    [Mon Jun 15 00:18:02.680365 2020] [ssl:warn] [pid 28730] AH01906: web.rasnix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Mon Jun 15 00:18:02.680513 2020] [ssl:error] [pid 28730] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / issuer: [email protected],CN=web.rasnix.com,OU=RASNIX IT Department,O=RASNIX IT Department,L=NEW-CAIRO,ST=CAIRO,C=EG / serial: 1E79DF5BCFBB7FEEAE771029D8B01FA25FDF672E / notbefore: Jun 14 20:02:34 2020 GMT / notafter: Jun 12 20:02:34 2030 GMT]
    [Mon Jun 15 00:18:02.680525 2020] [ssl:error] [pid 28730] AH02604: Unable to configure certificate web.rasnix.com:8080:0 for stapling
    Can this be an issue because I set up another server that uses the same domain, so there may be some kind of conflict in creating the certificate, or maybe something else?
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The certificate certifies that the domain the browser goes to really is web.rasnix.com. If you have the same FQDN on two hosts, that can not be certified.
    Check that the IP number the name service gives for web.rasnix.com really goes to the host where you are creating the certificate.
    Code:
    $ nslookup  web.rasnix.com
    Server:        192.168.42.4
    Address:    192.168.42.4#53
    
    Non-authoritative answer:
    Name:    web.rasnix.com
    Address: 197.50.241.59
    Name:    web.rasnix.com
    Address: ::ffff:197.50.241.59
    
     
  12. ragy

    ragy New Member

    They do not have the same FQDN: one is mail.rasnix.com and the other is web.rasnix.com, and each has a different public IP address.
    I am thinking about adding another site to the working server, which has only the mail site for mail.rasnix.com. I have followed exactly your great guide https://www.howtoforge.com/how-to-install-an-email-server-with-ispconfig-on-debian-10/
    but with Ubuntu, so can I add another site from the ISPConfig interface for rasnix.com, and are there extra steps or notes?
     
  13. Steini86

    Steini86 Active Member

    Then you had an error in one of the steps. Your Apache error shows you are not using the Let's Encrypt fullchain certificate.
    Your error will be gone when you correctly implement an LE certificate for ISPC.
    What is the output of
    Code:
    grep ssl /etc/apache2/sites-enabled/isp000-ispconfig.vhost
    ls -al /usr/local/ispconfig/interface/ssl/
    You also have a problem with your Python install. Are you sure this is a new install and you followed the guide? Is your system up to date ("sudo apt update && sudo apt upgrade")?

    Anyway, a problem of the guide is that mod_python is installed, which has not been maintained since 2013. You should use mod_wsgi instead if you need Python. If you don't need Python, just remove it with:
    Code:
    sudo apt remove libapache2-mod-python
    If you need python, install mod_wsgi after removing:
    Code:
    sudo apt install libapache2-mod-wsgi
     
    Last edited: Jun 15, 2020
  14. ragy

    ragy New Member

    I think you are right, Steini86, as I also found a similar issue in the Dutch forum of ISPConfig, in this link ("translated"):
    https://www.translatetheweb.com/?fr...owtoforge.de/threads/probleme-mit-ssl.12083/#
    which has a reply from till (administrator) saying:
    So, back to my issue: the output of
    Code:
    grep ssl /etc/apache2/sites-enabled/isp000-ispconfig.vhost
    ls -al /usr/local/ispconfig/interface/ssl/
    from the other server, which doesn't have this issue, is
    Code:
    grep ssl /etc/apache2/sites-enabled/000-ispconfig.vhost
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    <IfModule mod_ssl.c>
    Code:
    ls -al /usr/local/ispconfig/interface/ssl/
    total 36
    drwxr-x--- 2 root      root      4096 Jun  9 11:35 .
    drwxr-x--- 9 ispconfig ispconfig 4096 May 28 22:39 ..
    -rwxr-x--- 1 root      root        45 May 28 22:39 empty.dir
    lrwxrwxrwx 1 root      root        51 Jun  9 11:29 ispserver.crt -> /etc/letsencrypt/live/mail.rasnix.com/fullchain.pem
    lrwxrwxrwx 1 root      root        51 Jun  4 22:24 ispserver.crt-200609112809.bak -> /etc/letsencrypt/live/mail.rasnix.com/fullchain.pem
    -rwxr-x--- 1 root      root      1760 May 28 22:39 ispserver.csr
    lrwxrwxrwx 1 root      root        49 Jun  9 11:29 ispserver.key -> /etc/letsencrypt/live/mail.rasnix.com/privkey.pem
    lrwxrwxrwx 1 root      root        49 Jun  4 22:26 ispserver.key-200609112823.bak -> /etc/letsencrypt/live/mail.rasnix.com/privkey.pem
    -rwxr-x--- 1 root      root      3311 May 28 22:37 ispserver.key.secure
    -rw------- 1 root      root      7204 Jun  9 11:29 ispserver.pem
    -rw------- 1 root      root      7175 Jun  4 22:27 ispserver.pem-200609112853.bak
    So if I want to link the Let's Encrypt fullchain certificate from the working server holding mail.mydomain.com to the other server holding web.mydomain.com, how do I do this?
     
  15. Steini86

    Steini86 Active Member

    A certificate valid for mail.domain.com can not be used for the domain web.domain.com, unless it is a wildcard certificate for *.domain.com.
    You can use the DNS challenge or simply create a web to get a certificate.

    1) Create a website web.domain.com
    2) Activate letsencrypt for that website
    3) Verify that you get certificates in /etc/letsencrypt/live/web.domain.com
    4) Create symlinks like done in the guide https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    Code:
    cd /usr/local/ispconfig/interface/ssl/
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
     
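As an added example (not code from the thread, the guide or ISPConfig), the two mod_ssl messages quoted in the posts above and the symlink steps just listed can both be checked with nothing but the openssl CLI. AH01906 means the certificate the vhost serves carries BasicConstraints CA:TRUE; AH02217 means no issuer certificate follows the leaf in the file, so OCSP stapling has nothing to work with. Both are what a self-signed installer certificate produces and what a Let's Encrypt fullchain.pem fixes. The script builds its own constructed material (a self-signed CA:TRUE cert of the kind "openssl req -x509" yields with the stock openssl.cnf, and a toy CA with a 90-day leaf laid out like certbot's cert.pem and fullchain.pem; the example.test names and "Toy Test CA" are placeholders), classifies a PEM file the way mod_ssl will see it, and confirms that a cert/key pair belongs together and names the host:

```shell
#!/bin/sh
# Added example, not from the thread, the guide or ISPConfig: reproduce the
# two mod_ssl messages quoted above on constructed certificates and check the
# files the symlink step leaves behind. Needs only the openssl CLI; everything
# is created in a temp dir and removed on exit.
#   AH01906 "server certificate is a CA certificate" -> leaf carries CA:TRUE
#   AH02217 "can't retrieve issuer certificate"       -> no issuer after leaf
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR named $1 with CN=$2. Signing is done separately below so every
# extension is explicit instead of coming from openssl.cnf defaults.
mk_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# --- constructed material; example.test names are placeholders -------------
# (a) what "openssl req -x509" yields with the stock openssl.cnf (its v3_ca
#     section): subject == issuer and CA:TRUE. This is the ispserver.crt an
#     installer generates before Let's Encrypt is wired in.
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
mk_csr self web.example.test
openssl x509 -req -in "$WORK/self.csr" -signkey "$WORK/self.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/self.crt" >/dev/null 2>&1
# (b) a toy CA (stand-in for Let's Encrypt) and a 90-day leaf it issued,
#     written out the way certbot does: cert.pem = leaf only,
#     fullchain.pem = leaf followed by its issuer.
mk_csr ca "Toy Test CA"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
mk_csr leaf web.example.test
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
cp "$WORK/leaf.crt" "$WORK/cert.pem"
cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/fullchain.pem"
cat "$WORK/leaf.crt" "$WORK/self.crt" > "$WORK/wrongchain.pem"  # wrong 2nd cert

# Classify a PEM file as mod_ssl sees it. Anything before the first
# certificate (e.g. the key at the top of ispserver.pem) is ignored.
# Echoes one of: SELF_SIGNED_CA  SELF_SIGNED  LEAF_ONLY  FULLCHAIN  CHAIN_MISMATCH
classify_cert_file() {
    d=$(mktemp -d "$WORK/split.XXXXXX")
    # 1.pem is what the server presents, 2.pem should be its issuer
    awk -v d="$d" '/BEGIN CERTIFICATE/{n++; f=d "/" n ".pem"} n{print > f}' "$1"
    subj=$(openssl x509 -in "$d/1.pem" -noout -subject)
    iss=$(openssl x509 -in "$d/1.pem" -noout -issuer)
    is_ca=$(openssl x509 -in "$d/1.pem" -noout -text | grep -c 'CA:TRUE' || true)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        if [ "$is_ca" -gt 0 ]; then echo SELF_SIGNED_CA; else echo SELF_SIGNED; fi
    elif [ ! -f "$d/2.pem" ]; then
        echo LEAF_ONLY        # a real issuer exists but is not in the file
    elif openssl verify -CAfile "$d/2.pem" "$d/1.pem" >/dev/null 2>&1; then
        echo FULLCHAIN        # what ispserver.crt should resolve to
    else
        echo CHAIN_MISMATCH   # the second cert did not sign the first
    fi
}

# Check a cert/key pair for a vhost: same public key, and the leaf's CN is
# the host name given (the symlink step uses "hostname -f"). Real checks
# should also read the subjectAltName; the toy leaf here has none.
check_pair() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    kpub=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$cpub" = "$kpub" ] || { echo KEY_MISMATCH; return 0; }
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$3" \
        || { echo NAME_MISMATCH; return 0; }
    echo OK
}

for f in self.crt cert.pem fullchain.pem wrongchain.pem; do
    printf '%-15s %s\n' "$f" "$(classify_cert_file "$WORK/$f")"
done
# self.crt        SELF_SIGNED_CA   <- the quoted log: AH01906 + AH02217
# cert.pem        LEAF_ONLY        <- still AH02217 if linked instead of fullchain
# fullchain.pem   FULLCHAIN
# wrongchain.pem  CHAIN_MISMATCH
printf 'pair: %s\n' "$(check_pair "$WORK/fullchain.pem" "$WORK/leaf.key" web.example.test)"  # OK
printf 'pair: %s\n' "$(check_pair "$WORK/fullchain.pem" "$WORK/self.key" web.example.test)"  # KEY_MISMATCH
```

On a real server, run classify_cert_file against the file ispserver.crt points at and check_pair against ispserver.crt, ispserver.key and "hostname -f": after step 4 above the answers should be FULLCHAIN and OK. SELF_SIGNED_CA means Apache is still serving the installer's own certificate, which is exactly what the quoted log reports, and LEAF_ONLY means cert.pem was linked where fullchain.pem belongs.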
  16. ragy

    ragy New Member

    Thank you for your quick answer, Steini86; I will try that and report back.
     
