Problem with Let's Encrypt and Centos 7.6

Discussion in 'Installation/Configuration' started by Bic72, Jul 16, 2019.

  1. Bic72

    Bic72 New Member

    Hi everyone
    I'm sorry for my english :)
    I did a new install of ispconfig with Centos 7.6 as described in howtoforge perfect-server-centos-7.6 ...
    Then I wanted to add the SSL certificate to my main domain "hostname -f: archive.xxxxxxxx.it" and I followed the other howtoforge guide ....... securing ispconfig ...free-lets-encrypt-ssl-certificate.

    After creating the domain equal to the hostname -f on the ispconfig panel I activated the flag on "SSL" and "Let's Encrypt" ..... the Let's Encrypt certificates were created regularly, but seeing the website https://archive.xxxxxxxx.it I receive the usual unsafe certificate error seems to load the self-created certificate that expires 364 days ...
    So I checked and tested the Let's Encrypt certificates and it looks like they were created correctly in the /etc/letsencrypt/live/archive.xxxxxxxx.it/ directory and then I checked the files available for the sites and the sites enabled to see if the links are correct and everything seems ok following the symbolic links ........
    So I tried to put a certificate on the admin panel as a guide:

    ln -s /etc/letsencrypt/live/$ (hostname -f) /fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live /$ (hostname -f) /privkey.pem ispserver.key

    and the result ok !! https://archive.xxxxxxxx.it:8080 valid ok certificate!
    instead the host name of the site https://archive.xxxxxxxx.it no! always invalid!
    After reinstalling the entire server twice and several tests I could not understand ....., I have other servers with ubuntu and ispconfig and I never encountered the problem, it's the first time I try Centos ....
    Thanks everyone in advance!
     
    Last edited: Jul 17, 2019
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Bic72

    Bic72 New Member

    Hi Taleman, thanks for your reply
    I had already seen that post ... but I don't have the problem that I can't create the certificates but only that it is not shown as explained above ... I have not found answers in that post nor on the log because the certificates are created regularly .....
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you created a certificate that includes that hostname?
     
  5. Bic72

    Bic72 New Member

    yes I wrote so because the forum does not allow me the links .....
    created domain:
    archive.xxxxxxxx.it
    and activated ssl but if I look at the site https://archive.xxxxxxxx.it invalid certificate, then I copied the certificates x admin panel and if I look at https://archive.xxxxxxxx.it:8080 certificate is ok!
    I hope you understand I'm translating with google .... :-(

    archive.xxxxxxxx.it certified invalid
    archive.xxxxxxxx.it:8080 valid certificate ok

    Yes, the domain for which the certificate was requested is hostname -f:
    archive.xxxxxxxx.it
    already done on other ubuntu servers I had no problems ....
    but following the guide perfect server centos 7.6 happens this ...
     
    Last edited: Jul 16, 2019
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you created in ISPConfig website archive.xxxxxxxx.it and turned Let's Encrypt on for that site and it stays turned on? Does it show a certificate in browser, which certificate?
     
  7. Bic72

    Bic72 New Member

    yes in the panel the flags remain correctly active both SSL + LETS ENCRYPT.

    detail certificate in the browser:
    name: archive.xxxxxxx.it
    Organization: someorganisation
    validity:
    started July 14, 2019
    end 13 July 2020
    1 year? ..... seems to be the self-generated certificate during the ispconfig installation ...

    while on archive.xxxxxx.it:8080
    verified by Let's Encrypt
    expires October 13, 2019
    3 months is ok!

    I did not understand how the browser loads the incorrect certificates ..... as I said I checked the apache configuration files and link to the correct folder where there are the correct Let's Encrypt certificates and I also tested the individual certificate files with an online test site and are correct and released by Let's Encrypt.

    I have been using ispconfig on other servers for several years and I have hundreds of active domains but in this case after having reinstalled everything 2 times without errors, it seems to me a bug or they have changed something in the latest updates of centos 7.6 which causes this error, with centos I have not experience I have only done new clean installation created the domain as hostname and activated ssl .....
    thanks Taleman for help :)
     
  8. ahrasis

    ahrasis Well-Known Member

    The linux structure for centos is not the same with debian or its derivatives (ubuntu etc). You must make necessary modifications where and when they are needed.
     
  9. Bic72

    Bic72 New Member

  10. Bic72

    Bic72 New Member

    this is what I get if I test the site with https://www.sslshopper.com/ssl-checker.html:
    ------------------------------------------------------------------------------------------------------
    The hostname (archive.xxxxxxxxxx.it) is correctly listed in the certificate.

    The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
    [​IMG] Common name: archive.xxxxxxx.it
    Organization: SomeOrganization Org. Unit: SomeOrganizationalUnit
    Location: SomeCity, SomeState, --
    Valid from July 14, 2019 to July 13, 2020
    Serial Number: 10588 (0x295c)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: archive.xxxxxxxxx.it
    [​IMG]
    [​IMG] Common name: Let's Encrypt Authority X3
    Organization: Let's Encrypt
    Location: US
    Valid from March 17, 2016 to March 17, 2021
    Serial Number: 0a0141420000015385736a0b85eca708
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: DST Root CA X3

    Server Type: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 mod_python/3.5.0- Python/2.7.5 PHP/7.2.20
    The certificate will expire in 363 days.
    ------------------------------------------------------------------------------------------------------
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you select * or the IP address in the website archive.xxxxxxxx.it in ISPConfig? Most likely you have an additional default ssl vhost which sues the self-signed certificate and has a higher priority.
     
  12. Bic72

    Bic72 New Member

    Hi, Till thanks for your reply ...
    I had selected the IP address now I have tried also with * but the problem is not solved ...

    in the httpd/site-anable folder there are:
    000-apps.vhost
    000-ispconfig.vhost
    000-ispconfig.conf
    100-archive.xxxxxxxxxxx.it.vhost

    in the httpd/site-avaiable folder there are:
    apps.vhost
    ispconfig.vhost
    ispconfig.conf
    archive.xxxxxxxxxxx.it.vhost

    can I try to delete ispconfig.vhost? or freezes everything?
    are there other ways to force the priority? ...
    thank you
     
    Last edited: Jul 17, 2019
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The website setting "IPv4-Address" must be the same on all websites. Have you checked it is now "*" in all websites?
     
  14. Bic72

    Bic72 New Member

    hi Taleman
    The server is new, there are no other sites, only one of the hostname and is set with * ....
    if it helps to understand the problem I can send user and password if in private ...
    thank you
     
  15. ahrasis

    ahrasis Well-Known Member

    I am not familiar with centos though securing ISPConfig should be straight forward.

    What I think you should check is - if there exist any minor mistake / difference in your hostname fqdn both in server or letsencrypt folder.
     
  16. Bic72

    Bic72 New Member

    hi Ahrasis
    I tried to see but it all seems ok with the hostname, can you be more precise about what files you mean?
    I don't know what to look at or how to proceed to a solution, I didn't want to format and reinstall everything with ubuntu ... but I'm losing hope ... :)

    ps:Is it not possible to force the use of the correct certificate?
     
    Last edited: Jul 18, 2019
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Try editing the /etc/httpd/conf.d/ssl.conf file, set the paths to the ssl cert to the ones from your LE ssl cert (/etc/letsencrypt/live/...... ) and restart httpd.
     
    ahrasis likes this.
  18. Bic72

    Bic72 New Member

    Great Till ....... ok it works!
    I don't think I have problems with automatic renewal certified so right?

    Thanks again Till
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    there should be no renewal issues.
     

Share This Page