reinstall postfix after securing-short question

Discussion in 'Installation/Configuration' started by fxs, Jan 24, 2012.

  1. fxs

    fxs New Member

    Hi,

    I'm on debian 6 ispconfig3.042 roundcube apache2 (kernel version OVH)
    The background (in short):
    I follow the tuto Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL.
    Apache 2 failed and everything was down.

    To restart i had to use:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    The short urgent question
    webmail is down because he wants certificates. How can I cancel these lines
    By now I would like to restart postfix/dovecot

    Thanks for your help
    best regards
     
  2. fxs

    fxs New Member

    This night I try a couple of times to secure ISPconfig 3 and failed.
    In addition the websites were down for hours. I got these lines:
    My feeling is that they are two (coincidental?) problems:

    1) the computer doesn’t understand the key given by startssl (he looks for something written like that xxxxxxx.ovh.net.crt and xxxxxxx.ovh.net.key and not for something including the domain name (apache log).
    Then this error forces apache2 to crash.
    So that I decided to disable SSL

    2) in the apache log, there is also this message:
    What’s wrong? What does it mean? How to solve that?

    To disable SSl I comment some lines (defaut-ssl):
    Code:
            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            >>>>>>>># SSLEngine on
    
            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            # SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
            # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
            >>>>>>>#  SSLCertificateFile /etc/ssl/certs/xxxxxxx.ovh.net.crt
            >>>>>>>#  SSLCertificateKeyFile /etc/ssl/private/xxxxxxx.ovh.net.key
    
    and ispconfigvhost
    Code:
    # SSL Configuration
    >>>>>>>>#  SSLEngine On
    >>>>>>>#  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    >>>>>>>#  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.ke
    
    Is it safe to do that?
    Is there a better way to disable SSL?

    Do I have something else to do?

    thanks for any inputs

    best regards
     
  3. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you post the outputs of ls -la /usr/local/ispconfig/interface/ssl/ and ls -la /etc/postfix/?

    What's in your ISPConfig vhost?
     
  4. fxs

    fxs New Member

    hello

    ls -la /usr/local/ispconfig/interface/ssl/

    ls -la /etc/postfix/

    content of ISPConfig vhost

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################
    
     Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
      ServerAdmin webmaster@localhost
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options Indexes FollowSymLinks MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          AddHandler fcgid-script .php
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Order allow,deny
          Allow from all
        </Directory>
      </IfModule>
    
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
              php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    
      # SSL Configuration
    #  SSLEngine On
    #  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    #  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    # ## must be re-added after an ISPConfig update!!!
    #  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
    
    </VirtualHost>
    
    <Directory /var/www/php-cgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <Directory /var/www/php-fcgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    Thanks

    best regards
     
  5. fxs

    fxs New Member

    I thought there was a mistake here: sub.class1.server.ca.pem.1
    (see prev thread)
    Then I correct
    and get again
    Comments again and restart. This is the apache log
    I see again the double errors.
    Looks also like discussion: http://http://www.howtoforge.com/forums/showthread.php?t=55522.
     
  6. fxs

    fxs New Member

    I forget to display these error messages:
    Thanks for your help
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Where are smtpd.key and smtpd.cert? They are not in your output...
     
  8. fxs

    fxs New Member

    Hello,

    I made a clean installation starting from point zero.
    Then I follow the tutorial from point 1 to 4
    Then there's a crash.
    Then I stop at point 4

    Point 6: cd /etc/postfix
    mv smtpd.cert smtpd.cert_bak
    mv smtpd.key smtpd.key_bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

    The following morning I forget to create again smtpd.cert and ispserver.key smtpd.key.

    I will try at midnight again with theses keys before to see if any change.
    In addition, I'll give a try on a second server whith the same config to see what happens.

    Thanks
     
  9. fxs

    fxs New Member

    On the second server (smallest but with debian 6, Isp 3 (ovh) upgd to 3.042, this is what I get

    and later

    And inside ispconfig.vhost I see

     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What do you mean with "crash"?

    Why do you want to create these again? :confused:
     
  11. fxs

    fxs New Member

    You're absolutely right. In this sitation, this term is minommer. The computer works well, but Apache2 is down.

    We have two servers withe debian 6 and ispconfiger. The other has version 3, we upgrade it and we try again your tuto to see what happens. We get the same same error messages and problems.
     
  12. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please check Apache's error log.

    My guess is you did something wrong when you concatenated the intermediate certificates from StartSSL.
     
  13. fxs

    fxs New Member

    You have the apache.log above.

    In addition, I saw in the apache.log the string:
    Invalid method in request \x16\x03\x01
    That means there is probably an arror in httpd.conf. The fix could be to specify the port in all of the VirtualHost & NameVirtualHost directives in the apache httpd config or something else.

    Maybe it explains the lines (in apache.log):
    Is this file (port.conf) correct?
    Code:
    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default
    # This is also true if you have upgraded from before 2.2.9-3 (i.e. from
    # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
    # README.Debian.gz
    
    NameVirtualHost *:80
    Listen 80
    
    <IfModule mod_ssl.c>
        # If you add NameVirtualHost *:443 here, you will also have to change
        # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
        # to <VirtualHost *:443>
        # Server Name Indication for SSL named virtual hosts is currently not
        # supported by MSIE on Windows XP.
    Listen 443
    </IfModule>
    
    <IfModule mod_gnutls.c>
    Listen 443
    </IfModule>
    Thank you to give me your inputs
     

Share This Page