Rewrite HTTP to HTTPS disables lets encrypt

Discussion in 'ISPConfig 3 Priority Support' started by atle, Oct 19, 2020.

  1. atle

    atle Member HowtoForge Supporter

  2. atle

    atle Member HowtoForge Supporter

    When "Rewrite HTTP to HTTPS" is enabled the whole 443 VirtualHost container is missing in the vhost file, and the acme lines are added (to the 80 container).
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do you have a custom vhost in /usr/local/ispconfig/server/conf-custom? If so, replace that with the new one in /usr/local/ispconfig/server/conf and tweak it to your needs.

    You could try doing a force reload aswell.

    I can't reproduce this issue on a system with 3.2 installed.
     
  4. atle

    atle Member HowtoForge Supporter

    No, nothing here. This is not a production system, its a multiserver environment I have put up to evaluate ISPConfig. The install is very native.
    Assume you are referring to apache, and I have done several test including restarting apache.

    I attach the vhost file (changed IP and hostname) that is created after the user enables the https redirect. As you can see there is no 443 container. Furthermore the https directive is still there, despite it was disabled:
    Code:
            RewriteCond %{HTTPS} off
                    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
    and acme lines are added:
    Code:
                    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
                    RewriteRule ^ - [END]
    which I dont understand since these are absent when there is a working le 443 container, assume you use another method for le to verify.

    Very strange, I have made several tests with the same result. Well, will have to re-install the server if the root cause cant be find. Since there is no multiserver Debian 10 ISPConfig 3.2 manual for install, I had to combine the ones there are.
     

    Attached Files:

  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I meant force reloading the panel, to see if any code was cached from 3.1.15p3 (which should not be possible, but still)

    You can also try running a update:
    Code:
    cd /tmp
    wget https://www.ispconfig.org/downloads/ISPConfig-3.2.tar.gz
    tar xvfz ISPConfig-3.2.tar.gz
    cd ispconfig3_install/install
    php -q update.php
     
  6. atle

    atle Member HowtoForge Supporter

    I have testes to enable "Rewrite HTTP to HTTPS" as admin, and in that case, no problem.
    The problem occurs when the user, logged in as the user, enables it.
     
  7. atle

    atle Member HowtoForge Supporter

    Doing this, I am logged in on Safari as admin and as the user on Vivaldi, same computer. Will do test with only user logged in.
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Just tested that, can't reproduce it as user either. But will double check the code to see if I find something weird. Thanks for sharing the vhost, thats helpful.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Just tested on safari, can't reproduce it.

    This is a shot in the dark, but maybe it is disabled because Let's Encrypt verification failed? Any errors under Monitor -> System-log?
     
  10. atle

    atle Member HowtoForge Supporter

    Have you tested as the user, that is, login as the user? For me, this is when it failes.
    This is a 3.2 install from scratch.
    Nothing there that say Let's Encrypt verification failes. When "Rewrite HTTP to HTTPS" is disabled, https works as it should with lets encrypt certificate.
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes

    No other issues either?

    Can you go through these steps: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/, enable LE, run the server.sh script, enable the redirect, and then run the script again, and share the outputs here within code tags?
     
  12. atle

    atle Member HowtoForge Supporter

  13. atle

    atle Member HowtoForge Supporter

  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have seen it, thanks.

    It seems like the user has no rights for SSL and LE, can you add SSL and LE to their limits and test again? If that works correctly, can you try again after removing rights to LE, but keep SSL enabled in the client limits?

    It might be this issue but just for SSL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4511
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you enable debug logging in the server settings?
     
  16. atle

    atle Member HowtoForge Supporter

    Hm, to fast, here is is

    Code:
    [email protected]:~/tmp/problem_httpsredir# /usr/local/ispconfig/server/server.sh
    19.10.2020-20:21 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    19.10.2020-20:21 - DEBUG - Found 2 changes, starting update process.
    19.10.2020-20:21 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - Network configuration disabled in server settings.
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: postconf -e 'smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining, permit' - return code: 0
    19.10.2020-20:21 - DEBUG - safe_exec cmd: postconf -e 'smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit' - return code: 0
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Calling function 'server_update' from plugin 'webserver_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - Processed datalog_id 367
    19.10.2020-20:21 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - Network configuration disabled in server settings.
    19.10.2020-20:21 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - safe_exec cmd: postconf -e 'smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining, permit' - return code: 0
    19.10.2020-20:21 - DEBUG - safe_exec cmd: postconf -e 'smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit' - return code: 0
    19.10.2020-20:21 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
    19.10.2020-20:21 - DEBUG - Calling function 'server_update' from plugin 'webserver_plugin' raised by event 'server_update'.
    19.10.2020-20:21 - DEBUG - Processed datalog_id 368
    19.10.2020-20:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    19.10.2020-20:21 - DEBUG - Restarting httpd: systemctl restart apache2.service
    19.10.2020-20:21 - DEBUG - Calling function 'restartPostfix' from module 'mail_module'.
    19.10.2020-20:21 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I see quite some changes, but nothing on your website. Did you change settings and run the command after? Remember to comment out the cronjobs aswell.
     
  18. atle

    atle Member HowtoForge Supporter

    This is what template Basic says
    https://xxa.se/i/20n60s2115rjei25.png
    Is this wrong, should both be enabled?
    The template Basic has been assigned to the client. However, the custom settings below says something else, but I assume that part is obsolete.
    https://xxa.se/i/20hy484343plg128.png
     
  19. atle

    atle Member HowtoForge Supporter

    Here we are
    Code:
    [email protected]:~/tmp/problem_httpsredir# /usr/local/ispconfig/server/server.sh
    19.10.2020-20:34 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    19.10.2020-20:34 - DEBUG - Found 1 changes, starting update process.
    19.10.2020-20:34 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    19.10.2020-20:34 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    19.10.2020-20:34 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client2/web10' - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client2/web10' - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client2/web10'|awk 'END{print $2,$NF}' - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: setquota -u 'web10' '102400' '103424' 0 0 -a &> /dev/null - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: setquota -T -u 'web10' 604800 604800 -a &> /dev/null - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client2/web10' - return code: 0
    19.10.2020-20:34 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:34 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/wjk.se.vhost
    19.10.2020-20:34 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    19.10.2020-20:34 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web10.conf
    19.10.2020-20:34 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    19.10.2020-20:34 - DEBUG - Restarting php-fpm: systemctl reload php7.3-fpm.service
    19.10.2020-20:34 - DEBUG - Apache status is: running
    19.10.2020-20:34 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    19.10.2020-20:34 - DEBUG - Restarting httpd: systemctl restart apache2.service
    19.10.2020-20:34 - DEBUG - Apache restart return value is: 0
    19.10.2020-20:34 - DEBUG - Apache online status after restart is: running
    19.10.2020-20:34 - DEBUG - Processed datalog_id 376
    19.10.2020-20:34 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
     
  20. atle

    atle Member HowtoForge Supporter

    After that the website ceased to work.
     

Share This Page