SOAP Error: Could not connect to host

Discussion in 'ISPConfig 3 Priority Support' started by atle, Mar 5, 2021.

  1. atle

    atle Member HowtoForge Supporter

    For 6 month I have been working with the API and now after I made a re-install of the ic master server, I can't connect with the API, with the same code I worked with for 6 month.
    So, I have created a remote user with access to all functions. And I get

    Code:
    SOAP Error: Could not connect to host
    its no fw issue, telnet 8080 is no problem. Is there any other setting I have forgotten to enable remote access?
    It does not seem to be a credential issue , it seems to be something else. Could it be any php issues on the ic master server?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you ping the hostname? Is a valid SSL cert in place?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be a SSL issue if it's a self-signed cert. You can tell PHP soap connect via options to accept self signed certs.
     
  4. atle

    atle Member HowtoForge Supporter

  5. atle

    atle Member HowtoForge Supporter

    This is the soap code I used from the very beginning with no issues at all, until now when I did the re-install.

    Code:
            $this->client = new SoapClient(null, array(
                'location'   => $soap_location,
                'uri'        => $soap_uri,
                'trace'      => 1,
                'exceptions' => 1));
     
  6. atle

    atle Member HowtoForge Supporter

    Whao, I put
    Code:
            $opts = [
                'ssl' => [
                    // set some SSL/TLS specific options
                    'verify_peer' => false,
                    'verify_peer_name' => false,
                    'allow_self_signed' => true
                ],
                 'http'=>[
                    'user_agent' => 'PHPSoapClient'
                ]
            ];
    so the soap call, and now got connected,

    Code:
    Array
    (
        [response] =>
        [success] =>
        [message] => SOAP Error: The login is not allowed from *********
    )
    (I will adress this error later), but why did it connect now? Is the LE cert not really ok? It did work before, with the LE cert ISPConfig used to create. N.B., this time I used the auto-install script to install the server.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Which hostname are you using to connect to? A different one than the one you are using in the browser to visit the panel?

    The not allowed from is probably caused because you did not allow remote access from the IP you are trying to log in from.
     
  8. atle

    atle Member HowtoForge Supporter

    Same hostname as the for the panel. This is strange. Why is the LE cert treated as a self-signed cert?
     
  9. atle

    atle Member HowtoForge Supporter

    And the cert is assigned to the hostname that is called of, "subject=CN = ic.etableraweb.com"

    Code:
    [[email protected] ispconfig]$ openssl s_client -showcerts -connect ic.etableraweb.com:8080  -servername ic.etableraweb.com
    CONNECTED(00000003)
    depth=0 CN = ic.etableraweb.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = ic.etableraweb.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:CN = ic.etableraweb.com
       i:C = US, O = Let's Encrypt, CN = R3
    -----BEGIN CERTIFICATE-----
    MIIFKzCCBBOgAwIBAgISBAz6lL7mfUpcqlnUU6UVEIJ9MA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMTAzMDQxOTA3NTVaFw0yMTA2MDIxOTA3NTVaMB0xGzAZBgNVBAMT
    EmljLmV0YWJsZXJhd2ViLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
    ggEBAMMIlacsk6l3Hxg7nLATKYh3iPzBiopTxK9uY0MBMqlsulDabpxholvP8Owj
    8Iq4IqdaXlgd2TutNOwW6nGyjyPQoemWLNFkmdtDyYW3AcAkWLIaLuehteyQPG6J
    FPcptfwfzR4qHEc9n56pf+DMDMrAno3Xl8+PgahmllO3VMHEdtSviqx+3bxJSWe4
    gIB2EmGYP55DQX6RAPiYbyChIIq0rzyfFaBBG2h0jMnYFX9ejcYJsn7Ktl8xoVht
    rvELpVvtGUPT+KhuxeSclakpEiZBLOCQG/1+pv55S/BrFH8UzCfKoMGQy0XCbSP7
    +w1e4ISrR+Sny4/Lz4p5ErFVXHcCAwEAAaOCAk4wggJKMA4GA1UdDwEB/wQEAwIF
    oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
    BgNVHQ4EFgQUihEkQC5Wt8glkaZf3J8fuMzpb1MwHwYDVR0jBBgwFoAUFC6zF7dY
    VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
    Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
    Lm9yZy8wHQYDVR0RBBYwFIISaWMuZXRhYmxlcmF3ZWIuY29tMEwGA1UdIARFMEMw
    CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
    cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYARJRl
    LrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF3/tqb7gAABAMARzBFAiEA
    +M2SuuSzW9ZgEQioe2I3s+i0O6v2cTGfQllG4NK+mAQCIF7ec8LB/+B2O+dhpt0N
    qNGrkDzxU8i3L20ovmxu9Yi2AHcA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyAL
    zE7xZOMAAAF3/tqb1QAABAMASDBGAiEA9Ec2mPESuQWAtc/XVTpMBWRCo3GIhbqz
    qTs1YBNTBLgCIQCEE4aBeMuhSKJ1uGzrZYN1668d9dj36iwV1p1+qAOf8TANBgkq
    hkiG9w0BAQsFAAOCAQEAolH3lEbUbNYa8emslTjblh/TEGJCfW7yeFzqovg0L39i
    +bQj8FG6sF/1dtLsFURJqh18dhBdIC5bxsdWtYpfIx4MO+XebVzKGlpVijU6vpMT
    8vI/H1eX/pfKPSxKRZTeTEfdGPvxZX/vyNX2b3nFADSwUZ49ZbLV7dZ12dz5NoU8
    3uP+H4qtTfV2B7vWZNipPuVd2yM8Bt8qkhv7ppwjUGplvAV3hvJDyQiTAsbIZ8O2
    udJSZTKe68qURQ3H5MsC6t14LFizPS4iK06jWQ+sFwitry68s4h5IhnBhbNtc58Q
    VWH9ZRy6Hit6zJE2MQBOpmA/fZVPdoYrG1iOJqvrIA==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=CN = ic.etableraweb.com
    
    issuer=C = US, O = Let's Encrypt, CN = R3
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 1887 bytes and written 396 bytes
    Verification error: unable to verify the first certificate
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 21 (unable to verify the first certificate)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: F8E6DDB546A2B39A8D5F5F274AC2AA0E2C8A5649E0C38A73D86A93E925988444
        Session-ID-ctx:
        Resumption PSK: 163584B2CBEC3A989735109EF64C1FBFACA99C4621F0389BAEBF6DB462AC0A6B9F72B8CBBCB5DDAAF8FFE471BD995590
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 5a 39 42 23 78 4b 81 c3-08 10 b4 1d 7f 43 46 ab   Z9B#xK.......CF.
        0010 - 7a af 06 d7 53 b4 07 99-a8 ba b6 8b 76 d2 be a3   z...S.......v...
        0020 - 13 43 22 c5 4b 70 30 b3-f4 45 c2 be 6b 72 71 17   .C".Kp0..E..krq.
        0030 - 61 c1 f7 e7 3d 3e 3e 63-e2 14 3d b7 c9 fe 3b 8a   a...=>>c..=...;.
        0040 - 24 d8 ff 31 db 2f 86 bb-e2 b1 d7 82 06 99 0c 8f   $..1./..........
        0050 - cb 0a 25 f3 70 04 f4 8a-ae ac 02 ab a2 c8 94 60   ..%.p..........`
        0060 - 20 6f c7 61 45 82 26 f8-d5 0b ee 06 ea 5f a1 17    o.aE.&......_..
        0070 - 85 bd fc a1 87 e5 3a c7-c2 da 58 d6 d1 19 31 6e   ......:...X...1n
        0080 - 66 ab c7 6c 22 f2 57 2b-92 55 ed 8f 1a be 34 65   f..l".W+.U....4e
        0090 - cb a7 e5 37 ab d4 1b ae-ef 39 d8 10 d2 e9 68 8f   ...7.....9....h.
        00a0 - 18 09 8a aa 3c 34 f3 ad-5a 7d bd f5 b5 bb cd 5d   ....<4..Z}.....]
        00b0 - fa 9d b4 c4 a6 ef 11 cb-1a 1f f5 1c 79 69 3d 81   ............yi=.
        00c0 - 9b c1 d4 21 35 0b 5a eb-bc 1a 79 f4 4c d7 f4 33   ...!5.Z...y.L..3
        00d0 - 97 08 ae af eb 08 92 fc-1d 85 ce 13 c4 09 03 14   ................
        00e0 - ca a1 1a 28 51 b7 f1 4e-cd 2d d1 13 33 92 9a 7f   ...(Q..N.-..3...
        00f0 - 1a 5f fa e3 9b de c5 9d-43 24 42 ed 3d 88 e1 59   ._......C$B.=..Y
    
        Start Time: 1614961770
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 6766AB01EF834B3666DB010893BA3ACFEABB2D8A8CB99CD9065A4EC55B26A4A3
        Session-ID-ctx:
        Resumption PSK: 683CCDA4CF93F7118BDD1755A28DE7B9583EDFD080C00C7FF65EAD8EC00AB3CB44D978C8BFA17B7B16BE3C37FC1AACCD
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 5a 39 42 23 78 4b 81 c3-08 10 b4 1d 7f 43 46 ab   Z9B#xK.......CF.
        0010 - ed 77 c6 ef f8 8d 75 c2-04 5d f8 ed 2f d5 b5 f9   .w....u..]../...
        0020 - 02 d7 43 8d 32 c3 74 dc-10 0c 21 04 cf 53 0d 27   ..C.2.t...!..S.'
        0030 - f9 17 b4 dd 0f 03 b0 12-46 98 c8 09 4b 62 ad 16   ........F...Kb..
        0040 - 76 d4 b9 c4 a7 8d 8b 45-33 3d 8b 11 2b e2 3d fb   v......E3=..+.=.
        0050 - b9 cb 9b ef 97 3d 16 be-fe 0d 80 ea 19 4f ba de   .....=.......O..
        0060 - 7c eb 3e ae e0 7a de 2b-d7 5c 05 06 29 43 2b ca   |.>..z.+.\..)C+.
        0070 - 36 7d 40 d9 d8 ff 46 a0-c9 fe d1 d5 ba ab fc ef   6}@...F.........
        0080 - c3 66 7f 51 e8 5e 93 e8-62 68 59 6c f7 cb 20 15   .f.Q.^..bhYl.. .
        0090 - 83 a1 ac a3 80 29 54 8d-5e e3 23 e5 98 ed 4f 06   .....)T.^.#...O.
        00a0 - c6 5f 7a a2 12 3c f4 86-20 18 47 5d 1b bf 8f 96   ._z..<.. .G]....
        00b0 - df 63 1e 31 26 8d 81 e7-ab ca 56 5a 38 11 17 18   .c.1&.....VZ8...
        00c0 - da 30 2a c1 f9 6e ab b9-99 61 1e 4a 96 03 b5 17   .0*..n...a.J....
        00d0 - 0e 95 fd 40 31 42 bf df-fb 69 0f a3 2d 02 37 a6   [email protected]
        00e0 - 07 87 12 39 29 e2 f5 5e-bd a8 3f cd 0f f8 77 e9   ...9)..^..?...w.
        00f0 - 65 b0 39 33 8d 85 8c a5-4f 05 ac 65 ef a8 ba 1f   e.93....O..e....
    
        Start Time: 1614961770
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
     
  10. atle

    atle Member HowtoForge Supporter

    When I look closer to the cert, it says the first certificates can't be verified.
    I did test to connect with only
    Code:
    'verify_peer' => false,
    set, and it connects. Hence the issue is the cert that has been created by acme.
    There were issues with the certs when the server was installed with the auto-install script, see https://www.howtoforge.com/communit...sexception-php-error.86530/page-2#post-419365
    I hade to do a forced update to generate new certs.
     
  11. atle

    atle Member HowtoForge Supporter

    I did the same test on one of our DA servers that also use le certs, and with these there are no issues to verify peers. There is something not so good with the le certs created by ISPConfig
    Code:
    [[email protected] ispconfig]$ openssl s_client -showcerts -connect ronin2.etableraweb.com:443  -servername ronin2.etableraweb.com
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = ronin2.etableraweb.com
    verify return:1
     
  12. atle

    atle Member HowtoForge Supporter

    Well, now I did on a hosted domain on the ISPConfig server, and that domain did get a proper cert. It is the ISPConfig portal, dovecot, postfix and ftp that has poor certs.

    Code:
    [[email protected] ispconfig]$ openssl s_client -showcerts -connect blogg.click:443  -servername blogg.click
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = blogg.click
    verify return:1
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Something is wrong with the chain of trust.
    In your other post, you were messing with the cert. It is likely something went wrong there. You noted you copied the cert from the acme.sh folder, this can lead to problems. What is the output of
    Code:
    ls -la /usr/local/ispconfig/interface/ssl
    now?
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You most likely copied the "server1.example.com.cer" cert instead of the fullchain "fullchain.cer"
    Copy the fullchain.cer from /root/.acme.sh/server1.example.com/ to /usr/local/ispconfig/interface/ssl/ispserver.crt

    The reason it works in most browsers is that they search for the missing parts (the root certificates), but PHP does not.

    This was not fixed when you ran the forced upgrade, because you already placed "valid" cert in the ssl folder.
     
  15. atle

    atle Member HowtoForge Supporter

    You are the man Thom, wonderful,
    Code:
    [email protected]:~/.acme.sh/ic.etableraweb.com# openssl s_client -showcerts -connect ic.etableraweb.com:8080  -servername ic.etableraweb.com
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = ic.etableraweb.com
    verify return:1
    ---
    I suspected it was because there is ni CAA record for the hostname, and the current DNS provider we use for the domain, enom, do not support can records, so just startd to setup DNS for this domain elsewhere, and since this domain is crucial for our whole infrastructure , its not a small task. Glad I got your reply now, so I can stop that task.
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No problem, glad to hear.
     

Share This Page