[SOLVED]HTTPS not accessible, no errors letsencrypt

Discussion in 'General' started by Xase, Aug 31, 2018.

  1. Xase

    Xase Member

    So... let's encrypt seems to be working... But I cannot seem to access any pages with https. With or without a cert. http works fine
    I followed this tutorial https://www.howtoforge.com/tutorial...sl-pureftpd-bind-postfix-doveot-and-ispconfig
    With the small exception of making sure I got the latest ispconfig from the downloads page. That's the only difference
    and my currently configured sites are childrenofatom.church and myzera.com as reference. I couldn't really find anything pertaining to this conundrum, so I figured I'd ask.

    Willing to provide whatever other information that'll help.
     
  2. ahrasis

    ahrasis Well-Known Member

    Dig your domains and see whether their public ip is the same as your web server ip.
     
    Xase likes this.
  3. Xase

    Xase Member

    Code:
    [email protected]  ~  dig gethosting.today. any @174.105.101.49     
    
    ; <<>> DiG 9.13.2 <<>> gethosting.today. any @174.105.101.49
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60031
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: e677b0db049bb0bebb65ed3f5b889b12ef610cb07ca80a17 (good)
    ;; QUESTION SECTION:
    ;gethosting.today.        IN    ANY
    
    ;; ANSWER SECTION:
    gethosting.today.    3600    IN    NS    ns2.gethosting.today.
    gethosting.today.    3600    IN    NS    ns1.gethosting.today.
    gethosting.today.    3600    IN    MX    10 mail.gethosting.today.
    gethosting.today.    3600    IN    TXT    "v=spf1 mx a ~all"
    gethosting.today.    3600    IN    SOA    ns1.gethosting.today. admin.thehost.ninja. 2018083103 7200 540 604800 3600
    gethosting.today.    3600    IN    A    174.105.101.49
    
    ;; ADDITIONAL SECTION:
    ns1.gethosting.today.    3600    IN    A    174.105.101.49
    ns2.gethosting.today.    3600    IN    A    174.105.101.49
    mail.gethosting.today.    3600    IN    A    174.105.101.49
    
    ;; Query time: 62 msec
    ;; SERVER: 174.105.101.49#53(174.105.101.49)
    ;; WHEN: Thu Aug 30 21:34:10 EDT 2018
    ;; MSG SIZE  rcvd: 278
     ✘ [email protected]  ~  dig myzera.com. any @174.105.101.49
    
    ; <<>> DiG 9.13.2 <<>> myzera.com. any @174.105.101.49
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27792
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 17ff9194fdf8de3c1d6922225b88ba09142ef3711e851cf7 (good)
    ;; QUESTION SECTION:
    ;myzera.com.            IN    ANY
    
    ;; ANSWER SECTION:
    myzera.com.        3600    IN    MX    10 mail.myzera.com.
    myzera.com.        3600    IN    NS    ns1.gethosting.today.
    myzera.com.        3600    IN    NS    ns2.gethosting.today.
    myzera.com.        3600    IN    TXT    "v=spf1 mx a ~all"
    myzera.com.        3600    IN    A    174.105.101.49
    myzera.com.        3600    IN    SOA    ns1.gethosting.today. admin.thehost.ninja. 2018083101 7200 540 604800 3600
    
    ;; ADDITIONAL SECTION:
    mail.myzera.com.    3600    IN    A    174.105.101.49
    ns1.gethosting.today.    3600    IN    A    174.105.101.49
    ns2.gethosting.today.    3600    IN    A    174.105.101.49
    
    ;; Query time: 59 msec
    ;; SERVER: 174.105.101.49#53(174.105.101.49)
    ;; WHEN: Thu Aug 30 23:46:17 EDT 2018
    ;; MSG SIZE  rcvd: 288
    
     [email protected]  ~ 
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please run this command on the server and post the output:

    grep SSL /etc/apache2/sites-enabled/gethosting.today.vhost
     
    Xase and ahrasis like this.
  5. Xase

    Xase Member

    Will do, I had run `sudo ufw enable` without checking if it was setup at all, and locked myself out. Should be back in shortly... been down since Thursday :(
     
  6. Xase

    Xase Member

    [email protected]:~# grep SSL /etc/apache2/sites-enabled/gethosting.today.vhost
    grep: /etc/apache2/sites-enabled/gethosting.today.vhost: No such file or directory

    I have not added it as a site, because last time that's where my previous conflict arose.

    Could it be because I don't have that site setup and SSL'd?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You want to access a website by SSL but have not added the website yet? This can not work.

    1) Add the website in ISPconfig, press save.
    2) Open the website settings again, enable Let's encrypt for that site and press save.
     
  8. Xase

    Xase Member

    I understand that. Childrenofatom.church has let's encrypt enabled. I'm not trying to access gethosting.today over SSL at the moment. I'm trying to confirm that https:// will open and throw an error for sites with no cert like gethosting.today or Myzera.com.

    I have certed childrenofatom.church. None of the sites do anything with https:// not even error.

    I was under the assumption childrenofatom.church would work since it does have the SSL.


    [email protected]:~# grep SSL /etc/apache2/sites-enabled/900-childrenofatom.church.vhost
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    SSLCertificateFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.crt
    SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.key
    SSLCertificateChainFile /var/www/clients/client1/web1/ssl/childrenofatom.church-le.bundle
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    Accessing Anything on the server over https results in nothing.

    I understand that gethosting does not have an SSL.

    Are you saying I - HAVE - to set up and SSL all sites? What if I wish not to SSL one hypothetically?

    Again. My inquiry is not why I can't access gethosting.today via ssl. It points to apache root for now. I'm concerned as to why I can't access childrenofatom.church over https with a cert enabled. Did I miss some sort of step perhaps? I will setup gethosting.today when I get home. But I don't think that's the issue here. Because they should still throw an error without a cert? Am I wrong?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Apache will not throw an error in that case. When you run multiple sites on the same IP address then either all sites should use SSL or no site should use SSL, if you mix that, then apache will start to show the content of the first site it finds with SSL on the same IP address for the site where you did not have SSL enabled. That's the normal behavior of apache and nginx web servers as a port has precedence over a domain name.

    a) Enable SSL for all sites (which makes sense as all browsers start to warn users not to access a site when it has no SSL).
    b) Do not enable SSL for a site.
    c) Use two IP addresses, one for SSL sites and one for non-ssl sites.
     
  10. Xase

    Xase Member

    Okay. I will take your advice once I get home. So basically, I need a second server with its own dedicated ip to host and serve non ssl sites. That's fine. We plan on getting a second server. The ip problem is a bit more difficult at the moment. It's not really an issue, since we do plan to SSL all sites. I just assumed it would throw an error at least instead of not loading at all.

    I will report back with results. Thank you Till for your timely, and respectful responses. I apologize if any of mine come off edgy. I'm not all that great with social matters.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem might be something different though, I just ran some tests on your childrenofatom.church domain and I get a network timeout. My guess is that you might have closed port 443 in a firewall or router in front of that server.

    The other problem I explained above is a general issue when mixing SSL and non SSL sites which you should consider anyway, even if it's not the source of the current problem.
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is that only for some special case of SSL? I use Let's Encrypt and do have host with only one IP-address, and both http and httpS sites. Both work OK. All websites have "*" for IP-address in the website settings, though.
     
  13. Xase

    Xase Member

    Well port 443 is forwarded and ufw is currently disabled, since I clearly need to configure that so I don't lock myself out again. I'll consider the mystery of SSL partially solved... but should I open a new thread for the other problem? Another reason I didn't set up gethosting.today as a site yet, is because when I do... it works for a short while... then it drops. As it seems to be competing for the resources for directing at apache root AND ispConfig directory.

    I plan on restarting from scratch... and reinstalling via the perfect tutorial again for my distro. Maybe that will solve issues.
    I am trying to use gethosting.today as a webpage AND NS access.

    This is more of a trial run/learning experience, this is not a production setup, so whatever we can do to check anything out is fine.
     
    Last edited: Sep 4, 2018
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The issue occurs when you try to enter https:// instead of http:// for one of the sites which don't have SSL. What happens is that apache looks through its vhosts to find a vhost where IP or *, port (443) and the domain name match. As there is no vhost where all three criteria match, apache will show the content of the next best matching vhost, which is basically the first vhost in alphabetical order that has SSL enabled.

    Example:

    You have website a.tld with http and https and b.tld with just http. If you would enter https://b.tld in the browser now, then you get the content of a.tld (plus an SSL warning as the cert of a.tld does not contain b.tld).
     
    Taleman and Xase like this.
  15. ahrasis

    ahrasis Well-Known Member

    I noted that you are using one ip to build your dns server but it is really not advisable as it will defeat its original purpose. As an alternative for your second dns server, if you can't afford one, you may check and use free services like http://freedns.afraid.org/secondary.

    By the way, I noted that not many companies are offering free dns services nowadays though I think there is a lot of demand for it. I think DNS servers properly built with ISPConfig are capable of handling this demand but I am not sure I have bumped into one in the market.
     
    Xase likes this.
  16. Xase

    Xase Member

    Well, I started from scratch, and now I think I'm missing some step that I accidentally stumbled upon before.
    I can't seem to bring up my main site... I'll report back once I figure it out. I had the issue before I started over actually... We moved the server's location on the network, which reset the internal ip on the router, and I never bothered to set one statically, so I did, and it did not work, so I reformatted and started from scratch after applying the static lease at the router level, because I had also installed a BUNCH of DEs messing around because the owner wanted to see what linux desktops were like.

    @ahrasis, thanks for pointing that out, yes I plan to use freedns for a secondary, but will that work for all the other sites on my config was my qualm when I was deciding. I am trying to get all the kinks out. It's not so much I can't afford additional servers, I can't currently afford the static IPs. They wanna sell them in packs of [email protected] 15 apiece, that's 80 dollars on top of having to shell out for business class internet. This is currently a private host for our personal domains to get them online and doing stuff, whilst learning.

    Do you know of any valid config outline for using secondary servers from freedns, it seems straightforward enough, but their instructions are vague.

    Sorry to derail my own topic, I will start a new topic shortly once I get my main site functioning again.
     
  17. Xase

    Xase Member

    Okay, so, I had put my internal ip in /etc/hosts. I dunno if I'm supposed to put my external IP there for my hostname, but it started working after I did it seems. Though I just realized I wasn't getting live results from google chrome. Finally decided to check in firefox, and both SSL and regular HTTP are working !! if I should revert to internal ip and revert dns zones to internal ip instead of external, I'd like to know, or if it's fine to continue as is I will.
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Thanks for the explanation. I created 00aa.mydomain.fi website, made LE certificate and created an index.html file which explains to the visitor why they ended up on an unintended page, and advises to remove the S from HTTPS://.
    I was up to now ignorant about this feature with HTTPS. I had to test on my server that this really happens, and it is really a "feature". Hopefully my shiny new website 00.aa helps avoiding total confusion with visitors.
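The vhost selection till describes in post 14, and the alphabetically-first catch-all site Taleman built in post 18, as an added example (not ISPConfig's or Apache's own code): a small Python model of how Apache narrows to the vhosts bound to the requested IP:port, matches the host name, and otherwise falls back to the first vhost in load order. The vhost table, the IP 203.0.113.10 and the file names are constructed; only the 00aa.mydomain.fi name comes from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    file: str          # vhost file under sites-enabled (constructed names)
    addr: str          # "*" or the IP the vhost is bound to
    port: int
    names: tuple       # ServerName plus ServerAlias entries
    cert_names: tuple = ()  # names covered by the certificate; empty = no SSL

def select_vhost(vhosts, ip, port, host):
    """Return (vhost, matched_by_name) for a request to ip:port with this host name."""
    # Step 1: keep only vhosts bound to this IP:port, in config load order.
    # sites-enabled is included by glob, so load order is alphabetical by file name.
    candidates = sorted(
        (v for v in vhosts if v.port == port and v.addr in ("*", ip)),
        key=lambda v: v.file)
    if not candidates:
        return None, False
    # Step 2: match the requested name (Host header / SNI) against ServerName/Alias.
    for v in candidates:
        if host in v.names:
            return v, True
    # Step 3: no name matched, so the first vhost for that IP:port is the default.
    return candidates[0], False

def diagnose(vhosts, ip, port, host):
    """Describe what a browser would see, including the cert-name mismatch case."""
    v, by_name = select_vhost(vhosts, ip, port, host)
    if v is None:
        return "no vhost listens on %s:%d (connection refused or timeout)" % (ip, port)
    if port == 443 and host not in v.cert_names:
        return "served by %s, certificate does not cover %s" % (v.file, host)
    return "served by %s" % v.file

# Constructed table mirroring the thread: a.tld has http+https, b.tld only http.
SERVER_IP = "203.0.113.10"  # documentation address, not a real server
VHOSTS = [
    VHost("100-a.tld.vhost", "*", 80, ("a.tld", "www.a.tld")),
    VHost("100-a.tld.vhost", "*", 443, ("a.tld", "www.a.tld"), ("a.tld", "www.a.tld")),
    VHost("200-b.tld.vhost", "*", 80, ("b.tld", "www.b.tld")),
]
# Catch-all in the spirit of Taleman's 00aa site: it sorts first, so it absorbs
# https:// requests for names that have no SSL vhost of their own.
CATCH_ALL = VHost("000-00aa.mydomain.fi.vhost", "*", 443,
                  ("00aa.mydomain.fi",), ("00aa.mydomain.fi",))

if __name__ == "__main__":
    print(diagnose(VHOSTS, SERVER_IP, 443, "b.tld"))
    print(diagnose(VHOSTS + [CATCH_ALL], SERVER_IP, 443, "b.tld"))
```

Note that the model does not cover the separate timeout till saw in post 11: when nothing answers on 443 at all (firewall or router), no vhost is ever consulted.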
     
