[SOLVED] strange behaviour with SSL Letsencrypt. All sites try to access with the same cert

Discussion in 'Installation/Configuration' started by recin, Jun 6, 2018.

  1. recin

    recin Member

    I just installed Ispconfig on Ubuntu 18.04 following the perfect server guide (using port 81 instead of 8080), then I installed PHP-FPM 5.6 following this: https://tecadmin.net/install-multiple-php-version-apache-ubuntu/
    then I upgraded ispconfig and go from 3.1dev to 3.1.12
    and finally I follow this one: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/ to hace secure access to ispconfig.

    I have srv.domain1.com (this is the server hostname), domain2.com and domain3.com

    I have a strange error because all sites try to access with https, even if it's not checked on her config. Then, if i check letsencrypt on several sites they access via https using the wrong cert:
    If I have letsencrypt only for srv.domain1.com, then the other webs try to access via https with this cert, with error because cert is for domain1, not domain2 nor domain3.
    If I check letsencrypt for domain2, in addition to 1, then I have good https access to domain 1 and 2, but 3 try to access with domain2 cert
    If I check LE for domain3, in addition to 1 and 2, then I have good https access to domain 1 and 3, but 2 try to access with domain3 cert.

    It seems all sites are always trying to access with the last cert created, all but the main one, who always is OK.
    In /etc/letsencrypt all certs seems ok.
    What can I do for repair this?
    Thanks in advance
     
    Last edited: Jun 6, 2018
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    First, when SSL is not active for a site and you use that domain to access the site with https, then apache must show the content of a different site, so that's normal. Apache will show the content of the first site that it finds which has SSL enabled. To fix that, enable SSL on all sites that use the same IP address. If you can't enable LE SSL for a site, then look at the letsencrypt.log to see why it fails. The most likely reasons are dns errors and custom rewrite rules which prevent LE from finding the verification token.

    And one last thing, never mix IP and * in the IP field on your server. either use the IP for all sites or * for all sites.
     
  3. recin

    recin Member

    I had mixed IP and * in site Ip field. I fixed it and now it seems to working fine with some domains with SSL and other not.

    But I have another problem. Now I can access webmail only with https://srv.domain1.com/webmail (the server hostname). If I tray accessing with another domain or even with server IP i get a browser error.
    The apache log show error 500.
     
  4. recin

    recin Member

    I still had problems with SSL (it seems putting IP on IP field didn't work).

    But finally I could solved it. It seems there was a problem deleting one cert and when creating it appears like domain2.com-0001 in /etc/letsencrypt/live/

    So in ispconfig I uncheck SSL field of problematic domains and then delete them from command line like this:
    certbot revoke --cert-path /etc/letsencrypt/live/domain2.com-0001/fullchain.pem
    certbot delete --cert-name domain2.com-0001
     

Share This Page