some issues with centos 8 perfect server et alia....

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 28, 2020.

  1. craig baker

    craig baker Member HowtoForge Supporter

    been setting up a new server (trying to take my mind off my horrible recent experiences so I DONT hang myself!) and I seem to get errors at phpmyadmin and roundcube.

    phpmyadmin gives a You don't have permission to access /phpmyadmin on this server.
    when I try serverip/phpmyadmin.

    and seliux is set permissive (question - we always disabled it before in centos 7 perfect, why do we set it permissive in 8? needed? or disable as well?)
    from sestatus:
    [[email protected] config]# sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: permissive
    Mode from config file: permissive
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: actual (secure)
    Max kernel policy version: 31
    [[email protected] config]#

    and in roundcube the web installer says:
    --snip--
    Checking PHP version
    Version: OK(PHP 7.4.10 detected)
    Checking PHP extensions
    The following modules/extensions are required to run Roundcube:

    PCRE: OK
    DOM: OK
    Session: OK
    XML: OK
    JSON: OK
    PDO: OK
    Multibyte: OK
    OpenSSL: OK
    Filter: OK
    Ctype: OK
    The next couple of extensions are optional and recommended to get the best performance:

    FileInfo: OK
    Libiconv: OK
    Intl: OK
    Exif: OK
    LDAP: OK
    GD: OK
    Imagick: OK
    Zip: NOT AVAILABLE(See http://www.php.net/manual/en/book.zip.php)
    Checking available databases
    Check which of the supported extensions are installed. At least one of them is required.

    MySQL: OK
    PostgreSQL: NOT AVAILABLE(See http://www.php.net/manual/en/ref.pdo-pgsql.php)
    SQLite: OK
    SQLite (v2): NOT AVAILABLE(See http://www.php.net/manual/en/ref.pdo-sqlite.php)
    SQL Server (SQLSRV): NOT AVAILABLE(See http://www.php.net/manual/en/ref.pdo-sqlsrv.php)
    SQL Server (DBLIB): NOT AVAILABLE(See http://www.php.net/manual/en/ref.pdo-dblib.php)
    Oracle: NOT AVAILABLE(See http://www.php.net/manual/en/book.oci8.php)
    Check for required 3rd party libs
    This also checks if the include path is set correctly.

    PEAR: OK
    Auth_SASL: OK
    Net_SMTP: OK
    Net_IDNA2: OK
    Mail_mime: OK
    Net_LDAP3: OK
    Checking php.ini/.htaccess settings
    The following settings are required to run Roundcube:

    file_uploads: OK
    session.auto_start: OK
    mbstring.func_overload: OK
    suhosin.session.encrypt: OK
    The following settings are optional and recommended:

    allow_url_fopen: OK
    date.timezone: NOT OK(not set)
    --snip--

    note it says ZIP is not found (its there) and says date.timezone NOT SET - it is!
    from php.ini in /etc: date.timezone = 'America/New_York'
    which matches php.ini on my centos 7.
    am I missing something? dont want to go to next page till get these resolved?
    I've systemctl restart httpd plenty of times!

    also is 3.2 now stable enough to go ahead and use? you install 3.2beta in Perfect Centos 8 :)
    thanks!
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I wouldn't update production systems to it yet unless you're up for potentially troubleshooting yet-to-be-found issues. For any Centos 8 system it is of course required, so in general, grab the latest nightly build and keep an eye on both issues and merge requests, as things are still being found and fixed. I'm running one production server... and spending a good bit of time troubleshooting these last days. :)
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    so it is REQUIRED for centos 8? I missed that somewhere :)
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    okey dokey guess I'm going to be doing some troubleshooting as 3.2 is required for centos 8 :)
    not a problem :)
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    one quick question... I WAS intending to migrate my existing production server to the new centos 8 shiny server!...
    ahem I was going to use that wonderful ispconfig migration script. will that migrate from centos7/3.1 to centos8/3.2? or will it wind up as a hot mess? <grin>
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My guess is the version of Migration tool that is released after ISPConfig 3.2 officially releases does support that migration. Before that, it may not work.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try disabling SELinux if it causes you issues.

    Regarding RoundCube installer, it should be ok. If not, you can install the zip module later anyway and timezone can be ignored for now as well.

    Yes.

    It will most likely work, but we have not tested it yet as ISPConfig 3.2 is still in beta.
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    ok I fixed/ phpmyadmin by putting in:
    <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
    # <RequireAny>
    # Require ip 74.
    ## Require ip ::1
    # </RequireAny>
    </IfModule>

    that let me login as root.
    when installing ISPConfig 3.2 -- I received some unexpected errors:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:

    Checking / creating certificate for ns10
    Using certificate path /etc/letsencrypt/live/ns10
    which: no letsencrypt in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no certbot in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Unable to register an account with ACME server
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.


    also:

    Restarting services ...
    Job for amavisd.service failed because the control process exited with error code.
    See "systemctl status amavisd.service" and "journalctl -xe" for details.

    the amavisd.conf file needed $myhostname to have a FQDN 'ns10.cdbsystems.com' not 'ns10' as it was set...

    anything to worry about? cerbot did not work peroperly.....
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    seems somewhere ns10 should have been ns10.cdbsystems.com I'll poke around more :)
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    ok php uninstall.php then php -q install.php and put in ns10.cdbsystem.com
    (might check its a FQDN before continuing??? else amavisd etc fails.
    but it still does not like letsencrypt:
    checking / creating certificate for ns10.cdbsystems.com
    Using certificate path /etc/letsencrypt/live/ns10.cdbsystems.com
    which: no letsencrypt in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no certbot in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Unable to register an account with ACME server
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ... etc.

    in the letsencrypt.log:
    2020-09-29 19:57:32,679:DEBUG:certbot._internal.log:Exiting abnormally:
    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 218, in perform_registration
    return acme.new_account_and_tos(newreg, tos_cb)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 861, in new_account_and_tos
    return self.client.new_account(regr)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 603, in new_account
    response = self._post(self.directory['newAccount'], new_account)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1072, in _check_response
    raise messages.Error.from_json(jobj)
    acme.messages.Error: urn:ietf:params:acme:error:invalidEmail :: The provided email for a registration was invalid :: Error creating new account :: contact email "[email protected]$hostname" has invalid domain : Domain name contains an invalid character

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 519, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 175, in register
    regr = perform_registration(acme, config, tos_cb)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 225, in perform_registration
    raise errors.Error(msg)
    certbot.errors.Error: The ACME server believes [email protected]$hostname is an invalid email address. Please ensure it is a valid email and attempt registration again.

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/bin/certbot", line 11, in <module>
    sys.exit(main())
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1358, in main
    return config.func(config, plugins)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1225, in certonly
    le_client = _init_le_client(config, auth, installer)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 603, in _init_le_client
    acc, acme = _determine_account(config)
    File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 525, in _determine_account
    "Unable to register an account with ACME server")
    certbot.errors.Error: Unable to register an account with ACME server
    2020-09-29 19:57:32,680:ERROR:certbot._internal.log:Unable to register an account with ACME server


    I assume I'm missing something simple? how to fix??
    cdb
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    When you use a wrong (non-fqdn) hostname on your server, then amavis will fail plus other things like let's encrypt during ISPConfig installation must fail too.

    That's an issue in the beta version and has been fixed already in the nightly releases:

    https://www.ispconfig.org/downloads/ISPConfig-3-nightly.tar.gz
     
  12. craig baker

    craig baker Member HowtoForge Supporter

    ok I redid ispconfig with ns10.cdbsystems.com and still fails with letsencrypt errors! I can try the nightly version, but dont I need to do something about the letsencrypt install? it never asked for a fqdn where does it get it??
     
  13. craig baker

    craig baker Member HowtoForge Supporter

    tried again - deleted ispconfig install (including db) - and installed the nightly.
    also deleted and reran letsencrypt certbot-auto.
    but still get errors from ispconfig:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:

    Checking / creating certificate for ns10.cdbsystems.com
    Using certificate path /etc/letsencrypt/live/ns10.cdbsystems.com
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2857
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2858
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2859
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2862
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2863
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2864
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2867
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2868
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2869
    which: no letsencrypt in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no certbot in (/home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Unable to find renew-hook command letsencrypt_renew_hook.sh in the PATH.
    (PATH is /home/cdb/.local/bin:/home/cdb/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ............................................................................................................................++++
    ............++++
    e is 65537 (0x010001)
    etc.... :)
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Looks like the installer didn't find any letsencrypt clients to issue a certificate.

    The installer could be improved to not create all those "no such file..." errors, which just distract from the more relevant error messages.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

  16. till

    till Super Moderator Staff Member ISPConfig Developer

    and please post the output of:

    ls -la /opt/eff.org/certbot/venv/bin/certbot
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    And did you run the ISPConfig installer as root user? I wonder why the which commands show /home/cdb as path components while it should show something like "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin" as path on CentOS 8 when logged in as root user.
     
  18. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Checking the latest installer, this is incorrect, it would clearly state if no candidate clients were found.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, tested the current nightly on a centos 8 perfect server system, the system I used for this test can't get a le cert as it uses server1.example.com as hostname and is not reachable from the internet, but nonetheless certbot is executed on my system and tries to verify the domain "http-01 challenge for server1.example.com", so something must be wrong with your installation.

    Code:
    Checking / creating certificate for server1.example.com
    Using certificate path /etc/letsencrypt/live/server1.example.com
    Server's public ip(s) (91.48.249.96, 91.48.249.96) not found in A/AAAA records for server1.example.com:
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    which: no letsencrypt in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no certbot in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server1.example.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain server1.example.com
    http-01 challenge for server1.example.com
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ...............................................................................................................................................++++
    ........................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
     
  20. craig baker

    craig baker Member HowtoForge Supporter

    I sshed in as cdb and sued to root before running the scripts... so I guess it still keeps the home/cdb directories? guess I need to actually log in as root....
     

Share This Page