some issues with centos 8 perfect server et alia....

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 28, 2020.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you su to root? The correct commands for recent Linux distributions are:

    su -

    or

    sudo -s

    Just 'su' without the '-' might cause issues, and a wrong path variable will be loaded.
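
An added example, not part of the post above and not ISPConfig code: a shell function that audits a PATH string before an installer is run as root. Plain `su` keeps the calling user's environment, so it reports missing sbin directories and, going one step beyond the post, entries that are empty, relative or world-writable. The function name is hypothetical.

```shell
#!/bin/sh
# Added example: audit a PATH value before running an installer as root.

# path_findings PATH_STRING -> one finding per line, nothing when clean
path_findings() {
    path_value=$1
    # Directories that hold administrative tools; a PATH inherited
    # through plain 'su' may not contain them.
    for need in /usr/local/sbin /usr/sbin; do
        case ":$path_value:" in
            *":$need:"*) ;;
            *) echo "missing $need" ;;
        esac
    done
    # A leading, trailing or doubled colon means "current directory".
    case ":$path_value:" in
        *::*) echo "empty entry" ;;
    esac
    # Subshell so the IFS and globbing changes do not leak to the caller.
    (
        IFS=:
        set -f
        for entry in $path_value; do
            case $entry in
                "") ;;
                /*) # 9th character of the mode string is "write for others"
                    if [ -d "$entry" ] &&
                       [ "$(ls -ldL "$entry" | cut -c9)" = w ]; then
                        echo "world-writable $entry"
                    fi ;;
                *)  echo "relative entry $entry" ;;
            esac
        done
    )
    return 0
}
```

Call it as `path_findings "$PATH"` in the root shell; no output means none of the checks fired.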
     
  2. craig baker

    craig baker Member HowtoForge Supporter

    yep change 'might cause issues' to 'DOES cause issues' - didn't realize the - was REQUIRED. anyone using ssh to do a perfect server might want to be apprised that if they are not in fact root they need to "su -" to make required path variable paths correct! I NEVER like sshing as root directly, but it would have saved problems here!

    I've done that, redone certbot, ripped ispconfig out by the root, reinstalled, and now get another error - I can bring up the apache test page fine (and I put an explicit ServerName in httpd.conf to get rid of that warning). but I can't get port 8080 to respond even though apache is listening on 8080 - the error log /var/log/httpd/error_log has:
    [Thu Oct 01 09:27:25.730281 2020] [autoindex:error] [pid 505216:tid 139701520426752] [client ::1:47996] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive

    I'm almost ready to just wipe and start over! it IS a new server after all :)
    one other point httpd gives a warning on our mailman.conf file about the second scriptalias directive.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    More issues and enlightenment!
    seems the uninstall.php does not clean up right. did a failed install, then uninstall would not clean up after a failed install. more rm -f -R entertainment and redid certbot-auto, and finally saw some light - /etc/letsencrypt/live/ns10.cdbsystems.com was there not just ns10 :)
    did ISPconfig install, and everything SEEMED to work. but didn't really.
    here was output:
    [[email protected] install]# php uninstall.php


    --------------------------------------------------------------------------------
    _____ ___________ _____ __ _ ____
    |_ _/ ___| ___ \ / __ \ / _(_) /__ \
    | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
    | | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
    _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
    \___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
    __/ |
    |___/
    --------------------------------------------------------------------------------


    >> Uninstall

    Are you sure you want to uninstall ISPConfig? [no]yes


    >> Uninstalling ISPConfig 3...

    Backups in /var/backup/ and log files in /var/log/ispconfig are not deleted.Finished uninstalling.
    [[email protected] install]#
    [[email protected] install]#
    [[email protected] install]# php -q install.php


    --------------------------------------------------------------------------------
    _____ ___________ _____ __ _ ____
    |_ _/ ___| ___ \ / __ \ / _(_) /__ \
    | | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
    | | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
    _| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
    \___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
    __/ |
    |___/
    --------------------------------------------------------------------------------


    >> Initial configuration

    Operating System: CentOS 8.2

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


    Select language (en,de) [en]:

    Installation mode (standard,expert) [standard]:

    Full qualified hostname (FQDN) of the server, eg server1.domain.tld [ns10]: ns10.cdbsystems.com

    MySQL server hostname [localhost]:

    MySQL server port [3306]:

    MySQL root username [root]:

    MySQL root password []: NOTREALLYMYPASSWORD

    MySQL database to create [dbispconfig]:

    MySQL charset [utf8]:

    Configuring Postgrey
    Configuring Postfix
    Generating a RSA private key
    ...................................................................................................................................................................++++
    ..........................................................................++++
    writing new private key to 'smtpd.key'
    req: Can't open "smtpd.key" for writing, No such file or directory
    Configuring Mailman
    Configuring Dovecot
    Configuring Spamassassin
    Configuring Amavisd
    [INFO] service Rspamd not detected
    Configuring Getmail
    Configuring Jailkit
    Configuring Pureftpd
    Configuring BIND
    Configuring Apache
    Configuring vlogger
    [INFO] service OpenVZ not detected
    Configuring Bastille Firewall
    [INFO] service Metronome XMPP Server not detected
    [INFO] service Fail2ban not detected
    Installing ISPConfig
    ISPConfig Port [8080]:

    Admin password [5bee9bf0]: NOTREALLYMYPASSWORD

    Re-enter admin password []: NOTREALLYMYPASSWORD

    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

    Checking / creating certificate for ns10.cdbsystems.com
    Using certificate path /etc/letsencrypt/live/ns10.cdbsystems.com
    which: no letsencrypt in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no certbot in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

    Do you want to create SSL certs for your server? (y,n) [y]: y

    Checking / creating certificate for ns10.cdbsystems.com
    Using certificate path /etc/letsencrypt/live/ns10.cdbsystems.com
    which: no letsencrypt in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no certbot in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

    Configuring Apps vhost
    Configuring DBServer
    Installing ISPConfig crontab
    Installing ISPConfig crontab
    Detect IP addresses
    Restarting services ...
    Installation completed.

    --snip--
    well, note the cat failures:
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory

    turns out the symlinks in these folders - were symlinked to themselves!
    'too many symlinks' was the cry from the script.
    so -- deleted symlinks from the folder, reran the little script from perfect3.1centos:
    --snip--
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/ns10.cdbsystems.com/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/ns10.cdbsystems.com/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    --snip--
    and I had my symlinks.

    BUT - https://ns10.cdbsystems.com:8080 still would not load (yes I reran systemctl restart httpd)
    looking at error_log led me to look at
    /etc/httpd/sites-available/000-ispconfig.vhost
    and I found the SSH section was commented out!!
    --snip--
    # SSL Configuration
    # SSLEngine On
    # SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    # SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    #@ SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

    # SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # SSLHonorCipherOrder On
    --snip--
    well this explains much! I DID say I wanted an SSL for ispconfig but it did not update this file...
    I vi-ed it removing the # from all but the bundle line, systemctl restart httpd and
    VOILA!!!
    ns10 is up and running ispconfig on SSL. and WITHOUT throwing it all out!

    maybe some things to look at for the scripts? symlinking the certs to themselves was obviously done somewhere and ought not have been done!
    and the SSL parts of ispconfig.vhost clearly needed to be activated and were not...

    one comment to it said at various points the cert did not need renewal we should probably FORCE a new cert in case it is messed up?
    anyway tired, but victorious.
    curious the install script said Rspamd not detected. do I want it?
    and XMPP server not detected and service OpenVZ not detected. are they desired?
    I left fail2ban because (of course) I'm getting ISPPROTECT to protect this sucker :)

    happy centos 8 /ispconfig3 user :)
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Was this an install of beta2 or a nightly build? The self-referencing symlinks issue was being looked at; if you have a way to reproduce, then try beta3 and see if that's fixed.

    I expect you still want fail2ban along with ispprotect.

    rspamd isn't needed if you use amavis for spam scanning, nor on non-mail-server nodes.
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    just for a note here was the ssl folder before I deleted the links:

    drwxr-x--- 9 ispconfig ispconfig 121 Oct 1 11:22 ..
    -rwxr-x--- 1 root root 45 Oct 1 11:22 empty.dir

    lrwxrwxrwx 1 root root 48 Oct 1 11:22 ispserver.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Oct 1 11:22 ispserver.crt-20201001112212.bak -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Oct 1 11:22 ispserver.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    lrwxrwxrwx 1 root root 48 Oct 1 11:22 ispserver.key-20201001112212.bak -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rwxr-x--- 1 root root 0 Oct 1 11:22 ispserver.pem
    -rwxr-x--- 1 root root 0 Oct 1 11:21 ispserver.pem-20201001112212.bak

    as you see the symlinks were to themselves!
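
An added example, not code from this thread or from ISPConfig: a shell audit for the state shown in the listing above (certificate links that point at themselves, a zero-byte ispserver.pem). Function names are hypothetical; the three file names come from the script quoted earlier in the thread, and the rule that key material must carry no group or other permission bits is an assumption modelled on that script's `chmod 600`.

```shell
#!/bin/sh
# Added example: audit the ISPConfig interface certificate files.

# link_state PATH -> prints one of: missing loop dangling empty ok
link_state() {
    p=$1
    hops=0
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo missing
        return
    fi
    # Follow the chain by hand so a link that points at itself is
    # reported as a loop rather than lumped in with dangling links.
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then
            echo loop
            return
        fi
        target=$(readlink "$p")
        case $target in
            /*) p=$target ;;
            *)  p=$(dirname "$p")/$target ;;
        esac
    done
    if [ ! -e "$p" ]; then
        echo dangling
    elif [ ! -s "$p" ]; then
        echo empty
    else
        echo ok
    fi
}

# audit_ssl_dir DIR -> one line per file, returns 1 if anything is wrong
audit_ssl_dir() {
    dir=$1
    rc=0
    for name in ispserver.crt ispserver.key ispserver.pem; do
        state=$(link_state "$dir/$name")
        # Assumption: files holding the private key have no group/other bits.
        if [ "$state" = ok ] && [ "$name" != ispserver.crt ]; then
            perms=$(ls -ldL "$dir/$name" | cut -c5-10)
            [ "$perms" = "------" ] || state=exposed
        fi
        echo "$name: $state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}
```

Run it as `audit_ssl_dir /usr/local/ispconfig/interface/ssl` after the installer finishes and before restarting httpd.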
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    This has been fixed in beta 3.

    It gets activated when the SSL cert was created successfully.

    Rspamd is not needed, the setup uses amavis for spam scanning.

    No, both won't work on CentOS 8 anyway and get removed from ISPConfig soon.

    Leaving out fail2ban if you use ISPProtect ban daemon instead is fine, just take care to install it when you install the ISPProtect malware scan. The Ban Daemon is a separate application, which is included in the ISPProtect license.
     
