SSL issues

Discussion in 'Installation/Configuration' started by profm2, Apr 29, 2012.

  1. profm2

    profm2 New Member

    FIRST ISSUE:

    With the recent release of Ubuntu 12.04LTS, I decided to clean off my system and redo my server.

    I followed the HOWTO: Perfect Server for Ubuntu 11.10 with Nginx, and everything was good, even with 12.04LTS.

    I then went and got a SSL Cert from StartSSL, following the HOWTO: Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL

    I only have one host, mine, so I'm thinking that the SSL should work for allowing HTTPS requests to my server. Unfortunately, it does not. Looking through the /etc/nginx/sites-enabled/vhost files, it appears that the only thing that is secured via SSL is ISPConfig ... which is what the second howto does.

    Since I'm only hosting one domain, is there a way I can use the same SSL certificate for securing both ISPConfig along with my site?

    ----------
    SECOND ISSUE:

    Ok, after going through the two above HOWTO's ... I'm now having issues with connecting to the server with Thunderbird. I can receive emails with IMAPS, my settings are - Connection security: SSL/TLS with a normal password on Port 993 (which is the default per Thunderbird).

    On the outgoing (where I'm having issues), I think I've tried every combination available for SSL/TLS, STARTTLS. At this point, my guess is the port isn't open. Per Thunderbird, the default port for SSL/TLS is 465, and STARTTLS is 587. Normal SMTP is 25.

    The error message that I'm getting when I use SSL/TLS with default port of 465 is:
    This would make it appear that the ports are messed up. When I use STARTTLS, I get the same message.

    Any ideas?
     
    Last edited: Apr 29, 2012
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes - just enable SSL for the website and create a self-signed cert through ISPConfig, and afterwards you go to the website's ssl directory, delete the cert, key, csr, and create symlink with the same names to where you stored your StartSSL cert.

    What's the output of
    Code:
    netstat -tap
    ? Any errors in your mail log?
     
  3. profm2

    profm2 New Member

    Ok, did that. I'm guessing there's just one last step to enable Port 443 under Nginx. I do have the checkbox for SSL under the WebDomain->Domain tab checked, along with the info filled in for the SSL tab. I also verified that the System->Firewall allows port 443.

    In the VHOST file under /etc/nginx/sites-enabled/100-SITENAME.vhost, I noticed that
    Code:
    server {
            listen *:80;
    ....
    
    There is no "listen *:443;" ... so something is either incorrect, or not updating that vhost file.

    Any thoughts? Thanks.

    ---------------------

    EDIT: Ok, just poking around in my /etc/nginx/sites-available and found that I have a SITENAME.vhost.err file that DOES have the Listen 443 as the second line.

    EDIT2: Upon further viewing of the log files at /var/log/ispconfig/cron.log, I found:
    Code:
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: [emerg] bind() to 75.x.x.x:443 failed (99: Cannot assign requested ad
    dress)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    
    So, it would appear that my IP address that I told it, is causing the issue. Am I right that the IP should be the static IP of the machine as seen from the outside world? *OR* the static IP of the internal IP on my local network?
     
    Last edited: Apr 30, 2012
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    It must be an IP from the output of
    Code:
    ifconfig
     
  5. profm2

    profm2 New Member

    Ok, finally got the SSL cert working, and both HTTP and HTTPS work fine as well.

    Onto the EMail issue. After much digging around, it appears that the issues in this HOWTO has came back to be a pain. However, following the comments below (and changing the /etc/postfix/sasl/smtpd.conf) seems to have cleared everything up.

    Thanks again for the help.
     
  6. ras

    ras New Member

    Apache error with SSL enabled

    How did you get SSL working?

    I have the same problems here, tried both setting the internal and external IP (now using the internal), creating an SSL certificate. But it writes an .err file into sites-available. For testing purposes I exchanged that .err file (which included a 443 section) with the vhost file (without 443 section) and apache was not able to restart. The only relevant error message I could find was:
    [Tue May 01 22:35:12 2012] [error] [client 10.47.48.3] client denied by server configuration: /htdocs
     
  7. profm2

    profm2 New Member

    Ok, the steps that I took were:

    1) Clean install from 12.04 (not required, but that iswhat I did) following the instructions from the Perfect Server for Ubuntu 11.10 w/ Nginx.

    2) Follow the instructions for installing a Cert from StartSSL.

    (both steps' Howto are in the first post)

    3) In ISPConfig, in the System -> Server IP Addresses, created an entry for my server, using the internal address. In my case it's 192.168.1.100, the ifconfig address as mentioned by Falko. Make sure the ports specified are 80, 443.

    4) In ISPConfig, in the Sites -> Websites, setup my webserver with the IP address from #3 in the IPv4 spot, and check the SSL checkbox a little lower down.

    5) Go to the SSL tab in the Sites -> Website and type in your info that you used already to create the Cert and at the bottom of the screen for SSL Action select Create Certificate, and then Save.

    6) The certificate is created (from ISPConfig) in /var/www/clients/clientX/webX/ssl

    7) Take the certs created from step #2 and link them here ... so for instance I have a cert: URL.com.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    (do a 'ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt /var/www/clients/clientX/webX/ssl')

    At this point, it SHOULD be setup. While doing mine, I had rebooted several times, so I would recommend after #7, reboot the server. You may not have to, but it never hurts. ;)

    NOTE: I just realized you were asking about Apache. I used Nginx for my webserver, however, with ISPConfig as a wrapper around us manually configuring the files, I believe the directories would be the same as far as the clients and such go. If you go into ISPConfig on the Sites -> Website -> Options tab, it'll tell you the actual directory for your client in "PHP open_basedir"
     
    Last edited: May 2, 2012
  8. ras

    ras New Member

    Right order

    Thank you for the quick reply. Now I got it working. It seems it was a matter of doing it in the right order:

    1. Define the IP address with an IP shown by ifconfig (you can limit it to provide port 443 only).
    2. Create site, create SSL certificate (do not use long organisation names, no spcial characters, be patient).
    3. Certs must be here, 4 files with the same timestamp: ls -al /var/www/clients/client4/web6/ssl
    4. On the Site page, click on SSL and save
    5. Check, if the vhost is here: /etc/apache2/sites-available and there is no .err file. The vhost file should have a 443 section.

    You should be able to connect via https now.
     

Share This Page