SSL LE not working after many updates

Discussion in 'Installation/Configuration' started by midihipi, Feb 15, 2022.

  1. midihipi

    midihipi New Member HowtoForge Supporter

    Fresh install of ISPC on Ubuntu. See the facts below:
    I have updated using ispconfig_update.sh --force in an effort to correct the problem of "Error code: SSL_ERROR_RX_RECORD_TOO_LONG" when browsing to a hosted website or when logging into ISPC.
    I can ping the fqdn of the server but when I use nslookup I get the 127 address. my hosts file looks like this:
    Code:
    # Your system has configured 'manage_etc_hosts' as True.
    # As a result, if you wish for changes to this file to persist
    # then you will need to either
    # a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
    # b.) change or remove the value of 'manage_etc_hosts' in
    # /etc/cloud/cloud.cfg or cloud-config from user-data
    #
    127.0.1.1 ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com ubuntu-s-1vcpu-1gb-sfo3-01
    127.0.0.1 localhost

    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    Here is my acme log:

    Updating Crontab
    Restarting services ...
    Update finished.
    [email protected]:/var/log/ispconfig# ls
    acme.log auth.log bak.log cron.log httpd ispconfig.log
    [email protected]:/var/log/ispconfig# cat acme.log
    [Tue Feb 15 08:25:12 UTC 2022] Running cmd: setdefaultca
    [Tue Feb 15 08:25:12 UTC 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    [Tue Feb 15 08:25:13 UTC 2022] Lets find script dir.
    [Tue Feb 15 08:25:13 UTC 2022] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] _script='/root/.acme.sh/acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] _script_home='/root/.acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] Using config home:/root/.acme.sh
    [Tue Feb 15 08:25:13 UTC 2022] Running cmd: issue
    [Tue Feb 15 08:25:13 UTC 2022] _main_domain='ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com'
    [Tue Feb 15 08:25:13 UTC 2022] _alt_domains='no'
    [Tue Feb 15 08:25:13 UTC 2022] Using config home:/root/.acme.sh
    [Tue Feb 15 08:25:13 UTC 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:25:13 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:25:13 UTC 2022] DOMAIN_PATH='/root/.acme.sh/ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com'
    [Tue Feb 15 08:25:13 UTC 2022] Le_NextRenewTime='1650006689'
    [Tue Feb 15 08:25:13 UTC 2022] _saved_domain='ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com'
    [Tue Feb 15 08:25:13 UTC 2022] _saved_alt='no'
    [Tue Feb 15 08:25:13 UTC 2022] Domains not changed.
    [Tue Feb 15 08:25:13 UTC 2022] Skip, Next renewal time is: Sat Apr 16 07:11:29 UTC 2022
    [Tue Feb 15 08:25:13 UTC 2022] Add '--force' to force to renew.
    [Tue Feb 15 08:25:13 UTC 2022] Lets find script dir.
    [Tue Feb 15 08:25:13 UTC 2022] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] _script='/root/.acme.sh/acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] _script_home='/root/.acme.sh'
    [Tue Feb 15 08:25:13 UTC 2022] Using config home:/root/.acme.sh
    [Tue Feb 15 08:25:13 UTC 2022] Running cmd: installcert
    [Tue Feb 15 08:25:13 UTC 2022] Using config home:/root/.acme.sh
    [Tue Feb 15 08:25:13 UTC 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:25:13 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:25:13 UTC 2022] DOMAIN_PATH='/root/.acme.sh/ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com'
    [Tue Feb 15 08:25:13 UTC 2022] Installing key to: /usr/local/ispconfig/interface/ssl/ispserver.key
    [Tue Feb 15 08:25:13 UTC 2022] Installing full chain to: /usr/local/ispconfig/interface/ssl/ispserver.crt
    [Tue Feb 15 08:26:02 UTC 2022] Running cmd: upgrade
    [Tue Feb 15 08:26:02 UTC 2022] Using config home:/root/.acme.sh
    [Tue Feb 15 08:26:02 UTC 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:26:02 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Feb 15 08:26:02 UTC 2022] GET
    [Tue Feb 15 08:26:02 UTC 2022] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
    [Tue Feb 15 08:26:02 UTC 2022] timeout=
    [Tue Feb 15 08:26:02 UTC 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
    [Tue Feb 15 08:26:03 UTC 2022] ret='0'
    [Tue Feb 15 08:26:03 UTC 2022] Already uptodate!
    [Tue Feb 15 08:26:03 UTC 2022] Upgrade success!
    [Tue Feb 15 08:26:03 UTC 2022] Running cmd: setdefaultca
    [Tue Feb 15 08:26:03 UTC 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

    And here is the result of a system analysis:

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 20.04.3 LTS
    [INFO] uptime: 08:11:29 up 21 min, 1 user, load average: 0.00, 0.02, 0.07
    [INFO] memory:
    total used free shared buff/cache available
    Mem: 976Mi 588Mi 123Mi 54Mi 265Mi 185Mi
    Swap: 0B 0B 0B
    [INFO] systemd failed services status:
    UNIT LOAD ACTIVE SUB DESCRIPTION
    ● snap.lxd.activate.service loaded failed failed Service for snap application lxd.activate

    LOAD = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB = The low-level unit activation state, values depend on unit type.

    1 loaded units listed.

    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.7p1


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.4.27
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.27

    ##### PORT CHECK #####


    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 4788)
    [INFO] I found the following mail server(s):
    Postfix (PID 1983)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 661)
    [INFO] I found the following imap server(s):
    Dovecot (PID 661)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 1169)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:993 (661/dovecot)
    [anywhere]:995 (661/dovecot)
    [localhost]:11332 (695/rspamd:)
    [localhost]:11333 (695/rspamd:)
    [localhost]:11334 (695/rspamd:)
    [localhost]:10023 (1030/postgrey)
    [anywhere]:587 (1983/master)
    [localhost]:6379 (858/redis-server)
    [localhost]:11211 (671/memcached)
    [anywhere]:110 (661/dovecot)
    [anywhere]:143 (661/dovecot)
    [anywhere]:465 (1983/master)
    [anywhere]:21 (1169/pure-ftpd)
    ***.***.***.***:53 (674/named)
    ***.***.***.***:53 (674/named)
    ***.***.***.***:53 (674/named)
    [localhost]:53 (674/named)
    ***.***.***.***:53 (561/systemd-resolve)
    [anywhere]:22 (772/sshd:)
    [anywhere]:25 (1983/master)
    [localhost]:953 (674/named)
    [anywhere]:4190 (661/dovecot)
    *:*:*:*::*:993 (661/dovecot)
    *:*:*:*::*:995 (661/dovecot)
    *:*:*:*::*:11332 (695/rspamd:)
    *:*:*:*::*:11333 (695/rspamd:)
    *:*:*:*::*:11334 (695/rspamd:)
    *:*:*:*::*:10023 (1030/postgrey)
    *:*:*:*::*:3306 (910/mysqld)
    *:*:*:*::*:587 (1983/master)
    *:*:*:*::*:6379 (858/redis-server)
    [localhost]10 (661/dovecot)
    [localhost]43 (661/dovecot)
    *:*:*:*::*:8080 (4788/apache2)
    *:*:*:*::*:80 (4788/apache2)
    *:*:*:*::*:8081 (4788/apache2)
    *:*:*:*::*:465 (1983/master)
    *:*:*:*::*:21 (1169/pure-ftpd)
    *:*:*:*::*747d:f3ff:fe67:53 (674/named)
    *:*:*:*::*b06e:b5ff:fe25:53 (674/named)
    *:*:*:*::*:53 (674/named)
    *:*:*:*::*:22 (772/sshd:)
    *:*:*:*::*:25 (1983/master)
    *:*:*:*::*:953 (674/named)
    *:*:*:*::*:443 (4788/apache2)
    *:*:*:*::*:4190 (661/dovecot)
    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-before-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-reject-input all -- [anywhere]/0 [anywhere]/0
    ufw-track-input all -- [anywhere]/0 [anywhere]/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-before-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-reject-forward all -- [anywhere]/0 [anywhere]/0
    ufw-track-forward all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-before-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-reject-output all -- [anywhere]/0 [anywhere]/0
    ufw-track-output all -- [anywhere]/0 [anywhere]/0

    Chain ufw-after-forward (1 references)
    target prot opt source destination

    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:137
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:138
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:139
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:445
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:67
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:68
    ufw-skip-to-policy-input all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
    target prot opt source destination

    Chain ufw-after-output (1 references)
    target prot opt source destination

    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ufw-user-forward all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    DROP all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
    ufw-not-local all -- [anywhere]/0 [anywhere]/0
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:5353
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:1900
    ufw-user-input all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination

    Chain ufw-before-logging-input (1 references)
    target prot opt source destination

    Chain ufw-before-logging-output (1 references)
    target prot opt source destination

    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-user-output all -- [anywhere]/0 [anywhere]/0

    Chain ufw-logging-allow (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-reject-forward (1 references)
    target prot opt source destination

    Chain ufw-reject-input (1 references)
    target prot opt source destination

    Chain ufw-reject-output (1 references)
    target prot opt source destination

    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-track-forward (1 references)
    target prot opt source destination

    Chain ufw-track-input (1 references)
    target prot opt source destination

    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 ctstate NEW
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 ctstate NEW

    Chain ufw-user-forward (1 references)
    target prot opt source destination

    Chain ufw-user-input (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:465
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:4190
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 multiport dports 40110:40210
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53

    Chain ufw-user-limit (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    REJECT all -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination

    Chain ufw-user-logging-input (0 references)
    target prot opt source destination

    Chain ufw-user-logging-output (0 references)
    target prot opt source destination

    Chain ufw-user-output (1 references)
    target prot opt source destination

    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
     
  2. midihipi

    midihipi New Member HowtoForge Supporter

    I am lost here thanks for any assistance you can be!
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    First, not being able to access ISPConfig by SSL and not being able to access a website by SSL are two completely independent topics. Let's start with the first one, not being able to access ISPConfig by SSL. According to the log, the SSL certificate has been issued successfully and has been copied to the right place. Please post the result of the commands:

    ls -la /usr/local/ispconfig/interface/ssl/

    and

    cat /etc/apache2/sites-available/ispconfig.vhost
     
  4. midihipi

    midihipi New Member HowtoForge Supporter

    Thanks for the reply! Here is the result of :
    ls -la /usr/local/ispconfig/interface/ssl/
    [email protected]:~# ls -la /usr/local/ispconfig/interface/ssl/
    total 68
    drwxr-x--- 2 root root 4096 Feb 15 08:25 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Feb 15 03:30 ..
    -rwxr-x--- 1 root root 45 Feb 15 08:26 empty.dir
    -rwxr-x--- 1 root root 5674 Feb 15 08:25 ispserver.crt
    -rwxr-x--- 1 root root 1919 Feb 15 07:11 ispserver.crt-20220215071111.bak
    -rwxr-x--- 1 root root 5674 Feb 15 08:25 ispserver.crt-20220215082457.bak
    -rwxr-x--- 1 root root 1679 Feb 15 08:25 ispserver.key
    -rwxr-x--- 1 root root 3272 Feb 15 07:11 ispserver.key-20220215071111.bak
    -rwxr-x--- 1 root root 1679 Feb 15 08:25 ispserver.key-20220215082457.bak
    -rwxr-x--- 1 root root 7353 Feb 15 08:25 ispserver.pem
    -rwxr-x--- 1 root root 5191 Feb 15 07:11 ispserver.pem-20220215071111.bak
    -rwxr-x--- 1 root root 7353 Feb 15 08:25 ispserver.pem-20220215082457.bak

    And here is : cat /etc/apache2/sites-available/ispconfig.vhost

    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################

    Listen 8080
    NameVirtualHost *:8080

    <VirtualHost _default_:8080>
    ServerAdmin [email protected]

    Alias /mail /var/www/ispconfig/mail

    <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>

    <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
    Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
    <FilesMatch "\.php$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
    Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
    </IfModule>

    <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
    # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
    Options +FollowSymLinks
    AllowOverride None
    Require all granted
    php_value magic_quotes_gpc 0
    </Directory>
    </IfModule>

    # ErrorLog /var/log/apache2/error.log
    # CustomLog /var/log/apache2/access.log combined
    ServerSignature Off

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    # SSL Configuration
    SSLEngine On
    SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder On

    <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
    Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
    Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
    </IfModule>

    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    </VirtualHost>

    Thanks for your help Tim.
     
  5. midihipi

    midihipi New Member HowtoForge Supporter

    When I run the update I get an error saying:

    Checking / creating certificate for ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com
    Using certificate path /root/.acme.sh/ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com
    Server's public ip(s) (137.184.127.237) not found in A/AAAA records for ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com:

    The record exists in ISPConfig dns for this client. The hosts file on the server reads:
    127.0.1.1 ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com ubuntu-s-1vcpu-1gb-sfo3-01
    127.0.0.1 localhost
    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    I have Namecheap's records pointing to three DigitalOcean name servers, and DO's name servers have these records:
    @ record pointing to the IP of the ispc server.
    * pointing to the IP
    acmealliedllc.com pointing to the IP
    ubuntu-s-1vcpu-1gb-sfo3-01.acmealliedllc.com pointing to the IP
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Agreed.

    You may also try force updating ISPConfig using git-development, choose create ssl during that update, and see if that resolves your problem.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I wonder if the whole reason for your issue is the hostname of the system. Is the hostname one that you set, or is it a generic autogenerated hostname of your hoster, or is it a subdomain of one of your own domains?

    According to the command output, you have a valid ssl cert according to acme.sh and this ssl cert is used by this vhost. Maybe you just connect to a different server or something similar?
     
  9. midihipi

    midihipi New Member HowtoForge Supporter

    Just added the public ip and fqdn to the hosts file. It didn't solve the issue. This has to be DNS.
    Code:
    systemd-resolve --status
    Global
           LLMNR setting: no                 
    MulticastDNS setting: no                 
      DNSOverTLS setting: no                 
          DNSSEC setting: no                 
        DNSSEC supported: no                 
      Current DNS Server: 67.207.67.2         
             DNS Servers: 67.207.67.2         
                          67.207.67.3         
              DNSSEC NTA: 10.in-addr.arpa     
                          16.172.in-addr.arpa
                          168.192.in-addr.arpa
                          17.172.in-addr.arpa
                          18.172.in-addr.arpa
                          19.172.in-addr.arpa
                          20.172.in-addr.arpa
                          21.172.in-addr.arpa
                          22.172.in-addr.arpa
                          23.172.in-addr.arpa
                          24.172.in-addr.arpa
                          25.172.in-addr.arpa
                          26.172.in-addr.arpa
                          27.172.in-addr.arpa
                          28.172.in-addr.arpa
                          29.172.in-addr.arpa
                          30.172.in-addr.arpa
                          31.172.in-addr.arpa
                          corp               
                          d.f.ip6.arpa       
                          home               
                          internal           
                          intranet           
                          lan                 
                          local               
                          private             
                          test               
    
    Link 3 (eth1)
          Current Scopes: DNS       
    DefaultRoute setting: yes       
           LLMNR setting: yes       
    MulticastDNS setting: no         
      DNSOverTLS setting: no         
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    From my side I see SSL_ERROR_RX_RECORD_TOO_LONG which is more on server side fault, not dns.
     
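    Posts #8 and #10 above separate the two ways this fails: the port answers with something other than TLS (what the browser reports as SSL_ERROR_RX_RECORD_TOO_LONG), or it answers with TLS but serves a certificate that is not the one acme.sh installed. The probe below is an added diagnostic, not code from this thread or from ISPConfig; the certificate path and port 8080 come from the ispconfig.vhost posted above, while the target hostname is an assumption passed on the command line.

```python
"""Probe an ISPConfig panel port for the cause of SSL_ERROR_RX_RECORD_TOO_LONG.

The error means the client sent a TLS ClientHello and got back bytes that are
not a TLS record, almost always a plaintext HTTP answer from a vhost without
SSLEngine On, or from a different server than the one acme.sh installed the
certificate on. The probe reports plaintext vs TLS and, for TLS, compares the
served leaf certificate's SHA-256 fingerprint with the file on disk.
"""
import base64
import hashlib
import socket
import ssl

# Path and port are the ones in the thread's ispconfig.vhost; the host is assumed.
DEFAULT_CERT_PATH = "/usr/local/ispconfig/interface/ssl/ispserver.crt"
DEFAULT_PORT = 8080

# OpenSSL reason codes raised when a peer answers a ClientHello with non-TLS bytes.
PLAINTEXT_REASONS = {"WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "HTTP_REQUEST",
                     "RECORD_LAYER_FAILURE", "PACKET_LENGTH_TOO_LONG"}


def classify_server_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello.

    A TLS server answers with a handshake record: content type 0x16, then the
    record version 0x03 0x0X. ASCII such as 'HTTP/1.1 400 ...' is what Firefox
    reports as RECORD_TOO_LONG: its 4th and 5th bytes ('P/' = 0x502F) are read
    as a record length far above the 18432-byte maximum.
    """
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "closed" if not first_bytes else "unknown"


def classify_ssl_error(reason: str) -> str:
    """Map ssl.SSLError.reason onto the labels used by classify_server_reply()."""
    return "plaintext-http" if reason in PLAINTEXT_REASONS else "tls-error"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes in the colon form 'openssl x509 -fingerprint' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the FIRST certificate in a PEM string (the leaf of a full chain)."""
    head, tail = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(head) + len(head)
    body = pem[start:pem.index(tail, start)]
    return der_fingerprint(base64.b64decode("".join(body.split())))


def probe(host: str, port: int = DEFAULT_PORT, cert_path: str = DEFAULT_CERT_PATH,
          timeout: float = 5.0) -> dict:
    """Connect, attempt TLS, and compare the served certificate with the file on disk."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we want the fingerprint even
    ctx.verify_mode = ssl.CERT_NONE  # when the chain or the name would not validate
    result = {"host": host, "port": port}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                served = der_fingerprint(tls.getpeercert(binary_form=True))
        except ssl.SSLError as exc:
            result.update(kind=classify_ssl_error(exc.reason or ""), detail=str(exc))
            return result
    with open(cert_path, encoding="ascii") as fh:
        on_disk = pem_fingerprint(fh.read())
    result.update(kind="tls", served=served, on_disk=on_disk, match=served == on_disk)
    return result


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "panel.example.invalid"  # assumed host
    print(json.dumps(probe(target), indent=2))
```

A "plaintext-http" result points at the vhost or at a different server on that port; a "tls" result with match False means Apache is serving some other certificate than ispserver.crt.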
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry, I forgot to enter the port. It is indeed self-signed.
     
  13. midihipi

    midihipi New Member HowtoForge Supporter

    It's just the customer site I can't get to with https now. I just tried to update again and still get that error even though I put the fqdn in the hosts file.
     
  14. midihipi

    midihipi New Member HowtoForge Supporter

    When I check the box for LE and save it, then go back, it doesn't save the setting.
     
  15. midihipi

    midihipi New Member HowtoForge Supporter

    I take it back, this time it stuck and now the site is https. huh.
     
  16. midihipi

    midihipi New Member HowtoForge Supporter

    Thanks to everyone who chimed in here. The last time I ran the update I still got the unable to resolve error but this time it's working. o_O
    I love ispconfig man. The new update feature is awesome and knowing where to look for logs now is super helpful.

    B
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please post such command/script output in code (in the editor: insert -> code) tags to make it readable for us :)

    Thanks :)
     
