SSL problem - error 12263

Discussion in 'Installation/Configuration' started by chillifire, Dec 6, 2007.

  1. chillifire

    chillifire New Member

    Hi,

    I have a server with Ubuntu 7.10, went through perfect server all right and tried to load ISPConfig 2.2.18 with my domain chillifire.net

    That worked after some trials and tribulations and a first failed install (see below), so now http://www.chillifire.net works, https://www.chillifire.net:81 works and gets me to the panel, which seems to work fine. However, https://www.chillifire.net gets me the dreaded 12263 error in the browser.

    Yes, there have been a lot of postings, but all seem to deal with the issue of more than one certificate per IP or multiple IPs and certificates etc. These posts do not apply as I have one IP only and (should) have only one certificate.

    Now, I did notice a few things:
    - I have entries apache2.conf.06-12-07_16-21-50, and ports.conf.06-12-07_16-21-50 and under mods-enabled every file seems to have a copy with a .06-12-07_16-21-50. Should these files be there? If not, could they have been created by a failed ISPConfig installation attempt? I installed twice - the first time the system aborted after creating the certificates, complaining php was not available. So I made php globally available (reversing 16.1 of the perfect server setup) and reran the install - and it worked.
    Could it be that there is a dud certificate flying around somewhere that wrecks the whole thing?
    If so where?
    And should I get rid of all the *.06-12-07_16-21-50 entries? Where else do I need to look for them?
    - Port 81 did not work at first. I had to recreate the certificate manually as per the instructions in this forum. Once that was done, 81 worked and I can get to the panel.
    - I noticed there is no module ssl under /etc/apache2/modules-available and modules-enabled. Also, under /etc/apache2/vhosts I have the files
    Vhosts_ispconfig.conf Vhosts_ispconfig.conf~ They look like this:
    Code:
    ###################################
    #
    # ISPConfig vHost Configuration File
    #         Version 1.0
    #
    ###################################
    #
    NameVirtualHost 210.48.62.30:80
    <VirtualHost 210.48.62.30:80>
      ServerName localhost
      ServerAdmin root@localhost
      DocumentRoot /var/www/sharedip
    </VirtualHost>
    NameVirtualHost 210.48.62.30:80
    <VirtualHost 210.48.62.30:80>
      ServerName localhost
      ServerAdmin root@localhost
      DocumentRoot /var/www/sharedip
    </VirtualHost>
    #
    #
    ######################################
    # Vhost: www.chillifire.net:80
    ######################################
    #
    #
    <VirtualHost 210.48.62.30:80>
    SuexecUserGroup web3_contact web3
    ServerName www.chillifire.net:80
    ServerAdmin webmaster@chillifire.net
    DocumentRoot /var/www/web3/web
    ServerAlias chillifire.net
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias  /cgi-bin/ /var/www/web3/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web3/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php3>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php4>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    <Files *.php5>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Alias /error/ "/var/www/web3/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
    </VirtualHost>
    There is nothing anywhere I can see that would tell the system how to deal with port 443, other than ports.conf, which says:
    Code:
    Listen 80
    
    <IfModule mod_ssl.c>
        Listen 443
    </IfModule>
    - This is what is in directory /root/ispconfig/httpd/conf/ssl.crt
    Code:
    0cf14d7d.0  544fc7bf.1  82ab5372.0  README.CRT     ca.crt      server.crt           snakeoil-ca-rsa.crt  snakeoil-rsa.crt
    544fc7bf.0  5d8360e1.0  Makefile    ca-bundle.crt  e52d41d0.0  snakeoil-ca-dsa.crt  snakeoil-dsa.crt
    Is that what should be there? The server.crt file is the one I manually recreated.

    Again, I suspect it has something to do with the failed installation, but then again, what do I know? So for starters, where should I look for dud certificates? And why are there no ssl modules and for Vhost? Any input/advice is welcome.

    Thanks

    chillifire
    Auckland, New Zealand


    PS: Here is some more output you will ask me for:
    Code:
    root@blackbird:~# netstat -tan
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
    tcp        0      0 210.48.62.30:53         0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    tcp        0      0 210.48.62.30:81         60.234.129.51:56569     TIME_WAIT
    tcp        0      0 210.48.62.30:81         60.234.129.51:56567     TIME_WAIT
    tcp6       0      0 :::993                  :::*                    LISTEN
    tcp6       0      0 :::995                  :::*                    LISTEN
    tcp6       0      0 :::110                  :::*                    LISTEN
    tcp6       0      0 :::143                  :::*                    LISTEN
    tcp6       0      0 :::21                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 :::25                   :::*                    LISTEN
    tcp6       0      0 ::1:953                 :::*                    LISTEN
    tcp6       0   2112 ::ffff:210.48.62.30:22  ::ffff:60.234.129:56685 ESTABLISHED
     
  2. chillifire

    chillifire New Member

    This is getting interesting

    Hi everyone,

    Out of sheer desperation I deinstalled ISPConfig. Interesting: it does not remove those funny files with date/time appended and it also does not get used to vhosts directories and files and vhost roots. I deleted these all manually and then reinstalled ISPConfig. The result was interesting:
    The same certificate error (invalid signature) occurred again and I had to employ www.howtoforge.com/faq/14_63_en.html to fix that. After that at least port 81 works and I can access the ISPConfig admin site. But SSL still does not work (leads to 12263 error) and new date and time appended files have been created.

    So now I am thinking these files were not created by the failed install but obviously are created by a 'successful' install.

    So something must be in the setup of the system that upsets ISPConfig enough to do something very funny and not cope with SSL.

    Any thoughts?

    chillifire
     
  3. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

  4. chillifire

    chillifire New Member

    Thanks - but no solution

    Thanks till for your quick response. Much appreciated.

    I had seen the thread, but it does not really apply and it does not provide a solution.

    As I stated, there is only
    Vhosts_ispconfig.conf Vhosts_ispconfig.conf~
    in the vhosts folder. There is no file with date/time appendage that I could rename. So therefore this approach does not provide a fix.

    There were indeed an apache2.conf and ports.conf file with date/time appendage as reported (ports was identical though, not sure about apache2). I renamed them and restarted apache2 and ispconfig_server. No change.

    Admittedly there are also all these date/time appended files in mods-available next to 'normal' files. It looks like this:
    Code:
    alias.conf                              include.load.07-12-07_15-41-46
    alias.conf.07-12-07_15-41-46            mime.conf
    alias.load                              mime.conf.07-12-07_15-41-46
    alias.load.07-12-07_15-41-46            mime.load
    auth_basic.load                         mime.load.07-12-07_15-41-46
    auth_basic.load.07-12-07_15-41-46       negotiation.conf
    authn_file.load                         negotiation.conf.07-12-07_15-41-46
    authn_file.load.07-12-07_15-41-46       negotiation.load
    authz_default.load                      negotiation.load.07-12-07_15-41-46
    authz_default.load.07-12-07_15-41-46    php5.conf
    authz_groupfile.load                    php5.conf.07-12-07_15-41-46
    authz_groupfile.load.07-12-07_15-41-46  php5.load
    authz_host.load                         php5.load.07-12-07_15-41-46
    authz_host.load.07-12-07_15-41-46       rewrite.load
    authz_user.load                         rewrite.load.07-12-07_15-41-46
    authz_user.load.07-12-07_15-41-46       setenvif.conf
    autoindex.conf                          setenvif.conf.07-12-07_15-41-46
    autoindex.conf.07-12-07_15-41-46        setenvif.load
    autoindex.load                          setenvif.load.07-12-07_15-41-46
    autoindex.load.07-12-07_15-41-46        ssl.conf
    cgi.load                                ssl.conf.07-12-07_15-41-46
    cgi.load.07-12-07_15-41-46              ssl.load
    dir.conf                                ssl.load.07-12-07_15-41-46
    dir.conf.07-12-07_15-41-46              status.conf
    dir.load                                status.conf.07-12-07_15-41-46
    dir.load.07-12-07_15-41-46              status.load
    env.load                                status.load.07-12-07_15-41-46
    env.load.07-12-07_15-41-46              suexec.load
    include.load                            suexec.load.07-12-07_15-41-46
    The files without date/time are in a light turquoise, so I assume they are symlinks. Also, I checked the pairs ssl.load / ssl.load.07-12-07_15-41-46 and ssl.conf / ssl.conf.07-12-07_15-41-46 and they are exactly the same. So for now I don't see how renaming all these files would change anything (as they should be just symlinks to mods-available anyway, right?)

    Any more clues?

    chillifire
     
    Last edited: Dec 7, 2007
  5. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Please undo the renaming of these other files. I talked just about the file Vhost_ispconfig.conf and not any other file.

    Please recreate the SSL cert of the website where you have SSL enabled in ISPConfig (not the cert for port 81!).
     
  6. chillifire

    chillifire New Member

    Thanks again for the quick response.

    I have to ask in that case where does ISPConfig store these website related SSL certificates? I assume these website related keys were created during the ISP config install? But where are they? I assume they are not in /root/ispconfig/httpd/conf/ssl.* which holds the ispconfig certificates?

    I would not even know where to look, as there is no ssl module in either /etc/apache2/mods-available or /etc/apache2/mods-enabled, nor are there any port 443 instructions in the vhosts files. So where apache2 even would know where to look for certificates is beyond my limited knowledge.

    BTW, I am also playing around with DNS entries at the same time, so this link may be required for testing at the moment.

    Thanks again for your support.

    Hanno
     
    Last edited: Dec 7, 2007
  7. daveb

    daveb Member

    A site's cert should be in /var/www/web#/ssl
     
  8. chillifire

    chillifire New Member

    no sites certs

    /var/www/web1/ssl is empty
     
  9. daveb

    daveb Member

    Did you enable ssl for web1 and create a certificate from the ispconfig control panel for web1?
     
  10. chillifire

    chillifire New Member

    ssl for site enabled

    This might be a misunderstanding on my part then.

    Yes, I did enable SSL with that switch.

    No, I did not create a certificate for the site through the panel, I thought this was for certificates signed by agents only. Is this required for self signed certificates as well?
     
  11. chillifire

    chillifire New Member

    Solved

    OK,

    I created a certificate in ispconfig and it appears it not only creates a certificate request but also a self signed certificate. Now https://www.chillifire.net works like a charmer.

    I could be forgiven for what looks like a RTFM error. The documentation (see for yourself here) clearly talks about CA signed certificates only. It was not clear that further action other than clicking the SSL button was required, when creating the site.

    To the developers: I would like to propose a documentation update for the next release to avoid further misunderstanding. It is a shame when documentation lets down an otherwise great package. (No brown nosing intended - just my honest opinion).

    Thanks everyone for helping me here. Great community.

    chillifire
     
  12. daveb

    daveb Member

    Yes, you must create the self signed cert in control panel for the site.

    Good deal, glad you got it working.
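
An added example, not part of the thread and not ISPConfig's own code: a shell check for the situation this thread ended in, Apache listening on 443 with no port-443 virtual host or site certificate behind it (NSS error -12263 is ssl_error_rx_record_too_long, which a browser reports when the port answers with something other than TLS). The sample files are constructed from the configuration quoted above, and the `site.crt` path is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): find Listen ports that no <VirtualHost>
# answers, and SSL vhosts whose certificate file is missing or empty.
# Directives are read textually; <IfModule> and Include are not evaluated.

listen_ports() {      # print the port of every Listen directive
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$@" | sort -un
}

vhost_ports() {       # print the port of every <VirtualHost addr:port> address
    awk 'tolower($1) == "<virtualhost" {
        for (i = 2; i <= NF; i++) {
            s = $i; sub(/>$/, "", s)
            n = split(s, a, ":"); if (n > 1) print a[n]
        }
    }' "$@" | sort -un
}

uncovered_ports() {   # $1 = ports file, $2 = vhost file
    for p in $(listen_ports "$1"); do
        vhost_ports "$2" | grep -qx "$p" || echo "$p"
    done
}

missing_certs() {     # $1 = vhost file; print SSLCertificateFile paths that are absent or empty
    awk 'tolower($1) == "sslcertificatefile" { print $2 }' "$1" |
    while read -r crt; do
        [ -s "$crt" ] || echo "$crt"
    done
}

# Constructed sample input, trimmed from the configuration quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'Listen 80' '<IfModule mod_ssl.c>' '    Listen 443' '</IfModule>' > "$demo/ports.conf"
printf '%s\n' 'NameVirtualHost 210.48.62.30:80' '<VirtualHost 210.48.62.30:80>' \
    '  ServerName www.chillifire.net:80' '</VirtualHost>' > "$demo/vhosts_before.conf"
# Hypothetical 443 vhost; the certificate path is a placeholder, not ISPConfig's.
printf '%s\n' '<VirtualHost 210.48.62.30:80>' '</VirtualHost>' \
    '<VirtualHost 210.48.62.30:443>' '  SSLEngine on' \
    "  SSLCertificateFile $demo/web3/ssl/site.crt" '</VirtualHost>' > "$demo/vhosts_after.conf"

echo "no vhost for port(s): $(uncovered_ports "$demo/ports.conf" "$demo/vhosts_before.conf")"
echo "unusable cert file(s): $(missing_certs "$demo/vhosts_after.conf")"
```

On the server the same functions would be pointed at ports.conf and at the Vhosts_ispconfig.conf file under /etc/apache2/vhosts.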
     
