Trouble with SSL on ISPconfig 3.1 with Nginx

Discussion in 'ISPConfig 3 Priority Support' started by peterpetr, Mar 24, 2017.

  1. peterpetr

    peterpetr New Member HowtoForge Supporter

    Hello, I would appreciate getting assistance with getting my SSL cert working on ISPconfig 3.1.
    1. I spun up a new VPS server, Ubuntu 16 LTS, then used your Perfect Server guide: https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16-04-nginx-bind-dovecot-and-ispconfig-3/ Then I upgraded MariaDB to version 10.1. Seems all is working fine. I can open the ISPconfig login page with httpS://u16.domain.com:8080 and get the usual Certificate Error (untrusted ssl cert), but can proceed to login to ISPconfig.
    2. Created a new website in preparation to install WordPress. I'll want to run the entire site via HTTPS. I enabled both checkboxes "SSL" and "Let's Encrypt SSL" for a new website.
    3. Next, I entered the info in the SSL tab. Created the SSL Cert with the "Create" SSL Action. The SSL tab does have the SSL Key, SSL Request, and SSL Certificate text.
    4. I have also checked the "Rewrite HTTP to HTTPS" box under the Redirect tab.
    I can access the new website's index.html page using HTTP. But with the https:// prefix on Chrome I get the error: ERR_CONNECTION_REFUSED. Firefox says "Unable to connect - Firefox can’t establish a connection to the server at app.domain.ca"
    I only have one IP address on this VPS server. I believe one IP for multiple hosted domains shouldn't be an issue based on other posts I read here?

    This will be an ecommerce site so I need the SSL working, especially to qualify for credit card payments. I have not yet installed WordPress as I want to have SSL working first. I would appreciate your help. Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Either use Let's Encrypt or create an SSL cert manually, but not both options at the same time.

    So either you enable SSL on the first page of the website settings and enable the Let's Encrypt checkbox and leave the SSL tab alone.

    Or you enable SSL on the first tab but not Let's Encrypt and then create an SSL cert on the SSL tab manually.

    When an SSL cert has been created manually like you did now but you wanted to use Let's Encrypt, then you have to empty all fields on the SSL tab, select "delete certificate" as action and press save, before you can enable Let's Encrypt again.

    And a side note on Let's Encrypt: the domain name must be working in DNS and reachable from outside before you can enable Let's Encrypt, as LE tries to connect to your server to verify the domain.

    One IP address is ok.
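The two prerequisites named in the reply above (the name must resolve in public DNS to this server, and Let's Encrypt must be able to reach it from outside) can be checked before ticking the checkbox. The script below is an added example, not ISPConfig's or Let's Encrypt's code: it resolves the site name, compares the result with the server's public IP, drops a probe file under .well-known/acme-challenge/ and fetches it back over plain HTTP by host name, the way the HTTP-01 validation does. The resolver and fetcher are injectable so the logic also runs offline. `webroot` is assumed to be the directory nginx serves that path from; on ISPConfig that may be an aliased location rather than the site's web/ directory, so check the generated vhost first. Domain names and addresses in the usage line are placeholders.

```python
"""Pre-flight for the "Let's Encrypt SSL" checkbox in ISPConfig.

Added example, not ISPConfig code. It checks the two conditions named in
the thread: public DNS must resolve the site name to this server, and the
/.well-known/acme-challenge/ path must be reachable over plain HTTP on
port 80 by host name, which is how Let's Encrypt's validation server
proves you control the domain (HTTP-01).
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

ACME_DIR = ".well-known/acme-challenge"


def default_resolver(host):
    """All IPv4 addresses the name currently resolves to."""
    return socket.gethostbyname_ex(host)[2]


def default_fetch(url, timeout=10):
    """Plain HTTP GET; returns (status, body_text)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def dns_points_at_server(domain, server_ip, resolver=default_resolver):
    """(ok, addresses): ok only if every A record is this server's IP."""
    try:
        addrs = resolver(domain)
    except OSError:  # NXDOMAIN, SERVFAIL, no network, ...
        return False, []
    return bool(addrs) and all(a == server_ip for a in addrs), addrs


def place_probe(webroot, token, body):
    """Write a probe file where the ACME client will later write its token."""
    path = os.path.join(webroot, ACME_DIR)
    os.makedirs(path, exist_ok=True)
    probe = os.path.join(path, token)
    with open(probe, "w", encoding="utf-8") as fh:
        fh.write(body)
    return probe


def challenge_reachable(domain, webroot, fetch=default_fetch):
    """(ok, detail): fetch the probe the way the Let's Encrypt server would.

    A redirect, a 404 from the wrong vhost or a default page all count as
    failures: the validation server needs exactly the file content back."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    probe = place_probe(webroot, token, body)
    url = f"http://{domain}/{ACME_DIR}/{token}"
    try:
        status, text = fetch(url)
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url}: {exc}"
    finally:
        os.remove(probe)  # never leave probe files in the webroot
    if status != 200:
        return False, f"{url}: HTTP {status}"
    if text.strip() != body:
        return False, f"{url}: unexpected body (redirect or wrong vhost?)"
    return True, url


def preflight(domain, server_ip, webroot,
              resolver=default_resolver, fetch=default_fetch):
    """Run both checks; enable the Let's Encrypt checkbox only if both pass."""
    dns_ok, addrs = dns_points_at_server(domain, server_ip, resolver)
    http_ok, detail = challenge_reachable(domain, webroot, fetch)
    return {"dns_ok": dns_ok, "addresses": addrs,
            "http_ok": http_ok, "detail": detail}


if __name__ == "__main__":
    import sys
    # placeholder usage: le_preflight.py app.domain.ca 203.0.113.10 /var/www/app.domain.ca/web
    result = preflight(sys.argv[1], sys.argv[2], sys.argv[3])
    print(result)
    sys.exit(0 if result["dns_ok"] and result["http_ok"] else 1)
```

Run it from the server itself (the probe file must land on the local disk) but give it the public IP; if `dns_ok` is false the registrar's A record is the thing to fix, and if `http_ok` fails with a redirect or a foreign body, port 80 for that name is not ending up in this vhost yet.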
     
  3. peterpetr

    peterpetr New Member HowtoForge Supporter

    Thank you for your guidance. I'm still not able to get the website to display with https. I tried to get the LetsEncryptSSL working as follows:
    1. I deleted everything in the SSL tab and set Actions to "delete certificate" and pressed Save. The Country field and Domain field are drop-lists so I just left them alone.
    2. After the red job icon at the top disappeared, I checked the SSL tab but the first large text field "SSL Key" still was filled with the key text string. So, I manually deleted the SSL Key text and saved. Now the only values in the SSL tab are the two drop-list values.
    3. Next, I also unchecked the SSL and LetsEncryptSSL checkboxes and saved.
    4. Finally, I checked the two checkboxes for SSL and LetsencryptSSL and saved.
    I am not able to open a web browser (Chrome, IE, Edge or Firefox) on the httpS://app.domain.com
    I am still getting the browser error (Chrome): ERR_CONNECTION_REFUSED Did I miss something?

    You mentioned the DNS must be configured. I have the DNS configured using the domain registrar's, Godaddy.com's DNS. I can ping the domain and can open the default index.html page using plain http://app.domain.com. I am not using DNS of the ISPconfig Ubuntu machine.
    • I understand that I can use just one IP address for multiple websites / domains with LetsEncryptSSL, right?
    My preference is to get LetsEncryptSSL working.
    • If for some reason I can't get LetsEncryptSSL working, I may resort to purchasing a SSL Cert. For purchased SSL certs, can I still use just one IP address on this server?
    • Can I mix websites / domains on this ISPconfig 3.1 server, some using LetsEncryptSSL and other websites/domains using a purchased SSL cert? All with just one IP?
    • My hope is to resolve the LetsEncryptSSL problem and use only LE certs. Once LE is working, can you confirm that the LE SSL certs should work without errors for users of current version web browsers such as Chrome, Firefox, IE, Safari, Opera and Edge?
    Thank you.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please take a look at the letsencrypt FAQ:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    Especially looking into the letsencrypt.log is useful and you can also use the debug mode to find out why letsencrypt fails to create a ssl cert on your server.

    yes.

    yes

    yes

    yes
     
  5. peterpetr

    peterpetr New Member HowtoForge Supporter

    Thank you. I had success with (1) Let's Encrypt SSL, but not with (2) a purchased SSL Cert.
    I would appreciate if you could correct me in my (2) SSL process below.
    (1) For the Let's Encrypt SSL, I was easily able to create a NEW website and just check both:
    SSL: [x]
    Let's Encrypt SSL: [x]
    This enabled SSL and HTTPS without error. I tested with Chrome, IE and Edge (latest versions). No errors or warnings were displayed to the browser-side user. Awesome.
    (2) For the purchased SSL, I used PositiveSSL which is a Comodo SSL Certificate for a different domain/website.
    (2a) I did not check the "Let's Encrypt SSL" checkbox in ISPconfig Web Domain page. I did check only "SSL"
    (2b) In the SSL tab, I completed the fields State, Locality, Organization Unit, Country and selected the SSL Domain from the droplist without a wildcard and without the "www" subdomain.
    (2c) I left all other fields blank.
    (2d) At the bottom, I selected "Create Certificate" from the SSL Action droplist. Then clicked the [Save] button.
    (2e) The SSL Key, SSL Request, SSL Certificate, SSL Bundle and SSL Action text boxes were populated when I returned to check.
    (2f) When testing with browsers, I could view the page but got errors associated with the certificate:
    Chrome: "Not Secure" and a red line crossed through the "https" in the address.
    Edge: "Certificate Error"
    (2g) Next, I used the SSL Request text as my CSR (cert signing request) to generate the Comodo SSL Cert.
    (2h) I copied the text for the SSL Certificate and SSL Bundle into those fields under the SSL tab and selected Save Certificate under the SSL Action droplist. Clicked the [Save] button.
    (2i) Using the purchased ComodoSSL/PositiveSSL cert, as described above in (2g) to (2h), I get the same results as in (2f) "Not Secure" in Chrome, and I can view the page.
    Q#1: Is my procedure correct for creating the Purchased Cert SSL capable site? What did I do wrong?
    Thank you.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Your procedure is correct. I'm using Comodo certs myself for some sites and I installed them in exactly the same way.

    Did you close the web browser and open it again, just to ensure that you really see the new SSL cert? Did you try to do an Apache restart manually and then check again?

    What you can do then is enable the ISPConfig debug mode, disable the server.sh cronjob, then go to the SSL tab again, select save as the action and press save. Then run the ISPConfig server.sh script on the shell and post the output. https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
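When a browser still says "Not Secure" after the certificate was saved, the useful question is which certificate nginx actually serves and why a browser rejects it: the self-signed one from "Create Certificate" (issuer equals subject), a certificate whose subjectAltName does not cover the host name, an incomplete chain because the bundle was not installed, or an expired one. The script below is an added example, not ISPConfig code. fetch_served_cert() performs a real TLS handshake with SNI against the live host; the verdict functions work on the dictionary that ssl.SSLSocket.getpeercert() returns, so they can be run offline on a saved or constructed dict. The host name in the usage line is a placeholder.

```python
"""Inspect the certificate an HTTPS vhost actually serves, and say why a
browser would reject it.

Added example, not ISPConfig code. fetch_served_cert() does the handshake a
browser does (with SNI); the verdict functions work on the dict returned by
ssl.SSLSocket.getpeercert(), so they also run on a constructed dict.
"""
import socket
import ssl
import time


def fetch_served_cert(host, port=443, timeout=10):
    """Return (cert_dict, None), or (None, reason) when the chain is untrusted.

    The default context verifies the chain against the system CA store, so a
    self-signed cert or a missing intermediate (the "SSL Bundle") fails here
    exactly as it does in the browser. Host-name matching is done separately
    below so the reason can be reported instead of just raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"chain not trusted: {exc}"


def san_dns_names(cert):
    """DNS names from subjectAltName; browsers ignore the CN."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """RFC 6125 style matching: a wildcard is only valid as the whole
    left-most label and must leave at least two labels after it (no '*.ca')."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers_host(cert, host):
    return any(name_matches(n, host) for n in san_dns_names(cert))


def is_self_signed(cert):
    """True for the certificate the 'Create Certificate' action generates."""
    return cert.get("subject") == cert.get("issuer")


def days_remaining(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def verdict(cert, host, now=None):
    """Reasons a browser would show 'Not Secure'; an empty list means fine."""
    problems = []
    if is_self_signed(cert):
        problems.append("self-signed: issuer equals subject, no browser trusts it")
    if not cert_covers_host(cert, host):
        problems.append(f"no subjectAltName DNS entry covers {host}: "
                        f"{san_dns_names(cert) or 'none'}")
    left = days_remaining(cert, now)
    if left < 0:
        problems.append("expired")
    elif left < 14:
        problems.append(f"expires in {left:.1f} days")
    return problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # placeholder usage: servedcert.py app.domain.ca
    cert, reason = fetch_served_cert(host)
    if cert is None:
        print(reason)
        sys.exit(1)
    for line in verdict(cert, host) or ["OK"]:
        print(line)
```

Run it from a machine outside the server after nginx has been restarted. A handshake failure reported as "chain not trusted" is the bundle case: browsers show the same error until the intermediate certificates are in the SSL Bundle field, whereas a report about subjectAltName means the CSR was made for a different name than the one being visited.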
     
  7. peterpetr

    peterpetr New Member HowtoForge Supporter

    Hello Till,
    Thank you for your guidance. I will follow your instructions first thing in the morning, as it's 12:48 AM here in Vancouver, Canada.
    Q1: One question or clarification. I'm using NGINX only. Is my procedure and your most recent reply a few minutes ago correct for NGINX, as you mentioned Apache? Thanks.
    Q2: Also to automatically redirect all http (non-SSL) to httpS (SSL), do I just check the "Rewrite HTTP to HTTPS: [x]" in the Web Domain's Redirect tab? Or do I also add the following to the "Rewrite Rules" text box for Directives on the same Redirect tab?
    if ($scheme != "https") { rewrite ^ https://www.howtoforge.com$request_uri? permanent; }
    Thank you.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    1) The procedure is the same for all web servers.
    2) Just enable the checkbox.
     
  9. peterpetr

    peterpetr New Member HowtoForge Supporter

    Hi Till,
    I followed your instructions but was not able to get "Rewrite to HTTPS: [x]" on the Web Domain | Redirect tab working. As this was a new website for WordPress, I deleted the website and started again with ISPConfig. This time I just checked "Let's Encrypt SSL: [x]" and "Rewrite HTTP to HTTPS" and it worked right away. All pages were successfully served using HTTPS.

    Later, I will follow your other instructions about installing a purchased Comodo SSL Cert. I need to proceed with other work on this site now.

    Next issue: Uploading large files with WordPress resulted in: 413 Request Entity Too Large error from NGINX. I understand I need to accommodate for uploading files with HTTPS.
    After a lot of Google research, I was able to successfully upload with HTTPS (SSL) pages by editing this file:
    /etc/nginx/sites-enabled/100-mydomain.net
    After the statement: server_name mydomain.net
    I added: client_max_body_size 100M; then restarted nginx
    My preference would be to just use a Directive Snippet in the ISPconfig Website Domain | Options tab.

    QUESTION #1: What edits should I make in NGINX Directives to accomplish the same solution as I described above to enable the larger value for "client_max_body_size 100M" ?

    I hope ISPconfig can make it easier to deploy all SSL served sites by using the snippets.
    For reference, in addition to the above change to 100-mydomain.net, my current Nginx Directives are:

    Code:
    http {
    #... Use upper case M for megabytes
    client_max_body_size 100M;
    #...
    }
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
    expires max;
    log_not_found off;
    }
    
    My Custom php.ini settings are:

    Code:
    display_errors = On
    post_max_size = 99M
    upload_max_filesize = 255M
    max_execution_time = 220
    memory_limit = 256M
    max_input_vars = 2000
    
    QUESTION #2: What does ISPConfig 3.1 do after changing the snippet text on the Options tab? Does it replace previous config file settings reliably for "custom php.ini settings" and for "nginx Directives"? Any advice to ensure my snippet changes are reliably applied? Thank you.
     
    Last edited: Apr 5, 2017
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Just enter a single line:

    client_max_body_size 100M;

    and press save.

    It saves them to the files and restarts php-fpm and nginx after you pressed the save button.

    yes

    The changes are reliable unless you enter something in the fields which nginx or php do not understand so that they fail to start. In that case, the last working config is used, a warning is logged in the ispconfig log and the non-working config is saved with the file ending .err in the sites-available folder. Don't forget that changes need up to 60 seconds to get applied. You will see the changes then also in the vhost file of that website.
     
  11. peterpetr

    peterpetr New Member HowtoForge Supporter

    Hello Till,
    As you suggested, I added the following on a single line:
    client_max_body_size 100M;
    Now my httpS (ssl) pages are also able to upload larger files. Thanks.
    Will pursue the purchased Comodo ssl cert later.
     
  12. peterpetr

    peterpetr New Member HowtoForge Supporter

    Hello Till,
    Following your advice, I did get all website (WordPress) pages to auto-redirect to httpS (ssl) and can now upload larger files using the ssl secured pages. Thank you.
    • I have a new problem with WordPress, using this configuration. When I change Permalinks to anything other than "Plain" which is the default setting ( https://domain.net/?p=123 ), I get ERROR 404.
    • I would like to use the WordPress Permalinks setting for "Post Name" ( https://domain.net/sample-post ).
    • When I tried the other Permalinks setting and get the same ERROR 404 page. Only the default "plain" setting seems to work.
    I spent a lot of hours with Google. There's not many solutions for keywords: WordPress permalink 404 error with Nginx and httpS
    or other variations of search terms. Seems there may be other Nginx Directives / snippets required for an all-httpS (ssl) based WordPress site. My current Nginx Directives are:

    Code:
    http {
    #... Use upper case M for megabytes
    client_max_body_size 100M;
    }
    # HowToForge: just use next line for HTTPS (ssl)
    client_max_body_size 100M;
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
    expires max;
    log_not_found off;
    }
    Thank you.
    Question: How can I get this Nginx, all httpS, ISPconfig 3.1 site to work with WordPress permalink settings other than default "plain" setting?

     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Just add these lines into the nginx directives field for wordpress:

    Code:
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
    expires max;
    log_not_found off;
    }
    
    so that the complete content of the nginx directives field is this:

    Code:
    client_max_body_size 100M;
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
    expires max;
    log_not_found off;
    }
    
    I'll write the complete content here as you seem to have some other stuff like the http {.... } section in there which is not necessary and, even worse, it will cause the system to fail so that all other settings get ignored. So as long as you have that in there, all other configuration will be ignored.
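The point about the http { } section is the one that costs the most time: ISPConfig places the directives field inside the site's server { } block of the generated vhost, so a top-level context there makes nginx reject the whole vhost; the last working configuration stays in use, the broken one is written as a .err file, and every other line in the field is ignored. The script below is an added example, not ISPConfig code: it lints a directives snippet for exactly that class of mistake before it is saved, and it also serves the earlier upload-size question by computing the effective upload limit from client_max_body_size together with the custom php.ini values (PHP's documented rule is that upload_max_filesize must not exceed post_max_size, and nginx's client_max_body_size caps both). Assumed: one directive per line, as in the field's own layout; the nginx and PHP defaults used when a value is absent are the documented ones (1m, 8M, 2M).

```python
"""Lint an ISPConfig "nginx Directives" snippet and the matching "Custom
php.ini settings" before pressing Save.

Added example, not ISPConfig code. The directives field is written inside
the site's server { } block, so contexts that only exist at the top level
of nginx.conf (http, events, a nested server, ...) make the whole vhost
invalid and everything else in the field is then ignored. The upload check
applies PHP's rule that upload_max_filesize must not exceed post_max_size,
with nginx's client_max_body_size as the outer cap.
Assumption: one directive per line.
"""
import re

# Directives and contexts that are only valid outside a server { } block.
TOP_LEVEL_ONLY = {"http", "events", "stream", "mail", "server",
                  "user", "worker_processes", "pid", "daemon"}

_SIZE = re.compile(r"^(\d+)\s*([kKmMgG]?)$")
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# PHP's defaults when the custom php.ini does not set them.
PHP_DEFAULTS = {"post_max_size": "8M", "upload_max_filesize": "2M"}


def parse_size(text):
    """'100M' -> 104857600; accepts nginx and php.ini spellings."""
    m = _SIZE.match(text.strip().rstrip(";").strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def lint_nginx_directives(snippet):
    """Return the problems found; an empty list means the snippet can be saved."""
    problems = []
    depth = 0
    for lineno, raw in enumerate(snippet.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        name = line.split()[0]
        if depth == 0 and name in TOP_LEVEL_ONLY:
            problems.append(
                f"line {lineno}: '{name}' is not allowed inside server {{ }}")
        opens, closes = line.count("{"), line.count("}")
        if not opens and not closes and not line.endswith(";"):
            problems.append(f"line {lineno}: missing ';' after '{line}'")
        depth += opens - closes
        if depth < 0:
            problems.append(f"line {lineno}: unmatched '}}'")
            depth = 0
    if depth:
        problems.append(f"{depth} block(s) never closed with '}}'")
    return problems


def effective_upload_limit(nginx_snippet, php_ini):
    """(bytes, bottleneck, notes): the largest upload that will succeed."""
    notes = []
    limits = {}
    m = re.search(r"^\s*client_max_body_size\s+([^;]+);", nginx_snippet, re.M)
    if m:
        limits["client_max_body_size"] = parse_size(m.group(1))
        if limits["client_max_body_size"] == 0:  # 0 disables nginx's check
            limits["client_max_body_size"] = float("inf")
    else:
        limits["client_max_body_size"] = parse_size("1M")  # nginx default
        notes.append("client_max_body_size not set: nginx's 1m default "
                     "answers larger bodies with 413 Request Entity Too Large")
    for key, default in PHP_DEFAULTS.items():
        m = re.search(rf"^\s*{key}\s*=\s*([^\s;]+)", php_ini, re.M)
        limits[key] = parse_size(m.group(1) if m else default)
        if not m:
            notes.append(f"{key} not set: PHP default {default} applies")
    if limits["upload_max_filesize"] > limits["post_max_size"]:
        notes.append("upload_max_filesize exceeds post_max_size: PHP caps the "
                     "whole POST at post_max_size, so raise post_max_size")
    bottleneck = min(limits, key=limits.get)
    return limits[bottleneck], bottleneck, notes
```

Running the directives field posted earlier in this thread through lint_nginx_directives() reports the http { } block on its first line and nothing else; the corrected field passes. With the php.ini values posted above (post_max_size = 99M, upload_max_filesize = 255M) the effective limit is 99M, and the notes say why: upload_max_filesize is larger than post_max_size, so post_max_size is the value to raise.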
     
  14. peterpetr

    peterpetr New Member HowtoForge Supporter

    Till, Very nice. Your complete content of the nginx directive took the guess work out of it.
    I am now able to use any WordPress Permalinks with secure https pages for the entire site.
    I very much appreciate your corrections as I spent many hours with this. Thank you.
     
