It seems I have an old Let's Encrypt certificate that expired in Nov 2019. I'm on Debian 10 with the latest patches and ISPConfig 3.2.4, in a multi-server configuration. I have an SSH connection to the ISPConfig admin server; that's where the admin.domain.tld:8080 web page is, on one IP address, and www.domain.tld is on the web server on another address. Let's Encrypt certificates for my normal web servers work fine.

So first I tried this: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ and checked the SSL and Let's Encrypt check boxes. Nothing changed, still the old certificate. Then I tried

Code:
acme.sh --issue -d domain.tld --webroot /var/www/admin.domain.tld

and got an error:

Code:
domain.tld:Verify error:Invalid response from https://domain.tld/.well-known/acme-challenge/AvmaaTBd54yZLdyV_kVhqkX_a65QyEptp-G7Ryc59Bk [xxx.yyy.zzz.75]:
[Sun 04 Apr 2021 12:01:35 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 12:01:35 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

OK, that's the wrong IP. Then I tried

Code:
/.acme.sh# ./acme.sh --issue --apache -d admin.domain.tld --webroot /var/www/admin.domain.tld

and got an error again:

Code:
admin.domain.tld:Verify error:Invalid response from http://admin.domain.tld/.well-known/acme-challenge/1aw6P_1LTdjMvxK1zbIZ97BsuGq0qjKU-8S00aQCnJ4 [xxx.yyy.zzz.74]:

but this time this is the IP of the admin server. The website admin.domain.tld is reachable with dummy content, but with a security warning about the expired certificate. What to do now? Thanks for any help or hint. Rainer

I did add --debug, but the output tells me nothing.
Never run the acme.sh command manually, this will break the integration with ISPConfig. To get a certificate for the panel, run

Code:
ispconfig_update.sh --force

and select yes when asked if you want a new SSL cert.
Thanks, I did, but:

Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for admin.gerdakloos.de
Using certificate path /root/.acme.sh/admin.domain.tld
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.domain.tld
[Sun 04 Apr 2021 01:55:29 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.domain.tld/.well-known/acme-challenge/je3eeJlXBT4awzICM50GdqAOaVRwKUHhiR85g_KbuYE: Connection refused
[Sun 04 Apr 2021 01:55:29 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 01:55:29 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)

admin.domain.tld has valid, working DNS. A ping from anywhere to admin.domain.tld resolves to the correct IP address. And Apache refuses to start now; a restart asks for a password for admin.domain.tld. I just pressed Enter two times when the script asked for the challenge password, so it should be empty.
Yes. The firewall is not managed by ISPConfig; it's an extra firewall server in front, configured with Firewall Builder using iptables, which does NAT and all IP forwarding to all the servers (admin, web, DNS, mail etc.) behind it. So it is not so easy to turn on and off. It has worked for years, no recent changes.
So traffic to port 80 is forwarded to this server? Temporarily comment out the SSL lines from the files causing the conflict (most likely ispconfig.vhost and apps.vhost) and then start Apache. When it's up and running again, verify that you can connect to the server on port 80.
Starting Apache still asks for a password. I removed the comments and ran ispconfig_update.sh --force again, and made sure to enter nothing, just Enter, when asked for the passphrase. Apache still asks:

Code:
Enter passphrase for SSL/TLS keys for admin.domain.tld:443 (RSA):

even though I removed the symlink for this vhost from sites-enabled. I had made a backup before running the force update. Wouldn't it be better to restore this? It's my production ISPConfig. Is there a description of how to restore? The one I found on the net is 5 years old.
If Apache is asking for the passphrase to a private key, the key and the certificate do not match, so commenting the SSL-related lines out of the config will allow Apache to start. Apache must be started for the certificate request to succeed. You probably could restore files from your backup to get Apache working, but it would be faster to just comment those lines.
I know I have to bring Apache up first. Commenting out all SSL lines did not help, nor does Apache tell me which certificate does not match. I never had a passphrase for any certificate. Is there a way to find out which certificate it is and then delete it? Or is it better to restore from the /var/backup/ispconfig,admin.domain.tld.20.... I have from this morning? The system has worked fine for years; there was only the annoying browser warning from the expired certificate. The holidays now seemed fine for fixing this. I did not think I would run into such problems.
You would probably need to restore the certificate files in /usr/local/ispconfig/interface/ssl/, not the vhost file, though restoring it too would undo your temp changes.
What is the status of Apache now? If there's a hiccup, it should be showing there as well:

Code:
systemctl status apache2
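The two things being chased above (Apache prompting for a key passphrase, and the HTTP-01 challenge getting "Connection refused" on port 80) can both be checked without touching the config. The script below is an added example, not code from this thread and not part of ISPConfig or acme.sh; it assumes `openssl` and `curl` are installed and takes the key path, certificate path and panel host name as arguments (the default panel paths are the ones from the ispconfig.vhost quoted later in the thread; the host name is whatever you put in the argument).

```shell
#!/bin/sh
# Added diagnostic for an ISPConfig panel certificate problem (not from the thread).
# Usage:
#   sh check-panel-cert.sh /usr/local/ispconfig/interface/ssl/ispserver.key \
#       /usr/local/ispconfig/interface/ssl/ispserver.crt admin.example.tld

# 1. Apache only prompts "Enter passphrase for SSL/TLS keys" when the key file is
#    passphrase-protected. PKCS#8 keys announce that in the PEM label, legacy
#    "RSA PRIVATE KEY" files carry a Proc-Type header instead; test for both.
key_is_encrypted() {
  grep -q -E 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 2. A restored .crt next to a regenerated .key is a silent mismatch. Derive the
#    public key from both files and compare them byte for byte.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null </dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 3. HTTP-01 validation fetches http://<host>/.well-known/acme-challenge/<token>
#    over plain port 80 for the exact host in the request. Probe a dummy token the
#    same way and report the HTTP status; curl prints 000 when the TCP connection
#    itself fails, which is what "Connection refused" looks like from outside.
#    (A 404 is fine here: it proves port 80 reaches a web server on that host.)
challenge_http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$1/.well-known/acme-challenge/probe-token-constructed"
}

# Only run the report when called with three arguments, so the functions can
# also be sourced from another script.
if [ "$#" -eq 3 ]; then
  if key_is_encrypted "$1"; then
    echo "key $1 is passphrase-protected: Apache will prompt at start"
  elif key_matches_cert "$1" "$2"; then
    echo "key $1 and certificate $2 match"
  else
    echo "key $1 does NOT belong to certificate $2 (or one of them is unreadable)"
  fi
  status=$(challenge_http_status "$3")
  case "$status" in
    000) echo "port 80 on $3 is unreachable from this host (refused or timed out)" ;;
    *)   echo "port 80 on $3 answered HTTP $status to an acme-challenge path" ;;
  esac
fi
```

Run it from outside the firewall as well as on the panel host itself: the CA validates from the internet, so a 000 from a remote machine while the local run succeeds points at the NAT/forwarding rules in front of the server rather than at Apache.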
I restored the .../ssl files and symlinks. Apache now says:

Code:
Enter passphrase for SSL/TLS keys for admin.gerdakloos.de:8080 (RSA):

What the fuck is fooling me?
There is an ispconfig.conf too. Here is the requested content:

Code:
[email protected]:/etc/apache2/sites-available# cat ispconfig.vhost
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin [email protected]

  Alias /mail /var/www/ispconfig/mail

  <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
  </IfModule>

  <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options +FollowSymLinks
      AllowOverride None
      Require all granted
      php_value magic_quotes_gpc 0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined

  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
  SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder On

  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
      Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
      Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
  </IfModule>

  SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off
</VirtualHost>
Comment out

Code:
# SSL Configuration
SSLEngine On
SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
#SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder On

<IfModule mod_headers.c>
  # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
  Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
  Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
  Header set X-Content-Type-Options: nosniff
  Header set X-Frame-Options: SAMEORIGIN
  Header set X-XSS-Protection: "1; mode=block"
  Header always edit Set-Cookie (.*) "$1; HTTPOnly"
  Header always edit Set-Cookie (.*) "$1; Secure"
  <IfVersion >= 2.4.7>
    Header setifempty Strict-Transport-Security "max-age=15768000"
  </IfVersion>
  <IfVersion < 2.4.7>
    Header set Strict-Transport-Security "max-age=15768000"
  </IfVersion>
  RequestHeader unset Proxy early
</IfModule>

SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off

and then restart Apache2. Then run a force update and generate a new cert. Let the installer reconfigure your services. And, as said, but you didn't answer this, make sure that traffic on port 80 goes to this server.
That's what I did on your first request, before restoring the .../ssl/ directory, but now I could start Apache. I checked port 80 via nmap from an external customer server: port = open. Then I did the force update:

<code>
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for admin.gerdakloos.de
Using certificate path /root/.acme.sh/admin.gerdakloos.de
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.gerdakloos.de
[Sun 04 Apr 2021 04:57:02 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.gerdakloos.de/.well-known/acme-challenge/qaMB39sCKn0XrB9_fB46_J8dZJw6ZhFVyLuo0IgwFYg: Connection refused
[Sun 04 Apr 2021 04:57:02 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 04:57:02 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................................................++++
..............................................................................................++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]E
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:Rednitzhembach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IB MK
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:admin.gerdakloos.de
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
writing RSA key
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: n
Reconfigure Crontab? (yes,no) [yes]:
</code>

Restarted Apache. OK, I can start the admin panel now, but the certificate is self-signed. I disabled and re-enabled Let's Encrypt for admin.domain.tld/, and now there is a valid new Let's Encrypt certificate there. Thanks a lot so far. But how do I get a valid cert for :8080? My first way seemed the wrong way.
It's weird that it does not work through the installer. You can use the old method: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
Yes, it's weird, as it works for admin.domain.tld/, so the normal port 80 with a redirect to 443. And that certificate is from now. Thanks anyway.
Oh fuck, sorry. I followed the instructions at the link you provided and did the section "Changing ISPConfig 3 Control Panel (Port 8080)". I did the commands one by one with copy and paste so as not to make a typo. Went to my browser and started the admin panel: still the self-signed cert. Did an Apache restart, and I am back at the beginning, being asked for the passphrase; Apache fails to start, so I restart at the point of commenting out the SSL lines.