Trying to get certificate for ISPCofig admin server failed

Discussion in 'Installation/Configuration' started by muekno, Apr 4, 2021.

  1. muekno

    muekno Member HowtoForge Supporter

    Seams I have n old lets encrypt certifiacte expired Nob 2019.
    I'm on DEBIAN 10 latest patches and ISPConfig 3.2.4
    Have multiple server configuration
    I have an SSH connection to the admin server
    ISPConfig admin server, thats where the admin.domain.tld:8080 webpage is on one IP addresse and a www.domain.tld on the web server on an other address.
    Letsencrypt certificates for my normal webservers works fie
    So first I tried thishttps://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ checked the ssl and Let´s encrypt check boxes nothing changesm still the old certificate
    then I tried acme.sh --issue -d domain.tld --webroot /var/www/admin.domain.tld
    got an error
    domain.tld:Verify error:Invalid response from https://domain.tld/.well-known/acme-challenge/AvmaaTBd54yZLdyV_kVhqkX_a65QyEptp-G7Ryc59Bk [xxx.yyy.zzz.75]:
    [Sun 04 Apr 2021 12:01:35 PM CEST] Please add '--debug' or '--log' to check more details.
    [Sun 04 Apr 2021 12:01:35 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    OK thats the wrong IP
    then I tried
    /.acme.sh# ./acme.sh --issue --apache -d admin.domain.tld --webroot /var/www/admin.domain.tld
    Got error again
    admin.domain.tld:Verify error:Invalid response from http://admin.domain.tld/.well-known/acme-challenge/1aw6P_1LTdjMvxK1zbIZ97BsuGq0qjKU-8S00aQCnJ4 [xxx.yyy.zzz.74]:
    but this time tis is the IP of the admin server.the website admin.domain.tld is reachable with a dummy content but with a security warning expired certificate
    What to do now.

    Thanks for any help hint
    Rainer
    did add --debug, but the outputtells me nothing
     
    Last edited: Apr 4, 2021
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Never run the acme.sh command manually, this will break the integration with ISPConfig.

    To get a certificate for the panel, run
    Code:
    ispconfig_update.sh --force
    and select yes when asked if you want a new SSL cert.
     
  3. muekno

    muekno Member HowtoForge Supporter

    Thanks, I did but
    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for admin.gerdakloos.de
    Using certificate path /root/.acme.sh/admin.domain.tld
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.domain.tld
    [Sun 04 Apr 2021 01:55:29 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.domain.tld/.well-known/acme-challenge/je3eeJlXBT4awzICM50GdqAOaVRwKUHhiR85g_KbuYE: Connection refused
    [Sun 04 Apr 2021 01:55:29 PM CEST] Please add '--debug' or '--log' to check more details.
    [Sun 04 Apr 2021 01:55:29 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)

    admin.domain.tld has a vaild working DNS.
    ping from anywhre to admin.domain.tld resolves to teh correct IP address

    and apache refuse to start now, restart ask for a password for admin.domain,tld. I just pressed enter two times when the script ask for challange password so it should be empty
     
    Last edited: Apr 4, 2021
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is port 80 opened in your firewall?
     
  5. muekno

    muekno Member HowtoForge Supporter

    yes
    Firewall is not managed by ISPConfig its an extra firewall server in front configured with Firewallbuilder using iptables with does nat and all ip forwardung to all the server admin, web, dns mail etc. behind. So it is not so easy to turn on and off. works since years no recent changes
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    So traffic to port 80 is forwarded to this server?

    Temporarily comment out the SSL lines from the files causing the conflict (most likely ispconfig.vhost and apps.vhost) and then start Apache. When it's up and running again, verify you can connect to the server on port 80.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    And once it is, use the installer to attempt setting up the certificate again.
     
  8. muekno

    muekno Member HowtoForge Supporter

    starting apache still ask for password.
    removed comments an did run ispconfig_update.sh --force
    again. made shure enter noting just ENTER when asking for passphrase, still apache asks
    Enter passphrase for SSL/TLS keys for admin.domain.tld:443 (RSA): even I the symlink for this vhost from sites-enabled
    i had made a backup running the force update. would its not be better to restore this. it my production ISPConfig

    Is the a description how to restore, the on I found on the net is 5 years old
     
    Last edited: Apr 4, 2021
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If apache is asking for the passphrase to a private key, the key and the certificate do not match, so commenting the ssl related lines out of the config will allow apache to start. Apache must be started for the certificate request to succeed.

    You probably could restore files from your backup to get apache working, but it would be faster to just content those lines.
     
  10. muekno

    muekno Member HowtoForge Supporter

    I know I have to bring up apache starting. commenting all ssl lines did not not help nor apache tells me which certificate does not mach. never had a passphrase for any certificate. is the a way to find out what certificate and then delete ist. or better to restore from the /var/backup/ispconfig,admin.domain.tld.20....I have from the this morning
    The system worked fine since years there was only the enoying browser warning from the expired certificat. the holidays now where fine for fixing this, Did not think to run in such problems.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You would probably need to restore the certificate files in /usr/local/ispconfig/interface/ssl/, not the vhost file, though restoring it too would undo your temp changes.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the status of Apache now? If there's a hiccup, it should be showing there as well:
    Code:
    systemctl status apache2
     
  13. muekno

    muekno Member HowtoForge Supporter

    restored the .../ssl files and symlinks apache nowEnter passphrase for SSL/TLS keys for admin.gerdakloos.de:8080 (RSA):
    what the fuck fools me
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please share the content of your ispconfig.vhost in /etc/apache2/sites-available.
     
  15. muekno

    muekno Member HowtoForge Supporter

    there is a ispconfig.conf too
    here the requested content
    Code:
    [email protected]:/etc/apache2/sites-available# cat ispconfig.vhost
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################
    
     Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
      ServerAdmin [email protected]
    
      Alias /mail /var/www/ispconfig/mail
    
      <Directory /var/www/ispconfig/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      <Directory /usr/local/ispconfig/interface/web/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          <FilesMatch "\.php$">
            SetHandler fcgid-script
          </FilesMatch>
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
                Require all granted
              </Directory>
        IPCCommTimeout  7200
        MaxRequestLen 15728640
      </IfModule>
    
      <IfModule mpm_itk_module>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AssignUserId ispconfig ispconfig
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
          Options +FollowSymLinks
          AllowOverride None
                Require all granted
                php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    
      # SSL Configuration
      SSLEngine On
        SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      SSLHonorCipherOrder On
      
      <IfModule mod_headers.c>
        # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        Header set X-Content-Type-Options: nosniff
        Header set X-Frame-Options: SAMEORIGIN
        Header set X-XSS-Protection: "1; mode=block"
        Header always edit Set-Cookie (.*) "$1; HTTPOnly"
        Header always edit Set-Cookie (.*) "$1; Secure"
        <IfVersion >= 2.4.7>
            Header setifempty Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        <IfVersion < 2.4.7>
            Header set Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        RequestHeader unset Proxy early
      </IfModule>
    
        SSLUseStapling On
      SSLStaplingResponderTimeout 5
      SSLStaplingReturnResponderErrors Off
      </VirtualHost>
    
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Comment out
    Code:
      # SSL Configuration
      SSLEngine On
       SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
       SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      SSLHonorCipherOrder On
     
      <IfModule mod_headers.c>
       # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
       Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
       Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
       Header set X-Content-Type-Options: nosniff
       Header set X-Frame-Options: SAMEORIGIN
       Header set X-XSS-Protection: "1; mode=block"
       Header always edit Set-Cookie (.*) "$1; HTTPOnly"
       Header always edit Set-Cookie (.*) "$1; Secure"
       <IfVersion >= 2.4.7>
           Header setifempty Strict-Transport-Security "max-age=15768000"
       </IfVersion>
       <IfVersion < 2.4.7>
           Header set Strict-Transport-Security "max-age=15768000"
       </IfVersion>
       RequestHeader unset Proxy early
      </IfModule>
    
       SSLUseStapling On
      SSLStaplingResponderTimeout 5
      SSLStaplingReturnResponderErrors Off
    and then restart Apache2. Then run a force update and generate a new cert.
    Let the installer reconfigure your services. And, as said, but you didn't answer this, make sure that traffic on port 80 goes to this server.
     
  17. muekno

    muekno Member HowtoForge Supporter

    Thats what I did on your first request before restoring the .../ssl/ directory but now I could start apache.
    I check port 80 open via nmap from an externer customer server port = open.
    die the force update
    <code>
    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for admin.gerdakloos.de
    Using certificate path /root/.acme.sh/admin.gerdakloos.de
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.gerdakloos.de
    [Sun 04 Apr 2021 04:57:02 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.gerdakloos.de/.well-known/acme-challenge/qaMB39sCKn0XrB9_fB46_J8dZJw6ZhFVyLuo0IgwFYg: Connection refused
    [Sun 04 Apr 2021 04:57:02 PM CEST] Please add '--debug' or '--log' to check more details.
    [Sun 04 Apr 2021 04:57:02 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .....................................................................++++
    ..............................................................................................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:BY
    Locality Name (eg, city) []:Rednitzhembach
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:IB MK
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:admin.gerdakloos.de
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    writing RSA key
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: n

    Reconfigure Crontab? (yes,no) [yes]:
    </code>

    restart apache Ok
    I can start the admin panel now but the certificate is now self signed
    disabled and enabled the admin.domain.tld/
    no there is a valid new letsencrypt certificate
    Thanks a lot so far
    But how to get a valid cert for :8080, my fist way seamed the wrong way
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It's weird that it does not work through the installer. You can use the old method: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
  19. muekno

    muekno Member HowtoForge Supporter

    yes its weird as it works for admin.domain.tdl/ so the norm port 80 with reroute to 443. An that certificate is from now.

    Thanks anyway
     
  20. muekno

    muekno Member HowtoForge Supporter

    Oh fuck sorry. followed the instructions the link you provided. did the section
    Changing ISPConfig 3 Control Panel (Port 8080
    did the command one by one with copy paste to not do a false typo
    got to my browser startet the admin panel, still the self signed cert.
    did a apache restart and i am at the beging, beeing asked for passphrase
    apache fails to start

    so I restart at the point commenting the ssl lines
     
    Last edited: Apr 4, 2021

Share This Page