Very beginning steps after installation

Discussion in 'Installation/Configuration' started by carlosopenges, Jul 16, 2017.

  1. carlosopenges

    carlosopenges New Member

    Hi all,
    I have a domain, example.com, with registered nameserver (ns1.example.com and ns2.example.com) pointing with glue records to the IP 111.222.333.444.
    I have a VPS with this IP as network address. I have installed ISPConfig 3.1dev as mentioned in: The Perfect Server CentOS 7.3 with Apache, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1
    This server is named server1.example.com and has to be the SOA of the domain.
    I have imported a previously working zone for this domain:
    --------------------------------------------------------------------------------------------------------------------
    $ttl 1800
    @ IN SOA example.com. hostmaster.example.com$
    2017071502 ;Serial, todays date + todays serial #
    1H ;Refresh
    1H ;Retry
    1W ;Expire
    1H ;Minimum
    )
    ;Nameservers
    IN NS ns1.example.com.
    IN NS ns2.example.com.

    ;Resolve Nameserver IPs
    ns1 IN A 111.222.333.44
    ns2 IN A 111.222.333.44

    ;Define hosts resolutions
    @ IN A 111.222.333.44 ;ns1
    @ IN A 111.222.333.44 ;ns2
    mail IN A 111.222.333.44
    ftp IN A 111.222.333.44

    ;MX records
    example.com. IN MX 10 mail.example.com.

    ;CNAMEs
    www IN CNAME @

    ;TXT Records
    example.com. IN TXT "v=spf1 ip4:111.222.333.444 include:_spf.google$
    -----------------------------------------------------------------------------------------------------------------------------------
    This VPS will have only this domain.

    I have bought the ISPConfig Manual with the hope that I would find the first steps all ISPConfig installations need, but I couldn't find them.

    If I try to test this example.com dns in places like leafdns.com I get:

    ns1.example.com. 111.222.333.444 Glue:Yes TTL:172800
    FAIL: Nameserver is not authoritative for example.com.
    ns2.example.com. 111.222.333.444 Glue:Yes TTL:172800
    FAIL: Nameserver is not authoritative for example.com.
    What do I have to do?
    Thanks.
     
  2. carlosopenges

    carlosopenges New Member

    Nobody knows?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The system is ready to be used when you followed the perfect server guides. So there are no further steps that need to be done on all systems. Instructions on how to do individual tasks like how to add a dns record or a website can be found in the manual.

    If your dns is not working, then take a look at the folder where the BIND config files are stored to see if your zone file has no .err ending. If it has a .err ending, then bind rejected it. You can find the detailed error in the system.log then, or by using the named-checkzone command to test the file.
     
  4. carlosopenges

    carlosopenges New Member

    Thanks Till. I was lost and I solved it with your suggestions.

    For the future readers:
    - When you create a DNS zone with the wizard, the A records for the ns1 and ns2 nameservers are not set automatically. You have to point the ns hosts to your IP by adding a new A record for each ns you have. I have not been able to find this in the manual.
    - I haven't been able to find the system.log file; that's because in CentOS it has a different name, /var/log/messages.
    - named-checkzone only worked when the zone was well configured.

    I have it running so thanks again.
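    The lesson in this post (nameservers listed in the zone but without their own A records) can be checked mechanically before the zone is handed to BIND. The following is an added example, not code from the thread or from ISPConfig: a small Python linter for the zone syntax used in the first post. The zone text, `example.com`, and the 203.0.113.0/24 addresses are constructed sample data, and `parse_zone`, `lint_zone`, `BROKEN_ZONE` and `FIXED_ZONE` are names chosen here.

```python
import ipaddress
from collections import defaultdict


def _fqdn(name, origin):
    """Make a zone-file name absolute: '@' is the apex and a name without a
    trailing dot is relative to the origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse the zone syntax used in the thread and return
    (origin, {(owner, rtype): [rdata, ...]}).  ';' comments and $TTL are
    dropped, a parenthesised multi-line SOA is folded into one record, and a
    line starting with IN inherits the previous owner name."""
    origin = origin.rstrip(".").lower() + "."
    records = defaultdict(list)
    owner = origin
    buf = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # no quoted ';' in this subset
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if "(" in buf and ")" not in buf:     # still inside ( ... )
            continue
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0].startswith("$"):         # $TTL, $ORIGIN: not records
            continue
        if fields[0].upper() != "IN":         # explicit owner name
            owner = _fqdn(fields[0], origin)
            fields = fields[1:]
        if len(fields) < 3 or fields[0].upper() != "IN":
            raise ValueError(f"cannot parse zone line {raw!r}")
        records[(owner, fields[1].upper())].append(" ".join(fields[2:]))
    return origin, dict(records)


def lint_zone(text, origin):
    """Return a list of problems; an empty list means the checks passed."""
    origin, records = parse_zone(text, origin)
    findings = []

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    if (origin, "SOA") not in records:
        findings.append("no SOA record at the zone apex")
    # An in-zone nameserver without an A record leaves resolvers with glue
    # from the registrar but nothing in the zone itself to confirm it.
    for ns in records.get((origin, "NS"), []):
        target = _fqdn(ns, origin)
        if in_zone(target) and (target, "A") not in records:
            findings.append(f"NS {target} is inside the zone but has no A record")
    for mx in records.get((origin, "MX"), []):
        target = _fqdn(mx.split()[-1], origin)
        if in_zone(target) and (target, "A") not in records:
            findings.append(f"MX target {target} has no A record")
    for (owner, rtype), values in records.items():
        if rtype == "A":
            for value in values:
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    findings.append(f"A record for {owner} has invalid address {value!r}")
        if rtype == "CNAME" and any(o == owner and t != "CNAME" for o, t in records):
            findings.append(f"CNAME at {owner} cannot coexist with other records")
    return findings


# Constructed sample modelled on the zone in the first post: ns1 and ns2 are
# listed as NS but have no A records, and the apex A record carries the
# thread's placeholder 111.222.333.444, which is not a valid IPv4 address.
BROKEN_ZONE = """\
$TTL 1800
@ IN SOA ns1.example.com. hostmaster.example.com. (
    2017071502 ; serial
    1H         ; refresh
    1H         ; retry
    1W         ; expire
    1H         ; minimum
)
IN NS ns1.example.com.
IN NS ns2.example.com.
@ IN A 111.222.333.444
mail IN A 203.0.113.10
example.com. IN MX 10 mail.example.com.
www IN CNAME @
example.com. IN TXT "v=spf1 ip4:203.0.113.10 -all"
"""

# The fix from this post: one A record per nameserver, plus a valid address.
FIXED_ZONE = BROKEN_ZONE.replace("111.222.333.444", "203.0.113.10") + (
    "ns1 IN A 203.0.113.10\nns2 IN A 203.0.113.10\n")

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, lint_zone(zone, "example.com") or ["no problems found"])
```

    To run it against a real file use `lint_zone(open(path).read(), "example.com")`. The parser covers only the record shapes in the thread's zone (no $ORIGIN, no per-record TTL fields, no semicolons inside quoted TXT data), so treat it as a pre-check that explains the leafdns failure, and still run `named-checkzone` as till suggests before reloading BIND.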
     
  5. pannet1

    pannet1 Member

    hi,
    I am using debian 9 stretch. I have hostname -f command return the following

    server1.mydomain.tld

    Earlier, I have pointed out to my vps nameserver ns1.vultr.com ns2.vultr.com correctly. However under my vps control panel i have added following domain records.

    A xx.xx.xx.xx 300
    CNAME mydomain.tld 300
    ....

    Is this correct ? I am asking this because I am getting "Your connection is not secure" when I visit the full hostname.
    Advanced Button
    server1.mydoman.tld:8080 uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

    Can you please help resolve this issue.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok. You must get this message as it is a self-signed ssl cert.
     
  7. pannet1

    pannet1 Member

    hi till,

    I realised only now that I have posted in the linux forum instead of ispconfig forum. can you please move this there. sorry for the trouble.

    Since it's ISPConfig now, I read somewhere that I should not mess with the certbot commands directly from the command line.

    The irony is that the domains I create for the customers (from the insecure ISPConfig panel :) ) get SSL without problems. It's only the root top-level ISPConfig host server1.mydomain.tld, for which I don't have any control, that I have a problem with. So I guess I have begun with the wrong FQDN in the first place (i.e. mydomain.tld instead of server1.mydomain.tld).

    Kindly advise.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Change the hostname of your system to server1.mydomain.tld in /etc/hosts, /etc/hostname, /etc/mailname and /etc/postfix/main.cf and then restart the server to apply the changes.
     
  9. pannet1

    pannet1 Member

    hi till,
    report taken before making changes suggested by you with php -q htf-common-issues.php:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.
    [WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.
    
    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.0.19-1
    
    ##### PORT CHECK #####
    [WARN] Port 465 (SMTP server SSL) seems NOT to be listening
    
    ##### MAIL SERVER CHECK #####
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [WARN] I could not determine which web server is running.
    [WARN] I could not determine which mail server is running.
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [WARN] I could not determine which ftp server is running.
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [localhost]:3306        (-)
    [localhost]:10027        (-)
    [localhost]:11211        (-)
    [anywhere]:110        (-)
    [anywhere]:143        (-)
    [anywhere]:21        (-)
    ***.***.***.***:53        (-)
    [localhost]:53        (-)
    [anywhere]:22        (-)
    [anywhere]:25        (-)
    [localhost]:953        (-)
    [anywhere]:993        (-)
    [anywhere]:995        (-)
    [localhost]:10023        (-)
    [localhost]:10025        (-)
    [localhost]10        (-)
    [localhost]43        (-)
    *:*:*:*::*:80        (-)
    *:*:*:*::*:8080        (-)
    *:*:*:*::*:8081        (-)
    *:*:*:*::*:21        (-)
    *:*:*:*::*:53        (-)
    *:*:*:*::*:22        (-)
    *:*:*:*::*:25        (-)
    *:*:*:*::*:953        (-)
    *:*:*:*::*:443        (-)
    *:*:*:*::*:993        (-)
    *:*:*:*::*:995        (-)
    *:*:*:*::*:10023        (-)
    ##### IPTABLES #####
    
    since i followed the steps mentioned in perfect server debian ispconfig exactly, now i needed to change only one file /etc/hostname to:
    Code:
    server1.mydomain.tld
    instead of:
    Code:
    server1
    so hostname -f still outputs to:
    Code:
    server1.mydomain.tld
    after making the changes you suggested, still i have https "connections not secure error". do you have any ideas for me to try?
     
  10. pannet1

    pannet1 Member

    hi till,

    just realised the report i generated with php -q htf-common-issues.php is super useless because there was no preceding sudo before it. so i regenerated it now with preceding sudo. Please take a look.
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.1.7p1
    
    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.0.19-1
    
    ##### PORT CHECK #####
    [WARN] Port 465 (SMTP server SSL) seems NOT to be listening
    
    ##### MAIL SERVER CHECK #####
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    [INFO] I found the following web server(s):
       Apache 2 (PID 17249)
    [INFO] I found the following mail server(s):
       Postfix (PID 976)
    [INFO] I found the following pop3 server(s):
       Dovecot (PID 518)
    [INFO] I found the following imap server(s):
       Dovecot (PID 518)
    [INFO] I found the following ftp server(s):
       PureFTP (PID 886)
    
    ##### LISTENING PORTS #####
    (only     ()
    Local     (Address)
    [localhost]:3306     (716/mysqld)
    [localhost]:10027     (976/master)
    [localhost]:11211     (466/memcached)
    [anywhere]:110     (518/dovecot)
    [anywhere]:143     (518/dovecot)
    [anywhere]:21     (886/pure-ftpd)
    ***.***.***.***:53     (461/named)
    [localhost]:53     (461/named)
    [anywhere]:22     (480/sshd)
    [anywhere]:25     (976/master)
    [localhost]:953     (461/named)
    [anywhere]:993     (518/dovecot)
    [anywhere]:995     (518/dovecot)
    [localhost]:10023     (755/postgrey)
    [localhost]:10025     (976/master)
    [localhost]10     (518/dovecot)
    [localhost]43     (518/dovecot)
    *:*:*:*::*:80     (17249/apache2)
    *:*:*:*::*:8080     (17249/apache2)
    *:*:*:*::*:8081     (17249/apache2)
    *:*:*:*::*:21     (886/pure-ftpd)
    *:*:*:*::*:53     (461/named)
    *:*:*:*::*:22     (480/sshd)
    *:*:*:*::*:25     (976/master)
    *:*:*:*::*:953     (461/named)
    *:*:*:*::*:443     (17249/apache2)
    *:*:*:*::*:993     (518/dovecot)
    *:*:*:*::*:995     (518/dovecot)
    *:*:*:*::*:10023     (755/postgrey)
    
    Left iptables because i am exceeding the forum number of lines limit.
    Sorry for the trouble.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that you missed removing the # in front of the submission and smtps lines. Regarding hostname, when neither the command 'hostname' nor 'hostname -f' show 'yourdomain.tld' without 'server1', then the hostname setup should be fine. If you get just 'server1' from 'hostname', then that's ok as well.
     
  12. pannet1

    pannet1 Member

    hi till,
    many thanks for your reply. i made the changes proposed by you. i have attached
    the full htf_report.txt

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.1.7p1
    
    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.0.19-1
    
    ##### PORT CHECK #####
    
    ##### MAIL SERVER CHECK #####
    
    ##### RUNNING SERVER PROCESSES #####
    [INFO] I found the following web server(s):
       Apache 2 (PID 819)
    [INFO] I found the following mail server(s):
       Postfix (PID 1082)
    [INFO] I found the following pop3 server(s):
       Dovecot (PID 586)
    [INFO] I found the following imap server(s):
       Dovecot (PID 586)
    [INFO] I found the following ftp server(s):
    ........
    
    hostname -f
    Code:
    mydomain.tld
    
    hostname -s
    Code:
    mydomain
    
    /etc/hosts (previous reference of server1 is commented out)
    Code:
    127.0.0.1   localhost
    #xx.xx.xx.xx  server1.mydomain.tld  server1
    xx.xx.xx.xxx  mydomain.tld  server1
    
    # The following lines are desirable for IPv6 capable hosts
    ::1  localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    
    #127.0.0.1 server1
    #::1  server1
    
    ifconfig (please note there is no eth0. i hope that is ok)
    Code:
    ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
      inet xx.xx.xx.xx netmask xxx.xxx.xxx.x  broadcast xx.xx.xx.xxx
      inet6 fe80::5400:1ff:fe38:b731  prefixlen 64  scopeid 0x20<link>
      ether 56:00:01:38:b7:31  txqueuelen 1000  (Ethernet)
      RX packets 968  bytes 143264 (139.9 KiB)
      RX errors 0  dropped 0  overruns 0  frame 0
      TX packets 899  bytes 106494 (103.9 KiB)
      TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
      inet 127.0.0.1  netmask 255.0.0.0
      inet6 ::1  prefixlen 128  scopeid 0x10<host>
      loop  txqueuelen 1  (Local Loopback)
      RX packets 10  bytes 478 (478.0 B)
      RX errors 0  dropped 0  overruns 0  frame 0
      TX packets 10  bytes 478 (478.0 B)
      TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    Please advise what is wrong with resolving the server name.

    Note: You are correct on the master.cf me forgetting to uncomment. I was more fixated with the -o lines :)
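    The master.cf point raised in the two posts above (the service lines and their `-o` lines both have to be uncommented for the htf report to stop warning) can be verified from the file itself. The following is an added example, not code from the thread, from ISPConfig or from Postfix: a Python parser for master.cf service entries and a check that `submission` and `smtps` are active with the TLS and SASL options the stock commented-out entries carry. The master.cf excerpts `STOCK`, `PARTIAL` and `FIXED` are constructed samples in the shape of the Debian default, and `parse_master`, `check_master` and `REQUIRED` are names chosen here.

```python
def parse_master(text):
    """Return {service: {"type": ..., "command": [...], "options": {...}}}
    for the active services in a Postfix master.cf.  A service line starts in
    column 0 with eight fields (name type private unpriv chroot wakeup maxproc
    command); indented lines continue the previous service's command, and the
    '-o key=value' pairs on those lines are collected into options."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or commented out
        if raw[0].isspace():              # continuation of the current service
            if current is None:
                raise ValueError(f"continuation line before any service: {raw!r}")
            services[current]["command"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7:], "options": {}}
    for svc in services.values():
        tokens = svc["command"]
        for i, tok in enumerate(tokens):
            if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
                key, value = tokens[i + 1].split("=", 1)
                svc["options"][key] = value
    return services


# The options the stock commented-out entries carry and that clients on
# 587 and 465 depend on: TLS before authentication, and SASL enabled.
REQUIRED = {
    "submission": {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes"},
    "smtps": {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"},
}


def check_master(text):
    """Return findings like the htf report's, plus a check that each enabled
    service still has its TLS/SASL -o lines uncommented."""
    services = parse_master(text)
    findings = []
    for name, wanted in REQUIRED.items():
        svc = services.get(name)
        if svc is None:
            findings.append(f'no "{name}" entry is active in master.cf')
            continue
        for key, value in wanted.items():
            found = svc["options"].get(key)
            if found != value:
                findings.append(f"{name}: expected -o {key}={value}, found {found!r}")
    return findings


# Constructed excerpt shaped like the stock master.cf before any edit: the
# submission and smtps blocks are still commented out.
STOCK = """\
smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
"""

# Only the two service lines uncommented: the ports open, but the -o lines
# that enforce TLS and enable SASL are still disabled.
PARTIAL = STOCK.replace("#submission", "submission").replace("#smtps", "smtps")

# Service lines and their -o lines all uncommented.
FIXED = STOCK.replace("\n#", "\n")

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("partial", PARTIAL), ("fixed", FIXED)):
        print(label, check_master(text) or ["submission and smtps look right"])
```

    `check_master(open("/etc/postfix/master.cf").read())` runs the same check on a live system; after editing the file, `postfix reload` is still needed for the change to take effect.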
     
  13. pannet1

    pannet1 Member

    hi till,
    do you want me to do a fresh install after doing the hostname fix you proposed?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no need to reinstall. Remove the line:

    xx.xx.xx.xxx mydomain.tld server1

    from /etc/hosts file and remove the # in front of the line:

    #xx.xx.xx.xx server1.mydomain.tld server1
     
    pannet1 likes this.
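    Why the two-line change above fixes `hostname -f` is easy to see if the lookup is simulated: the command resolves the short hostname and reports the canonical name, which for the `files` backend is the first name on the first matching /etc/hosts line. The following is an added example, not code from the thread or from ISPConfig: a Python reading of /etc/hosts that shows the broken and the fixed file from the posts above. The hosts texts, the address 203.0.113.10 and the names `BROKEN_HOSTS`, `FIXED_HOSTS`, `parse_hosts`, `canonical_name` and `check_hosts` are constructed here.

```python
def parse_hosts(text):
    """Return [(address, [names...])] for the active lines of an /etc/hosts
    file; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            address, *names = line.split()
            entries.append((address, names))
    return entries


def canonical_name(text, short):
    """What `hostname -f` reports: the canonical name of the short hostname,
    i.e. the first name on the first active line that lists it."""
    for _address, names in parse_hosts(text):
        if short in names:
            return names[0]
    return None


def check_hosts(text, fqdn):
    """Explain why `hostname -f` does not return the intended FQDN."""
    short = fqdn.split(".", 1)[0]
    findings = []
    got = canonical_name(text, short)
    if got != fqdn:
        findings.append(f"hostname -f would return {got!r}, expected {fqdn!r}")
    for address, names in parse_hosts(text):
        if short in names and names[0] != fqdn:
            findings.append(f"line '{address} {' '.join(names)}' makes "
                            f"{names[0]!r} the canonical name of {short}")
    if not any(fqdn in names for _a, names in parse_hosts(text)):
        for raw in text.splitlines():
            if raw.lstrip().startswith("#") and fqdn in raw:
                findings.append(f"the only line naming {fqdn} is commented out: {raw.strip()!r}")
                break
    return findings


# Constructed sample reproducing the file in post #12: the FQDN line was
# commented out and the bare domain added, so 'server1' resolves to the
# bare domain name.
BROKEN_HOSTS = """\
127.0.0.1   localhost
#203.0.113.10  server1.mydomain.tld  server1
203.0.113.10  mydomain.tld  server1

::1  localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# After the change till describes: the FQDN line is active again and the
# bare-domain line is gone.
FIXED_HOSTS = """\
127.0.0.1   localhost
203.0.113.10  server1.mydomain.tld  server1

::1  localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, canonical_name(text, "server1"),
              check_hosts(text, "server1.mydomain.tld") or ["hosts file looks right"])
```

    `check_hosts(open("/etc/hosts").read(), "server1.mydomain.tld")` gives the same verdict for a real system, as long as /etc/nsswitch.conf lists `files` first for hosts, which is the default.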
  15. pannet1

    pannet1 Member

    Hi Till,

    got frustrated a bit and reinstalled the Debian Stretch Custom 64-bit net install CD.
    1) Did a minimal server setup and then ran the Servisys script. Everything went well, except the last message after successful installation !?

    Code:
    You had to edit user/pass /var/lib/roundcube/plugins/ispconfig3_account/config/config.inc.php of roudcube user, as the one you inserted in ISPconfig
    
    2) no errors on the htf_report as well.

    3) Again no padlock for me at https://server1.mydomain.tld:8080

    4) also I am not able to send mail to the outside world, but sending mail to myself works correctly.

    Please advise.

    BTW: I am on DNS (no static IP), is it OK?

     
  16. pannet1

    pannet1 Member

    hi till,

    need your suggestions and help on this please.

    thanks.

     
  17. Taleman

    Taleman Member

    I do not know what the servisys script does to HTTPS, but HTTPS should work for the ISPConfig control panel if the usual ispconfig install is told to create a self signed certificate. Although the browser must be told to trust the certificate. Since Let's Encrypt is installed by the servisys script, it is possible to use that to get a certificate that browsers trust. See for example this thread: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
    About sending mails: Does the mail server have an IP address that resolves back to the host name? Check like this:
    Mail servers receiving mail from your server quite likely are checking the IP resolves back to the hostname the sending server claims to be.
     
    pannet1 likes this.
  18. pannet1

    pannet1 Member

    Hi Taleman,

    Thanks,

    AA)
    Code:
    [email protected]:~$ host mail.myvhost.tld
    mail.myvhost.tld is an alias for myvhost.tld
    myvhost.tld has address xx.xx.xxx.xxx
    myvhost.tld mail is handled by 10 myvhost.tld
    [email protected]:~$ host xx.xx.xxx.xxx
    132.177.76.45.in-addr.arpa domain name pointer xx.xx.xx.xxx.vultr.com.
    
    Note: xx.xx.xxx.xxx is the dynamic ip assigned to my vultr.com account. I did not like the vultr.com suffix at the end of my ip. is it Ok ?

    BB)
    seems servisys script does not install certbot. so i did it only now.

    Code:
    sudo apt-get install certbot
    
    Now how to rectify the no pad lock ssl problem.


     
  19. pannet1

    pannet1 Member

    hello all,
    bumping this again :-(
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    A self-signed ssl cert is absolutely fine but needs to be accepted once in the browser. The encryption with a self-signed cert is not lower than what you get with an official cert, it's just that you have to accept it once as confirmation that you know that it's your own ssl cert and of course, the padlock is not green. If you want to get an officially signed cert, then you can e.g. use letsencrypt.

    https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

    Then you should check your dns records and especially the reverse dns record for your server IP and ensure that your hosting provider does not block outgoing traffic on port 25.
     
    pannet1 likes this.
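    The reverse-DNS check that Taleman and till both point at is usually done as forward-confirmed reverse DNS: the PTR name for the sending address must itself resolve back to that address, and receivers then compare it with the hostname the server announces. The following is an added example, not code from the thread or from ISPConfig: a Python implementation of that check with a constructed static resolver so it runs offline (the provider-style PTR `203.0.113.10.provider.example` stands in for the vultr.com name from post #18), plus a `SystemResolver` that does the same lookups through the socket module. The names `StaticResolver`, `SystemResolver`, `check_fcrdns` and `DEMO` and all addresses are constructed here.

```python
import socket


class StaticResolver:
    """Constructed stand-in for DNS so the example runs offline: forward
    (name -> addresses) and reverse (address -> PTR name) tables."""

    def __init__(self, forward, reverse):
        self.forward = {k.lower().rstrip("."): v for k, v in forward.items()}
        self.reverse = reverse

    def addresses(self, name):
        return self.forward.get(name.lower().rstrip("."), [])

    def ptr(self, address):
        return self.reverse.get(address)


class SystemResolver:
    """Same interface backed by the system resolver (needs network access)."""

    def addresses(self, name):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []

    def ptr(self, address):
        try:
            return socket.gethostbyaddr(address)[0]
        except (socket.herror, socket.gaierror):
            return None


def check_fcrdns(resolver, address, announced):
    """Forward-confirmed reverse DNS for a sending mail server.
    Returns (ok, notes): ok is False when there is no PTR or the PTR name does
    not resolve back to the address.  A PTR that differs from the hostname the
    server announces still passes but is reported, because receivers compare
    the two and a generic provider name is a common reason for rejections."""
    ptr = resolver.ptr(address)
    if ptr is None:
        return False, [f"{address} has no PTR record"]
    ptr = ptr.lower().rstrip(".")
    if address not in resolver.addresses(ptr):
        return False, [f"PTR {ptr} does not resolve back to {address}"]
    notes = [f"FCrDNS ok: {address} -> {ptr} -> {address}"]
    announced = announced.lower().rstrip(".")
    if ptr != announced:
        notes.append(f"PTR {ptr} differs from the announced hostname {announced}; "
                     f"ask the hosting provider to set the PTR to {announced}")
    if address not in resolver.addresses(announced):
        notes.append(f"announced hostname {announced} does not resolve to {address}")
    return True, notes


# Constructed data: the provider publishes a generic PTR that does resolve
# back (as the vultr.com name in the thread does), a second address whose PTR
# points elsewhere, and a third address with no PTR at all.
DEMO = StaticResolver(
    forward={
        "server1.mydomain.tld": ["203.0.113.10"],
        "mydomain.tld": ["203.0.113.10"],
        "203.0.113.10.provider.example": ["203.0.113.10"],
        "stale.provider.example": ["203.0.113.99"],
    },
    reverse={
        "203.0.113.10": "203.0.113.10.provider.example",
        "203.0.113.20": "stale.provider.example",
    },
)

if __name__ == "__main__":
    for address in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(address, check_fcrdns(DEMO, address, "server1.mydomain.tld"))
```

    On a live server, `check_fcrdns(SystemResolver(), public_ip, hostname)` performs the real lookups; the PTR itself can only be changed at the hosting provider, since the reverse zone belongs to them. This check does not detect a provider blocking outgoing port 25, which till names as the other thing to confirm.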
