Froxlor Forum
  • 0

Question

Hello,

I am hoping someone on here has experienced an odd issue with SSL/HTTPS when using the webmail URL, in my case, https://my.froxlorserver.com/webmail. I can't prove it for sure; however, I believe it is working for some in a different country to me, but I can't connect to the above URL using https. It will connect with http on port 80. I get the below error.

Forbidden

You don't have permission to access /webmail on this server.

I have confirmed this on different devices using different internet connections and I have cleared the cache/browsing data.

Using Digicert's tool (https://www.digicert.com/help/), the https://Froxlor admin page comes back as a success with zero issues. If I try https://froxlor/webmail, I get the below error message:

Error: my.froxlor.com/webmail is not a fully qualified public domain name or public IP address.

The above error message does not make sense as using port 80 I can get to the /webmail page, so the above might be a red herring.

Has anyone seen this issue?

Thanks in advance.

9 answers to this question

  • 1

There should be the line "Alias /webmail /var/lib/roundcube" somewhere in the IP/port settings. You do not want to ADD this line, you want to remove it.

  • 0

Please provide the vhost of the IP/Port for port 80 and 443, and also an "ls -la" of the froxlor directory, to see whether webmail is located in there or an alias is used.

  • 0
3 hours ago, d00p said:

Please provide the vhost of the IP/Port for port 80 and 443, and also an "ls -la" of the froxlor directory, to see whether webmail is located in there or an alias is used.

Hi D00p, thanks for your help again.

1). root@post:/var/www/froxlor# ls -la

drwxr-xr-x 13 froxlor froxlor    4096 Sep  4 20:03 webmail

2). root@post:/var/www/froxlor# cat 35_froxlor_ssl_vhost_mydomain.com.conf

<VirtualHost x.x.x.x:443 [x:x:x:x::x:x]:443>
  ServerName mydomain.com
  ServerAlias *.mydomain.com
  ServerAdmin myname@mydomain.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1 +TLSv1.2
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
  SSLVerifyDepth 10
  SSLCertificateFile /usr/local/ssl/post.mydomain.com.crt
  SSLCertificateKeyFile /usr/local/ssl/post.mydomain.com.key-nopass
  SSLCACertificateFile /usr/local/ssl/alphassl.pem
  SSLCertificateChainFile /usr/local/ssl/post.mydomain.com.intermediate.txt
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/myname/mydomain.com/"
  FcgidIdleTimeout 30
  SuexecUserGroup "myname" "myname"
  <Directory "/var/customers/webs/myname/mydomain.com/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/myname/mydomain.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/myname/webalizer"
  ErrorLog "/var/customers/logs/myname-error.log"
  CustomLog "/var/customers/logs/myname-access.log" combined
</VirtualHost>

3). 

<VirtualHost x.x.x.x:80 [x:x:x:x::x:x]:80>
  ServerName mydomain.com
  ServerAlias *.mydomain.com
  ServerAdmin myname@mydomain.com
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301;L,NE]
  </IfModule>
  <IfModule !mod_rewrite.c>
    Redirect 301 / https://mydomain.com/
  </IfModule>
</VirtualHost>

 

  • 0

AhHa! With your help I have temporarily fixed it.

root@me:/etc/apache2/sites-enabled# cat 10_froxlor_ipandport_138.68.188.75.443.conf

<VirtualHost 138.68.188.75:443>
DocumentRoot "/var/www/froxlor/"
 ServerName post.mydomain.com
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlor" "froxlor"
  <Directory "/var/www/froxlor/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/post.onyourcloud.zone/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
 Alias /webmail /var/lib/roundcube
 SSLEngine On
 SSLProtocol -ALL +TLSv1 +TLSv1.2
 SSLCompression Off
 SSLHonorCipherOrder On
 SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
 SSLVerifyDepth 10
 SSLCertificateFile /usr/local/ssl/post.mydomain.com.crt
 SSLCertificateKeyFile /usr/local/ssl/post.mydomain.com.key-nopass
 SSLCACertificateFile /usr/local/ssl/alphassl.pem
 SSLCertificateChainFile /usr/local/ssl/post.mydomain.com.intermediate.txt
</VirtualHost>

I hashed out the Alias line like the below

#Alias /webmail /var/lib/roundcube

Then

service apache2 reload && service apache2 restart

I was then able to connect to the webmail server using https://post.mydomain.com/webmail. I believe, when some were able to access the webmail using https and some were not, the people who were able to were using IPv6, not IPv4.

The problem I have is that the comment in that file says not to manually update the file as it will be overwritten, as per the below.

# 10_froxlor_ipandport_X.X.X.X.443.conf
# Created 19.09.2017 10:10
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

What do I need to do to make this a permanent change?

Thanks in advance.

  • 0

I also have a question with regards to how to permanently redirect http > https. I modified the below file and added the bold redirect line.

Redirect / https://post.onyourcloud.zone/

<VirtualHost X.X.X.X:80>
DocumentRoot "/var/www/froxlor/"
 ServerName post.mydomain.com
 Redirect / https://post.mydomain.com/
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlor" "froxlor"
  <Directory "/var/www/froxlor/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/post.onyourcloud.zone/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
</VirtualHost>

Again, this file will be overwritten so I need to know how to make the permanent change.

  • 0

Thanks d00p. That has now sorted it.

If anyone else comes across this problem where webmail was either not working or only working for some, hopefully this will help.

The server was migrated from one service provider to another. There was a line in the Froxlor config, Resources > Ips and Ports > x.x.x.x:443 that was 

Alias /webmail /var/lib/roundcube

Once this was removed, webmail started working properly.

The reason it was working for some and not all is that on the old platform it did not have IPv6, hence on the new platform it was fresh and working fine.

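An added example, not part of the original thread and not Froxlor's own code: a small Python check for the situation the last post describes, where an Alias for /webmail exists on one listener of a host but not on the other. The addresses, host name and sample config are constructed, and the missing `<Directory>` test is a heuristic that only looks inside each vhost (grants elsewhere in the server config are not seen).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: one host, IPv4 and IPv6 listeners.
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10:443>
  ServerName post.example.test
  <Directory "/var/www/froxlor/">
    Require all granted
  </Directory>
  Alias /webmail /var/lib/roundcube
</VirtualHost>
<VirtualHost [2001:db8::10]:443>
  ServerName post.example.test
  <Directory "/var/www/froxlor/">
    Require all granted
  </Directory>
  #Alias /webmail /var/lib/roundcube
</VirtualHost>
'''
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRBLOCK = re.compile(r'^[ \t]*<Directory\s+"?([^">]+)"?\s*>', re.M | re.I)

def args(body, name):
    # Argument lists of every active (not commented-out) `name` directive.
    found = re.findall(rf"^[ \t]*{name}[ \t]+(.+)$", body, re.M | re.I)
    return [[a.strip('"') for a in line.split()] for line in found]

def audit(conf):
    """Flag Alias lines lacking a <Directory> block or differing per listener."""
    by_host, findings = defaultdict(dict), []
    for listener, body in VHOST.findall(conf):
        listener, host = listener.strip(), args(body, "ServerName")[0][0]
        dirs = [d.rstrip("/") + "/" for d in DIRBLOCK.findall(body)]
        aliases = {a[0]: a[1] for a in args(body, "Alias") if len(a) == 2}
        by_host[host][listener] = aliases
        for url, target in aliases.items():
            # Heuristic: only <Directory> blocks inside this vhost are checked.
            if not any((target.rstrip("/") + "/").startswith(d) for d in dirs):
                findings.append(f"{listener}: Alias {url} -> {target} has no <Directory> block")
    for host, listeners in by_host.items():
        for url in sorted(set().union(*listeners.values())):
            have = sorted(l for l, a in listeners.items() if url in a)
            if len(have) < len(listeners):
                findings.append(f"{host}: Alias {url} only on {', '.join(have)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

To check a real server, pass the concatenated contents of the generated vhost files to `audit()`; every vhost is assumed to carry a ServerName.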
