Froxlor Forum

SSL/HTTPS Webmail (odd) issue


oedwards0088

Question

Hello,

I am hoping someone on here has experienced an odd issue with SSL/HTTPS when using the webmail URL, in my case, https://my.froxlorserver.com/webmail. I can't prove it for sure; however, I believe it is working for some in a different country to me, but I can't connect to the above URL using https. It will connect with http on port 80. I get the below error.

Forbidden

You don't have permission to access /webmail on this server.

I have confirmed this on different devices using different internet connections and I have cleared the cache/browsing data.

Using Digicert's tool (https://www.digicert.com/help/), the https://Froxlor admin page comes back as a success with zero issues. If I try https://froxlor/webmail, I get the below error message.

Error: my.froxlor.com/webmail is not a fully qualified public domain name or public IP address.

The above error message does not make sense as using port 80 I can get to the /webmail page, so the above might be a red herring.

Has anyone seen this issue?

Thanks in advance.


9 answers to this question

  • 0
3 hours ago, d00p said:

please provide vhost of IP/Port for port 80 and 443 and also a "ls -la" of the froxlor directory to see whether webmail is located in there or an alias is used

Hi D00p, thanks for your help again.

1). root@post:/var/www/froxlor# ls -la

drwxr-xr-x 13 froxlor froxlor    4096 Sep  4 20:03 webmail

2). root@post:/var/www/froxlor# cat 35_froxlor_ssl_vhost_mydomain.com.conf

<VirtualHost x.x.x.x:443 [x:x:x:x::x:x]:443>
  ServerName mydomain.com
  ServerAlias *.mydomain.com
  ServerAdmin myname@mydomain.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1 +TLSv1.2
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
  SSLVerifyDepth 10
  SSLCertificateFile /usr/local/ssl/post.mydomain.com.crt
  SSLCertificateKeyFile /usr/local/ssl/post.mydomain.com.key-nopass
  SSLCACertificateFile /usr/local/ssl/alphassl.pem
  SSLCertificateChainFile /usr/local/ssl/post.mydomain.com.intermediate.txt
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/myname/mydomain.com/"
  FcgidIdleTimeout 30
  SuexecUserGroup "myname" "myname"
  <Directory "/var/customers/webs/myname/mydomain.com/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/myname/mydomain.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/myname/webalizer"
  ErrorLog "/var/customers/logs/myname-error.log"
  CustomLog "/var/customers/logs/myname-access.log" combined
</VirtualHost>

3). 

<VirtualHost x.x.x.x:80 [x:x:x:x::x:x]:80>
  ServerName mydomain.com
  ServerAlias *.mydomain.com
  ServerAdmin myname@mydomain.com
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301;L,NE]
  </IfModule>
  <IfModule !mod_rewrite.c>
    Redirect 301 / https://mydomain.com/
  </IfModule>
</VirtualHost>

 


  • 0

AhHa! With your help I have temporarily fixed it.

root@me:/etc/apache2/sites-enabled# cat 10_froxlor_ipandport_138.68.188.75.443.conf

<VirtualHost 138.68.188.75:443>
DocumentRoot "/var/www/froxlor/"
 ServerName post.mydomain.com
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlor" "froxlor"
  <Directory "/var/www/froxlor/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/post.onyourcloud.zone/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
 Alias /webmail /var/lib/roundcube
 SSLEngine On
 SSLProtocol -ALL +TLSv1 +TLSv1.2
 SSLCompression Off
 SSLHonorCipherOrder On
 SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
 SSLVerifyDepth 10
 SSLCertificateFile /usr/local/ssl/post.mydomain.com.crt
 SSLCertificateKeyFile /usr/local/ssl/post.mydomain.com.key-nopass
 SSLCACertificateFile /usr/local/ssl/alphassl.pem
 SSLCertificateChainFile /usr/local/ssl/post.mydomain.com.intermediate.txt
</VirtualHost>

I hashed out the Alias line like the below

#Alias /webmail /var/lib/roundcube

Then

service apache2 reload && service apache2 restart

I was then able to connect to the webmail server using https://post.mydomain.com/webmail. I believe, when some were able to access the webmail using https and some were not, the people who were able to were using IPv6, not IPv4.

The problem I have is the comment in that file says not to manually update the file as it will be overwritten, as per the below.

# 10_froxlor_ipandport_X.X.X.X.443.conf
# Created 19.09.2017 10:10
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

What do I need to do to make this a permanent change?

Thanks in advance.


  • 0

I also have a question with regards to how to permanently redirect http > https. I modified the below file and added the bold redirect line.

Redirect / https://post.onyourcloud.zone/

<VirtualHost X.X.X.X:80>
DocumentRoot "/var/www/froxlor/"
 ServerName post.mydomain.com
 Redirect / https://post.mydomain.com/
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlor" "froxlor"
  <Directory "/var/www/froxlor/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/post.onyourcloud.zone/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
</VirtualHost>

Again, this file will be overwritten so I need to know how to make the permanent change.


  • 0

Thanks d00p. That has now sorted it.

If anyone else comes across this problem where webmail was either not working or only working for some, hopefully this will help.

The server was migrated from one service provider to another. There was a line in the Froxlor config, Resources > IPs and Ports > x.x.x.x:443, that was

Alias /webmail /var/lib/roundcube

Once this was removed, webmail started working properly.

The reason it was working for some and not all is that on the old platform it did not have IPv6, hence on the new platform it was fresh and working fine.
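
A check for the condition described in this thread, as an added example that is not part of the original posts or of Froxlor: it scans Apache vhost text for an `Alias` that hides a directory already present under `DocumentRoot` and whose target has no `<Directory>` block in the same vhost. The function name `audit_aliases`, the `docroot_entries` parameter and the sample addresses are assumptions; access grants defined in global config files are not seen by this check.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the IPv4 vhost carries a leftover Alias, the IPv6 one does not.
SAMPLE = '''
<VirtualHost 192.0.2.10:443>
  DocumentRoot "/var/www/froxlor/"
  <Directory "/var/www/froxlor/">
    Require all granted
  </Directory>
  Alias /webmail /var/lib/roundcube
  Alias /docs "/var/www/froxlor/doc"
</VirtualHost>
<VirtualHost [2001:db8::10]:443>
  DocumentRoot "/var/www/froxlor/"
  <Directory "/var/www/froxlor/">
    Require all granted
  </Directory>
</VirtualHost>
'''

def _path(raw):
    return PurePosixPath(raw.strip().strip('"'))

def audit_aliases(conf, docroot_entries):
    """Return (vhost, url, target, problems) for each suspicious Alias.

    docroot_entries: names directly under DocumentRoot (as `ls` shows them),
    passed in so the check runs without touching the filesystem.
    """
    findings = []
    vhosts = re.findall(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', conf, re.S | re.I)
    for addr, body in vhosts:
        dirs = [_path(d) for d in re.findall(r'<Directory\s+([^>]+)>', body, re.I)]
        # Commented-out lines ("#Alias ...") do not match this pattern.
        for url, target in re.findall(r'^\s*Alias\s+(\S+)\s+(\S+)\s*$', body, re.M | re.I):
            tpath, problems = _path(target), []
            # mod_alias maps the URL before DocumentRoot is consulted, so the
            # real directory of the same name is never served.
            if url.strip('/').split('/')[0] in docroot_entries:
                problems.append('shadows a DocumentRoot entry')
            if not any(d == tpath or d in tpath.parents for d in dirs):
                problems.append('target has no <Directory> block in this vhost')
            if problems:
                findings.append((addr.strip(), url, str(tpath), problems))
    return findings

if __name__ == '__main__':
    for finding in audit_aliases(SAMPLE, {'webmail'}):
        print(finding)
```

Only the IPv4 vhost is reported, which matches the symptom of webmail failing for some clients and working for others.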
