Jump to content
Froxlor Forum
  • 0
llucps

Small problems after update to Debian 9

Question

Hi,

I updated my server from Jessie to Stretch and the process was reasonably smooth with a few little problems, mainly with fail2ban and modescurity but I figured them out and fix them.

The first little problem is after the update all the logs (apache2, fail2ban, postfix, dovecot, spamassassin etc) stopped recording in their related files (mail.log, apache2.log etc..) if I run journalctl -xe I see all the activity such as postfix, dovecot, apache2 etc..so all the services are working but they are not translated to /var/log/*.log

I checked all settings in froxlor and they haven't changed after the update, all of them are pointing to the correct file, for example /var/log/mail.log for postfix and dovecot. I can't see any errors on journalctl -xe  regarding this and I'm not sure where to look at.

The other issue is regarding PHP, and that is after the update the system ended up with two PHP binaries 5.6 and 7.0, I wasn't sure whether it would install PHP 7 and delete PHP 5.6 or keep both versions. Anyway since I have the two versions installed and in PHP Configurations I'm still using version PHP 5.6 I decided to create a new configuration with PHP 7.0 to test with one of my domains and see whether was working or not, and unfortunately I get this error and obviously I get an Internal server error message if I go the the website for that domain.

[Fri Mar 23 09:42:48.397550 2018] [fcgid:warn] [pid 2226] (104)Connection reset by peer: [client 85.56.93.162:38001] mod_fcgid: error reading data from FastCGI server
[Fri Mar 23 09:42:48.397669 2018] [core:error] [pid 2226] [client 85.56.93.162:38001] End of script output before headers: index.php

My PHP configuration is the following:

System 	Linux xxxxxxxx.com 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64
Build Date 	Jan 5 2018 15:48:20
Server API 	CGI/FastCGI
Virtual Directory Support 	disabled
Configuration File (php.ini) Path 	/etc/php5/cgi
Loaded Configuration File 	/var/www/php-fcgi-scripts/froxlor.panel/xxxxxxxx.com/php.ini
Scan this dir for additional .ini files 	/etc/php5/cgi/conf.d
Additional .ini files parsed 	/etc/php5/cgi/conf.d/05-opcache.ini, /etc/php5/cgi/conf.d/10-pdo.ini, /etc/php5/cgi/conf.d/20-apcu.ini, /etc/php5/cgi/conf.d/20-curl.ini, /etc/php5/cgi/conf.d/20-gd.ini, /etc/php5/cgi/conf.d/20-imap.ini, /etc/php5/cgi/conf.d/20-intl.ini, /etc/php5/cgi/conf.d/20-json.ini, /etc/php5/cgi/conf.d/20-mcrypt.ini, /etc/php5/cgi/conf.d/20-mysql.ini, /etc/php5/cgi/conf.d/20-mysqli.ini, /etc/php5/cgi/conf.d/20-pdo_mysql.ini, /etc/php5/cgi/conf.d/20-pdo_pgsql.ini, /etc/php5/cgi/conf.d/20-pdo_sqlite.ini, /etc/php5/cgi/conf.d/20-pgsql.ini, /etc/php5/cgi/conf.d/20-readline.ini, /etc/php5/cgi/conf.d/20-sqlite3.ini
PHP API 	20131106
PHP Extension 	20131226
Zend Extension 	220131226
Zend Extension Build 	API220131226,NTS
PHP Extension Build 	API20131226,NTS
Debug Build 	no
Thread Safety 	disabled
Zend Signal Handling 	disabled
Zend Memory Manager 	enabled
Zend Multibyte Support 	provided by mbstring
IPv6 Support 	enabled
DTrace Support 	enabled
Registered PHP Streams 	https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip
Registered Stream Socket Transports 	tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2
Registered Stream Filters 	zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, mcrypt.*, mdecrypt.*

See FCGID settings on file attached.

I'm not quite sure what would be the best approach to transition to PHP 7, I guess first find out why is not working (it could be I need to install something else?) then decide whether to delete PHP 5.6 or keep it installed just in case.

Any help will be appreciated!

Thanks

Lluc

 

 

 

 

 

 

 

Screen Shot 2018-03-23 at 10.25.53.png

Share this post


Link to post
Share on other sites

24 answers to this question

Recommended Posts

  • 0
7 minutes ago, llucps said:

The first little problem is after the update all the logs (apache2, fail2ban, postfix, dovecot, spamassassin etc) stopped recording in their related files (mail.log, apache2.log etc..) if I run journalctl -xe I see all the activity such as postfix, dovecot, apache2 etc..so all the services are working but they are not translated to /var/log/*.log

Not froxlor related, all upgrade I've done never had this issue. Disk full?

 

8 minutes ago, llucps said:

The other issue is regarding PHP, and that is after the update the system ended up with two PHP binaries 5.6 and 7.0, I wasn't sure whether it would install PHP 7 and delete PHP 5.6 or keep both versions.

Never had this issue either, usually debian dist-upgrade upgrades the packages, so you should have php-7 installed now

 

9 minutes ago, llucps said:

I decided to create a new configuration with PHP 7.0

Show us your php-config settings for this please (php-binary etc.)

Share this post


Link to post
Share on other sites
  • 0
2 minutes ago, d00p said:

Not froxlor related, all upgrade I've done never had this issue. Disk full?

Never had this issue either, usually debian dist-upgrade upgrades the packages, so you should have php-7 installed now

There is plenty of disk space 52 GB.. It's strange I'll try to dig in a little more and google it.

I have both versions installed 5.6 and 7.0 see my /usr/bin/php*

lrwxrwxrwx 1 root root      21 Apr  4  2014 /usr/bin/php -> /etc/alternatives/php
-rwxr-xr-x 1 root root 9089768 Jan  5 16:13 /usr/bin/php5
-rwxr-xr-x 1 root root 9059112 Jan  5 16:13 /usr/bin/php5-cgi
-rwxr-xr-x 1 root root 4389936 Jan  5 14:51 /usr/bin/php7.0
lrwxrwxrwx 1 root root      25 Apr  4  2014 /usr/bin/php-cgi -> /etc/alternatives/php-cgi

/usr/bin/php -v

PHP 7.0.27-0+deb9u1 (cli) (built: Jan  5 2018 13:51:52) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.27-0+deb9u1, Copyright (c) 1999-2017, by Zend Technologies

/usr/bin/php-cgi -v

PHP 5.6.33-0+deb8u1 (cgi-fcgi) (built: Jan  5 2018 15:48:20)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

I have two PHP configurations setup both with /usr/bin/php-cgi so PHP 5.6, all is working, but not if I change to PHP 7

2 minutes ago, d00p said:

Show us your php-config settings for this please (php-binary etc.)

PHP 7 Configuration:

PHP Binary: /usr/bin/php
File extensions: php
Umask (default: 022): 022



allow_call_time_pass_reference = Off
allow_url_fopen = On
asp_tags = Off
default_charset = UTF-8
disable_classes =
disable_functions = curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system
display_errors = Off
display_startup_errors = Off
enable_dl = Off
error_reporting = E_ALL & ~E_NOTICE
expose_php = Off
file_uploads = On
cgi.force_redirect = 1
gpc_order = "GPC"
html_errors = Off
ignore_repeated_errors = Off
ignore_repeated_source = Off
include_path = ".:{PEAR_DIR}"
log_errors = On
log_errors_max_len = 1024
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 72M
{OPEN_BASEDIR_C}open_basedir = "{OPEN_BASEDIR}"
output_buffering = 4096
post_max_size = 64M
precision = 14
register_argc_argv = Off
register_globals = Off
report_memleaks = On
sendmail_path = "/usr/sbin/sendmail -t -i -f {CUSTOMER_EMAIL}"
session.auto_start = 0
session.bug_compat_42 = 0
session.bug_compat_warn = 1
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain =
session.cookie_lifetime = 0
session.cookie_path = /
session.entropy_file = /dev/urandom
session.entropy_length = 16
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.name = PHPSESSID
session.referer_check =
session.save_handler = files
session.save_path = "{TMP_DIR}"
session.serialize_handler = php
session.use_cookies = 1
session.use_trans_sid = 0
short_open_tag = On
suhosin.mail.protect = 1
suhosin.simulation = Off
track_errors = Off
upload_max_filesize = 64M
upload_tmp_dir = "{TMP_DIR}"
variables_order = "GPCS"
opcache.restrict_api = "{DOCUMENT_ROOT}"

Share this post


Link to post
Share on other sites
  • 0

One thing I noticed:

/usr/bin/php-cgi says

PHP 5.6.33-0+deb8u1 (cgi-fcgi)

and /usr/bin/php says

PHP 7.0.27-0+deb9u1 (cli)

one  cgi.-fcgi and the other cli.. could it be this small detail?

All php packages installed: (dpkg -l)

ii  php-cli                                     1:7.0+49                   all                        command-line interpreter for the PHP scripting language (default)
ii  php-common                                  1:49                       all                        Common files for PHP packages
ii  php-pear                                    1:1.10.1+submodules+notgz- all                        PEAR Base System
ii  php-xml                                     1:7.0+49                   all                        DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii  php-xml-parser                              1.3.4-7                    all                        XML parsing class based on PHP's bundled expat
ii  php5                                        5.6.33+dfsg-0+deb8u1       all                        server-side, HTML-embedded scripting language (metapackage)
ii  php5-apcu                                   4.0.7-1                    amd64                      APC User Cache for PHP 5
ii  php5-cgi                                    5.6.33+dfsg-0+deb8u1       amd64                      server-side, HTML-embedded scripting language (CGI binary)
ii  php5-cli                                    5.6.33+dfsg-0+deb8u1       amd64                      command-line interpreter for the php5 scripting language
ii  php5-common                                 5.6.33+dfsg-0+deb8u1       amd64                      Common files for packages built from the php5 source
ii  php5-curl                                   5.6.33+dfsg-0+deb8u1       amd64                      CURL module for php5
rc  php5-fpm                                    5.4.4-14+deb7u8            amd64                      server-side, HTML-embedded scripting language (FPM-CGI binary)
ii  php5-gd                                     5.6.33+dfsg-0+deb8u1       amd64                      GD module for php5
rc  php5-imagick                                3.2.0~rc1-1                amd64                      Provides a wrapper to the ImageMagick library
ii  php5-imap                                   5.6.33+dfsg-0+deb8u1       amd64                      IMAP module for php5
ii  php5-intl                                   5.6.33+dfsg-0+deb8u1       amd64                      internationalisation module for php5
ii  php5-json                                   1.3.6-1                    amd64                      JSON module for php5
rc  php5-ldap                                   5.6.24+dfsg-0+deb8u1       amd64                      LDAP module for php5
ii  php5-mcrypt                                 5.6.33+dfsg-0+deb8u1       amd64                      MCrypt module for php5
ii  php5-mysql                                  5.6.33+dfsg-0+deb8u1       amd64                      MySQL module for php5
ii  php5-pgsql                                  5.6.33+dfsg-0+deb8u1       amd64                      PostgreSQL module for php5
rc  php5-pspell                                 5.6.30+dfsg-0+deb8u1       amd64                      pspell module for php5
ii  php5-readline                               5.6.33+dfsg-0+deb8u1       amd64                      Readline module for php5
ii  php5-sqlite                                 5.6.33+dfsg-0+deb8u1       amd64                      SQLite module for php5
rc  php5-xmlrpc                                 5.6.30+dfsg-0+deb8u1       amd64                      XML-RPC module for php5
ii  php7.0-cli                                  7.0.27-0+deb9u1            amd64                      command-line interpreter for the PHP scripting language
ii  php7.0-common                               7.0.27-0+deb9u1            amd64                      documentation, examples and common module for PHP
ii  php7.0-json                                 7.0.27-0+deb9u1            amd64                      JSON module for PHP
ii  php7.0-opcache                              7.0.27-0+deb9u1            amd64                      Zend OpCache module for PHP
ii  php7.0-readline                             7.0.27-0+deb9u1            amd64                      readline module for PHP
ii  php7.0-xml                                  7.0.27-0+deb9u1            amd64                      DOM, SimpleXML, WDDX, XML, and XSL module for PHP

 

Regarding the log problem... I found this error runing /etc/init.d/postfix status.. I think this could be the problem

Mar 23 11:07:47 xxxxxxxx.com systemd[1]: postfix.service: Failed to set invocation ID on control group /system.slice/postfix.service, ignoring: Operation not permitted

 

Share this post


Link to post
Share on other sites
  • 0
1 hour ago, d00p said:

You cannot use /usr/bin/php as FCGID binary...it has to be php-cgi and you dont seem to have php7.0-cgi installed

Did you even try to google your postfix/systemd issue? -> https://github.com/systemd/systemd/issues/5236

I managed to install some missing PHP7 packages and now is working well. My question is, now that PHP7 is working can I safely remove PHP5? I see two directories in :

Global PEAR directories -> /usr/share/php/:/usr/share/php5/

Just wondering if I remove PHP 5 whether /usr/share/php5 will be removed or I can remove it myself from the text field.

Regarding the systemd issue.. sorry I googled but I couldn't find that information. It seems the minimum kernel supported is 3.12 and I have 2.6.32. Let's see if I can update it.

I'm almost there.. spamassassin is not working either I'll check that too.

Many thanks,

 

 

Share this post


Link to post
Share on other sites
  • 0

You have a 2.6 kernel? holy....it's been YEARS since I last saw that....you should upgrade that asap

regarding the PEAR directories -> just check your system where the php pear directories are for php7, mostly also in /usr/share/ - and yes, if php7 is working fine for you, you can safely remove 5.6

Share this post


Link to post
Share on other sites
  • 0
14 minutes ago, d00p said:

You have a 2.6 kernel? holy....it's been YEARS since I last saw that....you should upgrade that asap

regarding the PEAR directories -> just check your system where the php pear directories are for php7, mostly also in /usr/share/ - and yes, if php7 is working fine for you, you can safely remove 5.6

Oh well... it seems I reached a dead end. My VPS uses OpenVZ so I can't upgrade the kernel myself it's up to the hosting provider, and it's unlikely they will do it.

I think I better start over and move to Hetzner with a more reliable VPS platform, with snapshots and where I'll be able to update the kernel. Actually I already setup another server with them and works very well..

It's just a lot of work... but I knew this day would come eventually.

Just one dumb question about the migration.

I wonder if a I can setup the new server and get ready to migrate everything carefully and pointing my xxxx.com main domain to the new nameservers in the last minute when all the services are installed.

What I mean is whether I need the hostname to install the new sever or I can use the IP instead and when all is propery installed and working change the nameservers.. I want to make the transition as smooth as possible.

Thanks,

Share this post


Link to post
Share on other sites
  • 0

Froxlor requires a valid FQDN for the installation. Just use the search-function, there are many migration threads on here

Share this post


Link to post
Share on other sites
  • 0

Thank you d00p,

I'm in the process of moving all databases (mysql, froxlor etc) and maybe is stupid question. But how can I import the mysql database to into to the new server? I mean when you install mariaDB on a new server it already creates the mysql database, so I can't import using the command:

mysql mysql < mysql.sql

this would overwrite the root user and if I try it gets stucked.

I couldn't find the way to import the data mainly in tables users, db, innodb_index_stats, innodb_table_stats which seems where all the data is.. Do I have to do it manually? if so, how?

Thanks,

Share this post


Link to post
Share on other sites
  • 0

Hi,

I'm getting there.. at the end I started the whole process from scratch.. painful but steady.

I was about to install dkim-filter with apt-get install but the package doesn't exist anymore and according Froxlor opendkim is not supported yet. How can I install dkim-filter on Stretch?

Thanks,

P.D Don't worry I found the dkim-filter package, and is up and running..

 

Share this post


Link to post
Share on other sites
  • 0

Hi,

Finally I managed to get everything working.. except one small issue. I can't get the Virtual domains letsencrypt certificates to work, Let me explain:

The "Enable Let's Encrypt for the froxlor vhost" is disabled because I manage the certificate for the hostname myself, I installed certbot, got the certificate, and manually insert them in IP/PORTS 443 so that's working.

5ab8adb23c792_ScreenShot2018-03-26at10_20_58.thumb.png.eb036439ce7c8255900f3eea03d1cd5e.png

The problem is with Virtual domains certificates. What I do is check these options for each domain:

5ab8ac7d979c0_ScreenShot2018-03-26at10_10_10.thumb.png.d0afb173ee37dd4414c9d0228c11ad7a.png

And then run these two scripts:

/usr/bin/php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force
/usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt 1> /dev/null

And I get this error:

Could not get Let's Encrypt certificate for xxxxxxx.com: Verification ended with error: {"identifier":{"type":"dns","value":"xxxxxxxx.com"},"status":"invalid","expires":"2018-04-02T07:58:01Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http:\/\/xxxxxxx.com\/.well-known\/acme-challenge\/q5MgvUod6jWmc7SFqh2Ns7GzuLD20xlN7wqrXyJsf6s: \"<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>404 Not Found<\/title>\n<\/head><body>\n<h1>Not Found<\/h1>\n<p\"","status":403},"uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/oNDyFaqNbifRUl6lW4cL7r_U7MeYUjGq-nz3fgcUHpk\/112085799","token":"q5MgvUod6jWmc7SFqh2Ns7GzuLD20xlN7wqrXyJsf6s","keyAuthorization":"q5MgvUod6jWmc7SFqh2Ns7GzuLD20xlN7wqrXyJsf6s.Uonnxp7enhwz-TbOBrK-RowzBK3PFDw3ntAKcOAQlx4","validationRecord":[{"url":"http:\/\/xxxxxx.com\/.well-known\/acme-challenge\/q5MgvUod6jWmc7SFqh2Ns7GzuLD20xlN7wqrXyJsf6s","hostname":"xxxxxxxxx.com","port":"80","addressesResolved":["195.201.96.107"],"addressUsed":"195.201.96.107"}]},{"type":"dns-01","status":"invalid","uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/oNDyFaqNbifRUl6lW4cL7r_U7MeYUjGq-nz3fgcUHpk\/112085800","token":"xW18ZOYXgnswsfD2hLDkp-Q229wU5hp3jQb6tvLtw_U"}],"combinations":[[0],[1]]}

Something that I realized is after activating the SSL IP address, SSL redirect and Use Let's Encrypt options for Virtual Domains and running the config job cron the outcome Apache file has the SSL certificate from froxlor hostname.. and I suspect the error could come from this side:

# 35_froxlor_ssl_vhost_xxxxxxx.com.conf
# Created 26.03.2018 09:57
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 8 (SSL) - CustomerID: 1 - CustomerLogin: yyyyyy
<VirtualHost xxx.xxx.xxx.xxx:443>
  ServerName xxxxxxxx.com
  ServerAlias www.xxxxxxxxx.com
  ServerAdmin yyy@xxxxxxxx.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1 +TLSv1.2
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLVerifyDepth 10
  SSLCertificateFile /etc/letsencrypt/live/froxlor_hostname.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/froxlor_hostname/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/froxlor_hostname/fullchain.pem
  SSLCertificateChainFile /etc/letsencrypt/live/froxlor_hostname/chain.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/yyyyy/xxxxxxxxx/"
  FcgidIdleTimeout 30
  SuexecUserGroup "yyyyy" "yyyyy"
  <Directory "/var/customers/webs/yyyyyy/xxxxxxxxx/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/squeaky/xxxxxxxx/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/xxxxxx/webalizer"
  ErrorLog "/var/customers/logs/xxxxx-error.log"
  CustomLog "/var/customers/logs/xxxxxxx-access.log" combined
</VirtualHost>

I don't know if it matters, but I also checked that that the /etc/apache2/conf-enabled/acme.conf exists 

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
	Require all granted
</Directory>

One thing to mention is have the virtual domain certificates since they were created on my "old" server, so if I place them manually into /etc/ssl/froxlor-custom and add them in the apache files, the work perfectly.. Obviously the problem comes from renew them or obtain them from the "new" server.

Any idea what could it be? I tried everything..

Thanks!

 

 

 

 

Share this post


Link to post
Share on other sites
  • 0
1 minute ago, llucps said:

so if I place them manually into /etc/ssl/froxlor-custom

Don't do that, froxlor manages this folder and it gets cleaned on regeneration of the certificates.

Also, why handle the froxlor-vhost certificate manually via certbot if froxlor can do that for you?

Validate that your acme-alias is working, put a test-file with "hello" in it into /var/www/froxlor/.well-known/acme-challenge and call http://yourdomain.com/.well-known/acme-challenge/test-file to see if it outputs "hello"

Share this post


Link to post
Share on other sites
  • 0

Mainly because I don't have the option the get mail.hostname.com subdomain.. I would get hostname.com and www.hostname.com but not mail.hostname.com.

I made progress... the problem I believe was I have a custom apache file to redirect all calls from http://hostname.com/froxlor to http://froxlor.hostname.com..

So, I created a hello.html in /var/www/froxlor/.well-known/acme-challenge and it works is accessible.

So removed the file, restart the apache and launched the cron job again.. and I get this error:

Could not get Let's Encrypt certificate for virtualdomain.com: Curl error: SSL: no alternative certificate subject name matches target host name 'virtualdomain.com'

any idea?

Thanks

Share this post


Link to post
Share on other sites
  • 0
3 minutes ago, llucps said:

the problem I believe was I have a custom apache file to redirect all calls from http://hostname.com/froxlor to http://froxlor.hostname.com..

custom...says it alll

3 minutes ago, llucps said:

Could not get Let's Encrypt certificate for virtualdomain.com: Curl error: SSL: no alternative certificate subject name matches target host name 'virtualdomain.com'

why would let's encrypt try to open a ssl connection for validation? Don't know what you are doing, most likely more custom stuff. Works perfectly fine on many machines here

Share this post


Link to post
Share on other sites
  • 0

I don't think I have any other customization, I even remove the option Enable SSL-redirect for the froxlor vhost  in Froxlor VirtualHost settings just in case...

On thing to blame myself was I had the configfile cronjob disabled... so that's my fault. Although all crons are active now.

I did manage to get this:

Skipping Let's Encrypt generation for xxxxxxxx.com due to an enabled ssl_redirect

I thought eureka!! so I unchecked the SSL Redirect option as the warning specified, so only SSL IP Address and Use Let's Encrypt were checked.

and I get these two errors (in chronological order):

[Lets Encrypt self-check] Please check http://xxxxxxxx.com/.well-known/acme-challenge/YMbO1LF1jn6JTU98dFphoitPJ3Y2meOXbG05SxKQCFM - token seems to be not available. This is just a simple self-check, it might be wrong but consider using this information when Let's Encrypt fails to issue a certificate
Could not get Let's Encrypt certificate for xxxxxx.com: Verification ended with error: {"identifier":{"type":"dns","value":"xxxxxxxxx.com"},"status":"invalid","expires":"2018-04-02T10:55:03Z","challenges":[{"type":"dns-01","status":"invalid","uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/UIqUJNrlHmhkPEGFAWeBWfw9sNpkwMJl0xdJJ5rd0Dk\/112115765","token":"eI15xhc_QV8yOw6PA9TPNBmBeB0rQ1n3AaObdgyLruc"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http:\/\/xxxxxx.com\/.well-known\/acme-challenge\/OB8uOeTWMVIH_yLvChykFW7QuyhTKoePFa44EQbrpBU: \"<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>404 Not Found<\/title>\n<\/head><body>\n<h1>Not Found<\/h1>\n<p\"","status":403},"uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/UIqUJNrlHmhkPEGFAWeBWfw9sNpkwMJl0xdJJ5rd0Dk\/112115766","token":"OB8uOeTWMVIH_yLvChykFW7QuyhTKoePFa44EQbrpBU","keyAuthorization":"OB8uOeTWMVIH_yLvChykFW7QuyhTKoePFa44EQbrpBU.BmmkzlbZ7EfNABqYJGl5LskffdqisVLBzg0k5kuOB_k","validationRecord":[{"url":"http:\/\/xxxxxx.com\/.well-known\/acme-challenge\/OB8uOeTWMVIH_yLvChykFW7QuyhTKoePFa44EQbrpBU","hostname":"xxxxxxxx.com","port":"80","addressesResolved":["195.201.96.107"],"addressUsed":"195.201.96.107"}]}],"combinations":[[0],[1]]}

Then after this error.. froxlor creates a 35_froxlor_ssl_vhost_xxxxxxxx.com.conf file with the values from the hostname certificate in IP/PORTS 443, these ones:

5ab8d489d1daf_ScreenShot2018-03-26at10_20_58.thumb.png.527856e24ce691f8b79e506058579a7a.png

I really don't understand... since the domain is reachable and works.. (xxxxxxxxx.com).. I don't get why froxlor can't reach the domain put the token and create the certificate.

Sorry to be a pain but I'm trying everytinng in every way.

Thanks,

 

Share this post


Link to post
Share on other sites
  • 0

local dns....try to deactivate the let's encrypt self-check and see whether this works. Also, when changing ssl-redirect stuff, you need to regenerate configfiles too (froxlor_master_cronjob.php --force --debug) to have the new vhost being generated.

And again, why specify let's encrypt certificates in IP/Port when you can just check "Let's Encrypt for froxlor vhost" in the froxlor-vhost settings...

Share this post


Link to post
Share on other sites
  • 0
1 hour ago, d00p said:

And again, why specify let's encrypt certificates in IP/Port when you can just check "Let's Encrypt for froxlor vhost" in the froxlor-vhost settings...

I did it that way, because initially Froxlor didn't have the option to create Let's Encrypt certificate for the vhost, so I install certbot and created it manually and have multiple subdomains such as mail.xxx.com. so I could use it for email (dovecot) and hostname. This setup is also how I had it in my old server, and Froxlor was working perfectly and being able to renew the virtual domain certificates with no problem. Regarding the mail.xxx.com and hostname certificate I made a script and using cron to renew it.

So, let's step back and go to process step by step of how to create certificates for virtual domains, I'm literally going in circles and getting more confused.

It seems obvious that in IP/PORTS we need to create 2 entries one with port 80 and the other one with 443 to be used for SSL. If we setup the 443 we and check Is this an SSL Port?, then we are forced to specify the four fields (Path to the SSL Certificate etc..), otherwise when we try to create a certificate for a virtual domain Froxlor complains of xxxxx.com :: empty certificate file! Cannot create ssl-directives, and none certificate is created. Then if I specify the directory where the certificate a I manually created with certbot, then when we want to create a certificate for a virtual domain then it gets this mail.xxx.com hostname values, so it doesn't work.

So, if we don't check the Is this an SSL Port?, then we dont have the SSL option to setup in virtual domains.. so I assume we MUST create that 443 entry in IP/ports.. but then I'm forced to specifiy the four directives I mentioned above which relate to the hostname vhost domain.

Can you specify step by step the options I have to check in order to get the 443 SSL options in virtual domains and therefore to create its domain?

P.D. I also tried to createa certificate for the vhost by hecking Let's Encrypt for froxlor vhost and I also got the same error:

Could not get Let's Encrypt certificate for hostname.com: Verification ended with error: {"identifier":{"type":"dns","value":"hostname.com"},"status":"invalid","expires":"2018-04-02T12:45:03Z","challenges":[{"type":"dns-01","status":"invalid","uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/v-pYQ61JbBBJv7VPzbfNT8qjwOEiES8knQVrZa5AsrE\/112138223","token":"fkwhTv44irQxIg4ioUphc3Jyxsgf6JaLlsoI3EI0CO0"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http:\/\/hostname.com\/.well-known\/acme-challenge\/PMdooEBSj38A5gFLUEUKkOHnFKKbGXdbPBOQScEziq4: \"<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>404 Not Found<\/title>\n<\/head><body>\n<h1>Not Found<\/h1>\n<p\"","status":403},"uri":"https:\/\/acme-staging.api.letsencrypt.org\/acme\/challenge\/v-pYQ61JbBBJv7VPzbfNT8qjwOEiES8knQVrZa5AsrE\/112138224","token":"PMdooEBSj38A5gFLUEUKkOHnFKKbGXdbPBOQScEziq4","keyAuthorization":"PMdooEBSj38A5gFLUEUKkOHnFKKbGXdbPBOQScEziq4.BzA_ow8z1IpZskT_cUzCJ9D6UNIjVgvAXvemCXHMfIk","validationRecord":[{"url":"http:\/\/squeakyhost.com\/.well-known\/acme-challenge\/PMdooEBSj38A5gFLUEUKkOHnFKKbGXdbPBOQScEziq4","hostname":"hostname.com","port":"80","addressesResolved":["195.201.96.107"],"addressUsed":"195.201.96.107"}]}],"combinations":[[1],[0]]}

Your help is and will be much appreciated.

Thank for you patience.

 

 

Share this post


Link to post
Share on other sites
  • 0
12 minutes ago, llucps said:

then we are forced to specify the four fields (Path to the SSL Certificate etc..)

only if you don't activate let's encrypt for the froxlor vhost :P

Does the Server has an IPv6 address which is not configured in froxlor or the domain did not get assigned?

Share this post


Link to post
Share on other sites
  • 0

Also, froxlor by default generates vhost that exclude .well-known/acme-challenge/ from being redirected to https in case a SSL-redirect is enabled ...can you please nopaste the vhosts of 

1) the froxlor-vhost (the ones starting with 10_*) and

2) the vhost of the domain you want to request the certificate for (starts with 35_*)

Share this post


Link to post
Share on other sites
  • 0

Something weird is happening here.. before I paste the information. Can you tell me if you have access to http://www.squeakyhost.com/froxlor/.well-known/acme-challenge/hello.html ?

I'm getting redirect to https://www.squeakyhost.com/froxlor... using chrome, firefox, safari, cleaning caches, cookies etc... Using my phone either wifi or 3g (another network) it doesn't redirect and works at it should to http:// without s. I removed the SSL port, and any redirect...

I did reset the router, everything I can think of.. and still it doesn't work... if it were cache it would not owrk with the phone on wifi since is the same network... it's really strange.

Jesus today is not my day..

I'll paste the info right away

 

 

 

Share this post


Link to post
Share on other sites
  • 0

Let see... above you said:

Validate that your acme-alias is working, put a test-file with "hello" in it into /var/www/froxlor/.well-known/acme-challenge and call http://yourdomain.com/.well-known/acme-challenge/test-file to see if it outputs "hello" 

I'm not sure whether is a mistake or not, but I understand the the test-file would go into /var/www/froxlor/.well-known/acme-challenge folder but then It would be accesible from http://squeakyhost.com/froxlor/.well-known/acme-challenge/hello.html

and you said https://squeakyhost.com/.well-known/acme-challenge/hello.html without the froxlor folder? the root is /var/www/ so it won't be accessible..

Am i missing something?

Thanks,

 

Share this post


Link to post
Share on other sites
  • 0

The info:

# 10_froxlor_ipandport_XXX.XXX.XX.XX:443.conf
# Created 26.03.2018 16:51
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

<VirtualHost 195.201.96.107:443>
DocumentRoot "/var/www/"
 ServerName xxxxxxxxx.com
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlorlocal" "froxlorlocal"
  <Directory "/var/www/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/xxxxxxx.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
ServerAlias www.xxxxxxxxx.com
 SSLEngine On
 SSLProtocol -ALL +TLSv1 +TLSv1.2
 SSLCompression Off
 SSLHonorCipherOrder On
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 SSLVerifyDepth 10
 SSLCertificateFile /etc/letsencrypt/live/xxxxxxxx.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxxx.com/privkey.pem
 SSLCACertificateFile /etc/letsencrypt/live/xxxxxxxx.com/fullchain.pem
 SSLCertificateChainFile /etc/letsencrypt/live/xxxxxxxxx.com/chain.pem
</VirtualHost>
# 10_froxlor_ipandport_xxx.xxx.xxx.80.conf
# Created 26.03.2018 16:57
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

<VirtualHost 195.201.96.107:80>
DocumentRoot "/var/www/"
 ServerName xxxxxxx.com
  FcgidIdleTimeout 30
  SuexecUserGroup "froxlorlocal" "froxlorlocal"
  <Directory "/var/www/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/froxlor.panel/xxxxxxxx.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
ServerAlias www.xxxxxx.com
</VirtualHost>
# 35_froxlor_normal_vhost_xxxxxxxx.com.conf
# Created 26.03.2018 16:57
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 8 - CustomerID: 1 - CustomerLogin: xxxxxx
<VirtualHost 195.201.96.107:80>
  ServerName xxxxxxxx.com
  ServerAlias www.xxxxxxx.com
  ServerAdmin xx@xxxxxx.com
  DocumentRoot "/var/customers/webs/xxxxx/xxxxxx/"
  FcgidIdleTimeout 30
  SuexecUserGroup "xxxx" "xxxx"
  <Directory "/var/customers/webs/squeaky/xxxxxx/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/xxxxx/xxxxxx.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/xxxx/webalizer"
  ErrorLog "/var/customers/logs/xxx-error.log"
  CustomLog "/var/customers/logs/xxxx-access.log" combined
</VirtualHost>
# 35_froxlor_ssl_vhost_xxxxxx.com.conf
# Created 26.03.2018 16:57
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 8 (SSL) - CustomerID: 1 - CustomerLogin: xxxxx
<VirtualHost 195.201.96.107:443>
  ServerName xxxx.com
  ServerAlias www.xxxxxx.com
  ServerAdmin xxxx@xxxxxx.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1 +TLSv1.2
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLVerifyDepth 10
  SSLCertificateFile /etc/letsencrypt/live/xxxxx.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/xxxxx.com/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/xxxxxx.com/fullchain.pem
  SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx.com/chain.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/xxxxx/xxxxxx/"
  FcgidIdleTimeout 30
  SuexecUserGroup "xxxx" "xxx"
  <Directory "/var/customers/webs/xxx/xxxxx/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/squeaky/xxxxxxx.com/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/xxx/webalizer"
  ErrorLog "/var/customers/logs/xxx-error.log"
  CustomLog "/var/customers/logs/xxxx-access.log" combined
</VirtualHost>

 

Share this post


Link to post
Share on other sites
  • 0

DONE!!!!! :lol::lol:

sorry you're going to kill me... I swear I thought did that step but obviously I didn't.

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
    Require all granted
</Directory>

it makes total sense if that directive wasn't present.

Thanks for your help and understanding.!

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now





×
×
  • Create New...