Activating SSL in settings

[AndrewL]

Hello,

I have just installed the latest version (0.10.12) of Froxlor on my Ubuntu 18.04 VPS (Apache 2.4.29) and just trying to figure out how to adjust the settings before configuring Froxlor.

The hurdle I'm facing right now while navigating the settings is with regards to the Froxlor VirtualHost settings where I want to enable LetsEncrypt but most of the options in this section of the settings is marked as "Option not available due to other settings." [Screenshot attached below] even though I have selected the "Enable SSL usage" and "Enable Let's Encrypt" in the SSL Settings section.

What should I do?

[d00p]

If there's only one entry I bet it's port 80, you need to add a new entry with port 443 and enable SSL on that one

[AndrewL]

Hello @d00p,

My mistake with the apache restart. I thought that it would apply the changes to the server.

I ran the above code but got the following error instead:

Quote

Could not open input file: /var/www/froxlor/scripts/froxlor_master_cronjob.php

 

[AndrewL]

Please ignore the above. My Froxlor installation was in `/var/www/html/froxlor`. Rerunning the above again with correct file path.

[AndrewL]

The above script returned the following:

[information] TasksCron: Searching for tasks to do
[information] TasksCron: Task10 started - setting filesystem quota
repquota: Cannot stat() given mountpoint /dev/root: No such file or directory
Skipping...
repquota: No correct mountpoint specified.
repquota: Cannot initialize mountpoint scan.
[information] Task4 started - Rebuilding froxlor_bind.conf
[information] Cleaning dns zone files from /etc/bind/domains/
[debug] domId    domain                                  ismainbutsubto parent domain                           list of child domain ids
[debug] 2        andrewlyndem.com                        0              -                                  
[information] `/etc/bind/domains/andrewlyndem.com.zone` written
[debug] Generating dns config for andrewlyndem.com
[information] froxlor_bind.conf written
[information] Bind daemon reloaded
[information] Task4 finished
[information] Running Let's Encrypt cronjob prior to regenerating webserver config files
[information] Requesting/renewing Let's Encrypt certificates
[information] No new certificates or certificates due for renewal found
[information] apache::createIpPort: creating ip/port settings for  193.36.237.207:80
[notice] 193.36.237.207:80 :: namevirtualhost-statement no longer needed for apache-2.4
[debug] 193.36.237.207:80 :: inserted vhostcontainer
[information] apache::createIpPort: creating ip/port settings for  193.36.237.207:443
[debug] 193.36.237.207:443 :: inserted listen-statement
[debug] System certificate file "/etc/apache2/apache2.pem" does not seem to exist. Disabling SSL-vhost for "vps1.shillongserver.com"
[debug] 193.36.237.207:443 :: inserted vhostcontainer
[information] apache::createVirtualHosts: creating vhost container for domain 2, customer andrewlyndem
[information] apache::createVirtualHosts: creating vhost container for domain 1, customer andrewlyndem
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] apache::writeConfigs: rebuilding /etc/apache2/htpasswd/
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] Froxlor\Cron\Http\Apache::reload: reloading Froxlor\Cron\Http\Apache
apache2.service is not active, cannot reload.
[notice] Checking system's last guid

 

[d00p]

Looks like you did not activate let's encrypt for the froxlor vhost nor do you have alternatively the specified fallback certificate /etc/apache2/apache2.pem so naturally it cannot create a SSL vhost for you. You seem to have very basic issues, are you new to server administration?

[AndrewL]

@d00p Yes I am. I had a VPS server before using virtualmin and webmin but other than the initial installing part of it and tweaking a few settings for a couple of wordpress sites, I didn't really dabble with the server much. But I am trying to learn more about server management again now and wanted to go with Froxlor this time.

[AndrewL]

Since the server is not really live or anything and I don't have any content on it yet, should I just reinstall LAMP as well as froxlor and add a self-signed/letsencrypt cert first before adding port 443 to the list or would it be a better idea to generate a cetificate now and rerun the above script again?

[d00p]

What? No, why? Just enable let's encrypt for the Froxlor vhost, run the cronjob, it will generate your certificate if everything is setup and configured correctly of course. Hope you did go through the configuration before running the cronjob?

[AndrewL]

I did yes but that was before I added the port 443 to the list. Should I rerun the configuration for webserver again? And if yes, how do I get access the froxlor panel again since going to [ip-address]/froxlor/ or the domain name I added earlier just returns a "This site can’t be reached" error in the browser.

[d00p]

1) yes, after activating SSL and let's encrypt you should again go through the configuration (that's why one does settings prior to configuration)

2) just remove all *froxlor* files from /etc/apache2/sites-enabled/, restart apache and you should be able to access again

[AndrewL]

I have removed the froxlor files and restarted apache. I'm in the froxlor dashboard again and since there are no ssl certificates generated yet, in the SSL settings, should I leave the "Path to the SSL certificate" and "Path to the SSL Keyfile" paths empty or leave the current default values "/etc/apache2/apache2.pem" and "/etc/apache2/apache2.key" there as it is?

With regards to point 1, the option "Enable SSL usage" in the SSL Settings section and the options "Enable Let's Encrypt for the froxlor vhost" and "Enable SSL-redirect for the froxlor vhost" in the Froxlor VirtualHost settings section are all ticked. Should I go ahead and rerun the configuration now?

[d00p]

25 minutes ago, AndrewL said:

I have removed the froxlor files and restarted apache. I'm in the froxlor dashboard again and since there are no ssl certificates generated yet, in the SSL settings, should I leave the "Path to the SSL certificate" and "Path to the SSL Keyfile" paths empty or leave the current default values "/etc/apache2/apache2.pem" and "/etc/apache2/apache2.key" there as it is?

Just leave it this way, if you enable let's encrypt it will overwrite these settings, they are just a fallback

26 minutes ago, AndrewL said:

With regards to point 1, the option "Enable SSL usage" in the SSL Settings section and the options "Enable Let's Encrypt for the froxlor vhost" and "Enable SSL-redirect for the froxlor vhost" in the Froxlor VirtualHost settings section are all ticked. Should I go ahead and rerun the configuration now?

yes

[AndrewL]

I have removed the customer that I initially added as well as it's domain and then run the configuration for webserver and cron again.

Then I ran the script you gave me earlier and got the following output:

 

[information] TasksCron: Searching for tasks to do
[information] TasksCron: Task10 started - setting filesystem quota
repquota: Cannot stat() given mountpoint /dev/root: No such file or directory
Skipping...
repquota: No correct mountpoint specified.
repquota: Cannot initialize mountpoint scan.
[information] Task4 started - Rebuilding froxlor_bind.conf
[information] Cleaning dns zone files from /etc/bind/domains/
[information] No domains found for nameserver-config, skipping...
[information] Running Let's Encrypt cronjob prior to regenerating webserver config files
[information] Requesting/renewing Let's Encrypt certificates
[information] No new certificates or certificates due for renewal found
[information] apache::createIpPort: creating ip/port settings for  193.36.237.207:80
[notice] 193.36.237.207:80 :: namevirtualhost-statement no longer needed for apache-2.4
[debug] 193.36.237.207:80 :: inserted vhostcontainer
[information] apache::createIpPort: creating ip/port settings for  193.36.237.207:443
[debug] 193.36.237.207:443 :: inserted listen-statement
[debug] System certificate file "" does not seem to exist. Disabling SSL-vhost for "vps1.shillongserver.com"
[debug] 193.36.237.207:443 :: inserted vhostcontainer
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] apache::writeConfigs: rebuilding /etc/apache2/htpasswd/
[information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/
[information] Froxlor\Cron\Http\Apache::reload: reloading Froxlor\Cron\Http\Apache
apache2.service is not active, cannot reload.
[notice] Checking system's last guid

 

And the inaccessible froxlor login problem occurs again. I deleted all the froxlor files from the sites-enabled folder, restarted apache and tried again to run configuration followed by the script that you gave and yet again, the inaccessible froxlor login problem occurs.

[d00p]

You sure you've activated let's encrypt for the froxlor vhost? I don't see froxlor trying to request one...

[AndrewL]

Both "Enable Let's Encrypt for the froxlor vhost" and "Enable SSL-redirect for the froxlor vhost" are ticked in the Froxlor VirtualHost Settings section.

I noticed an option "HTTP2 Support (enable HTTP2 support for ssl.)" in the Webserver settings section which is not checked however. Should I checked that too?

[d00p]

28 minutes ago, AndrewL said:

[information] No new certificates or certificates due for renewal found

Does not look like it. Sorry, no idea what you are doing there, it's usually a 5-second-task and everythings up...

[AndrewL]

@d00p I think I might have messed up the settings somewhere when I installed froxlor. I'll try reinstalling it from scratch and follow the instructions you gave above. I think that should fix the issue if it really is a misconfigured setting that I did. I really appreciate your help man. Cheers!! I'll let you know if the new installation works or not in a while. Thanks again!

[AndrewL]

@d00p The reinstalled froxlor seems to work now. I most probably must have screwed up with the settings somewhere earlier. Thanks again for the help man!! I seem to have some problems with ftp now but I'll try to figure it out first and will post a new topic if I can't figure it out. Cheers.

[d00p]

Be sure to have vhost container enabled for the SSL IP/port, because without a vhost container, SSL options won't make sense for the froxlor vhost

[AndrewL]

Hello @d00p

How should I go about it enabling vhost container for the froxlor SSL IP/port? What I have done so far is just added SSH keys to my VPS, install LAMP stack with the help of a step-by-step guide from the digitalocean community site along with the help of the official wiki (tarball approach) for installing Froxlor.

Regards

[d00p]

Login as admin, click on "IPs/Ports", edit entry, check "create vhost container" , save

[AndrewL]

There is only one entry on the IPs/Ports list and the `create vhost container` checkbox was already checked. However, there's another checkbox for `Create Listen statement:` that is not checked. Should I checked that too?

[AndrewL]

Yes, the entry is port 80. I added another entry with port 443 and enabled SSL on it just now. I then restarted apache and the option for enabling LetSEncrypt as well as the option for SSL redirect in the Froxlor Virtualhost Settings are available now and I checked both of them and saved. I then restarted apache again but for some weird reason, I can't open [ip-address]/froxlor/ nor the domain name I added earlier anymore in my browser. I just get a "This site can’t be reached" error in chrome. 

[d00p]

Why would you restart apache if you change settings? You need to run the cronjob, which generates the corresponding vhost configs for you. If you want to invoke that manually, run:

php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug