Posts by gpeter73

gpeter73 · May 4th 2022

After following your solution I can't create any Certificates anymore:

Code

Some challenges have failed. at /var/www/imscp/gui/plugins/LetsEncrypt/backend/LetsEncrypt.pm line 834.cd /

The letsencrypt Log:

Code

Domain: khopen.xxx.xxx
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for khopen.xxx.xxx - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for khopen.xxx.xxx - check that a DNS record exists for this domain
2022-05-04 09:15:33,715:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2022-05-04 09:15:33,715:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-05-04 09:15:33,715:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-05-04 09:15:33,715:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/imscp/gui/plugins/LetsEncrypt/acme/.well-known/acme-challenge/zTyJc3Ij0EZZCesgHkNjEhSjwN5xS5Bja9mid2MAgZk
2022-05-04 09:15:33,716:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-05-04 09:15:33,716:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/sbin/certbot", line 11, in <module>
sys.exit(main())
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1357, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1237, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 351, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2022-05-04 09:15:33,717:ERROR:certbot._internal.log:Some challenges have failed.

Display More

But the domain exist and till I changed the config of my system I could create and recreate certificates

Quote from kess

Hello guys,

there you can find the solution I've adopted in order to get the systems working with every type of certificate (self signed, from CA or Let's Encrypt)

I didn't change absolutely nothing in the code of i-MSCP, everything is original.

The following has been tested ONLY on Debian Stretch x64, with a standard i-MSCP installation. No strange things.

1. Integrate the new LE CAs in your system:

Code

mkdir /usr/share/ca-certificates/letsencrypt

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3-cross-signed.crt https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem

curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem

dpkg-reconfigure ca-certificates

Here a Dialog appears.

- In the first dialog choose "yes"

- In the second select your new 7 CA certificates to import and then click OK

The result should be as follows:

Code

Updating certificates in /etc/ssl/certs...

7 added, 0 removed; done.

Running hooks in /etc/ca-certificates/update.d...

done.

2. Remove any previous certbot versions:

Code

apt remove certbot

3. Install the new and supported certbot version

Code

apt install snapd

snap install core && snap refresh core

snap install --classic certbot

4. Optional, but recommended, edit the file /var/www/imscp/gui/plugins/LetsEncrypt/config.php and update the section as follows:

Code

'certbot_create_options' => [

'--preferred-chain ISRG Root X1'

],

Save and close;

5. Remove previous symlinks that could still exist, we'll fix them in next steps:

Code

rm /usr/bin/certbot

rm /usr/local/sbin/certbot

6. HIT THE "UPDATE PLUGINS" BUTTON here: https://your.server.panel:1234/admin/settings_plugins.php

If everything goes well, the LE Plugin will reconfigure.

7. Now it's time to fix the symlinks:

Code

rm /usr/bin/certbot

ln -s /snap/bin/certbot /usr/bin/certbot

rm /usr/local/sbin/certbot

ln -s /usr/bin/certbot /usr/local/sbin/certbot

8. Now a little check:

Code

which certbot

Result:

- /usr/local/sbin/certbot

which -a certbot

Result:

- /usr/local/sbin/certbot

- /usr/bin/certbot

- /snap/bin/certbot

9. And the final check:

Code

/usr/local/sbin/certbot --version

Result:

certbot 1.19.0

Now your system will have:

- The new CA from LE that it didn't have before

- The new supported version of certbot that knows the new chains

I tested the procedure on more boxes and it works for certificates creation and for certificates revocations. I don't know if it works for renewals. Please test it and kindly report back.

Hope it helps,

bye Kess.

Display More

gpeter73 · May 4th 2022

Hi,

I'm unable to connect to my ProFTPD Server with Filezilla.
I got the following error:

Code

Status: Resolving address of www.tcxxxx.com
Status: Connecting to 85.25.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of www.tcxxxx.com
Status: Connecting to 85.25.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 [malta1264.startdedicated.de] i-MSCP FTP server.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error: Could not connect to server

Display More

I checked the cert.pem of the Domain without any errors.

service proftpd status says:

Code

Mai 04 08:10:54 malta1264 proftpd[24512]: 85.25.xxx.xxx (85.16.xxx.xxx[85.16.xxx.xxx]) - FTP session opened.
Mai 04 08:10:54 malta1264 proftpd[24512]: 85.25.xxx.xxx (85.16.xxx.xxx[85.16.xxx.xxx]) - mod_tls/2.6: unexpected OpenSSL error, disconnecting

The ftp_ssl.log says:

Code

2022-05-04 08:10:54,057 mod_tls/2.6[24512]: TLS/TLS-C requested, starting TLS handshake
2022-05-04 08:10:54,092 mod_tls/2.6[24512]: unable to accept TLS connection: received EOF that violates protocol
2022-05-04 08:10:54,092 mod_tls/2.6[24512]: panic: SSL_ERROR_SSL, line 4540:
(1) error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
2022-05-04 08:10:54,092 mod_tls/2.6[24512]: unexpected OpenSSL error, disconnecting

The SSL Section of the proftpd.conf looks like this:

Code

# SSL configuration
<Global>
<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
TLSLog /var/log/proftpd/ftp_ssl.log
TLSOptions NoCertRequest NoSessionReuseRequired
TLSRSACertificateFile /etc/imscp/imscp_services.pem
TLSRSACertificateKeyFile /etc/imscp/imscp_services.pem
TLSCACertificateFile /etc/imscp/isrgrootx1.pem
TLSVerifyClient off
</IfModule>
</Global>
<IfModule mod_tls.c>
TLSProtocol TLSv1.2
</IfModule>

Display More

Can anyone help?

gpeter73 · Jan 31st 2022

Quote from kess

Are you sure that that's the correct path where to change the ini file ?
What does

PHP

<?php phpinfo(); ?>

say ?

I don't use compiled versions, I use sury.org packages. My ini path is /etc/php/7.4/fpm/pool.d/sub.domain.com.conf

Thank you, your path was the right one. PHP_INFO was also blocked so couldn't help me.

gpeter73 · Jan 28th 2022

Hey, I need to have for each Subdomain a separate PHP-Config with for example allow_url_fopen activated or similar options.

I tried to create an config file at: /opt/phpswitcher/xxxx/php7.4/etc/php-fpm.d with the following content:

Code

[prj5.xxx.com]
user = vu2007
group = vu2007
listen = /run/phpswitcher/psw7.4-fpm-prj5.xxxx.com.sock
listen.owner = vu2007
listen.group = vu2007
listen.mode = 0660
pm = ondemand
pm.max_children = 6
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
pm.process_idle_timeout = 60s
pm.max_requests = 1000
chdir = /
security.limit_extensions = .php .php3 .php4 .php5 .php7 .pht .phtml
env[TMPDIR] = /var/www/virtual/xxxx/phptmp
php_admin_value[open_basedir] = /var/www/virtual/xxxx.com/:/opt/phpswitcher/static/php7.4/share/pear/
php_admin_value[upload_tmp_dir] = /var/www/virtual/xxxx.com/phptmp
php_admin_value[session.save_path] = /var/www/virtual/xxxx.com/phptmp
php_admin_value[soap.wsdl_cache_dir] = /var/www/virtual/xxxx.com/phptmp
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f webmaster@prj9.sbgit.com
php_admin_value[max_execution_time] = 30
php_admin_value[max_input_time] = 60
php_admin_value[memory_limit] = 127M
php_value[error_reporting] = E_ALL & ~E_DEPRECATED & ~E_STRICT
php_flag[display_errors] = off
php_flag[output_buffering] = off
php_admin_value[post_max_size] = 32M
php_admin_value[upload_max_filesize] = 32M
php_admin_flag[allow_url_fopen] = on
php_admin_value[disable_functions] = exec,passthru,popen,proc_open,show_source,shell,shell_exec,symlink,system,mail

Display More

But it does not work. I rebooted the Server each Time I changed the config.
What can I do?

gpeter73 · Jan 28th 2022

Danke Euch, werde mir das mit dem POSTFWD mal anschauen. Es geht ausschließlich um ausgehende Mails von Kunden

gpeter73 · Dec 15th 2021

Hi there,

I've noticed that we sometimes loose some Subdomains.

Their are available at the Panel and at the Database, but not at the Zonefiles. NSLookup says there are not available.

After runt: perl /var/www/imscp/engine/setup/imscp-reconfigure -da

The Subdomains are available again. There are not all Subdomains and Customers affected.

gpeter73 · Dec 14th 2021

Hi,
am Sonntag ist es wieder passiert.
Über ein gehacktes Kundenkonto wurden tausende Mails versendet. Ergebnis, der Server stand auf der Blacklist.
Wie kann man das verhindern? Über die Ratelimits von Postfix scheint es mir nicht wirklich effektiv zu sein.

gpeter73 · Nov 4th 2021

Hi,

today I installed PHP 8.0 and updated an (compiled) PHP 7.4 Version with an Packed one.

After anything was done without any Error the Website can't be loaded anymore. I looked into the error Log an saw this:

Code

[Thu Nov 04 10:00:26.932719 2021] [proxy_fcgi:error] [pid 20143:tid 139730217842432] [client xxx.xxx.xxx.xxx:58290] AH01071: Got error 'PHP message: PHP Warning: session_start(): Failed to read session data: user (path: /var/www/virtual/domain.de/phptmp) in /var/www/virtual/domain.de/htdocs/libraries/joomla/session/handler/native.php on line 260'

After I switched to an compiled Version of PHP 7.3 I could load the Website again.

Whats wrong?

gpeter73 · Oct 11th 2021

Quote from fulltilt

The clients OS, mail & web browser must support ISRG Root X1

https://letsencrypt.org/docs/certificate-compatibility/

My Problem is, IMSCP doesn't generates new Certificates for the Panel and Mail System. I don't think I can restore the old ones from Backup

gpeter73 · Oct 11th 2021

Hi,

nach den Patch wegen des Root Zertifikates aus einem anderen Thread funktionierte mein SMTP Dienst mit SSL nicht mehr.

Diesen bekomme ich derzeit nur mit einem Selbsegnieren Zertifikat ans laufen. Laut dem Letsencrypt Plugin soll dies über das Plugin laufen, aber wo finde ich die Option??

Posts by gpeter73

LetsEncrypt - SSL certificate is not valid

FTP Connection issues TLS "ECONNABORTED"

PHPSwitcher, separate PHP-Config for Subdomains

PHPSwitcher, separate PHP-Config for Subdomains

Wie das versenden von Massenmails verhindern

Strange DNS Problem

Wie das versenden von Massenmails verhindern

PHPSwitcher: Website offline when using packed PHP

SMTP Dienst Letsencrypt Zert zusweisen?!

SMTP Dienst Letsencrypt Zert zusweisen?!