Script fails to create SSL certificates for the ISPConfig interface, causing nginx and amavis to fail to start
Script fails to create a security key and results in failed nginx and amavis restart as follows:
...
e is 65537 (0x10001)
end of string encountered while processing type of subject name element #5
problems making Certificate Request
/usr/local/ispconfig/interface/ssl/ispserver.csr: No such file or directory
140084984571536:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/ispconfig/interface/ssl/ispserver.csr','r')
140084984571536:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Job for amavis.service failed. See 'systemctl status amavis.service' and 'journalctl -xn' for details.
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
Installation completed.
Restarting nginx (via systemctl): nginx.serviceJob for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
failed!
Well done ISPConfig installed and configured correctly :D
Now you can connect to your ISPConfig installation at https://:8080 or https://IP_ADDRESS:8080
You can visit my GitHub profile at https://github.com/servisys/ispconfig_setup/
Phpmyadmin is accessibile at http://:8081/phpmyadmin or http://IP_ADDRESS:8081/phpmyadmin
Webmail is accessibile at https:///webmail or https://IP_ADDRESS/webmail
root@debian-ispconfig3:/tmp/servisys-ispconfig_setup-bf3cb93#
# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since Sat 2016-03-19 14:39:40 CET; 1min 42s ago
Process: 7138 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 9467 (code=exited, status=0/SUCCESS)
Mar 19 14:39:40 debian-ispconfig3 nginx[7138]: nginx: [emerg] BIO_new_file("/usr/local/ispconfig/interface/ssl/ispserver.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/loc...le:no such file)
Mar 19 14:39:40 debian-ispconfig3 nginx[7138]: nginx: configuration file /etc/nginx/nginx.conf test failed
Mar 19 14:39:40 debian-ispconfig3 systemd[1]: nginx.service: control process exited, code=exited status=1
Mar 19 14:39:40 debian-ispconfig3 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Mar 19 14:39:40 debian-ispconfig3 systemd[1]: Unit nginx.service entered failed state.
Mar 19 14:39:41 debian-ispconfig3 systemd[1]: Unit nginx.service cannot be reloaded because it is inactive.
Hint: Some lines were ellipsized, use -l to show in full.
# journalctl -xn
Mar 19 14:43:03 debian-ispconfig3 systemd[1]: getty@tty5.service has no holdoff time, scheduling restart.
Mar 19 14:43:03 debian-ispconfig3 systemd[1]: Stopping Getty on tty5...
-- Subject: Unit getty@tty5.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit getty@tty5.service has begun shutting down.
Mar 19 14:43:03 debian-ispconfig3 systemd[1]: Starting Getty on tty5...
-- Subject: Unit getty@tty5.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit getty@tty5.service has begun starting up.
Mar 19 14:43:03 debian-ispconfig3 systemd[1]: Started Getty on tty5.
-- Subject: Unit getty@tty5.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit getty@tty5.service has finished starting up.
--
-- The start-up result is done.
Mar 19 14:43:03 debian-ispconfig3 agetty[16238]: /dev/tty5: No such file or directory
Mar 19 14:43:05 debian-ispconfig3 dhclient[60]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
I found a similar issue with TurnKey Linux on LXC, and here is the solution that worked in TurnKey Linux at least: https://github.com/turnkeylinux/tracker/issues/587#issuecomment-197177925 as posted by @JedMeister
URL=https://raw.githubusercontent.com/turnkeylinux/common/master/overlays/turnkey.d/sslcert
FILE=usr/local/bin/turnkey-make-ssl-cert
wget -O /$FILE $URL/$FILE
turnkey-make-ssl-cert --default --force-overwrite
service nginx restart
It suggests creating and force-overwriting the security certificates.
@zenny - it may be a similar issue but I'm not sure that the fix would be relevant anywhere other than TurnKey though. The error/issue (in TurnKey) was caused by a bug in our turnkey-make-ssl-cert script (which all appliances use to create self-signed SSL certs).
I did the following to solve the above problem by reissuing the certs (can cut and paste):
BACKUP THE OLD CERTS
tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
chmod 600 /root/ispconfig_ssl_backup.tar.gz
CREATED NEW CSR
cd /usr/local/ispconfig/interface/ssl
openssl genrsa -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
-des3 was removed from the second command above to issue it without a passphrase (ref: http://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase)
CREATED CERTS
openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
REPLACED NEW CERTS WITH NEW
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key
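A fail-closed check to run after reissuing the certificates as in the comment above and before restarting nginx, added here as an example (not code from ispconfig_setup or from any commenter). The function name and exit codes are this example's own convention; the file names and default path are the ones shown in the log.

```shell
#!/bin/sh
# Added example: verify the ISPConfig interface key/cert pair before a restart.
# Exit codes (this example's convention):
#   0 ok, 2 file missing/empty, 3 key readable by group/other,
#   4 key or cert cannot be parsed, 5 key and cert do not match, 6 cert expired.
check_ispconfig_tls() {
    _dir=${1:-/usr/local/ispconfig/interface/ssl}
    _key=$_dir/ispserver.key
    _crt=$_dir/ispserver.crt

    # The installer run above went on to "Installation completed" although
    # ispserver.crt was never written; nginx then failed its config test.
    if [ ! -s "$_key" ] || [ ! -s "$_crt" ]; then
        echo "missing or empty key/cert in $_dir" >&2; return 2
    fi

    # The private key must carry no group/other permission bits (600 or 400).
    case $(ls -ldL "$_key") in
        -???------*) ;;
        *) echo "$_key is accessible to group/other" >&2; return 3 ;;
    esac

    # Derive the public key from each file. "-passin pass:" makes an encrypted
    # key fail here instead of prompting; nginx could not load it unattended.
    _kpub=$(openssl pkey -in "$_key" -passin pass: -pubout 2>/dev/null) ||
        { echo "cannot read private key $_key" >&2; return 4; }
    _cpub=$(openssl x509 -in "$_crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $_crt" >&2; return 4; }

    # A certificate signed with a different key is rejected by nginx at start-up.
    if [ "$_kpub" != "$_cpub" ]; then
        echo "key and certificate do not match" >&2; return 5
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$_crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 6; }
    return 0
}

# When run as a script with a directory argument, check that directory.
[ "$#" -eq 0 ] || check_ispconfig_tls "$1"
```

Chained as `check_ispconfig_tls && nginx -t && service nginx restart`, a bad pair never reaches the restart step. The same permission rule applies to ispserver.key.secure, which after the procedure above is also an unencrypted copy of the key.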
Is it resolved?
Excellent for me