
How to open 443 port? SSL not working

Posted: Thu Jun 22, 2017 11:25 pm
by scristi
Hello,

I have SSL working on port 8083 (panel), but not for SSL on my domains. I have installed the SSL cert (copied the cert in the domain creation step, and it seems to be OK), but when I call the https page, it returns an ERR_CONNECTION_REFUSED error.

In the Vesta firewall (the iptables option inside the Vesta CP) I added ports 8080 and 8443 so both can listen, but nothing: from outside, port 8443 is open but 443 is closed.

How can I solve it? Any idea or help...

Thanks in advance,

Sebastian

Re: Port 443 or 8443? SSL not working

Posted: Fri Jun 23, 2017 6:15 am
by gecube_ru
The default SSL port for the nginx server is 443.
If you use the default templates, please check that you allowed port 443 in the firewall.

Re: Port 443 or 8443? SSL not working

Posted: Fri Jun 23, 2017 10:44 am
by scristi
Thanks gecube_ru.

I tried to allow port 443 in the firewall, but nothing.

I'm on CentOS 7.

In the Vesta panel, in the firewall:

ACCEPT TCP/ SSH 22 0.0.0.0/0
ACCEPT TCP/ WEB 80,443,8080,8443 0.0.0.0/0
ACCEPT TCP/ FTP 21,12000-12100 0.0.0.0/0
ACCEPT UDP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ SMTP 25,465,587,2525 0.0.0.0/0
ACCEPT TCP/ POP3 110,995 0.0.0.0/0
ACCEPT TCP/ IMAP 143,993 0.0.0.0/0
ACCEPT TCP/ DB 3306,5432 0.0.0.0/0
ACCEPT TCP/ VESTA 8083 0.0.0.0/0
ACCEPT ICMP/ PING 0 0.0.0.0/0

I also tried it with iptables (over SSH), but port 443 remains closed...

If I try the firewall by command, it returns this:

[root@server ~]# firewall-cmd --get-active-zones
FirewallD is not running

-------------
If I try https://mydomain.com:8443/ it works... but not https://mydomain.com (without a port, nor with port 443). Maybe the solution is to make nginx work with port 8443, the same one used by httpd... but how?

Any idea?

Re: How to open 443 port? SSL not working

Posted: Fri Jun 23, 2017 12:44 pm
by gecube_ru
Please run the following commands and post their output here.


netstat -tulpn | grep --color :80
netstat -tulpn | grep --color :443

Re: How to open 443 port? SSL not working

Posted: Fri Jun 23, 2017 12:47 pm
by scristi
Thanks:


[root@server nginx]# netstat -tulpn | grep --color :80
tcp        0      0 myip1:80       0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 myip2:80       0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 myip3:80       0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 myip4:80       0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 myip5:80       0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 myip1:8080     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip2:8080     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip3:8080     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip4:8080     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip5:8080     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      1987/nginx: master
tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      32560/nginx: master
---------------------------------------


[root@server nginx]# netstat -tulpn | grep --color :443
[root@server nginx]#
(nothing)
---------------------------------------


[root@server nginx]# netstat -tulpn | grep --color :8443
tcp        0      0 myip1:8443     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip2:8443     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip3:8443     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip4:8443     0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 myip5:8443     0.0.0.0:*               LISTEN      5212/httpd

Re: How to open 443 port? SSL not working

Posted: Fri Jun 23, 2017 2:42 pm
by gecube_ru
It just means that you have not enabled the SSL configuration for nginx.
Check the existence and correctness of the snginx.conf file under the /home/<username>/conf/web directory.
If it is OK, try to check the config


nginx -t
and then reload nginx.
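The distinction this reply draws (an empty `netstat` result for :443 means nothing is bound, so no firewall rule can help) is worth automating. The script below is an added example, not from the thread or from Vesta: it reads `netstat -tulpn` output, the command used above, and reports for a port whether there is no listener at all (the poster's case) or a listener that exists and therefore points at the firewall, bind address or something in front of the host. The sample output embedded in it is constructed, modelled on the thread's, with RFC 5737 documentation addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Vesta. Reads `netstat -tulpn`
# output and separates "nothing bound to the port" (an nginx/httpd config
# problem) from "listener present but unreachable" (a firewall problem).
set -euo pipefail

# listeners_on PORT : netstat -tulpn lines on stdin -> "ADDR:PORT PROGRAM"
# for every TCP socket in LISTEN state bound to that port, on any address.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")            # last field is the port, also for :::443
            if (a[n] == port) {
                prog = $7                    # "PID/Program name" may contain spaces
                for (i = 8; i <= NF; i++) prog = prog " " $i
                print $4, prog
            }
        }'
}

# listener_state PORT : prints NO_LISTENER or LISTENING for the port.
listener_state() {
    if [ -z "$(listeners_on "$1")" ]; then echo NO_LISTENER; else echo LISTENING; fi
}

# diagnose PORT : verdict plus what to look at next.
diagnose() {
    local port="$1" found
    found="$(listeners_on "$port")"
    if [ -z "$found" ]; then
        echo "NO_LISTENER :$port -> clients get 'connection refused' (TCP RST) whatever the firewall says."
        echo "  Fix the server config that should 'listen' on $port (for nginx: a 'listen <ip>:$port ssl' block), then 'nginx -t' and reload."
    else
        echo "LISTENING :$port"
        echo "$found" | sed 's/^/  /'
        echo "  Still closed from outside? Check iptables/firewalld, that the bind address is the public IP, and any NAT or cloud security group in front of the host."
    fi
    # Live check from another host (not run here):
    #   curl -kv --connect-timeout 5 https://<ip>/
    # 'Connection refused' = no listener or an iptables REJECT; a timeout = DROP or no route.
}

# Constructed sample in netstat -tulpn format (not real output).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:80         0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 203.0.113.10:8080       0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      5212/httpd
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      1987/nginx: master
tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      32560/nginx: master
tcp        0      0 203.0.113.10:8443       0.0.0.0:*               LISTEN      5212/httpd
udp        0      0 203.0.113.10:53         0.0.0.0:*                           1123/named'

for p in 443 8443; do
    printf '%s\n' "$SAMPLE" | diagnose "$p"
done
# On the real box: netstat -tulpn | diagnose 443   (ss -tlnp has different columns)
```

Run against the sample, port 443 comes back NO_LISTENER and 8443 LISTENING with httpd as the owner, which is exactly the situation the thread's output shows. The parser only understands the netstat column layout; `ss -tlnp` puts the local address in the same column but the process in a different one, so adapt the awk fields before pointing it at `ss`.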

Re: How to open 443 port? SSL not working

Posted: Fri Jun 23, 2017 3:11 pm
by scristi
Thanks for your help and time gecube_ru.

The file snginx.conf is not under this dir. How can I fix it?

First:


[root@server web]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
In nginx.conf I have a doubt. I have 2 domains on the server, but inside that file only one appears, domain1 (it's not my working domain; domain1 is there just for some tests and I use it for nameservers):
-----------------------------------------------------


server {
    listen      204.(my-ip-for-domain1):80;
    server_name domain1.com www.domain1.com ns3.domain1.com ns4.domain1.com;
    error_log  /var/log/httpd/domains/domain1.com.error.log error;

    location / {
        proxy_pass      http://204.(my-ip-for-domain1):8080;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi$
            root           /home/scristi/web/domain1/public_html;
            access_log     /var/log/httpd/domains/domain1.log combined;
            access_log     /var/log/httpd/domains/domain1.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   /home/scristi/web/domain1/document_errors/;
    }

    location @fallback {
        proxy_pass      http://204.(my-ip-for-domain1):8080;
    }

    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
    location ~ /\.git/  {return 404;}
    location ~ /\.hg/   {return 404;}
    location ~ /\.bzr/  {return 404;}

    disable_symlinks if_not_owner from=/home/scristi/web/domain1/public_html;

    include /home/scristi/conf/web/nginx.domain1.conf*;
}
-----------------------------------------------------
Inside the same folder there are independent files for each domain. The domain2 file (there is also a domain1 file here) is nginx.domain2.conf_letsencrypt and it shows:


location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.Vt43YGcIN7B3dK9lmY3MsHIsjtZK9AiZeXaQ_Xocjqc";
}
-----------------------------------------------------
I also have shttpd.conf here; the content:


<VirtualHost 204.(my-ip-for-DOMAIN2):8443>

    ServerName domain2.com
    ServerAlias www.domain2.com domain2-com.domain2.com
    ServerAdmin [email protected]
    DocumentRoot /home/scristi/web/domain2/public_html
    ScriptAlias /cgi-bin/ /home/scristi/web/domain2/cgi-bin/
    Alias /vstats/ /home/scristi/web/domain2/stats/
    Alias /error/ /home/scristi/web/domain2/document_errors/
    #SuexecUserGroup scristi scristi
    CustomLog /var/log/httpd/domains/domain2.bytes bytes
    CustomLog /var/log/httpd/domains/domain2.log combined
    ErrorLog /var/log/httpd/domains/domain2.error.log
    <Directory /home/scristi/web/domain2/public_html>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value upload_max_filesize 10M
        php_admin_value max_execution_time 20
        php_admin_value post_max_size  8M
        php_admin_value memory_limit 32M
        php_admin_flag mysql.allow_persistent  off
        php_admin_flag safe_mode off
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@domain2"
        php_admin_value open_basedir /home/scristi/web/domain2/public_html:/home/scristi/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/et$
        php_admin_value upload_tmp_dir /home/scristi/tmp
        php_admin_value session.save_path /home/scristi/tmp
    </Directory>
    <Directory /home/scristi/web/domain2/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /home/scristi/conf/web/ssl.domain2.crt
    SSLCertificateKeyFile /home/scristi/conf/web/ssl.domain2.key
    #SSLCertificateChainFile /home/scristi/conf/web/ssl.domain2.ca
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid scristi scristi
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID scristi scristi
    </IfModule>

    IncludeOptional /home/scristi/conf/web/shttpd.domain2.conf*

</VirtualHost>
(I'm trying to start https on domain2. Domain1 is there just for testing purposes.)

More info, at /etc/httpd/conf.d/my-ip2.conf:


Listen my-ip2:8080
Listen my-ip2:8443

Re: How to open 443 port? SSL not working

Posted: Sat Jun 24, 2017 10:51 am
by gecube_ru
Please try to de-select the "SSL Support" checkbox for your domain and save the settings.
Then select it again, save the settings and check again whether nginx accepts incoming connections on port 443.
The problem is that snginx.conf wasn't created in your directory, so nginx doesn't know that it needs to accept SSL connections on port 443.

Re: How to open 443 port? SSL not working

Posted: Sat Jun 24, 2017 2:41 pm
by scristi
I tried following these steps:

1.- Disable the SSL checkbox and regenerate the hosting account
2.- Reboot the server
3.- Select the SSL checkbox, enter the SSL keys and certs, and regenerate the account
4.- Reboot the server

Result: the same (tried 3 times)

Maybe the problem is that I'm using an external SSL cert, but I can't generate a Let's Encrypt cert directly in Vesta; that option generates an error at the creation step.

But the cert seems to be valid and working:

-----------------------------------
Subject: (domain2-here.com)
ALIASES: (domain2-here.com),www.(domain2-here.com)
NOT_BEFORE: Jun 20 22:42:00 2017 GMT
NOT_AFTER: Sep 18 22:42:00 2017 GMT
SIGNATURE: sha256WithRSAEncryption
PUB_KEY: 2048 bit
ISSUER C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X
----------------------------------

But...


[root@server ~]# cat /etc/services | grep 443
https           443/tcp                         # http protocol over TLS/SSL
https           443/udp                         # http protocol over TLS/SSL
https           443/sctp                        # http protocol over TLS/SSL
pcsync-https    8443/tcp                # PCsync HTTPS
pcsync-https    8443/udp                # PCsync HTTPS

(there are other *443* ports, but I listed the two of interest)
And if I test 443 from another location:


The 1 scanned port on domain-2.com (my-ip-2) is closed
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

Re: How to open 443 port? SSL not working

Posted: Sat Jun 24, 2017 6:25 pm
by gecube_ru
It is very strange that your "external" certificate is issued by the Let's Encrypt authority.

I really don't have any idea how you could get into such an issue. If I got into one, I'd rewrite nginx.conf, adding a listen 443 ssl directive, the path to the actual certificates and a proxy to your site. Also, httpd on 8443 is total nonsense, because the proxy server (i.e. nginx) uses the certificate for the SSL connection with the client of your site.

The only drawback of manually editing the config files is that they will be rewritten by Vesta when you change settings in the panel.
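The manual fix proposed in the last reply, written out as an added example (not Vesta's template and not the poster's config): a script that renders the nginx server block with `listen <ip>:443 ssl`, the certificate paths and a proxy to the site, checks that the block really carries the directives that open the port, and prints the commands to apply it. The domain, the RFC 5737 address, the certificate paths and the backend port are assumptions that mirror the thread, where httpd already listens on the site IP at 8443 with SSLEngine on and the certificates live under /home/scristi/conf/web.

```shell
#!/usr/bin/env bash
# Added example, not Vesta's template or the poster's config. Renders an
# nginx server block that terminates TLS on <ip>:443 and proxies to the
# httpd already listening on <ip>:8443, validates it, and prints the next steps.
set -euo pipefail

# render_ssl_vhost DOMAIN IP CERT KEY BACKEND_PORT -> server block on stdout
render_ssl_vhost() {
    local domain="$1" ip="$2" cert="$3" key="$4" backend="$5"
    cat <<EOF
server {
    listen      ${ip}:443 ssl;
    server_name ${domain} www.${domain};

    # nginx has no separate chain directive: this file must hold the leaf
    # certificate followed by the intermediate(s), or clients see an
    # incomplete chain even though 443 opens.
    ssl_certificate      ${cert};
    ssl_certificate_key  ${key};
    # nginx of this era defaults to TLSv1 TLSv1.1 TLSv1.2; keep only 1.2
    # (add TLSv1.3 once nginx and OpenSSL on the box support it).
    ssl_protocols        TLSv1.2;
    ssl_prefer_server_ciphers on;

    error_log  /var/log/httpd/domains/${domain}.error.log error;

    location / {
        # Re-encrypt to httpd on the same host. nginx does not verify the
        # upstream certificate by default (proxy_ssl_verify off): acceptable
        # for a same-host hop, not for a remote backend.
        proxy_pass          https://${ip}:${backend};
        proxy_set_header    Host \$host;
        proxy_set_header    X-Real-IP \$remote_addr;
        proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
    }

    # Same VCS/dotfile guards as the port-80 block.
    location ~ /\.(ht|svn/|git/|hg/|bzr/) { return 404; }
}
EOF
}

# validate_vhost FILE -> 0 when the block can open 443 with TLS; otherwise
# names each missing directive on stderr and returns 1. A block with only
# 'listen <ip>:443' and no 'ssl' is rejected: nginx would then speak plain
# HTTP on 443 and browsers show a protocol error instead of a refusal.
validate_vhost() {
    local f="$1" rc=0 re
    for re in \
        '^[[:space:]]*listen[[:space:]]+[^;]*:443[[:space:]]+ssl[[:space:]]*;' \
        '^[[:space:]]*ssl_certificate[[:space:]]+[^[:space:];]+[[:space:]]*;' \
        '^[[:space:]]*ssl_certificate_key[[:space:]]+[^[:space:];]+[[:space:]]*;' \
        '^[[:space:]]*proxy_pass[[:space:]]+https?://[^;]+;'
    do
        grep -Eq "$re" "$f" || { echo "missing directive matching: $re" >&2; rc=1; }
    done
    return "$rc"
}

# Demo values (assumptions).
DOMAIN="domain2.com"
IP="203.0.113.10"
CERT_DIR="/home/scristi/conf/web"
OUT_DIR="$(mktemp -d)"
OUT="${OUT_DIR}/snginx.conf"      # the per-domain file Vesta itself would generate

render_ssl_vhost "$DOMAIN" "$IP" "${CERT_DIR}/ssl.domain2.crt" "${CERT_DIR}/ssl.domain2.key" 8443 > "$OUT"
validate_vhost "$OUT"
echo "rendered $OUT"
# Apply (not run here): copy to /home/<user>/conf/web/snginx.conf, then
#   nginx -t && systemctl reload nginx && ss -tlnp | grep ':443 '
# As the reply above warns, Vesta rewrites that file when the domain is
# edited in the panel, so expect to redo a hand edit after panel changes.
```

The validator is deliberately stricter than `nginx -t`: a syntactically valid block that lacks `ssl` on the `listen` line, or that proxies nowhere, passes `nginx -t` but does not fix the thread's symptom. If `ss -tlnp` shows nginx on :443 after the reload and the port is still closed from outside, the problem has moved to the firewall, which the earlier replies already covered.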