How to open 443 port? SSL not working
Hello,
I have SSL working on port 8083 (panel), but not SSL on my domains. I have installed the SSL cert (I copied the cert in the domain creation step and it seems to be OK), but when I call the https page, it returns an ERR_CONNECTION_REFUSED error.
In the Vesta firewall (IPTables option inside the Vesta CP) I added ports 8080 and 8443 so that both can listen, but nothing: from outside, port 8443 is open but 443 is closed.
How can I solve it? any idea or help...
Thanks in advance,
Sebastian
Last edited by scristi on Fri Jun 23, 2017 12:09 pm, edited 1 time in total.
Re: Port 443 or 8443? SSL not working
The default SSL port for nginx server is 443.
If you use default templates, please check that you allowed 443 port in firewall.
Re: Port 443 or 8443? SSL not working
Thanks gecube_ru.
I tried to allow 443 port in firewall, but nothing.
I'm with CentOS 7
At vesta panel, in firewall:
ACCEPT TCP/ SSH 22 0.0.0.0/0
ACCEPT TCP/ WEB 80,443,8080,8443 0.0.0.0/0
ACCEPT TCP/ FTP 21,12000-12100 0.0.0.0/0
ACCEPT UDP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ SMTP 25,465,587,2525 0.0.0.0/0
ACCEPT TCP/ POP3 110,995 0.0.0.0/0
ACCEPT TCP/ IMAP 143,993 0.0.0.0/0
ACCEPT TCP/ DB 3306,5432 0.0.0.0/0
ACCEPT TCP/ VESTA 8083 0.0.0.0/0
ACCEPT ICMP/ PING 0 0.0.0.0/0
Also I tried it with IPTABLES (SSH) but port 443 remains closed...
If I try the firewall by command, it returns this:
[root@server ~]# firewall-cmd --get-active-zones
FirewallD is not running
-------------
If I try https://mydomain.com:8443/ it works... but not https://mydomain.com (without port, nor with port 443). Maybe the solution is to make nginx work with port 8443, the same one used by httpd... but how?
Any idea?
Re: How to open 443 port? SSL not working
Please run the next commands and write here their output
Code: Select all
netstat -tulpn | grep --color :80
netstat -tulpn | grep --color :443
Re: How to open 443 port? SSL not working
Thanks:
---------------------------------------
Code: Select all
[root@server nginx]# netstat -tulpn | grep --color :80
tcp 0 0 myip1:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip2:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip3:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip4:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip5:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip1:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip2:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip3:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip4:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip5:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN 1987/nginx: master
tcp 0 0 127.0.0.1:8084 0.0.0.0:* LISTEN 32560/nginx: master
Code: Select all
[root@server nginx]# netstat -tulpn | grep --color :443
[root@server nginx]#
(nothing)
Code: Select all
[root@server nginx]# netstat -tulpn | grep --color :8443
tcp 0 0 myip1:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip2:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip3:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip4:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip5:8443 0.0.0.0:* LISTEN 5212/httpd
Last edited by scristi on Fri Jun 23, 2017 3:38 pm, edited 1 time in total.
Re: How to open 443 port? SSL not working
It just means that you have not enabled SSL configuration for nginx.
Check the existence and correctness of the snginx.conf file under the /home/<username>/conf/web catalogue
If it is OK, try to check config
Code: Select all
nginx -t
and to reload nginx.
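The diagnosis reached above (the firewall ACCEPTs 443, yet nothing is bound to it) as an added example, not code from the original posts or from Vesta: it parses `netstat -tulpn` output and matches the exact port. The sample lines and the address 192.0.2.10 are constructed; `listener_for` and `check_ports` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. SAMPLE_NETSTAT is constructed in the `netstat -tulpn` layout
# shown in the thread; 192.0.2.10 is a documentation placeholder address.
SAMPLE_NETSTAT='tcp 0 0 192.0.2.10:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 192.0.2.10:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 192.0.2.10:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN 1987/nginx: master
tcp 0 0 127.0.0.1:8084 0.0.0.0:* LISTEN 32560/nginx: master'

# listener_for PORT NETSTAT_TEXT
# Prints the program(s) with a TCP socket in LISTEN state on exactly PORT.
# Matching the parsed port avoids `grep :80` also hitting 8080, 8083, ...
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")          # local address, port is the last piece
            if (addr[n] "" != port "") next   # force a string comparison
            split($7, proc, "/")              # "32560/nginx:" -> "nginx:"
            name = proc[2]; sub(/:$/, "", name)
            if (name == "") name = "unknown"  # PID column is "-" without root
            if (!seen[name]++) out = (out == "" ? name : out "," name)
        }
        END { if (out != "") print out }'
}

# check_ports "80,443,..." NETSTAT_TEXT
# For every port the firewall ACCEPTs, report whether anything is bound to it.
check_ports() {
    for port in $(printf '%s' "$1" | tr ',' ' '); do
        prog=$(listener_for "$port" "$2")
        if [ -n "$prog" ]; then
            echo "port $port: served by $prog"
        else
            echo "port $port: allowed by firewall, no listener (connection refused)"
        fi
    done
}

# WEB rule from the thread's firewall list: 80,443,8080,8443
check_ports "80,443,8080,8443" "$SAMPLE_NETSTAT"
```

On a live host, pass `"$(netstat -tulpn)"` as the second argument instead of the sample.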
Re: How to open 443 port? SSL not working
Thanks for your help and time gecube_ru.
file snginx.conf is not under this dir. How can I fix it?
first:
Code: Select all
[root@server web]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
-----------------------------------------------------
(I'm trying to start https in domain2. Domain 1 is there just for testing purposes)
At nginx.conf I have a doubt. I have 2 domains inside the server, but inside that file there appears to be just one, domain1 (it's not my work domain, domain1 is there just to make some tests and I use it for nameservers):
Code: Select all
server {
    listen 204.(my-ip-for-domain1):80;
    server_name domain1.com www.domain1.com ns3.domain1.com ns4.domain1.com;
    error_log /var/log/httpd/domains/domain1.com.error.log error;
    location / {
        proxy_pass http://204.(my-ip-for-domain1):8080;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi$
            root /home/scristi/web/domain1/public_html;
            access_log /var/log/httpd/domains/domain1.log combined;
            access_log /var/log/httpd/domains/domain1.bytes bytes;
            expires max;
            try_files $uri @fallback;
        }
    }
    location /error/ {
        alias /home/scristi/web/domain1/document_errors/;
    }
    location @fallback {
        proxy_pass http://204.(my-ip-for-domain1):8080;
    }
    location ~ /\.ht {return 404;}
    location ~ /\.svn/ {return 404;}
    location ~ /\.git/ {return 404;}
    location ~ /\.hg/ {return 404;}
    location ~ /\.bzr/ {return 404;}
    disable_symlinks if_not_owner from=/home/scristi/web/domain1/public_html;
    include /home/scristi/conf/web/nginx.domain1.conf*;
}
Inside the same folder there are independent files for each domain. The domain2 file (there is also a domain1 file here) is nginx.domain2.conf_letsencrypt and it shows:
Code: Select all
location ~ "^/\.well-known/acme-challenge/(.*)$" {
default_type text/plain;
return 200 "$1.Vt43YGcIN7B3dK9lmY3MsHIsjtZK9AiZeXaQ_Xocjqc";
}
Also I have here shttpd.conf, the content:
Code: Select all
<VirtualHost 204.(my-ip-for-DOMAIN2):8443>
    ServerName domain2.com
    ServerAlias www.domain2.com domain2-com.domain2.com
    ServerAdmin [email protected]
    DocumentRoot /home/scristi/web/domain2/public_html
    ScriptAlias /cgi-bin/ /home/scristi/web/domain2/cgi-bin/
    Alias /vstats/ /home/scristi/web/domain2/stats/
    Alias /error/ /home/scristi/web/domain2/document_errors/
    #SuexecUserGroup scristi scristi
    CustomLog /var/log/httpd/domains/domain2.bytes bytes
    CustomLog /var/log/httpd/domains/domain2.log combined
    ErrorLog /var/log/httpd/domains/domain2.error.log
    <Directory /home/scristi/web/domain2/public_html>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value upload_max_filesize 10M
        php_admin_value max_execution_time 20
        php_admin_value post_max_size 8M
        php_admin_value memory_limit 32M
        php_admin_flag mysql.allow_persistent off
        php_admin_flag safe_mode off
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@domain2"
        php_admin_value open_basedir /home/scristi/web/domain2/public_html:/home/scristi/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/et$
        php_admin_value upload_tmp_dir /home/scristi/tmp
        php_admin_value session.save_path /home/scristi/tmp
    </Directory>
    <Directory /home/scristi/web/domain2/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /home/scristi/conf/web/ssl.domain2.crt
    SSLCertificateKeyFile /home/scristi/conf/web/ssl.domain2.key
    #SSLCertificateChainFile /home/scristi/conf/web/ssl.domain2.ca
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid scristi scristi
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID scristi scristi
    </IfModule>
    IncludeOptional /home/scristi/conf/web/shttpd.domain2.conf*
</VirtualHost>
More info, at /etc/httpd/conf.d/my-ip2.conf:
Code: Select all
Listen my-ip2:8080
Listen my-ip2:8443
Re: How to open 443 port? SSL not working
Please try to de-select "SSL Support" in checkbox for your domain, save settings.
Then select it again, save settings and check again if nginx will accept incoming connections on 443 port.
The problem is that nginxs.conf wasn't created in your catalogue. So it doesn't know that you need to accept ssl connections on 443 port.
Re: How to open 443 port? SSL not working
I tried following these steps:
1.- Disable SSL checkbox and regenerating the hosting account
2.- reboot server
3.- Select SSL checkbox, entering the SSL keys and certs, and regenerating account
4.- reboot server
Result: the same (tried 3 times)
Maybe the problem is because I'm using an external SSL cert, but I can't generate a letsencrypt cert directly in Vesta; this option generates an error at the creation step.
But cert seems to be valid and working:
-----------------------------------
Subject: (domain2-here.com)
ALIASES: (domain2-here.com),www.(domain2-here.com)
NOT_BEFORE: Jun 20 22:42:00 2017 GMT
NOT_AFTER: Sep 18 22:42:00 2017 GMT
SIGNATURE: sha256WithRSAEncryption
PUB_KEY: 2048 bit
ISSUER C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X
----------------------------------
But...
Code: Select all
[root@server ~]# cat /etc/services | grep 443
https 443/tcp # http protocol over TLS/SSL
https 443/udp # http protocol over TLS/SSL
https 443/sctp # http protocol over TLS/SSL
pcsync-https 8443/tcp # PCsync HTTPS
pcsync-https 8443/udp # PCsync HTTPS
(there are other *443* ports, but I listed the two of interest)
And if I go to test 443 from another location,
Code: Select all
The 1 scanned port on domain-2.com (my-ip-2) is closed
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
Re: How to open 443 port? SSL not working
It is very strange that your "external" certificate is issued by Lets Encrypt authority.
I really don't have any idea how you could get into such an issue. If I got into such one, I'd rewrite nginx.conf adding listen 443 ssl directive, path to actual certificates and proxy to your site. Also httpd on 8443 is total nonsense, because the proxy server (i.e. nginx) uses the certificate for the SSL connection with the client of your site.
The only drawback of manual editing of config files is that they will be rewritten by Vesta when you change settings in the panel.