Topic: [SOLVED] No access to http nor to console's "manage server"

[Amir Inbar]

Sme server 9 was working fine.
Tryed to reconfigure self signed certificate as described here:
https://wiki.contribs.org/Certificates_Concepts
I must have done something wrong - after signal-event reconfigure and signal-event-reboot, i have no access to http, https and can not even access server manager from console.

Code: [Select]

service httpd-e-smith status
down: /service/httpd-e-smith: 1s, want up

Code: [Select]

service httpd-admin status
run: /service/httpd-admin: (pid 2587) 3171s, normally down; run: log: (pid 1272) 3206s


Code: [Select]

less /var/log/httpd/error_log
/var/log/httpd/error_log: No such file or directory

Code: [Select]

httpd -t
Syntax error on line 3228 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLRequireSSL', perhaps misspelled or defined by a module not included in the server configuration
Please help

[DanB35]

What's the output of 'config show modSSL'?  Do the files identified for crt, key, and CertificateChainFile (if any) exist?

[byte]

Code: [Select]

httpd -t
Syntax error on line 3228 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLRequireSSL', perhaps misspelled or defined by a module not included in the server configuration

That usually means it is missing "SSLEngine On" in the config file, have you made any other changes?

[DanB35]

I'd add that with the availability of Let's Encrypt, there's very little reason to use self-signed certificates any more.  See https://wiki.contribs.org/Letsencrypt for discussion; I'd suggest following the steps to use letsencrypt.sh rather than the official client.  Following those instructions will give you trusted certificates for free, and they'll automatically renew every 60 days.

Of course, if you've made changes to your httpd.conf files, you'll likely need to revert those.

[Amir Inbar]

Thank you guys for helping

Code: [Select]

config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enable

@byte:
I might have - this is probably the reason for the problem 

[DanB35]

Code: [Select]

config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enable


So in this case, the SME server should automatically generate a self-signed TLS certificate and use that.  It seems to not be doing that.  So, what did you do (referring to the wiki page unfortunately isn't very helpful, as there are lots of things discussed there)?  Specifically, did you modify any template files?  Did you create any custom template files?  Any edits directly to httpd.conf should be cleared out with the post-upgrade and reboot.

What's the output of '/sbin/e-smith/audittools/templates'?

[byte]

Also, please show the output of:

ls -la /home/e-smith/ssl.crt/
ls -la /home/e-smith/ssl.key/

[Amir Inbar]

@DanB35:
I did not change manually as far as i remember but i did try to find the correct way to produce the certificate again and again, i also installed smeserver-certificate to try and solve it - i have followed the instructions to generate RSA Keyand CSR as described here:
https://wiki.contribs.org/Certificate_ssl_management

Code: [Select]

/sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/home/e-smith/ssl.crt: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
/etc/e-smith/templates/var/service/qpsmtpd/config/peers/local/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
/etc/e-smith/templates/var/service/qpsmtpd/config/plugins/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
@bye:
here is the output (i have change the name of my server here to mymailserver.mydomain.mytld):

Code: [Select]

ls -la /home/e-smith/ssl.crt/
total 12
drwx------ 2 root  root  4096 Mar 17 12:35 .
drwxr-xr-x 9 admin admin 4096 Mar 17 12:36 ..
-rw-r--r-- 1 root  root  1429 Mar 17 12:35 mymailserver.mydomain.mytld.crt


Code: [Select]

ls -la /home/e-smith/ssl.key/
total 12
drwx------ 2 root  root  4096 Mar 17 12:35 .
drwxr-xr-x 9 admin admin 4096 Mar 17 12:36 ..
-rw-r--r-- 1 root  root  1676 Mar 17 12:35 mymailserver.mydomain.mytld.key


[Amir Inbar]

The server runs sme9admin that sends periodic emails, i have noticed this is written :

#>service httpd-e-smith status
down: /service/httpd-e-smith: 1s, want up

#>service httpd-admin status
run: /service/httpd-admin: (pid 2407) 13s, normally down; run: log: (pid 1272) 25s

and a separate email message is sent with this:

Fatal error: Apache logfile /var/log/httpd/access_log not found Is Apache running?

[byte]

Thank you guys for helping

Code: [Select]

config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enable


Is "status=enable" a copy paste error?  It should show "status=enabled"

[byte]

@DanB35:
I did not change manually as far as i remember but i did try to find the correct way to produce the certificate again and again, i also installed smeserver-certificate to try and solve it - i have followed the instructions to generate RSA Keyand CSR as described here:
https://wiki.contribs.org/Certificate_ssl_management

Looking at that link and if you did do this method then the link mentioned if your web server crashes then type this command...

Code: [Select]

signal-event certificate-revert
This then should revert back to SME Server's default certs.

@bye:
here is the output (i have change the name of my server here to mymailserver.mydomain.mytld):

That all looks OK.

[Amir Inbar]

@byte:

Thank you very much - this (status=enable instead of status=enabled) was my mistake
I have probably tried to disable it and re-enable it and misspelled...

I can now access all http and https.

There is another problem with roundcube now - but i'll post it in the suitable forum.

Thank you guys for helping so fast

[byte]

@byte:

Thank you very much - this (status=enable instead of status=enabled) was my mistake
I have probably tried to disable it and re-enable it and misspelled...

I can now access all http and https.

Great, could you please put [Solved] in the title of this topic