Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: Amir Inbar on March 17, 2016, 10:16:31 AM
-
SME Server 9 was working fine.
Tried to reconfigure self signed certificate as described here:
https://wiki.contribs.org/Certificates_Concepts
I must have done something wrong - after signal-event reconfigure and signal-event-reboot, I have no access to http, https and can not even access server manager from console.
service httpd-e-smith status
down: /service/httpd-e-smith: 1s, want up
service httpd-admin status
run: /service/httpd-admin: (pid 2587) 3171s, normally down; run: log: (pid 1272) 3206s
less /var/log/httpd/error_log
/var/log/httpd/error_log: No such file or directory
httpd -t
Syntax error on line 3228 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLRequireSSL', perhaps misspelled or defined by a module not included in the server configuration
Please help
-
What's the output of 'config show modSSL'? Do the files identified for crt, key, and CertificateChainFile (if any) exist?
-
httpd -t
Syntax error on line 3228 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLRequireSSL', perhaps misspelled or defined by a module not included in the server configuration
That usually means it is missing "SSLEngine On" in the config file, have you made any other changes?
-
I'd add that with the availability of Let's Encrypt, there's very little reason to use self-signed certificates any more. See https://wiki.contribs.org/Letsencrypt for discussion; I'd suggest following the steps to use letsencrypt.sh rather than the official client. Following those instructions will give you trusted certificates for free, and they'll automatically renew every 60 days.
Of course, if you've made changes to your httpd.conf files, you'll likely need to revert those.
-
Thank you guys for helping :)
config show modSSL
modSSL=service
TCPPort=443
access=public
status=enable
@byte:
I might have - this is probably the reason for the problem :-(
-
config show modSSL
modSSL=service
TCPPort=443
access=public
status=enable
So in this case, the SME server should automatically generate a self-signed TLS certificate and use that. It seems to not be doing that. So, what did you do (referring to the wiki page unfortunately isn't very helpful, as there are lots of things discussed there)? Specifically, did you modify any template files? Did you create any custom template files? Any edits directly to httpd.conf should be cleared out with the post-upgrade and reboot.
What's the output of '/sbin/e-smith/audittools/templates'?
-
Also, please show the output of:
ls -la /home/e-smith/ssl.crt/
ls -la /home/e-smith/ssl.key/
-
@DanB35:
I did not change manually as far as I remember but I did try to find the correct way to produce the certificate again and again, I also installed smeserver-certificate to try and solve it - I have followed the instructions to generate RSA Key and CSR as described here:
https://wiki.contribs.org/Certificate_ssl_management
/sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/home/e-smith/ssl.crt: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
/etc/e-smith/templates/var/service/qpsmtpd/config/peers/local/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
/etc/e-smith/templates/var/service/qpsmtpd/config/plugins/04tls: MODIFIED smeserver-qpsmtpd-2.4.0-14.el6.sme
@byte:
here is the output (I have changed the name of my server here to mymailserver.mydomain.mytld):
ls -la /home/e-smith/ssl.crt/
total 12
drwx------ 2 root root 4096 Mar 17 12:35 .
drwxr-xr-x 9 admin admin 4096 Mar 17 12:36 ..
-rw-r--r-- 1 root root 1429 Mar 17 12:35 mymailserver.mydomain.mytld.crt
ls -la /home/e-smith/ssl.key/
total 12
drwx------ 2 root root 4096 Mar 17 12:35 .
drwxr-xr-x 9 admin admin 4096 Mar 17 12:36 ..
-rw-r--r-- 1 root root 1676 Mar 17 12:35 mymailserver.mydomain.mytld.key
-
The server runs sme9admin that sends periodic emails, I have noticed this is written:
#>service httpd-e-smith status
down: /service/httpd-e-smith: 1s, want up
#>service httpd-admin status
run: /service/httpd-admin: (pid 2407) 13s, normally down; run: log: (pid 1272) 25s
and a separate email message is sent with this:
Fatal error: Apache logfile /var/log/httpd/access_log not found Is Apache running?
-
Thank you guys for helping :)
config show modSSL
modSSL=service
TCPPort=443
access=public
status=enable
Is "status=enable" a copy paste error? It should show "status=enabled"
-
@DanB35:
I did not change manually as far as I remember but I did try to find the correct way to produce the certificate again and again, I also installed smeserver-certificate to try and solve it - I have followed the instructions to generate RSA Key and CSR as described here:
https://wiki.contribs.org/Certificate_ssl_management
Looking at that link and if you did do this method then the link mentioned if your web server crashes then type this command...
signal-event certificate-revert
This then should revert back to SME Server's default certs.
@byte:
here is the output (I have changed the name of my server here to mymailserver.mydomain.mytld):
That all looks OK.
-
@byte:
Thank you very much - this (status=enable instead of status=enabled) was my mistake :)
I have probably tried to disable it and re-enable it and misspelled...
I can now access all http and https.
There is another problem with roundcube now - but I'll post it in the suitable forum.
Thank you guys for helping so fast :-P
-
@byte:
Thank you very much - this (status=enable instead of status=enabled) was my mistake :)
I have probably tried to disable it and re-enable it and misspelled...
I can now access all http and https.
Great, could you please put [Solved] in the title of this topic :)
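-
Added example, not part of the original thread or of SME Server itself: the root cause found above was a misspelt `status` value in the modSSL record, which `config show` prints without complaint. The sketch below lints `config show <service>` output for that mistake; the function name `check_status` and the assumption that `enabled` and `disabled` are the only accepted spellings are mine.

```shell
#!/bin/sh
# Added example (not SME Server code). Assumption: a service record's status
# must be spelled exactly "enabled" or "disabled".

# check_status: reads one `config show <service>` record on stdin, prints a
# line per problem found, and returns 1 if the status is misspelt or missing.
check_status() {
    awk -F= '
        # Strip the indentation config show puts in front of properties,
        # plus trailing blanks or a stray CR; this also re-splits the fields.
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" { next }
        # The first non-empty line is the record header, e.g. modSSL=service.
        name == "" { name = $1; next }
        $1 == "status" {
            seen = 1
            val = substr($0, index($0, "=") + 1)
            if (val != "enabled" && val != "disabled") {
                printf "%s: status=\"%s\" is not enabled/disabled\n", name, val
                bad = 1
            }
        }
        END {
            if (name != "" && !seen) {
                printf "%s: no status property\n", name
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample input: the record as posted in the thread (BROKEN) and
# the same record with the corrected value (FIXED).
BROKEN='modSSL=service
TCPPort=443
access=public
status=enable'
FIXED='modSSL=service
    TCPPort=443
    access=public
    status=enabled'

printf '%s\n' "$BROKEN" | check_status || echo "modSSL record needs fixing"
printf '%s\n' "$FIXED" | check_status && echo "modSSL record looks sane"
```

On a live server the same check would be fed from the real command, for example `config show modSSL | check_status`.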