Control Web Panel

WebPanel => SSL => Topic started by: Thorth on March 13, 2021, 08:31:29 AM

Title: SSL: 2nd user
Post by: Thorth on March 13, 2021, 08:31:29 AM
Hi.
I think I did something wrong, or I don't know how to configure it correctly.
I have a server with 2 public IPs, let's say Ip1 & Ip2.

Ip1:
   =>   is used for the hostname, access to the CWP panel, etc.
   =>   is used as the shared IP for the server
   =>   I created a user that handles the main domain that is mapped on this
   =>   the auto SSL created for this domain is OK, valid, etc.


Ip2:
   =>  I created another user for another domain
   =>  That domain has multiple subdomains
   =>  my web app is for this second domain


The auto SSL for the second user, mapped on Ip2, is not valid: I got a Common Name (CN) mismatch, and the hostname of the server appeared in the certificate.

What did I do wrong, or what didn't I configure correctly?
Please advise.
Thanks


Title: Re: SSL: 2nd user
Post by: Painkiller88 on March 13, 2021, 02:41:16 PM
Hi,

I am not really sure why you handle it this way, but maybe there is a problem with the Firewall/Port Forwarding.

For a valid SSL cert you need to have at least port 80 open and pointing to your server.

How have you handled the Port management for the 2nd IP?

Or are the web ports only open for the ip1?

This could explain why ip2 can't receive valid Certs.
Title: Re: SSL: 2nd user
Post by: Thorth on March 14, 2021, 09:46:00 AM
Hi,

So my virtual machine works this way.
My ISP gives me a group of public IPs, and those IPs point to a virtual machine. On that VM I assigned 2 IPs.

The flow is:

Public IP1 ---> go to ISP datacenter ---> my first internal IP of my VM : 192.160.0.*
Public IP2 ---> go to ISP datacenter ---> my second internal IP of my VM : 192.160.0.*


on IP1 ==> User 1 on CWP  ==> the main domain (hostname) of the server ==> SSL valid, is OK.
on IP2 ==> User 2 on CWP  ==> a domain (with subdomains) that handles my app ==> SSL not valid, Common Name (CN) problem: the hostname of the server appeared in the certificate, so the SSL is not OK.

I tested the ports of both IPs, and they are OK.
I attached a pic with the result of the scan, and also the result of the SSL test.

(https://i.ibb.co/hsjGGsW/port-Scanner.jpg)

(https://i.ibb.co/pQsBDfL/certificate-Result.jpg)


Hope you have an idea of what to test next, or what to do :)

Thanks
Title: Re: SSL: 2nd user
Post by: Igor S. on March 14, 2021, 05:30:52 PM
@Thorth
Try to install the SSL to the hostname. Check if you have NAT-ed mode enabled (CWPadmin => CWP settings)
Title: Re: SSL: 2nd user
Post by: Thorth on March 14, 2021, 09:49:15 PM
Hi.
I reinstalled the entire server again.
And I have NAT active.
Now idk why the SSL is OK if I use the Apache-only webserver; when I change to the Nginx & Apache webserver, everything is wrong again, absolutely everything is wrong: SSL, and not even index.php is read correctly ....  :-[
Idk....
Title: Re: SSL: 2nd user
Post by: Thorth on March 15, 2021, 07:44:35 AM
I think I got it  ;D 8)
After several weeks of reinstalls I finally got it.
In the next few days I'll post the entire flow I did, as maybe others will need it  ;D
Title: Re: SSL: 2nd user
Post by: ghassan on April 22, 2021, 12:33:55 AM
Hi Thorth,

I have the same issue here.
I've got a floating IP from DigitalOcean and assigned it to my droplet,
then I added it to my CWP and created a new account pointed to the new IP.
The new domain is working with HTTP:// but with HTTPS:// I am getting ERR_SSL_PROTOCOL_ERROR.

Can you please tell me how you fixed the problem?
with many thanks
Title: Re: SSL: 2nd user
Post by: Starburst on April 22, 2021, 11:04:46 PM
"floating IP"
SSL requires a Static IP as they look at rDNS to confirm the domain name to the IP.

The "floating IP" may be your problem.
I responded to your other post.

What is /var/log/cwp/autossl.log showing?
Title: Re: SSL: 2nd user
Post by: Painkiller88 on May 01, 2021, 01:14:44 PM
rDNS is not needed for an SSL cert; rDNS is only needed for a mailserver.

I know a lot of people without an rDNS record, but they are able to host their own sites and use certbot or similar to have SSL.
Title: Re: SSL: 2nd user
Post by: Starburst on May 02, 2021, 01:43:20 AM
Hostname should be only a subdomain, like: srv1.mydomain.com. Please don't use Cloudflare protection with the hostname, as this will cause you issues.
If you are using a VPS with OpenVZ/Virtuozzo/Lxc containers then you should also update hostname within the VPS panel.

Hostname change will also generate a new Hostname autoSSL Certificate.
Certificate Path: /etc/pki/tls/certs/hostname.bundle
Key Path: /etc/pki/tls/private/hostname.key
Pure-FTPd PEM: /etc/pki/tls/private/hostname.pem

Your Hostname is: domainname and it resolves to IP: (IP) [Check Black List] [Check CWP SSL] [Check WebServers SSL]
rDNS/PTR = domainname SUCCESS [Check SenderBase]

rDNS/PTR check for IP (IP) = domainname


Those are checks that are done when changing the hostname.
If they fail, problems could occur.
Also see the CWP note about Cloudflare.
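
Added example, not part of any post in this thread and not CWP code: a way to check which certificate a given IP presents for a requested name, and to tell "the hostname certificate answered for this domain" (the CN mismatch reported above) apart from an unrelated mismatch. The function names and the `example.test` names and certificate dictionaries are constructed for illustration.

```python
import socket
import ssl

# Constructed sample data, shaped like ssl.SSLSocket.getpeercert() output.
HOSTNAME_CERT = {"subject": ((("commonName", "srv1.example.test"),),),
                 "subjectAltName": (("DNS", "srv1.example.test"),)}
DOMAIN_CERT = {"subject": ((("commonName", "app.example.test"),),),
               "subjectAltName": (("DNS", "app.example.test"),
                                  ("DNS", "*.app.example.test"))}

def fetch_cert(ip, sni, port=443, timeout=5.0):
    """Connect to one specific IP, send `sni` as the TLS server name, return the cert dict.

    The chain is still validated against the system trust store (an untrusted or
    self-signed certificate raises ssl.SSLCertVerificationError); only the
    hostname check is disabled so a mismatching certificate can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names a client matches against: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(cert, requested, server_hostname):
    """Classify the certificate served for `requested` on the tested IP."""
    names = cert_names(cert)
    if any(name_matches(n, requested) for n in names):
        return "ok"
    if any(name_matches(n, server_hostname) for n in names):
        return "hostname-cert"  # the server's hostname certificate answered for this vhost
    return "mismatch"
```

Against a live server, `diagnose(fetch_cert(ip2, domain), domain, hostname)` with your own second IP, domain and server hostname shows whether the vhost on that IP is falling back to the hostname certificate.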