Control Web Panel
WebPanel => SSL => Topic started by: PRR on July 10, 2024, 03:21:58 PM
-
Hello
I can't log in to CWP anymore. The domain has Let's Encrypt and it works fine, but as soon as :2030, :2031, :2087, :2083 is added, it is not connecting.
Firefox error:
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Chrome Error:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
MS Edge Error:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
It's a new Almalinux 8 and CWP Pro installation
Really appreciate some help
-
There is also that Let's Encrypt has changed their certificate chain.
@Sandeep also has a thread about it:
https://forum.centos-webpanel.com/ssl/acme-sh-is-now-using-zerossl-change-it-to-letsencrypt-ca-server/
-
That post is from June 14, 2021
CWP hasn't changed it yet?
I will try it.
Thanks
-
Wait!
I ran that command, but still, how do I access my CWP panel?
How do I reissue certs from CLI?
Thanks :'(
-
Does anybody know how to fix this? :(
-
What error shows in your SSL logs?
Or a screenshot of the error you are receiving in CWP?
Does the server have a Public IP with ports 80 & 443 open?
Or is it behind a NAT or Proxy?
Try running: /root/.acme.sh/acme.sh --set-default-chain --preferred-chain "ISRG Root X1"
Did you create a hostname SSL certificate via the panel?
Creating SSL certificates via CLI may not work correctly, they should all be created & renewed with the admin panel under:
WebServer Settings -> SSL Certificates.
-
Hi
Ran that command, but didn't help.
I can't figure out any error in the logs. Is it OK to attach the logs to this message?
I just can't connect to CWP Webpanel and user panel.
Public IP and ports are open 80, 443, 8181, 8443. Running Apache and Nginx.
As soon as I issued the Let's Encrypt certs, I lost access to the CWP panel.
https://dnsvj.com (Works fine)
https://dnsvj.com:9090 (error)
https://dnsvj.com:2087 (Has different error)
Above domain has SSL installed and server hostname is rocks.dnsvj.com
Another domain I don't have the SSL installed
http://punjabrocks.com:9988 (Shoutcast stream works fine)
http://punjabrocks.com:2087 ( No go, same error dnsvj.com)
This domain is not using SSL and shoutcast streams won't work on https
All certs were created using AutoSSL in the panel.
Really appreciate #Starburst looking into this..
-
Did you whitelist your IP in csf?
If you didn't, and you removed the admin ports from csf's TCP_IN, then that might be the problem.
CWP doesn't use 8181, 8443, or 9090
dnsvj.com has the certificate for rocks.dnsvj.com installed, and that domain & SSL are working.
The SSL manager doesn't create and install subdomain certificates for a whole different domain and another.
That has to be done manually
I looked at https://www.punjabrocks.com/, and the certificate is valid.
It just is having a problem with whatever is trying to run on port 9988.
Best bet is to delete ALL the SSL certificates, USE the SSL Admin Panel to create them one by one for each domain name.
I'm also not sure if the Free Let's Encrypt SSL certificates will cover anything outside the normal ports (e.g. Web, FTP & Email)
Ports 2030, 2031, 2086, 2087, 2082, 2083 do not respond, which points to a firewall issue.
If you can log into your CLI, run:
systemctl stop lfd
systemctl stop csf
Then try to login to the web interface.
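
Added example, not part of the original post or of CWP: a small probe that separates the two failure classes discussed in this thread, a port that does not answer at all (firewall or stopped service) versus a port that answers but fails TLS negotiation. The function names and the PROBE_HOST variable are assumptions made for this example; the port list is the one given in the post above.

```shell
#!/bin/sh
# Added example: classify a panel port as filtered, non-TLS, TLS-mismatch or OK.

# classify_probe TCP_RC S_CLIENT_OUTPUT
#   TCP_RC           exit status of a plain TCP connect (0 = connected)
#   S_CLIENT_OUTPUT  text printed by `openssl s_client` for that port
classify_probe() {
    rc=$1
    text=$2
    if [ "$rc" -ne 0 ]; then
        echo "no-tcp"        # nothing answered: firewall (csf/lfd) or service down
    elif printf '%s\n' "$text" | grep -q 'wrong version number'; then
        echo "not-tls"       # port answers, but not with TLS (e.g. plain HTTP)
    elif printf '%s\n' "$text" | grep -Eq 'Cipher is \(NONE\)|handshake failure'; then
        echo "tls-mismatch"  # TLS reached, handshake rejected (version/cipher/cert)
    elif printf '%s\n' "$text" | grep -Eq 'Cipher is [A-Z0-9_-]+'; then
        echo "tls-ok"        # a cipher suite was negotiated
    else
        echo "unknown"
    fi
}

# probe_port HOST PORT: TCP connect first, TLS handshake only if that worked.
probe_port() {
    tcp_rc=0
    out=""
    # host and port are passed as arguments, never spliced into the command string
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || tcp_rc=$?
    if [ "$tcp_rc" -eq 0 ]; then
        out=$(timeout 10 openssl s_client -connect "$1:$2" -servername "$1" \
              </dev/null 2>&1) || true
    fi
    classify_probe "$tcp_rc" "$out"
}

# Only touches the network when PROBE_HOST is set (assumed variable name).
if [ -n "${PROBE_HOST:-}" ]; then
    for port in 2030 2031 2082 2083 2086 2087; do
        printf '%s:%s %s\n' "$PROBE_HOST" "$port" "$(probe_port "$PROBE_HOST" "$port")"
    done
fi
```

Run it as `PROBE_HOST=your.hostname sh probe.sh` from a machine outside the server. If the result changes from no-tcp to something else after stopping csf and lfd, the firewall was the cause.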
-
No go at all.
Is there a way to manually delete the certs from CLI?
That is the only option left.
Content of acme.sh.log
[Sat Jul 13 03:19:54 EDT 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Jul 13 03:19:54 EDT 2024] Running cmd: upgrade
[Sat Jul 13 03:19:54 EDT 2024] Using config home:/root/.acme.sh
[Sat Jul 13 03:19:54 EDT 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jul 13 03:19:54 EDT 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jul 13 03:19:54 EDT 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Jul 13 03:19:54 EDT 2024] _ACME_SERVER_PATH='directory'
[Sat Jul 13 03:19:54 EDT 2024] GET
[Sat Jul 13 03:19:54 EDT 2024] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Sat Jul 13 03:19:54 EDT 2024] timeout=
[Sat Jul 13 03:19:54 EDT 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Jul 13 03:19:54 EDT 2024] ret='0'
[Sat Jul 13 03:19:54 EDT 2024] Already uptodate!
[Sat Jul 13 03:19:54 EDT 2024] Upgrade success!
[Sat Jul 13 08:53:01 EDT 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Jul 13 08:53:02 EDT 2024] Running cmd: cron
[Sat Jul 13 08:53:02 EDT 2024] Using config home:/root/.acme.sh
[Sat Jul 13 08:53:02 EDT 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jul 13 08:53:02 EDT 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jul 13 08:53:02 EDT 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Jul 13 08:53:02 EDT 2024] _ACME_SERVER_PATH='directory'
[Sat Jul 13 08:53:02 EDT 2024] ===Starting cron===
[Sat Jul 13 08:53:02 EDT 2024] Using config home:/root/.acme.sh
[Sat Jul 13 08:53:02 EDT 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jul 13 08:53:02 EDT 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Jul 13 08:53:02 EDT 2024] _ACME_SERVER_PATH='directory'
[Sat Jul 13 08:53:02 EDT 2024] _stopRenewOnError
[Sat Jul 13 08:53:02 EDT 2024] _server
[Sat Jul 13 08:53:02 EDT 2024] _set_level='2'
[Sat Jul 13 08:53:02 EDT 2024] di='/root/.acme.sh/*.*/'
[Sat Jul 13 08:53:02 EDT 2024] Not a directory, skip: /root/.acme.sh/*.*/
[Sat Jul 13 08:53:02 EDT 2024] _error_level='3'
[Sat Jul 13 08:53:02 EDT 2024] _set_level='2'
[Sat Jul 13 08:53:02 EDT 2024] ===End cron===
-
Looks like your SSL configuration is already corrupted from something.
CWP doesn't always use the default paths, and when you try to start doing stuff via CLI without knowing exactly what, the system can become corrupted.
The path listed in the log is not the default path to SSL certificates.
Only option I could suggest is to redo the server from scratch, and not use CLI, and stick to the GUI.
Support may be able to log in and fix things, but I am not sure.
-
Rebuilt the server and everything is fine now.
Thanks
-
That is good news.
Just stay away from the CLI, it's amazing how fast that can corrupt a server sometimes.
Having a test box also helps, that way if it gets messed up, you just wipe it.