Author Topic: CWP pro not work with recompile nginx and tls 1.3  (Read 862 times)


CWP pro not work with recompile nginx and tls 1.3
« on: December 23, 2020, 12:21:23 PM »
I'm trying to recompile nginx on cwp7 pro for TLS 1.3. I followed the one described in this post:

http://forum.centos-webpanel.com/ssl/cwp-support-for-tlsv1-3/

but without success.
CWP pro cannot find nginx, and nginx itself stops working.
I need some help very urgently.
Does anyone know where I can get information about enabling TLS in nginx from cwp7 pro?

my CWPpro version: 0.9.8.1026

Re: CWP pro not work with recompile nginx and tls 1.3
« Reply #1 on: February 11, 2021, 03:56:37 PM »
A clean solution for cwp, I tested it and nginx worked perfectly with cwp. I just need to do the tests now.
https://gist.github.com/lesstif/a332456a4a6fecdf50f2ccbfe4a02727
Only execute: ./openssl-1.1-compile.sh
« Last Edit: February 11, 2021, 04:01:49 PM by dinho »

Re: CWP pro not work with recompile nginx and tls 1.3
« Reply #3 on: April 04, 2021, 10:41:15 AM »
Hello Sandeep

I do have
CentOS Linux release 7.9.2009 (Core)
Kernel Version: 3.10.0-1160.21.1.el7.x86_64
CWPpro version: 0.9.8.1055
Apache version: Apache/2.4.39
Nginx version: nginx/1.18.0
CWP webservers configuration Web Servers: nginx-apache
PHP version: 7.4.13 PHP-FPM is forced

I tried to follow your tutorials to upgrade apache and Nginx and have TLSv1.3.

To start with, I did not understand well if I have to follow both tutorials or, since I do use Nginx, if I need to follow only the Nginx tutorial.

Not being an expert, I imagined I needed to follow both.
So I started with the apache tutorial, https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/

It all seemed to go well up to the last step, when I got this error warning:

** (pkttyagent:24849): WARNING **: 11:12:40.375: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
Apache Rebuild Completed

I decided to ignore this warning for the moment and proceeded to follow the second tutorial, for Nginx:
https://www.mysterydata.com/how-to-enable-tls-1-3-in-nginx-cwp-centos-7-centos-8-el7-el8/

Again all went fine until I got these two error warnings:

** (pkttyagent:11719): WARNING **: 11:28:52.528: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)


** (pkttyagent:11865): WARNING **: 11:29:47.478: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

Again I decided to ignore the two errors for the moment and concluded the tutorial up to step 6.

As I read on Step 7 the following, "Step 7 : ONLY FOR CWP : Ensure you create proper template for nginx in CWP else on every webserver build or ssl renew TLS 1.3 will be disabled", I understood that at this point I could test the setup, as this is needed to avoid losing this setup in case of changes.

So I ran the test as indicated in the first tutorial at https://www.cdn77.com/tls-test

The result was good, except that TLS 1 and TLS 1.1 were still enabled.

Then I tried to check my website and found the 502 Bad Gateway nginx/1.18.0 error.

So I checked the dashboard and saw that apache was not running. I tried to restart it, it failed to restart, so I clicked on status and got this error message:

● httpd.service - Web server Apache
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2021-04-04 11:53:23 CEST; 1min 11s ago
  Process: 3815 ExecStart=/usr/local/apache/bin/apachectl start (code=exited, status=1/FAILURE)

Apr 04 11:53:23 srv.example.com systemd[1]: Starting Web server Apache...
Apr 04 11:53:23 srv.example.com apachectl[3815]: httpd: Syntax error on line 511 of /usr/local/apache/conf/httpd.conf: Syntax error on line 9 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup
Apr 04 11:53:23 srv.example.com systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 04 11:53:23 srv.example.com systemd[1]: Failed to start Web server Apache.
Apr 04 11:53:23 srv.example.com systemd[1]: Unit httpd.service entered failed state.
Apr 04 11:53:23 srv.example.com systemd[1]: httpd.service failed.

I tried to find some hints about how to solve this error but found none; however, I rolled back the server and decided to get more info in order to try to repeat the procedure avoiding these errors.

BTW, in your first tutorial, in the last line there is a typographical error: the line sh aapache-rebuild-new.sh should be sh apache-rebuild-new.sh

apache is written with 2 a's; very simple, if anyone did not notice it yet, just remove the extra a.

Here my questions:

1) Please, are the errors shown at the end of the two procedures to be ignored, or is there something wrong?

In case these errors are a matter of concern or critical, what must be done to fix them?

2) Those who use apache + Nginx + php-fpm, must they do both tutorials OR must they follow only the second tutorial, for Nginx?

3) When the tutorial is successfully ended, how can TLS v1 and TLS v1.1 be disabled?

When following step 7 of the tutorial, I imagine that TLS v1 and v1.1 must also be removed from the templates, otherwise when rebuilding vhosts or renewing SSL certificates they will be re-enabled...

Is this correct?

4) How exactly can they be definitively disabled and removed?

Thank you
« Last Edit: April 04, 2021, 10:54:10 AM by David »
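Questions 3 and 4 above come down to the ssl_protocols directive in the nginx config and in the CWP vhost templates that step 7 refers to. As an added example, not from this thread, CWP or the linked tutorials, the POSIX sh script below audits a config or template file for directives that still list legacy versions and prints the hardened line; the sample file it creates is constructed, and the file path argument is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, CWP or the linked tutorials): audit an
# nginx config or CWP vhost template for ssl_protocols directives that still
# allow legacy versions (SSLv3, TLSv1, TLSv1.1). Usage: sh audit.sh FILE;
# with no argument it audits a constructed sample file.

# Exit 0 if one "ssl_protocols ...;" line enables only TLSv1.2/TLSv1.3.
check_ssl_protocols() {
    protos=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*ssl_protocols//' -e 's/;.*$//')
    for proto in $protos; do
        case "$proto" in
            TLSv1.2|TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the directive rewritten to TLSv1.2+TLSv1.3, keeping its indentation.
harden_ssl_protocols() {
    indent=$(printf '%s\n' "$1" | sed 's/^\([[:space:]]*\).*/\1/')
    printf '%sssl_protocols TLSv1.2 TLSv1.3;\n' "$indent"
}

# Report every ssl_protocols directive in FILE; exit 1 if any is weak.
# Commented-out directives are skipped.
audit_file() {
    weak=0
    while IFS= read -r line; do
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in ssl_protocols*) ;; *) continue ;; esac
        if check_ssl_protocols "$line"; then
            printf 'OK   %s\n' "$line"
        else
            weak=1
            printf 'WEAK %s\n  -> %s\n' "$line" "$(harden_ssl_protocols "$line")"
        fi
    done < "$1"
    return $weak
}

# Constructed sample resembling a CWP nginx vhost template (not a real file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf 'server {\n    listen 443 ssl http2;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$SAMPLE_CONF"
audit_file "${1:-$SAMPLE_CONF}" || echo "Legacy TLS versions are still enabled; fix the template too."
```

Changing the directive alone does not enable TLS 1.3: nginx must be built against OpenSSL 1.1.1 or later, which is what the recompile discussed in this thread is for.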

Re: CWP pro not work with recompile nginx and tls 1.3
« Reply #4 on: April 04, 2021, 02:44:03 PM »
Try this:

mv /usr/local/apache/conf.d/mod_security.conf /usr/local/apache/conf.d/mod_security.conf.bak
systemctl restart httpd


this will disable mod security as for some reason modsec is not working.

You can do only the nginx config to get TLS 1.3 if you want to use mod security.

Re: CWP pro not work with recompile nginx and tls 1.3
« Reply #5 on: April 04, 2021, 03:10:07 PM »
Okay, I've fixed the apache script; rerun step 2.