HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 10:13
by Dreandor
I am sure that the cause of the problem lies with KeyHelp
Yes

Server operating system + version
Debian 11.8

Server virtualization technology used
KVM

KeyHelp version + build number
23.2.1

Problem description / error messages
When I give my subdomain (with a Let's Encrypt certificate) HTTPS directives, I can no longer reach the KH panel (Connection Refused)

Expected result
Panel keeps running and the HTTPS directives work

Actual result
Accessing the panel no longer works, with the error: Connection Refused

Steps to reproduce
Create a subdomain + set up a Let's Encrypt certificate

In the HTTP directives:

Code:

RewriteEngine on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

In the HTTPS directives:

Code:

ProxyPreserveHost On
SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule .* "wss://127.0.0.1:8443%{REQUEST_URI}" [P]
SSLCertificateFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.cert.pem
SSLCertificateKeyFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.key.pem

ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
ProxyRequests off

Additional information
(e.g. recent changes to the server, excerpts from log files (/var/log/*, /var/log/keyhelp/php-error.log, etc.))
/var/log/keyhelp/php-error.log does not exist

php7.4-fpm.log

Code:

[25-Jan-2024 09:10:01] NOTICE: Reloading in progress ...
[25-Jan-2024 09:10:01] NOTICE: reloading: execvp("/usr/sbin/php-fpm7.4", {"/usr/sbin/php-fpm7.4", "--nodaemonize", "--fpm-config", "/etc/php/7.4/fpm/php-fpm.conf"})
[25-Jan-2024 09:10:01] NOTICE: using inherited socket fd=7, "/run/php/keyhelp_keyhelp.socket"
[25-Jan-2024 09:10:01] NOTICE: using inherited socket fd=7, "/run/php/keyhelp_keyhelp.socket"
[25-Jan-2024 09:10:01] NOTICE: using inherited socket fd=8, "/run/php/keyhelp_dreandor_de.socket"
[25-Jan-2024 09:10:01] NOTICE: using inherited socket fd=8, "/run/php/keyhelp_dreandor_de.socket"
[25-Jan-2024 09:10:01] NOTICE: fpm is running, pid 585
[25-Jan-2024 09:10:01] NOTICE: ready to handle connections
[25-Jan-2024 09:10:01] NOTICE: systemd monitor interval set to 10000ms

journalctl -xe

Code:

░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit apache2.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 25 09:14:01 panel.dreandor.de systemd[1]: apache2.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit apache2.service has entered the 'failed' state with result 'exit-code'.
Jan 25 09:14:01 panel.dreandor.de systemd[1]: Failed to start The Apache HTTP Server.
░░ Subject: A start job for unit apache2.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit apache2.service has finished with a failure.
░░
░░ The job identifier is 183314 and the job result is failed.
Jan 25 09:14:01 panel.dreandor.de sudo[211979]: pam_unix(sudo:session): session closed for user root
Jan 25 09:14:01 panel.dreandor.de CRON[211945]: pam_unix(cron:session): session closed for user root
Jan 25 09:14:04 panel.dreandor.de systemd[1]: Starting The Apache HTTP Server...
░░ Subject: A start job for unit apache2.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit apache2.service has begun execution.
░░
░░ The job identifier is 183379.
Jan 25 09:14:04 panel.dreandor.de apachectl[212000]: Action 'start' failed.
Jan 25 09:14:04 panel.dreandor.de apachectl[212000]: The Apache error log may have more information.
Jan 25 09:14:04 panel.dreandor.de systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit apache2.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 25 09:14:04 panel.dreandor.de systemd[1]: apache2.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit apache2.service has entered the 'failed' state with result 'exit-code'.
Jan 25 09:14:04 panel.dreandor.de systemd[1]: Failed to start The Apache HTTP Server.
░░ Subject: A start job for unit apache2.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit apache2.service has finished with a failure.
░░
░░ The job identifier is 183379 and the job result is failed.
Jan 25 09:14:06 panel.dreandor.de dhclient[412]: DHCPREQUEST for 212.132.74.53 on ens6 to 169.254.0.2 port 67
Jan 25 09:14:06 panel.dreandor.de dhclient[412]: DHCPACK of 212.132.74.53 from 169.254.0.2
Jan 25 09:14:06 panel.dreandor.de dhclient[412]: bound to 212.132.74.53 -- renewal in 287 seconds.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 10:53
by Tobi
This here is definitely wrong.
Doubly so, even.

Code:

https://127.0.0.1/

Localhost does not exist in the SSL variant.
IP addresses cannot have a certificate.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 11:09
by Dreandor
Tobi wrote: Thu 25. Jan 2024, 10:53 This here is definitely wrong.
Doubly so, even.

Code:

https://127.0.0.1/

Localhost does not exist in the SSL variant.
IP addresses cannot have a certificate.

Code:

  GNU nano 5.4                                                                                                               dreandor_de_mc.dreandor.de_https.conf
ProxyPreserveHost On
SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule .* "wss://mc.dreandor.de:8443%{REQUEST_URI}" [P]
SSLCertificateFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.cert.pem
SSLCertificateKeyFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.key.pem

ProxyPass / https://mc.dreandor.de:8143/
ProxyPassReverse / https://mc.dreandor.de:8143/
ProxyRequests off

Apache2 still does not work.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 11:41
by Dreandor
However, when I write the HTTPS directives hard-coded into the vhost file, it works even with IP addresses. As soon as they are loaded via custom_vhosts, the entire panel + Apache2 crashes on me.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 12:45
by Jolinar

Code:

Jan 25 09:14:04 panel.dreandor.de apachectl[212000]: Action 'start' failed.
Jan 25 09:14:04 panel.dreandor.de apachectl[212000]: The Apache error log may have more information.

What does the log file say at that point?

BTW:
Dreandor wrote: Thu 25. Jan 2024, 10:13 In the HTTP directives:

Code:

RewriteEngine on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Why?

You can set that directly via the panel:
Screenshot_65.png

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 14:26
by Dreandor
ErrorLog /var/log/apache2/error.log

Code:

[Thu Jan 25 13:24:01.908306 2024] [mpm_event:notice] [pid 248148:tid 140133451824448] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Jan 25 13:24:01.965148 2024] [ssl:warn] [pid 248148:tid 140133451824448] AH01906: webmail:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 25 13:24:01.965173 2024] [ssl:warn] [pid 248148:tid 140133451824448] AH01909: webmail:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 25 13:24:01.965296 2024] [ssl:error] [pid 248148:tid 140133451824448] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: em>
[Thu Jan 25 13:24:01.965305 2024] [ssl:error] [pid 248148:tid 140133451824448] AH02604: Unable to configure certificate webmail:443:0 for stapling
[Thu Jan 25 13:24:01.965772 2024] [:emerg] [pid 248148:tid 140133451824448] AH00020: Configuration Failed, exiting
[Thu Jan 25 13:25:01.619055 2024] [ssl:warn] [pid 249050:tid 140483355684160] AH01906: webmail:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 25 13:25:01.619113 2024] [ssl:warn] [pid 249050:tid 140483355684160] AH01909: webmail:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 25 13:25:01.619195 2024] [ssl:error] [pid 249050:tid 140483355684160] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: em>
[Thu Jan 25 13:25:01.619201 2024] [ssl:error] [pid 249050:tid 140483355684160] AH02604: Unable to configure certificate webmail:443:0 for stapling
AH00016: Configuration Failed

Errorlog /var/log/apache2/keyhelp/error.log

Code:

[Wed Jan 24 07:30:34.178724 2024] [ssl:warn] [pid 18487:tid 140492828781888] AH01906: panel.dreandor.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 24 07:30:34.178823 2024] [ssl:error] [pid 18487:tid 140492828781888] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: ema>
[Wed Jan 24 07:30:34.178829 2024] [ssl:error] [pid 18487:tid 140492828781888] AH02604: Unable to configure certificate panel.dreandor.de:443:0 for stapling
[Wed Jan 24 07:30:34.188753 2024] [ssl:warn] [pid 18488:tid 140492828781888] AH01906: panel.dreandor.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 24 07:30:34.188843 2024] [ssl:error] [pid 18488:tid 140492828781888] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: ema>
[Wed Jan 24 07:30:34.188849 2024] [ssl:error] [pid 18488:tid 140492828781888] AH02604: Unable to configure certificate panel.dreandor.de:443:0 for stapling
[Wed Jan 24 07:33:37.728358 2024] [ssl:warn] [pid 697:tid 139641325047104] AH01906: panel.dreandor.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 24 07:33:37.728596 2024] [ssl:error] [pid 697:tid 139641325047104] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: email>
[Wed Jan 24 07:33:37.728604 2024] [ssl:error] [pid 697:tid 139641325047104] AH02604: Unable to configure certificate panel.dreandor.de:443:0 for stapling
[Wed Jan 24 07:33:37.740189 2024] [ssl:warn] [pid 737:tid 139641325047104] AH01906: panel.dreandor.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 24 07:33:37.740287 2024] [ssl:error] [pid 737:tid 139641325047104] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: email>
[Wed Jan 24 07:33:37.740293 2024] [ssl:error] [pid 737:tid 139641325047104] AH02604: Unable to configure certificate panel.dreandor.de:443:0 for stapling
[Wed Jan 24 07:34:27.834051 2024] [authz_core:error] [pid 1675:tid 139640048707328] [client 144.126.202.105:54434] AH01630: client denied by server configuration: /home/keyhelp/www/keyhelp/server-status
[Wed Jan 24 13:59:28.653247 2024] [cgid:error] [pid 36799:tid 140517381179136] [client 185.224.128.191:56396] AH01264: script not found or unable to stat: /usr/lib/cgi-bin/jarrewrite.sh

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 16:03
by Florian
Hello,

when the directives are active and the web server is no longer reachable, I would run "apache2ctl configtest".

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 18:31
by Dreandor
Florian wrote: Thu 25. Jan 2024, 16:03 Hello,

when the directives are active and the web server is no longer reachable, I would run "apache2ctl configtest".
Everything seems to be in order

Code:

root@panel:~# apache2ctl configtest
Syntax OK

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 18:38
by Florian
Hello,

and the web server still does not run, or cannot be started?

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 18:57
by Dreandor
Florian wrote: Thu 25. Jan 2024, 18:38 Hello,

and the web server still does not run, or cannot be started?
Exactly. The web server still does not start.

Code:

root@panel:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-01-25 18:57:01 CET; 1s ago
    Process: 4297 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
        CPU: 14ms

Jan 25 18:57:01 panel.dreandor.de systemd[1]: Starting The Apache HTTP Server...
Jan 25 18:57:01 panel.dreandor.de apachectl[4297]: Action 'start' failed.
Jan 25 18:57:01 panel.dreandor.de apachectl[4297]: The Apache error log may have more information.
Jan 25 18:57:01 panel.dreandor.de systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Jan 25 18:57:01 panel.dreandor.de systemd[1]: apache2.service: Failed with result 'exit-code'.
Jan 25 18:57:01 panel.dreandor.de systemd[1]: Failed to start The Apache HTTP Server.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 19:01
by Florian
and what is in /var/log/apache2/error.log directly after the start attempt

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 19:03
by Dreandor
Florian wrote: Thu 25. Jan 2024, 19:01 and what is in /var/log/apache2/error.log directly after the start attempt

Code:

root@panel:~# systemctl start apache2
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

Code:

[Thu Jan 25 19:02:48.251904 2024] [ssl:warn] [pid 5137:tid 140109540576576] AH01906: webmail:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 25 19:02:48.251967 2024] [ssl:warn] [pid 5137:tid 140109540576576] AH01909: webmail:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 25 19:02:48.252046 2024] [ssl:error] [pid 5137:tid 140109540576576] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=info@keyhelp.de,CN=panel.dreandor.de,OU=KeyHelp Control Panel,O=KeyHelp,L=Erfurt,ST=Thuringia,C=DE / issuer: emai>
[Thu Jan 25 19:02:48.252052 2024] [ssl:error] [pid 5137:tid 140109540576576] AH02604: Unable to configure certificate webmail:443:0 for stapling
AH00016: Configuration Failed

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 19:13
by Florian
Hello,

please send logins via PM, I will have to take a look myself then.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel

Posted: Thu 25. Jan 2024, 19:43
by Dreandor
Florian wrote: Thu 25. Jan 2024, 19:13 Hello,

please send logins via PM, I will have to take a look myself then.
I have sent them to you.

Re: HTTPS directives on a subdomain lead to Connection Refused on the KH panel  [SOLVED]

Posted: Thu 25. Jan 2024, 20:38
by Dreandor
Thanks to Florian's help it works again.

It was due to
SSLCertificateFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.cert.pem
SSLCertificateKeyFile /var/opt/minecraft/crafty/crafty-4/app/config/web/certs/commander.key.pem

When I remove those two, it works again.
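
Added example, not part of the thread or of KeyHelp: in the thread, apache2ctl configtest reported Syntax OK while the start still failed, and removing the two SSLCertificate* lines from the HTTPS directives resolved it. The shell sketch below lists server-certificate directives in a custom directive snippet and summarises which vhost ids mod_ssl complained about in an error log and whether the start was aborted. Function names are hypothetical, and the snippet and log lines are constructed samples modelled on the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample snippet and log lines below are constructed for illustration.

# List "line:directive" for server-certificate directives in a custom
# directive snippet read from stdin. These set the vhost's own certificate,
# not anything about the proxied backend connection.
cert_overrides() {
    grep -niE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' |
        sed -E 's/^([0-9]+):[[:space:]]*([^[:space:]]+).*/\1:\2/'
}

# Summarise an Apache error log read from stdin: one line per vhost id
# (name:port:index) with the mod_ssl AH codes logged for it.
ssl_complaints() {
    sed -nE \
        -e 's/.*\] (AH[0-9]+): ([^ ]+:[0-9]+:[0-9]+) server certificate .*/\2 \1/p' \
        -e 's/.*\] (AH[0-9]+): Unable to configure certificate ([^ ]+:[0-9]+:[0-9]+) .*/\2 \1/p' |
        sort -u |
        awk '{ if ($1 in c) c[$1] = c[$1] "," $2; else c[$1] = $2 }
             END { for (v in c) print v, c[v] }' | sort
}

# Succeeds if the log on stdin records an aborted start or restart.
config_failed() {
    grep -qE 'AH000(16|20): Configuration Failed'
}

# Constructed snippet: reverse-proxy directives plus two server-cert lines.
SNIPPET='ProxyPreserveHost On
SSLProxyEngine On
SSLCertificateFile /path/to/backend.cert.pem
SSLCertificateKeyFile /path/to/backend.key.pem
ProxyPass / https://127.0.0.1:8443/'

# Constructed log lines (timestamps shortened to "[ts]").
LOG='[ts] [ssl:warn] [pid 1:tid 1] AH01906: webmail:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ts] [ssl:warn] [pid 1:tid 1] AH01909: webmail:443:0 server certificate does NOT include an ID which matches the server name
[ts] [ssl:error] [pid 1:tid 1] AH02604: Unable to configure certificate webmail:443:0 for stapling
AH00016: Configuration Failed'

printf '%s\n' "$SNIPPET" | cert_overrides
printf '%s\n' "$LOG" | ssl_complaints
printf '%s\n' "$LOG" | config_failed && echo "start aborted: Configuration Failed"
```

The AH codes listed per vhost id are only what mod_ssl logged; the same warnings appear in the panel's own error log above, so the summary narrows down where to look rather than naming the cause.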