ISPConfig 3.1.1p1 LetsEncrypt certs problems

Hello

IspConfig LetsEncrypt (LE) has strange behavior since a few days.

When I created firsts LE certs via ISPconfig all works fine.

But a cascade a bugs occured :

  • Wrong certs was presented on https requests (another ISPconfig website cert, not the cert. atached to the requested URL host)

  • Certificate generation seems now completely broken :
    ***.net-le.bundle ***.net-le.crt ***.net-le.key
    are created in /var/www/***.net/ssl
    but ISPconfig SSL and LE checkboxes switched unchecked and https://www.***.net attempts show this message:

An error occurred during a connection to www.***.net. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Any idea ?

I installed certbot and generated a cert for a non-ispconfig domain for SMTP SSL. I dont know if the installation of certbot can disturb or not LE.

I do think it’s possible that there’s a conflict between Certbot and IspConfig LE; after all, Certbot tries to edit web server configurations directly (if you ask it to). Maybe IspConfig LE does so as well and they’re making incompatible changes?

The SSL_ERROR_RX_RECORD_TOO_LONG almost always means that your web server is speaking HTTP, instead of HTTPS, on port 443. Various kinds of web server misconfiguration can cause this, like adding a directive to listen on port 443 without adding a corresponding directive to say that the listener should use HTTPS.

In fact I installed Certbot because I was a problem with phpMailer and SSL / SMTP (invalid certificate). I have followed this guide :

https://techish.net/linux/ispconfig-dovecot-postfix-and-letsencrypt-ssl/

and this problem was resolved for phpMailer.

I don’t know if this resolution caused another problem… Theorically the modifications of this guide concerns only mail server (Dovecot, Postfix) isnt’it ?

UPDATE: I finally removed the website from ISPconfig and recreated the same website. No more error message for this domain but, see below…

When an ISPconfig (version 3.1.1) website has a LE certificate (domain1.com) and another (domain2.com) one hasn’t LE certificate https://domain2.com connexion attempt says :

“domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com, www.domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN”

This bug(?) or misconfiguration(?) always occurs on my IPSconfig server.

valid certificate announced by Firefox is always the last LE certificate created from ISPconfig.

For example if I create a cert. for domain3.com, the browser message will be:

“domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain3.com, www.domain3.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN”

But currently domain2.com has not LE certificate (from ISPconfig admin).

Is it “normal” ?

What should be occur if there is an https connexion attempt for a website without LE certificate ? A Not found page or a warning with a certificate corresponding to another ISPconfig website ?

I have 2 hypothesis :

1/ An ISPconfig configuration problem with wrong certificate path (however I have never modified any ISPconfig templates or vhost files)

2/ A problem due to LE certificates and files still remaining and living after having unchecked LE SSL checkbox in ISPConfig

Solution: don’t surf manually with https:// to a site which isn’t configured for TLS.

Yes, pretty much.

That depends how you have set things up. Typically there is a default SSL set up - which would normally be the server name. If not, then it's going to be one of the other domains with an SSL configured. Basically your server is listening on https - so will respond. Of course if the cert for your server name doesn't match the domain name you'll still get an error of the certificate not matching.

As @Osiris says, the solution is not to go to a domain which doesn't have https:// set up ... or add a correct Cert and configuration for all domains :slight_smile:

This all is a side effect of a method called Server Name Indication, which is used to host multiple TLS sites on just one IP address.

If you’ve got plenty of IP(v4) addresses around (probably not) or your site is IPv6 only, you can also configure a webserver so every host has its own IP address. That way you could prevent your webserver to listen on port 443 (TLS) for hosts which don’t have TLS configured.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.