
Author Topic: Let's Encrypt and Hiawatha TLS config broken  (Read 8332 times)


fossxplorer
Let's Encrypt and Hiawatha TLS config broken
« on: 2016-07-19, 11:22:46 »
When a client uses the Kloxo UI to add an LE cert for a domain, your scripts don't add a .pem file at /home/kloxo/ssl/example.com.pem, which Kloxo's Hiawatha config requires:
[root@mail ~]# cat /opt/configs/hiawatha/conf/proxies/example.com.conf | grep TLScertFile| tail -n1
   TLScertFile = /home/kloxo/ssl/example.com.pem


Also, now on another subdomain, the TLS config of Hiawatha seems totally wrong:
[root@mail ~]# cat /opt/configs/hiawatha/conf/proxies/subdomain.example.com.conf | grep TLScertFile| tail -n1
   TLScertFile = /home/kloxo/ssl/eth0_0___localhost.pem

eth0_0___localhost.pem should have been subdomain.example.com.pem!



Kloxo-MR!
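A small audit script for the two faults reported above (TLScertFile pointing at a PEM that does not exist, and TLScertFile pointing at the wrong PEM such as eth0_0___localhost.pem). This is an added example, not Kloxo-MR's own code: the directory names are the ones quoted in the post, and the mapping <domain>.conf -> /home/kloxo/ssl/<domain>.pem is an assumption drawn from the two examples there.

```shell
#!/bin/sh
# Added example (not Kloxo-MR code): audit Hiawatha vhost configs generated
# by Kloxo-MR for a TLScertFile that is missing on disk or names the wrong PEM.
# Directory defaults come from the post; the <domain>.conf -> <domain>.pem
# mapping is an assumption.
CONF_DIR="${CONF_DIR:-/opt/configs/hiawatha/conf/proxies}"
SSL_DIR="${SSL_DIR:-/home/kloxo/ssl}"

# Last TLScertFile value in one config. The post uses 'tail -n1' because the
# directive can appear more than once; the last one is the effective one.
tls_cert_file() {
    sed -n 's/^[[:space:]]*TLScertFile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1
}

# Report one vhost: NOTLS / WRONG / MISSING / OK. Returns non-zero on a problem.
check_vhost() {
    conf="$1"
    domain=$(basename "$conf" .conf)
    cert=$(tls_cert_file "$conf")
    expected="$SSL_DIR/$domain.pem"
    if [ -z "$cert" ]; then
        printf 'NOTLS    %s\n' "$domain"; return 1
    elif [ "$cert" != "$expected" ]; then
        printf 'WRONG    %s -> %s (expected %s)\n' "$domain" "$cert" "$expected"; return 1
    elif [ ! -s "$cert" ]; then
        printf 'MISSING  %s -> %s\n' "$domain" "$cert"; return 1
    fi
    printf 'OK       %s -> %s\n' "$domain" "$cert"
}

# For a PEM that does exist, print the subject and SAN list, so a path that
# looks right but holds a certificate for other names is caught as well.
cert_names() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//p;}'
}

# Walk every vhost config; exit status is non-zero if any vhost is broken.
audit_all() {
    rc=0
    for f in "$CONF_DIR"/*.conf; do
        [ -e "$f" ] || continue
        check_vhost "$f" || rc=1
    done
    return $rc
}

# Run as a script: audit the live directory, then show the names inside each
# PEM that exists.
if [ -d "$CONF_DIR" ]; then
    audit_all
    for f in "$CONF_DIR"/*.conf; do
        [ -e "$f" ] || continue
        c=$(tls_cert_file "$f")
        [ -s "$c" ] && { echo "$c:"; cert_names "$c"; }
    done
fi
```

Run it as root after adding a certificate in the UI; any WRONG or MISSING line is a vhost whose Hiawatha config will fail to load TLS, and the cert_names output shows whether the PEM that is present actually covers the domain.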

MRatWork (Administrator)
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #1 on: 2016-07-19, 12:01:07 »
Make sure you are using the latest Kloxo-MR 7.0 and always run 'sh /script/cleanup' after 'yum update'.

Let's Encrypt may not work to create SSL if the website uses a redirect (let's say non-www to www). Also, no 'A record' (the same IP as '__base__', aka non-www) for www, cp and webmail in the DNS settings.
« Last Edit: 2016-07-19, 12:02:50 by MRatWork »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
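A preflight for the two conditions named in the reply above, added here as an example and not Kloxo-MR's own code. It assumes the bare domain is the '__base__' name, that www, cp and webmail are the sub-names to compare against it, and probes a made-up token under /.well-known/acme-challenge/ without following redirects; `dig` and `curl` must be installed for the live functions.

```shell
#!/bin/sh
# Added example (not Kloxo-MR code): check that www/cp/webmail resolve to the
# same A record as the bare domain, and see what the HTTP-01 challenge path
# does on port 80 (served, redirected to the same host, or sent elsewhere).
# The sub-name list and the probe path are assumptions.

# A records for a name, one per line (empty output = no record).
resolve_a() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Do the sub-names share the bare domain's IP? One line per name; returns
# non-zero if any name has no record or points elsewhere.
dns_preflight() {
    base="$1"; rc=0
    base_ip=$(resolve_a "$base" | head -n1)
    [ -n "$base_ip" ] || { printf 'NOREC  %s\n' "$base"; return 1; }
    for sub in www cp webmail; do
        name="$sub.$base"
        ip=$(resolve_a "$name" | head -n1)
        if [ -z "$ip" ]; then
            printf 'NOREC  %s\n' "$name"; rc=1
        elif [ "$ip" != "$base_ip" ]; then
            printf 'DIFF   %s -> %s (base %s)\n' "$name" "$ip" "$base_ip"; rc=1
        else
            printf 'OK     %s -> %s\n' "$name" "$ip"
        fi
    done
    return $rc
}

# Classify the challenge URL from the status code and Location header.
# 404 is fine here: the probe token does not exist, the point is that this
# vhost answers for the path itself instead of bouncing the validator away.
classify_challenge() {
    host="$1"; code="$2"; location="$3"
    case "$code" in
        200|404) echo "served";;
        301|302|307|308)
            target=$(printf '%s' "$location" | sed -n 's#^https\{0,1\}://\([^/:]*\).*#\1#p')
            case "$target" in
                "$host") echo "redirect-same-host";;
                *)       echo "redirect-off-host:$target";;
            esac;;
        *) echo "unexpected:$code";;
    esac
}

# Live probe: HEAD the challenge path over plain HTTP, no redirect following.
challenge_preflight() {
    host="$1"
    url="http://$host/.well-known/acme-challenge/preflight-probe"
    hdrs=$(curl -sS -I -m 10 "$url" 2>/dev/null) || { echo "unreachable"; return 1; }
    code=$(printf '%s\n' "$hdrs" | sed -n '1s#^HTTP/[0-9.]* \([0-9]*\).*#\1#p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | tr -d '\r' | head -n1)
    classify_challenge "$host" "$code" "$location"
}
```

Usage: `dns_preflight example.com; for h in example.com www.example.com; do echo "$h: $(challenge_preflight $h)"; done`. A DIFF or NOREC line means the validator will reach a different server (or none) for that name, and a redirect-off-host result means the challenge path is caught by the site-wide redirect and the target vhost, not this one, must serve the token.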

fossxplorer
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #2 on: 2016-07-19, 13:30:55 »
Just updated, and cleanup crashes Hiawatha. Any tips?

*** Restart services - BEGIN ***

Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
-------------------------------------------------------------------

Stopping httpry:                                           [FAILED]
Starting httpry:                                           [  OK  ]
-------------------------------------------------------------------

Shutting down MySQL... SUCCESS!
Starting MySQL.. SUCCESS!
-------------------------------------------------------------------

Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
-------------------------------------------------------------------

Stopping php56m-fpm (PHP Used):                            [  OK  ]
Starting php56m-fpm (PHP Used):                            [  OK  ]
-------------------------------------------------------------------

Stopping php54m-fpm (Multiple Php):                        [  OK  ]
Stopping php55m-fpm (Multiple Php):                        [  OK  ]
Stopping php56m-fpm (Multiple Php):                        [  OK  ]
Stopping php70m-fpm (Multiple Php):                        [  OK  ]

Starting php54m-fpm (Multiple Php):                        [  OK  ]
Starting php55m-fpm (Multiple Php):                        [  OK  ]
Starting php56m-fpm (Multiple Php):                        [  OK  ]
Starting php70m-fpm (Multiple Php):                        [  OK  ]
-------------------------------------------------------------------

Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
-------------------------------------------------------------------

Stopping Hiawatha web server:                              [FAILED]
Starting Hiawatha web server: /bin/bash: line 1:   450 Segmentation fault      /usr/sbin/hiawatha -c /etc/hiawatha
                                                           [FAILED]
-------------------------------------------------------------------

Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

MRatWork (Administrator)
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #3 on: 2016-07-19, 13:33:59 »
Use latest upload (2016071802) and then run 'sh /script/cleanup'.

For your issue, go to 'switch program', try selecting lighttpd, and then change back to the original.

fossxplorer
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #4 on: 2016-07-19, 13:41:18 »
I'm using 2016071802.
But there is no point in switching, since the problem is the hiawatha binary:
[root@mail ~]# hiawatha -c /etc/hiawatha/
Segmentation fault
[root@mail ~]# dmesg | grep hiawatha
hiawatha[2470]: segfault at 0 ip 00007fdf5a0b38ca sp 00007ffebc54f3b8 error 4 in libc-2.12.so[7fdf5a034000+18a000]
hiawatha[2603]: segfault at 0 ip 00007f9e541198ca sp 00007ffe5688def8 error 4 in libc-2.12.so[7f9e5409a000+18a000]
[root@mail ~]#



Did a 'yum downgrade hiawatha -y', same issue.
 



fossxplorer
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #5 on: 2016-07-19, 14:10:49 »
I switched to Nginx. Now I'm getting issues:

Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
-------------------------------------------------------------------

Stopping php56m-fpm (PHP Used):                            [  OK  ]
Starting php56m-fpm (PHP Used): Failed loading /opt/php56m/usr/lib64/php/modules/opt/php56m/opcache.so:  /opt/php56m/usr/lib64/php/modules/opt/php56m/opcache.so: cannot open shared object file: No such file or directory
                                                           [  OK  ]
-------------------------------------------------------------------

Stopping php54m-fpm (Multiple Php):                        [  OK  ]
Stopping php55m-fpm (Multiple Php):                        [  OK  ]
Stopping php56m-fpm (Multiple Php):                        [  OK  ]
Stopping php70m-fpm (Multiple Php):                        [  OK  ]

Starting php54m-fpm (Multiple Php):                        [  OK  ]
Starting php55m-fpm (Multiple Php):                        [  OK  ]
Starting php56m-fpm (Multiple Php): Failed loading /opt/php56m/usr/lib64/php/modules/opt/php56m/opcache.so:  /opt/php56m/usr/lib64/php/modules/opt/php56m/opcache.so: cannot open shared object file: No such file or directory
                                                           [  OK  ]
Starting php70m-fpm (Multiple Php):                        [  OK  ]
-------------------------------------------------------------------

Stopping spawn-fcgi:                                       [FAILED]
Starting spawn-fcgi:                                       [FAILED]
-------------------------------------------------------------------

Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
-------------------------------------------------------------------

Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
-------------------------------------------------------------------

Also, your new changes for DoS protection are creating too many problems with max connections per IP.
Where can I customize it? I need to raise the value, as we host cloud systems with many req/s, much more than 10 r/s.
 
« Last Edit: 2016-07-19, 14:26:17 by fossxplorer (formerly 'Mella') »

MRatWork (Administrator)
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #6 on: 2016-07-19, 15:22:56 »
Try reinstall phpm with 'sh /script/phpm-all-install -y'.

fossxplorer
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #7 on: 2016-07-19, 15:26:57 »
I fixed the PHP opcache.so issue by editing /opt/php56m/etc/php.d/10-opcache.ini and changing

zend_extension=/opt/....... to just opcache.so.

But now I need to know how I can customize limit_conn and limit_req in Nginx. Your values are too low for our apps.


MRatWork (Administrator)
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #8 on: 2016-07-19, 15:34:29 »
limit_conn and limit_req are related to protecting against 'DDOS' attacks.

fossxplorer
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #9 on: 2016-07-19, 15:44:38 »
Yes, correct, and I'm using Nginx with such settings on many of our non-Kloxo servers :)
But your settings actually bring DoS to our sites :)
We are running a SaaS cloud, and they often need 200-300 connections per IP :)

Anyway, I have changed this in the files inside /opt/configs/nginx/conf/globals/*.conf, but will they be overwritten by the next update or cleanup etc.?
I need this to be permanent!




MRatWork (Administrator)
Re: Let's Encrypt and Hiawatha TLS config broken
« Reply #10 on: 2016-07-19, 16:25:09 »
Copy all php-fpm*.conf and proxy*.conf to custom.php-fpm*.conf and custom.proxy*.conf, and then modify all the custom files. After that, run 'sh /script/fixweb; sh /script/restart-web -y'.

This is 'customize rule' in Kloxo-MR.
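The 'customize rule' from the reply above, applied to the limit_conn/limit_req question from earlier in the thread, as an added example and not Kloxo-MR's own script. The directory is the one fossxplorer named; that the generated files contain plain nginx `limit_conn`, `limit_req_zone ... rate=Nr/s` and `limit_req ... burst=N` directives is an assumption, so check the custom copies with `current_limits` before restarting.

```shell
#!/bin/sh
# Added example (not Kloxo-MR code): copy the generated php-fpm*.conf and
# proxy*.conf to custom.* siblings (per the reply, only the custom copies
# survive fixweb/cleanup), raise the nginx per-IP limits in the copies, then
# regenerate and restart. Directory and directive shapes are assumptions.
GLOBALS_DIR="${GLOBALS_DIR:-/opt/configs/nginx/conf/globals}"

# Create custom.<name> next to each generated file. Never overwrite an
# existing custom copy: that would throw away earlier local changes.
# Prints how many copies were created.
make_custom_copies() {
    dir="$1"; n=0
    for f in "$dir"/php-fpm*.conf "$dir"/proxy*.conf; do
        [ -e "$f" ] || continue
        c="$dir/custom.$(basename "$f")"
        [ -e "$c" ] || { cp -p "$f" "$c"; n=$((n + 1)); }
    done
    echo "$n"
}

# Rewrite the three knobs in one file:
#   limit_conn <zone> N;           per-IP concurrent connections
#   rate=Nr/s  (limit_req_zone)    sustained requests per second per IP
#   burst=N    (limit_req)         how far above the rate a client may spike
raise_limits() {
    f="$1"; conn="$2"; rate="$3"; burst="$4"
    sed -e "s/^\([[:space:]]*limit_conn[[:space:]]\{1,\}[^[:space:];]\{1,\}[[:space:]]\{1,\}\)[0-9]\{1,\};/\1$conn;/" \
        -e "s/rate=[0-9]\{1,\}r\/s/rate=${rate}r\/s/" \
        -e "s/burst=[0-9]\{1,\}/burst=$burst/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Read back the effective values ("conn=N rate=N burst=N", in file order).
current_limits() {
    sed -n -e 's/^[[:space:]]*limit_conn[[:space:]]\{1,\}[^[:space:];]\{1,\}[[:space:]]\{1,\}\([0-9]\{1,\}\);.*/conn=\1/p' \
           -e 's/.*rate=\([0-9]\{1,\}\)r\/s.*/rate=\1/p' \
           -e 's/.*burst=\([0-9]\{1,\}\).*/burst=\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Apply to every custom copy, then regenerate and restart exactly as the
# reply says. Set DRY_RUN=1 to stop before touching the running server.
customize_limits() {
    dir="$1"; conn="$2"; rate="$3"; burst="$4"
    make_custom_copies "$dir" >/dev/null
    for c in "$dir"/custom.php-fpm*.conf "$dir"/custom.proxy*.conf; do
        [ -e "$c" ] || continue
        raise_limits "$c" "$conn" "$rate" "$burst"
    done
    [ "${DRY_RUN:-0}" = 1 ] || { sh /script/fixweb; sh /script/restart-web -y; }
}
```

For the 200-300 connections per IP mentioned earlier, something like `customize_limits "$GLOBALS_DIR" 300 100 500` keeps the zones in place (so an abusive single IP is still capped) while lifting the ceiling for the SaaS front ends; the generated originals are left untouched, which is what makes the change survive the next cleanup.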

 

