07-29-2018, 06:01 PM   #1
Question SSL Roundcube / phpMyAdmin & www-root

Hello,

I have a few questions about ISPmanager.

1. (Solved) When I request a certificate for the control panel (Let's Encrypt), it is not used by phpMyAdmin and Roundcube. I receive a 'random' certificate from a hosted website. The solution is now to create a new www-domain with the same domain name and Let's Encrypt.

Addition: The workaround (www-domain for roundcube/phpmyadmin) provides the following results on ssllabs.com after scanning "customer domain names."
Certificate #1: RSA 2048 bits (SHA256withRSA)
Everything = correct.

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
Alternative names ispmgrcp.url.com MISMATCH

What is the best solution for Roundcube and phpMyAdmin without this workaround? I don't like the 'mismatch' error.

Update 30-07-2018:

What I did to fix the error:
1. Add ispurl.domain.com to www-domains.
2. Do not enable SSL/Let's Encrypt to prevent issues with SSL Labs!
3. Only virtualhost 80 is present in apache/nginx.
4. Add the following code to nginx.conf to fix the SNI/Cert errors:
Code:
server {
        server_name ispurl.domain.com ;
        # Certificate and key of the control panel itself
        ssl_certificate "/usr/local/mgr5/etc/manager.crt";
        ssl_certificate_key "/usr/local/mgr5/etc/manager.key";
        ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header Strict-Transport-Security "max-age=31536000;";
        ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
        charset off;
        disable_symlinks if_not_owner from=$root_path;
        include /etc/nginx/vhosts-includes/*.conf;
        include /etc/nginx/vhosts-resources/ispurl.domain.com/*.conf;
        access_log /var/www/httpd-logs/ispurl.domain.com.access.log;
        error_log /var/www/httpd-logs/ispurl.domain.com.error.log notice;
        ssi on;
        set $root_path /var/www/user/data/www/ispurl.domain.com;
        root $root_path;
        # TLS is enabled per socket with the "ssl" listen parameter
        # (the standalone "ssl on;" directive is deprecated)
        listen 5.9.106.248:443 ssl http2;
        location / {
                # PHP requests always go to the backend
                location ~ [^/]\.ph(p\d*|tml)$ {
                        try_files /does_not_exists @fallback;
                }
                # Static files are served by nginx when present
                location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
                        try_files $uri $uri/ @fallback;
                }
                location / {
                        try_files /does_not_exists @fallback;
                }
        }
        # Backend web server (Apache) on the loopback interface
        location @fallback {
                proxy_pass http://127.0.0.1:8080;
                proxy_redirect http://127.0.0.1:8080 /;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                access_log off;
        }
}
5. Problem solved.
6. The SNI / Wrong certificate message is still there when scanning ispurl.domain.com. The problem is reversed. I get the error with customer certificates when scanning ispurl.domain.com. Problem has been solved for customer domain scans.
'Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI'

Unanswered:
2. During the test, I saw the www-root account in the control panel. What is the default password for this account or can I find this in the logging?

@Admins do you want to enable SSL everywhere by default in the next update? Think of Roundcube / phpMyAdmin?

Thank you in advance.

Last edited by TomvB; 07-30-2018 at 07:51 PM.
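
Added example (not part of the original post): the reversed "No SNI" mismatch described in the update is what nginx's server selection produces when several names share one IP:443 socket, because a handshake without SNI is answered by the `default_server` block or, if none is marked, by the first block defined for that socket. The Python sketch below models that rule with exact-match `server_name` only; the hostnames, the 203.0.113.10 address and the function names are constructed for illustration.

```python
"""Simplified model of nginx certificate selection on a shared IP:443 socket."""

# Constructed server blocks, in config-file order (not taken from the post).
VHOSTS = [
    {"listen": "203.0.113.10:443", "server_names": ["shop.example"],
     "cert_names": ["shop.example", "www.shop.example"], "default_server": False},
    {"listen": "203.0.113.10:443", "server_names": ["panel.example"],
     "cert_names": ["panel.example"], "default_server": False},
]


def select_vhost(vhosts, listen, sni=None):
    """Pick the server block that answers a TLS handshake on `listen`."""
    candidates = [v for v in vhosts if v["listen"] == listen]
    if not candidates:
        raise LookupError(f"nothing listens on {listen}")
    if sni:
        for v in candidates:
            if sni.lower() in v["server_names"]:
                return v
    # No SNI, or no server_name matched: an explicit default_server wins,
    # otherwise the first block defined for this socket.
    return next((v for v in candidates if v["default_server"]), candidates[0])


def cert_covers(cert_names, hostname):
    """True if any certificate name matches, allowing a one-label wildcard."""
    host = hostname.lower()
    for name in cert_names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def no_sni_mismatches(vhosts):
    """List (listen, hostname) pairs whose no-SNI handshake returns a foreign cert."""
    findings = []
    for v in vhosts:
        fallback = select_vhost(vhosts, v["listen"], sni=None)
        for host in v["server_names"]:
            if not cert_covers(fallback["cert_names"], host):
                findings.append((v["listen"], host))
    return findings


if __name__ == "__main__":
    print(no_sni_mismatches(VHOSTS))
```

Marking a different block as `default_server` moves the mismatch to the other hostnames on the socket; it disappears only when the fallback certificate covers every name served there or each name has its own IP address.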