07-29-2018, 06:01 PM   #1
TomvB
Junior Member
Join Date: Jul 2018
Posts: 2
Question SSL Roundcube / phpMyAdmin & www-root

Hello,

I have a few questions about ISPmanager.

1. (Solved) When I request a certificate for the control panel (Let's Encrypt), it is not used by phpMyAdmin and Roundcube. I receive a 'random' certificate from a hosted website. The solution is now to create a new www-domain with the same domain name and Let's Encrypt.

Addition: The workaround (www-domain for roundcube/phpmyadmin) provides the following results on ssllabs.com after scanning "customer domain names."
Certificate #1: RSA 2048 bits (SHA256withRSA)
Everything = correct.

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
Alternative names ispmgrcp.url.com MISMATCH

What is the best solution for Roundcube and phpMyAdmin without this workaround? I don't like the 'mismatch' error.

Update 30-07-2018:

What I did to fix the error:
1. Add ispurl.domain.com to www-domains.
2. Do not enable SSL/Let's Encrypt to prevent issues with SSL Labs!
3. Only virtualhost 80 is present in apache/nginx.
3. Add the following code to nginx.conf to fix the SNI/Cert errors:
Code:
server {
        server_name ispurl.domain.com ;
        ssl on;
        ssl_certificate "/usr/local/mgr5/etc/manager.crt";
        ssl_certificate_key "/usr/local/mgr5/etc/manager.key";
        ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header Strict-Transport-Security "max-age=31536000;";
        ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
        charset off;
        disable_symlinks if_not_owner from=$root_path;
        include /etc/nginx/vhosts-includes/*.conf;
        include /etc/nginx/vhosts-resources/ispurl.domain.com/*.conf;
        access_log /var/www/httpd-logs/ispurl.domain.com.access.log;
        error_log /var/www/httpd-logs/ispurl.domain.com.error.log notice;
        ssi on;
        set $root_path /var/www/user/data/www/ispurl.domain.com;
        root $root_path;
        listen 5.9.106.248:443 http2;
        location / {
                location ~ [^/]\.ph(p\d*|tml)$ {
                        try_files /does_not_exists @fallback;
                }
                location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
                        try_files $uri $uri/ @fallback;
                }
                location / {
                        try_files /does_not_exists @fallback;
                }
        }
        location @fallback {
                proxy_pass http://127.0.0.1:8080;
                proxy_redirect http://127.0.0.1:8080 /;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                access_log off;
        }
}
4. Problem solved.
5. The SNI / Wrong certificate message is still there when scanning ispurl.domain.com. The problem is reversed. I get the error with customer certificates when scanning ispurl.domain.com. Problem has been solved for customer domain scans.
'Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI'

Unanswered:
2. During the test, I saw the www-root account in the control panel. What is the default password for this account or can I find this in the logging?

@Admins do you want to enable SSL everywhere by default in the next update? Think of Roundcube / phpMyAdmin?

Thank you in advance.

Last edited by TomvB; 07-30-2018 at 07:51 PM.
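Added illustration (not part of the thread and not ISPmanager code): a small Python model of how nginx chooses the certificate for a TLS handshake when several server blocks share one address:port, which is why a scan without SNI, or a hostname with no matching server_name, is answered with another site's certificate. The 192.0.2.10 address, the *.example vhosts and the function names are assumptions; the input is assumed to be a vhost file with server blocks at top level, and only exact and leading-wildcard names are modelled.

```python
import re

# Constructed sample (not from the thread): two customer vhosts plus the panel
# hostname on one address:port. 192.0.2.10 and the *.example names are made up.
SAMPLE = """
server { listen 192.0.2.10:443 ssl; server_name shop.example www.shop.example;
         ssl_certificate /etc/ssl/shop.example.crt; }
server { listen 192.0.2.10:443 ssl; server_name blog.example;
         ssl_certificate /etc/ssl/blog.example.crt; }
server { listen 192.0.2.10:443 ssl; server_name ispurl.domain.com;
         ssl_certificate "/usr/local/mgr5/etc/manager.crt"; }
"""

def parse_servers(conf):
    """Return one dict per top-level server{} block, in file order."""
    servers, depth, start = [], 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                body = conf[start:i]
                listen = re.search(r"\blisten\s+([^;]+);", body).group(1).split()
                names = re.search(r"\bserver_name\s+([^;]+);", body).group(1).split()
                cert = re.search(r'\bssl_certificate\s+"?([^";]+)"?;', body).group(1)
                servers.append({"listen": listen[0], "names": names, "cert": cert,
                                "default": "default_server" in listen[1:]})
    return servers

def served_cert(servers, listen, sni=None):
    """Certificate nginx presents on `listen` for a ClientHello carrying `sni`."""
    pool = [s for s in servers if s["listen"] == listen]
    if sni:
        sni = sni.lower()
        for s in pool:                      # exact names win over wildcards
            if sni in s["names"]:
                return s["cert"]
        for s in pool:                      # leading-wildcard names: *.example
            if any(n.startswith("*.") and sni.endswith(n[1:]) for n in s["names"]):
                return s["cert"]
    # No SNI, or no server_name matched: the default server for this socket,
    # i.e. the block flagged default_server, else the first one defined.
    default = next((s for s in pool if s["default"]), pool[0])
    return default["cert"]
```

Calling `served_cert(parse_servers(SAMPLE), "192.0.2.10:443")` with no SNI returns the first customer certificate; adding `default_server` to the panel block's `listen` line makes the panel certificate the fallback instead.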
08-21-2018, 06:13 AM   #2
ksenya
ISPsystem team
Join Date: Jul 2014
Posts: 443

Hello

Please refer to this article https://doc.ispsystem.com/index.php/..._panel_address
After you configure the panel as described in this article, you won't have issues with the web-applications, control panel, and SSL.
All times are GMT +2.