Hi,
can you connect to the server via an external browser using the server name or ipaddress?
no. all services that use https \ http access do not work. sabma and AD work fine.
https://04.vpn.rozkrolik.ru:8888/owncloud
https://04.vpn.rozkrolik.ru:8888
When I try to add this address to the desctop client owncloud, I get the “Connection refused” error. So the server works, but rejects connections.
root@ucs:/etc/univention/ssl/ucs# date
oct 19 17:09:21 MSK 2017
The rollback of the backup did not help. Now I remember that I tried to create a new certificate (but I do not remember that I accepted the changes), two months ago (uptime of the server is 90 days). And the reboot did just now. After that, probably, some changes came into force. How can I fix the problem?
дек = december
авг = august
окт = october
июн = june
июл = jule
ps
I have a backup for July. I’m now deploying it to a separate virtual machine. I am sure that there still should work. it can be possible to extract some data from it to replace it in the latest version?
Backup for July is working. Can this somehow help fix the problem in the production version? (I absolutely did not accept any changes to the root certificate editing, I did not find any more options for the operation of certificates and management system.) Maybe the problem is with the installation of RADIUS?
is there any solution? do you have any idea?
As you said you “tried to create a new certificate”, did you mean for Apache or for the system? Because /etc/univention/ssl/ucs/cert.pem is Apache, while /etc/univention/ssl/ucsCA/ is for the root-CA certificate. In your screenshots I saw both.
Apache will not start if there is something broken, i.e. if the certificate is empty or invalid. You can find possible errors in the logfile /var/log/apache2/error.log
You may take a look at Renewing the complete SSL certificate chain and Renewing the SSL certificates
Maybe there is also a firewall problem, because at Port 80 a nginx is answering and Port 8888 is in “State closed”.
With the certificate files all right, I tried to replace them from the working July backup. It did not help. The apache log is interrupted after the server is rebooted (19 oct ~14.00), after which problems begin.
About certificate replacement:
I saw what opportunities there are in the management console. I wanted to understand how to make a certified certificate. Then I saw this letter:
New in App Center: Let’s Encrypt + ZuluDesk
Alice Horstmann - Univention
newsletter@univention.de
and installed after that Let’s Encrypt
These are all actions, as far as I remember, which I made with certificates.
it`s all. I think the problem is in the lets encrypt… :
@
The following services are already integrated:
Apache
Postfix
Dovecot
@
?
It seems that you installed let’s encrypt from the app center. Hopefully we can find the reason for the problem:
- First of all, take a look at the “Troubleshooting” section at Let’s encrypt - Wiki → that means to unset the mentiond apache2 ucr values to its default. Afterwards Apache should be run again. (service apache start)
- Next, very that port 80 is redirected to your UCS server, to let the certificate signing request pass through → This means http://04.vpn.rozkrolik.ru/.well-known must be accessible (but at the moment I see nginx there)
- Please verify that you configure let’s encrypt after installing from the app center. Which means in the “App Settings” of let’s encrypt to enter your domain and which services should be provided → A minimal setting would by Apache.
- Also there is a logfile for let’s encrypt in
/var/log/univention/letsencrypt.logIf the certificate signing request is successful or fails, there you find some hints. - if all from above went fine, you could re-start the certificate request again by executing
/usr/share/univention-letsencrypt/setup-letsencrypt
YES! THANK YOU!
root@ucs:/etc/univention/ssl/ucs# ucr set apache2/ssl/certificate="/etc/univention/ssl/ucs/cert.pem"
Create apache2/ssl/certificate
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
Multifile: /etc/apache2/sites-available/default-ssl.conf
root@ucs:/etc/univention/ssl/ucs# ucr set apache2/ssl/key="/etc/univention/ssl/ucs/private.key"
Create apache2/ssl/key
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
Multifile: /etc/apache2/sites-available/default-ssl.conf
root@ucs:/etc/univention/ssl/ucs# service apache2 restart
root@ucs:/etc/univention/ssl/ucs# ucr set letsencrypt/domains=“04.vpn.rozkrolik.ru”
Setting letsencrypt/domains
root@ucs:/etc/univention/ssl/ucs# /usr/share/univention-letsencrypt/setup-letsencrypt
run-parts: executing /etc/univention/letsencrypt/setup.d//apache2
run-parts: executing /etc/univention/letsencrypt/setup.d//dovecot
run-parts: executing /etc/univention/letsencrypt/setup.d//postfix
Ср окт 25 01:21:38 MSK 2017
Refreshing certificate for following domains:
04.vpn.rozkrolik.ru
Parsing account key…
Parsing CSR…
Registering account…
Already registered!
Verifying 04.vpn.rozkrolik.ru…
04.vpn.rozkrolik.ru verified!
Signing certificate…
Certificate signed!
Certificate refreshed at Ср окт 25 01:21:43 MSK 2017
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix
root@ucs:/etc/univention/ssl/ucs# service apache2 restart
1 Like