Error on Domain SSL Port 8083 and Access Files

I’m a new user who recently installed Hestiacp on Ubuntu 20.04.

1. Assume I have 2 domains myserver-webhostingname-com (Public IP address 123-45-67-123) and mydomain-com.
2. During the initial installation of Hestiacp I entered mydomain-com so that I could access the System Admin via mydomain-com:8083.
3. After completing the installation I logged in via 123-45-67-123:8083 and there was a warning SSL was invalid / insecure where the certificate was issued by my-domain-com.
4. I added mydomain domain and positive SSL certificate via login at 123-45.67-123:8083 by copying the contents of the Certificate, Private Key and CA-Bundle.
5. I access mydomain.com via chrome browser to get a valid SSL connection and no problem.

Problem:
6. When accessing mydomain-com:8083, 123-45-67-123:8083 or myserver-webhostingname-com:8083 all of them get an Invalid SSL error.
7. When checked it turns out that SSL still uses a personal certificate / Self Signed Certificate from mydomain-com even though I have added Positive SSL mydomain-com via Hestiacp > Webdomain.
8. I tried to replace Self Signed SSL with Positive SSL mydomain-com via Hestiacp > Server > Configure Server > SSL > copying the SSL Certificate and Key.
9. There is an Error: Certificate Authority not found.
10. I have copied the contents of Positive SSL mydomain-com zip certificate and extracted 3 contents to the server including CA-Bundled but it still has problems.
11. Access Files also gets Unknown Error even after deleting and changing SSH Key in Hestiacp > User > Manages SSH Keys.

Question
12. Why did it happen what was wrong?
13. Why is there no place to copy the CA-Bundle contents in Configure Server> SSL. There are only 2 SSL Certificate and Key boxes.
14. Why not replace it immediately with SSL installed on mydomain-com SSL?

Suggestion.
15. Maybe given 3 boxes for SSL CA-Bundle or automatically filled with SSL domain user system admin at Hestiacp > SSL Web Domain.
16. In open source products, there are usually those that are supported by premium product income to support the financing of a project. Especially if you look at HestiaCP, it is a good project and can be developed more than before. Not a commercial OS product, but all require a fee. Maybe you can develop some kind of Hestiacp extension / template like in Joomla which is premium so that users who want more can buy it and make a white label on the website for their customers. Meanwhile, other users can also use Hestiacp as usual without losing its main features. All are only intended so that HestiaCP can develop in the future, not only from donations (only input suggestions :).

Back to the problem, I am a Newbie, please help from my question above.
Due to restrictions on new users entering links, I replace “.” with “-” in any link/domain name.
Sorry for the long questions and bad English. Thanks.

You want to huse host.domain.tld (for example srv01.domain.tld) as hostname and not your whole domain.

by design, self signed certificate.

i suggest to use v-add-letsencrypt-host after you verified that you installed the server with a proper host and not domain name. Be sure you created the needed dns record so let’s encrypt can verify your domain. The command will then create a lets encrypt certificate and install it on every relevant service.

Probaly didnt changed the self signed certificate, but will not be a issue anymore, if you follow the steps above.

see above.

usualy not needed, but you can place multiple certificates in the ca box, including their chains.

not that easy but already in discussion, to run v-add-letsencrypt-host on new installations. But we also don’t want to “spam” let’s encrypt verification process with a lot of request, so there is a few addtional work left for a validation check prior to the certificate request.

as explained above.

Currently it isnt a factor to gain money out of the project. All of the devs are doing hestia beside their 100% jobs, so mostly the factor time is a problem. There are some plans for paid support, but aswell here, we need to be able to provide the support in a proper time frame. Also the hourly rate is a part of discussion, for example I work in a country with decent high rates - I don’t think users would love to pay such a rate .

Waooow … very fast response for something called a beside job. Appreciate it.
Yes, I want Hestiacp to be accessible via SSL at mydomain-com: 8083 with the admin system user and not myserver-webhostingname-com: 8083 / 123-45-67-123: 8083.

Hey … it’s work. thanks. For others who have the same problem as me, maybe you can try it too. I copied the Certificate + CA Bundle to the CA box … and the private key to the Key box. But I don’t know if you use Let’s encrypt for that.

now the problem remains just this … because it only occurs in the admin system user only

Yes, that’s right … For that, making premium templates / extensions might be more acceptable as long as it’s really not for commercialization but for users who want to be more professional while the main function remains the same. As for paid support, it might be hard to accept for some people, but actually you can give support with more flexible time for free but get paid … for example through tutorial/ forums channels like YouTube and this also makes other people know about Hestiacp. for the speed of response (in a proper time frame) it is a consequence because it is given free haha…In essence, it provides several choices for the user but still rewards the developer.

Thanks to the team who created this great project. I hope your side job will be the main thing later

We currently give “free” support via docs.hestiacp.com, Discord and forum.

Adding more possible channels will take only more than checking every thing and could cause issues that questions never got followed up.

How ever unless it is a strange issue that get us interested or we need some information and we are not able to to replicate the issue our self we ask some times if we can login on that server.

I have personally totally no intrest fixing issues by logging in a remote server or creating an Nginx tenplate for software package X for free. It takes me xx minutes to create the template and test the softwar to make sure if everything is working…

We have multiple examples available at GitHub and some basic information is available https://docs.hestiacp.com. And Google is often a good starting point.

I can spend my time only once and if I need to decide between a feature that could help 50 persons or fix one issue for one person for me the decision is easy. Unless the person is willing to pay high xx euro a hour for it it could change offcourse…

But also seen al a few times asking for free support for certain tasks but charging their own clients for it.

Why should I brother giving free support?

Are you able to login over sftp?

Yes, nothing is free … and for that premium templates have to pay to get it.

Free but getting paid… means a business model like YouTuber. they give content (tutorial / support) for free but get paid for clicking subscribers. not actually free, yes it all depends on the business goals … and it’s one of the many option.

OK. back to the problem.

No I previously deleted and changed the SSH-Keys but still can’t connect to the server. For information, I generated the new SSH-Key from the Putty Key Generator with the RSA type of 2048 bits.

When I access via SFTP on Filezilla:
…
Status: Server refused our key
Status: Access denied
Error: Authentication failed.
Error: Critical error: Could not connect to server

Meanwhile, other additional users have no problem and can access these files via HestiaCP.

Once again, I suggest strongly to use host.domain.tld as server hostname, otherwise I’m not sure if it will work properly. Also you should not host any website, expect the hostname, ubder the admin user.

I don’t know if this is related or not.
I can login fine on hostname.domain.ltd:8083 and domain2.ltd:8083 , but the SSL certificate for port 8083 is only for hostname.domain.ltd. … domain2.ltd has valid Let’s Encrypt certificate.

Could you please point me to a relevant post? Thank you.

SSL 8083 is linked to the hostname. There currently not possible to change this behaviour…