SSL for panel problem

This was an issue with the installed OpenSSL version:

OpenSSL 1.1.1 11 Sep 2018

Error message:

Using default temp DH parameters
139656848691648:error:02004061:system library:socket:unknown:…/crypto/bio/b_sock2.c:49:
139656848691648:error:2008C076:BIO routines:BIO_socket:unable to create socket:…/crypto/bio/b_sock2.c:50:
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
0 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
0 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)

It was fixed by running apt update && apt upgrade, which installed the version from the sury repository:

OpenSSL 1.1.1c 28 May 2019

With the new version above, the check went through properly:

Using default temp DH parameters
ACCEPT

So the issue is solved. We’ve also reworked the installer: Run apt upgrade after adding the repositories instead before. · hestiacp/hestiacp@3bcd42d · GitHub


Next question about SSL:
how do I use Cloudflare SSL with HestiaCP?
Cloudflare protects against leaking the server IP, but when I added the domain to Cloudflare & VestaCP it’s working, but when I forced SSL on the Cloudflare side it’s not:

 Success!
Your new web server is ready to use.

It’s showing the server default page, not the user page.

Hi daffyy,

I can assist you on this matter, however I will need access to review your Cloudflare settings. Is that possible?


Nvm, my bad: the Full SSL option on CF requires your own SSL cert on the server. Changed to Flexible and it’s OK.


Hello, I would like to understand whether the LE cert is meant for the panel URL itself (mostly it will be some subdomain such as srv.domain.tld), as can be done on VestaCP.
Or is it only for the hosted domains, so that we have to buy an SSL cert for the panel itself?
Best regards, Markus

Hi Markus

Thanks for your request. Please check the v-add-letsencrypt-host command; it will automatically add a valid Let’s Encrypt SSL certificate for the Hestia backend.

Thank you for the ultra-fast Sunday reply…
Nice hint, I will report when I’m at home.

Update:
I cannot believe that it is so easy. Great work, what you did here. Thank you for that.
It worked; simply enter

v-add-letsencrypt-host

Then the Let’s Encrypt cert is used for the panel; no need to buy a cert elsewhere.

I use Ubuntu 18.04, and the first time I installed HestiaCP I encountered the problem with Publickey due to the missing gnupg2 package, easily solvable with
sudo apt install gnupg2

I have another little problem; I think I will open a new thread so that others can perhaps benefit from my very good first experience with your software.
Best regards, Markus


Hi Markus

Thanks for the hint with gnupg2, I’ve added it to the installer.


I reinstalled recently.
In v1.0.5 gnupg2 is still not included.
I have seen you discussed including it with some guys.

What is the result of that?

The change was in master branch, not release. It will be released with 1.1.0.

OK, I have a second installation with the Hestia panel.
I upgraded to the master branch successfully and now have 1.1.0.
By the way, the user is quite big in my installation.

The question is:
the upgrade was successful, but
I do have the old config.

I found a migration script,

but I do not know how to execute it… or is it necessary?

UPDATE: Should I have opened a new topic instead?
If you want, delete this after replying.

An upgrade to 1.1.0 is not a good idea for production servers. You should just be able to execute the script for the migration.

v-add-letsencrypt-host: command not found

You have to either export $PATH or issue the “sudo su -” command prior to v-add-letsencrypt-host.


Thank you very much @martineliascz

Hi folks, just as an FYI, I have just installed HestiaCP (ex-VestaCP user) and found that the Portal SSL was not encrypted, which I thought was odd. I would hope the next release has this enabled by default.

I was using Debian 10.5 and HestiaCP v1.2.3.

I used the above command as root via SSH and it resolved the issue. Since it uses Let’s Encrypt, will it automatically update at the end of the 90 days based on the primary site hostname?

It’s planned to implement it on fresh installs, and yes, it will be renewed automatically.


It worked for me.

Your problem lies in the traffic between Cloudflare and your site. CF has 4 SSL/TLS operation modes. If it is set to Off or Flexible, CF sends HTTP requests to the site, and when the certificate is connected, a permanent 301 redirect occurs on the site from both sides. If it is set to Full, then the traffic goes only over HTTPS.
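
The Cloudflare behaviour discussed in this thread, as an added example that is not part of any post and is not HestiaCP or Cloudflare code: a small Python model of the edge-to-origin leg in Flexible and Full mode, showing the default page, the redirect loop, and which combinations leave that leg unencrypted. The `Origin` class, the `edge_fetch` function and the fallback to the server's default site are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Origin:
    """Constructed model of the web server behind Cloudflare (hypothetical)."""
    has_ssl_vhost: bool  # the domain has its own certificate and vhost on port 443
    force_https: bool    # the origin answers http:// with a 301 to https://

    def handle(self, scheme):
        if scheme == "http":
            return (301, "https") if self.force_https else (200, "user page")
        # HTTPS with no vhost for this domain: assumed to fall through to the
        # server's default site, as reported in the thread.
        return (200, "user page" if self.has_ssl_vhost else "server default page")

def edge_fetch(mode, origin, max_hops=5):
    """Return what a visitor of https://domain sees through the edge in `mode`."""
    if mode not in ("flexible", "full"):
        raise ValueError("this sketch models only 'flexible' and 'full'")
    # Flexible: edge -> origin over plain HTTP. Full: edge -> origin over HTTPS.
    origin_scheme = "http" if mode == "flexible" else "https"
    encrypted = origin_scheme == "https"
    for _ in range(max_hops):
        status, value = origin.handle(origin_scheme)
        if status != 301:
            return {"result": value, "origin_leg_encrypted": encrypted}
        # The visitor follows the redirect to https://, which it was already
        # using, so the edge forwards with the same origin scheme again.
    return {"result": "redirect loop", "origin_leg_encrypted": encrypted}

if __name__ == "__main__":
    cases = [
        ("full", Origin(has_ssl_vhost=False, force_https=False)),
        ("flexible", Origin(has_ssl_vhost=False, force_https=False)),
        ("flexible", Origin(has_ssl_vhost=True, force_https=True)),
        ("full", Origin(has_ssl_vhost=True, force_https=True)),
    ]
    for mode, origin in cases:
        print(mode, origin, "->", edge_fetch(mode, origin))
```

Only the last case serves the user page with the Cloudflare-to-server leg encrypted; the Flexible case that works does so over plain HTTP between Cloudflare and the server.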