A Debian Buster / ISPConfig server was running well until the Let's Encrypt certificate renewals. To simplify, I deactivated ISPConfig to focus on simple default server access:
Code:
ks307144 apache2 > ll sites-enabled/
total 4
lrwxrwxrwx 1 root root 45 avril 15 19:27 000-default.conf -> /etc/apache2/sites-available/000-default.conf
lrwxrwxrwx 1 root root 56 avril 15 18:42 100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
lrwxrwxrwx 1 root root 56 avril 15 18:42 100-mon-voyage-a-cuba.com.vhost -> /etc/apache2/sites-available/mon-voyage-a-cuba.com.vhost
lrwxrwxrwx 1 root root 48 avril 15 18:39 100-webologix.com.vhost -> /etc/apache2/sites-available/webologix.com.vhost
lrwxrwxrwx 1 root root 35 avril 15 18:22 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 60 avril 14 16:22 webologix.com.vhost-le-ssl.conf -> /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
ks307144 apache2 > cat sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
ks307144 apache2 > ll /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 1078 janv. 19 2019 /etc/ssl/certs/ssl-cert-snakeoil.pem
ks307144 apache2 > ll mods-enabled/|grep ssl
lrwxrwxrwx 1 root root 26 janv. 19 2019 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root 26 janv. 19 2019 ssl.load -> ../mods-available/ssl.load
Code:
ks307144 apache2 > openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x4cc520 [0x4debe0] (293 bytes => 293 (0x125))
0000 - 16 03 01 01 20 01 00 01-1c 03 03 54 1a 1b 7d 0a .... ......T..}.
0010 - ef 73 3a 62 cf b7 8d a7-8b f1 78 93 28 e3 aa 2d .s:b......x.(..-
0020 - e3 bf 22 1b a0 8e f2 19-83 49 98 20 35 a2 e2 61 .."......I. 5..a
0030 - 57 56 47 0f 72 26 33 a1-5f c5 80 52 75 52 0e 3f WVG.r&3._..RuR.?
0040 - 54 1c 25 53 fc 7a fd 43-44 57 08 19 00 3e 13 02 T.%S.z.CDW...>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 95 ...=.<.5./......
0090 - 00 0b 00 04 03 00 01 02-00 0a 00 0c 00 0a 00 1d ................
00a0 - 00 17 00 1e 00 19 00 18-00 23 00 00 00 16 00 00 .........#......
00b0 - 00 17 00 00 00 0d 00 30-00 2e 04 03 05 03 06 03 .......0........
00c0 - 08 07 08 08 08 09 08 0a-08 0b 08 04 08 05 08 06 ................
00d0 - 04 01 05 01 06 01 03 03-02 03 03 01 02 01 03 02 ................
00e0 - 02 02 04 02 05 02 06 02-00 2b 00 09 08 03 04 03 .........+......
00f0 - 03 03 02 03 01 00 2d 00-02 01 01 00 33 00 26 00 ......-.....3.&.
0100 - 24 00 1d 00 20 73 51 84-eb d2 1f b8 d3 43 4a 7d $... sQ......CJ}
0110 - 5e 88 ce 64 3f c2 73 09-bf 13 9b b5 cb fc f9 5b ^..d?.s........[
0120 - 5b ac c9 87 32 [...2
SSL_connect:SSLv3/TLS write client hello
read from 0x4cc520 [0x4d59c3] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f HTTP/
SSL_connect:error in error
140024379380864:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x4cc520 [0x4c3ce0] (8192 bytes => 489 (0x1E9))
0000 - 31 2e 31 20 34 30 30 20-42 61 64 20 52 65 71 75 1.1 400 Bad Requ
0010 - 65 73 74 0d 0a 44 61 74-65 3a 20 54 68 75 2c 20 est..Date: Thu,
0020 - 31 36 20 41 70 72 20 32-30 32 30 20 30 38 3a 35 16 Apr 2020 08:5
0030 - 39 3a 33 32 20 47 4d 54-0d 0a 53 65 72 76 65 72 9:32 GMT..Server
0040 - 3a 20 41 70 61 63 68 65-2f 32 2e 34 2e 33 38 20 : Apache/2.4.38
0050 - 28 44 65 62 69 61 6e 29-0d 0a 43 6f 6e 74 65 6e (Debian)..Conten
0060 - 74 2d 4c 65 6e 67 74 68-3a 20 33 31 32 0d 0a 43 t-Length: 312..C
0070 - 6f 6e 6e 65 63 74 69 6f-6e 3a 20 63 6c 6f 73 65 onnection: close
0080 - 0d 0a 43 6f 6e 74 65 6e-74 2d 54 79 70 65 3a 20 ..Content-Type:
0090 - 74 65 78 74 2f 68 74 6d-6c 3b 20 63 68 61 72 73 text/html; chars
00a0 - 65 74 3d 69 73 6f 2d 38-38 35 39 2d 31 0d 0a 0d et=iso-8859-1...
00b0 - 0a 3c 21 44 4f 43 54 59-50 45 20 48 54 4d 4c 20 .<!DOCTYPE HTML
00c0 - 50 55 42 4c 49 43 20 22-2d 2f 2f 49 45 54 46 2f PUBLIC "-//IETF/
00d0 - 2f 44 54 44 20 48 54 4d-4c 20 32 2e 30 2f 2f 45 /DTD HTML 2.0//E
00e0 - 4e 22 3e 0a 3c 68 74 6d-6c 3e 3c 68 65 61 64 3e N">.<html><head>
00f0 - 0a 3c 74 69 74 6c 65 3e-34 30 30 20 42 61 64 20 .<title>400 Bad
0100 - 52 65 71 75 65 73 74 3c-2f 74 69 74 6c 65 3e 0a Request</title>.
0110 - 3c 2f 68 65 61 64 3e 3c-62 6f 64 79 3e 0a 3c 68 </head><body>.<h
0120 - 31 3e 42 61 64 20 52 65-71 75 65 73 74 3c 2f 68 1>Bad Request</h
0130 - 31 3e 0a 3c 70 3e 59 6f-75 72 20 62 72 6f 77 73 1>.<p>Your brows
0140 - 65 72 20 73 65 6e 74 20-61 20 72 65 71 75 65 73 er sent a reques
0150 - 74 20 74 68 61 74 20 74-68 69 73 20 73 65 72 76 t that this serv
0160 - 65 72 20 63 6f 75 6c 64-20 6e 6f 74 20 75 6e 64 er could not und
0170 - 65 72 73 74 61 6e 64 2e-3c 62 72 20 2f 3e 0a 3c erstand.<br />.<
0180 - 2f 70 3e 0a 3c 68 72 3e-0a 3c 61 64 64 72 65 73 /p>.<hr>.<addres
0190 - 73 3e 41 70 61 63 68 65-2f 32 2e 34 2e 33 38 20 s>Apache/2.4.38
01a0 - 28 44 65 62 69 61 6e 29-20 53 65 72 76 65 72 20 (Debian) Server
01b0 - 61 74 20 6b 73 33 30 37-31 34 34 2e 6b 69 6d 73 at ks307144.kims
01c0 - 75 66 69 2e 63 6f 6d 20-50 6f 72 74 20 38 30 3c ufi.com Port 80<
01d0 - 2f 61 64 64 72 65 73 73-3e 0a 3c 2f 62 6f 64 79 /address>.</body
01e0 - 3e 3c 2f 68 74 6d 6c 3e-0a ></html>.
read from 0x4cc520 [0x4c3ce0] (8192 bytes => 0 (0x0))
ks307144 apache2 > iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-recidive tcp -- anywhere anywhere
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 157.230.37.16 anywhere reject-with icmp-port-unreachable
REJECT all -- CPEf81d0fa78ac3-CMf81d0fa78ac0.cpe.net.cable.rogers.com anywhere reject-with icmp-port-unreachable
REJECT all -- 93.ip-51-83-77.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 175.ip-51-178-54.eu anywhere reject-with icmp-port-unreachable
...a million IPs REJECTED HERE...
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain f2b-recidive (1 references)
target prot opt source destination
REJECT all -- ip95.ip-54-37-44.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 222.186.52.86 anywhere reject-with icmp-port-unreachable
REJECT all -- 112.85.42.187 anywhere reject-with icmp-port-unreachable
...ANOTHER MILLION IPs REJECTED HERE...
RETURN all -- anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
ks307144 apache2 > rgrep Listen .
./sites-available/ispconfig.vhost: Listen 8080
./sites-available/apps.vhost: Listen 8081
./ports.conf:Listen 80
./ports.conf:Listen 443
./ports.conf:Listen 443
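The s_client output above shows port 443 answering in plain HTTP (the first bytes read back are `HTTP/`, hence `wrong version number`), which is what Apache does when the vhost answering on 443 never turns `SSLEngine on`. The following audit script is an added example, not part of the original post: it lists every `<VirtualHost>` bound to port 443 whose body lacks an uncommented `SSLEngine on`; the sample config, the `example.invalid` vhost and the `/etc/apache2/sites-enabled` path are constructed or assumed.

```python
import re
from pathlib import Path
from typing import List

# Constructed sample: the default-ssl.conf from the post (SSLEngine on)
# plus a hypothetical second vhost bound to *:443 that never enables SSL.
SAMPLE_CONFIG = """\
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
<VirtualHost *:80 *:443>
    ServerName example.invalid
    DocumentRoot /var/www/example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
FLAGS = re.IGNORECASE | re.MULTILINE


def plaintext_443_vhosts(config_text: str) -> List[str]:
    """Return 'addresses servername' for each vhost on port 443 without an
    uncommented 'SSLEngine on'. Such a vhost is answered in plain HTTP."""
    findings = []
    for addrs, body in VHOST_RE.findall(config_text):
        if not any(a.endswith(":443") for a in addrs.split()):
            continue
        # Anchored at line start, so '# SSLEngine on' does not count.
        if re.search(r"^\s*SSLEngine\s+on\b", body, FLAGS):
            continue
        m = re.search(r"^\s*ServerName\s+(\S+)", body, FLAGS)
        findings.append(f"{addrs} {m.group(1) if m else '(no ServerName)'}")
    return findings


def audit_enabled_sites(site_dir: str = "/etc/apache2/sites-enabled") -> List[str]:
    """Scan every file in the (assumed) sites-enabled directory."""
    results = []
    for path in sorted(Path(site_dir).glob("*")):
        if path.is_file():
            results += [f"{path.name}: {f}" for f in plaintext_443_vhosts(path.read_text())]
    return results


if __name__ == "__main__":
    print("\n".join(audit_enabled_sites()) or "no plaintext vhost on port 443")
```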