CSF V10

yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

CSF V10

Post by yoyo699 »

I have upgraded to the latest CSF:
https://download.configserver.com/csf/changelog.txt

I'm very interested in adding HTTPS use to messenger, which I have used fine for years.

Logs
Feb 27 18:45:31 web1 lfd[611595]: MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location
Feb 27 18:45:31 web1 lfd[611595]: MESSENGER: HTTPS service temporarily DISABLED

See in csf.conf

This option points to the file(s) containing the Apache VirtualHost SSL
definitions. This can be a file glob if there are multiple files to search.
Only Apache v2 SSL VirtualHost definitions are supported
MESSENGER_HTTPS_CONF = /usr/local/apache/conf/httpd.conf

Just tell me what to do, since we have hostname ssl, and a lot from client users on server...

Re: CSF V10

Post by yoyo699 »

I now installed Perl Module "IO::Socket::SSL"

rebuilt apache in case

We still get :
Feb 27 19:42:53 web1 lfd[665784]: MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location
Feb 27 19:42:53 web1 lfd[665784]: MESSENGER: HTTPS service temporarily *DISABLED*

Re: CSF V10

Post by yoyo699 »

Nothing is working :

Searching IO::Socket::SSL on cpanmetadb (http://cpanmetadb.cpanel.net/v1.0/packa ... ocket::SSL) ...
Source: httpupdate.cpanel.net ... IO::Socket::SSL is up to date. (1.94)

Re: CSF V10

Post by yoyo699 »

I am pretty sure there is no Perl issue.

The error is:
MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location

After some investigation, I found that csf is a little myopic: it does not recognize the setting of the nginx proxy, which listens on port 4430 for 443.

After adding this port in the messenger port settings, all works.

Re: CSF V10

Post by yoyo699 »

I observe that the lfd SSL messenger is already eating 3% memory, let's say 4 GB, on our server.

Seems abnormal.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CSF V10

Post by ForumAdmin »

lfd will only detect Apache SSL virtualhost definitions, in the file(s) that you point MESSENGER_HTTPS_CONF to, that are of the regex formats:

^\s*<VirtualHost .*:(\d+)> # where (\d+) matches one of the ports you list in MESSENGER_HTTPS_IN
\s*ServerName\s+(\S+)
\s*ServerAlias\s+(.*) # this is optional
\s*SSLCertificateFile\s+(\S+)
\s*SSLCertificateKeyFile\s+(\S+)
^\s*<\/VirtualHost>
If you have Apache SSL virtualhost definitions in the file glob that you have pointed MESSENGER_HTTPS_CONF to, then you need to post an example that contains those attributes that you believe is not being detected.
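
A rough way to check which VirtualHost blocks would satisfy the regex formats above for a given port list. This is an added example, not part of the original post and not lfd's own code; the line-by-line block handling, the comma-separated port list and the sample configuration are assumptions.

```python
import re

# Patterns follow the regex formats posted above. How lfd combines them
# internally is not shown on this page, so the block handling is an assumption.
VHOST_OPEN = re.compile(r'^\s*<VirtualHost .*:(\d+)>')
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>')
FIELDS = {
    "name": re.compile(r'\s*ServerName\s+(\S+)'),
    "aliases": re.compile(r'\s*ServerAlias\s+(.*)'),
    "cert": re.compile(r'\s*SSLCertificateFile\s+(\S+)'),
    "key": re.compile(r'\s*SSLCertificateKeyFile\s+(\S+)'),
}

def find_ssl_vhosts(conf_text, https_in):
    """Return vhosts on a port in https_in that carry ServerName, cert and key."""
    ports = {p.strip() for p in https_in.split(",") if p.strip()}
    found, current = [], None
    for line in conf_text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            # Blocks on ports outside the list are skipped entirely.
            current = {"port": m.group(1)} if m.group(1) in ports else None
        elif current is not None and VHOST_CLOSE.match(line):
            if all(k in current for k in ("name", "cert", "key")):
                found.append(current)
            current = None
        elif current is not None:
            for field, rx in FIELDS.items():
                m = rx.match(line)
                if m:
                    current.setdefault(field, m.group(1).strip())
    return found

# Constructed sample: Apache behind a proxy listens on 4430 instead of 443.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:4430>
  ServerName shop.example.com
  ServerAlias www.shop.example.com
  <IfModule ssl_module>
    SSLCertificateFile /etc/ssl/example/shop.crt
    SSLCertificateKeyFile /etc/ssl/example/shop.key
  </IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10:8080>
  ServerName shop.example.com
</VirtualHost>
"""

if __name__ == "__main__":
    for port_list in ("443", "443,4430"):
        print(port_list, "->", find_ssl_vhosts(SAMPLE_CONF, port_list) or "no SSL certs found")
```

With only 443 in the port list the sample yields nothing, which corresponds to the "No SSL certs found" log line; adding 4430 makes the block match.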

Re: CSF V10

Post by ForumAdmin »

yoyo699 wrote: 27 Feb 2017, 20:43 I observe that lfd SSL messenger is eating already 3% memory, let say 4 GB
on our server
That is likely due to the session cache size used by IO::Socket::SSL and the Net::SSLeay instance. It is also likely to be a factor of the number of certificates being served multiplied by the number of domains and aliases.

It's likely the cost for using the feature and little, if anything, that we can do about it.

Re: CSF V10

Post by yoyo699 »

This is a busy shared hosting server with more than 1000 websites on it, and lots are using SSL....

This feature is really interesting; it will decrease tickets opened by clients frustrated because they suddenly see "ssl error connect", and then do not see our custom message telling them how to unblock themselves from the client area with the unblockip module from modulesgarden....

When I checked this morning, I found the process running twice this time:
lfd HTTPS messenger
I have now put only 4430, and not 443 at the same time.
Let's see.

1.
This is what I have in httpd.conf for 1 SSL domain:

<VirtualHost 151.90.108.15:4430>
ServerName user.name.com
ServerAlias mail.user.name.com www.user.name.com
DocumentRoot /home/username/public_html
ServerAdmin webmaster@user.name.com
UseCanonicalName Off
Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
CustomLog /etc/apache2/logs/domlogs/user.name.com combined
<IfModule log_config_module>
<IfModule logio_module>
CustomLog /etc/apache2/logs/domlogs/user.name.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
</IfModule>
</IfModule>
## User username # Needed for Cpanel::ApacheConf
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
UserDir disabled
UserDir enabled username
</IfModule>
</IfModule>
</IfModule>

# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# http://httpd.apache.org/docs/2.4/mod/mo ... exprparser
<IfModule mod_include.c>
<Directory "/home/username/public_html">
SSILegacyExprParser On
</Directory>
</IfModule>

<IfModule mod_suphp.c>
suPHP_UserGroup username username
</IfModule>
<IfModule suexec_module>
<IfModule !mod_ruid2.c>
SuexecUserGroup username username
</IfModule>
</IfModule>
<IfModule ruid2_module>
RMode config
RUidGid username username
</IfModule>
<IfModule mpm_itk.c>
# For more information on MPM ITK, please read:
# http://mpm-itk.sesse.net/
AssignUserID username username
</IfModule>

<IfModule ssl_module>
SSLEngine on

SSLCertificateFile /var/cpanel/ssl/installed/certs/user_name_com_d339b_8b65d_1492905599_6323db27dcd34ac3962c547deb7eecf9.crt
SSLCertificateKeyFile /var/cpanel/ssl/installed/keys/d339b_8b65d_8432e236ccad45730b6c56e5e8fda202.key
SSLCACertificateFile /var/cpanel/ssl/installed/cabundles/cPanel_Inc__681917bfb43af6b642178607e0b36ccc_1747526399.cabundle
CustomLog /etc/apache2/logs/domlogs/user.name.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Directory "/home/username/public_html/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</IfModule>

2.
For high memory usage, I simply suggest that by default the SSL of the hostname be used; it is too costly a gadget to consume such an amount of RAM just for the luxury of displaying to the client its own domain with SSL, if any.

OR, I suggest that we have the choice of this behavior in a CSF setting:
Use only SSL hostname : ON/OFF

Re: CSF V10

Post by ForumAdmin »

yoyo699 wrote: 28 Feb 2017, 05:13 For high memory usage, I suggest simply that by default, ssl of hostname be used, it is a too costly gadget to consume such amount of RAM just for the luxury to display to client its own domain with SSL if any
If you only want to offer the hostname certificate, then you can create a separate file and point MESSENGER_HTTPS_CONF to it with just a single VirtualHost in it mimicking what you find in the Apache configuration that just contains a section specifying the hostname certificate and key. All connections would then fall back to that key. However, due to the way SSL works, all browsers will throw an exception message as the certificate will only match if the user browsed to the server hostname.

Re: CSF V10

Post by yoyo699 »

Then it's not a good solution, we don't need a warning on top of all this....