How to fix SSL issues in CyberPanel (CyberPanel keeps reporting certificate security problems)


CyberPanel is equipped with a built-in security certificate issuing mechanism. It uses the Let's Encrypt certificate authority to obtain SSL certificates for your websites. We have a great tutorial on how to create/issue SSL certificates for your domain here.

However, if CyberPanel is unable to obtain a certificate for your domain, it generates a self-signed certificate instead. Browsers do not accept this certificate and show a red warning screen saying that the connection might not be secure.

In this tutorial, we are going to see a few common errors that occur and how to fix them.

Major SSL Certificate issues in CyberPanel

1. A Record or IP Address Issue

CyberPanel can only obtain certificates for websites that are hosted on the server and whose domain is also connected to the server. To verify this, use Whats My DNS to check that the A record for your domain points to the server IP shown at the top left of the CyberPanel dashboard, just below the CyberPanel logo.

If that doesn't match, change the A record to this IP in your domain manager's DNS settings. If you are using Cloudflare, you might see a different IP on Whats My DNS, but you should make sure that the IP in the DNS settings is the same as the server IP.

2. ACME Client Verification

CyberPanel uses acme-client for issuance and regeneration of SSL certificates every 90 days. Sometimes the client is outdated or has been removed from the server, which makes the whole process impossible.

To check the ACME client and update it to the latest version, run the following command:

wget -O -  https://get.acme.sh | sh

Now you can go back to the menu and choose Manage SSL from the SSL menu to issue SSL again.

3. Folder permissions

Let's Encrypt verifies that you are indeed the owner of, and in control of, the domain you want a certificate for, and it offers a few forms of verification.

  • HTTP-01 challenge (or file-based challenge): This is the most common challenge type currently. Let's Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>.
  • DNS-01 challenge: This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. Let's Encrypt gives your ACME client a token, your client creates a TXT record derived from that token and your account key, and puts that record at _acme-challenge.<YOUR_DOMAIN>

CyberPanel uses file-based verification because it’s easier and DNS records can take a very long time to propagate.

Sometimes users change file and folder permissions, which makes it impossible for CyberPanel to add the file required for verification, so the verification fails.

To fix these issues, go to Websites->List Websites, where you will see something like this

Click the Manage button next to the website that you want to issue SSL for and you will be greeted with a screen like this

Use the File Manager option to open the file manager for that website. Once the file manager is open, click the Fix Permissions button on the top right.

CyberPanel will fix the permissions for you, and then you can issue an SSL certificate from SSL->Manage SSL as shown in the first issue.

4. ModSecurity Blocking

CyberPanel comes with ModSecurity, which keeps your server and websites safe from a variety of hacking attempts and spam content. However, as a false positive, it can sometimes block legitimate traffic, treating it as spam or an attack.

Let's Encrypt verifies the identity of the domain by checking whether the file it provides is available at your domain or not. It does so by accessing that file from multiple servers to confirm that you are indeed the owner or authorized person for that domain. As they issue millions of certificates per day, their servers generate a lot of traffic, and sometimes spam-fighting companies see a lot of similar traffic as spam and put Let's Encrypt server IPs on their blacklists.

As a result, ModSecurity blocks all connections from those IPs and Let's Encrypt isn't able to verify the domain, causing a failure to issue an SSL certificate.

There is a simple workaround to be able to issue SSL certificates in this case.

Go to Security->ModSecurity Conf and you will be greeted with this screen

Turn off ModSecurity, then go to SSL->Manage SSL and issue an SSL certificate for your website. Once you are done, turn ModSecurity back on.
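A pre-flight check for the file-based (HTTP-01) path described in sections 3 and 4, as an added example that is not part of the original tutorial or of CyberPanel: it writes a probe file where the ACME client would put its token file, fetches it over HTTP, and maps the result to the likely cause. It assumes the webroot /home/<YOUR_DOMAIN>/public_html used in the acme.sh command on this page and that curl is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks the HTTP-01 challenge path before issuing a certificate.
# Run as the same user as the ACME client (root) so file ownership and umask match.
CHALLENGE_DIR=".well-known/acme-challenge"

# Write a random probe file where the ACME client would place its token file.
# Prints "<name> <content>"; returns 1 if the directory cannot be written.
write_probe() {
    webroot=$1
    name="preflight-$$-$(date +%s)"
    content="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$webroot/$CHALLENGE_DIR" 2>/dev/null || return 1
    printf '%s' "$content" > "$webroot/$CHALLENGE_DIR/$name" 2>/dev/null || return 1
    printf '%s %s\n' "$name" "$content"
}

# Map the HTTP status and body seen by a client to the likely cause on this page.
classify_http01() {
    status=$1 body=$2 expected=$3
    case "$status" in
        200) if [ "$body" = "$expected" ]; then echo "ok"
             else echo "wrong-content: another site or a rewrite rule answers this path"; fi ;;
        403) echo "blocked: check folder permissions (section 3) and ModSecurity (section 4)" ;;
        404) echo "not-found: this webroot is not the one serving the domain" ;;
        000) echo "unreachable: check the A record (section 1) and access to port 80" ;;
        *)   echo "unexpected-status-$status" ;;
    esac
}

# Full check: write the probe, fetch it, clean up, print the diagnosis.
preflight() {
    domain=$1 webroot=${2:-/home/$1/public_html}
    probe=$(write_probe "$webroot") || { echo "not-writable: $webroot/$CHALLENGE_DIR"; return 1; }
    name=${probe%% *} content=${probe#* }
    tmp=$(mktemp)
    # -L follows redirects; -k because the validator does not check certificates on redirects.
    status=$(curl -s -L -k -o "$tmp" -w '%{http_code}' --max-time 10 \
        "http://$domain/$CHALLENGE_DIR/$name") || status=000
    result=$(classify_http01 "$status" "$(cat "$tmp")" "$content")
    rm -f "$tmp" "$webroot/$CHALLENGE_DIR/$name"
    echo "$result"
    [ "$result" = "ok" ]
}
```

Run `preflight <YOUR_DOMAIN>` on the server. A request made from the server itself does not reproduce a block that depends on the client IP, so an `ok` result does not rule out the blacklist case in section 4.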

Debugging with the command line

If none of the above worked for you, it means you have a different issue that needs to be debugged and fixed. In order to do that, go to your terminal and type the following.

/root/.acme.sh/acme.sh --issue -d <YOUR_DOMAIN> -d www.<YOUR_DOMAIN> --cert-file /etc/letsencrypt/live/<YOUR_DOMAIN>/cert.pem --key-file /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem --fullchain-file /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem -w /home/<YOUR_DOMAIN>/public_html --force --debug

This command will give you detailed information on where and why the issue occurred so you can fix it.

 
  • Posted by 米粒在線 on 2024-11-25 22:29:22
  • When reposting, please keep the link to this article: http://www.bjmhhq.com/129225.html