RickoT

Hey Folks,

Yeah, I had the same issue but was able to resolve it by performing the following steps:

  1. Get to where it fails to verify the challenge within TinyCP
  2. Navigate to /opt/tinycp
  3. Perform chmod +x on the following folders
    • opt/tinycp/domains
    • opt/tinycp/domains/<domain.name>
    • opt/tinycp/domains/<domain.name>/ssl
    • opt/tinycp/domains/<domain.name>/ssl/acme
    • opt/tinycp/domains/<domain.name>/ssl/acme/challenges
  4. Navigate to opt/tinycp/domains/<domain.name>/ssl and perform the following command
    • chown -R www-data:www-data acme
  5. Restart Apache (service apache2 restart)

This should be updated in the process by the TinyCP Folks

Not sure if you wanted a new bug report or not, but after updating, when I attempt to create a new LetsEncrypt cert, I receive the following error:
- Warning: mkdir(): File exists in /opt/tinycp/www/mods/web/apache/inc/ACME.class.php on line 281

This is a freshly added domain. The challenge is apparently created correctly because restarting apache allows me to verify the challenge and complete the certificate after seeing the error again twice in the CSR portion of the process.

If you are interested, I fine-tuned the changes I made to my config files to get an A+ on the SSL Labs site tester:

Domain level Apache.conf:

#Enforce HSTS (requires mod_headers)
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"

# Enable only TLSv1.2
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Use only high grade CipherSuites, disable low grade/vulnerable suites.
   SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !DES"

These changes disable TLSv1 and TLSv2 as well as configure Apache to use only high quality CipherSuites, leaving out suites that have vulnerabilities or are low encryption.

/etc/apache2/mods-enabled/ssl.conf

# Enforce highest key exchange grade
   SSLOpenSSLConfCmd ECDHParameters Automatic
   SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1

I know you said you didn't want to manipulate original Apache files, but I just wanted to provide this for you.

Update: For the last item (ssl.conf), those 2 lines can be added to the :443 virtualhost with the same result; modifying the ssl.conf file is not necessary.

I was able to successfully set up 2 Factor Auth with Authenticator Plus (Android).

Update: Previously I was able to configure this as the admin account, but after I created a new account and tried to set it up on that new account (with admin role) I was unable to and received the following error: Failed to edit two-factor authentication settings for TinyCP user.

I am still able to use (and set/unset) 2 Factor Auth on my admin account

I was able to resolve this by editing /etc/postfix/master.cf line 139

Reads: 127.0.0.1:10025 unix n - - - - smtpd
Should Read: 127.0.0.1:10025 inet n - - - - smtpd

unix = socket
inet = tcp

The issue is that amavis is trying to connect to 127.0.0.1:10025, but Postfix was set up with a unix socket named 127.0.0.1:10025, not opening the IP/port combination 127.0.0.1:10025.

Hope this helps!

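The master.cf mismatch described in the last post (a host:port service name declared with type unix) can be checked for mechanically. This is an added example, not part of the original posts or of TinyCP; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a Postfix master.cf for services whose name is a
# host:port endpoint but whose type is "unix". Postfix then creates a
# socket file with that name and nothing listens on the TCP port, so a
# content filter that connects over TCP gets connection refused.

# lint_master_cf [FILE...]  (reads stdin when no file is given)
# Prints "LINENO SERVICE" for every mismatching entry.
lint_master_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/                 { next }   # continuation lines (-o options)
        {
            name = $1; type = $2
            # a service name ending in :port is a TCP endpoint
            if (type == "unix" && name ~ /:[0-9]+$/)
                printf "%d %s\n", NR, name
        }
    ' "$@"
}

# Constructed sample, modelled on the entry quoted in the post.
sample_master_cf() {
    cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
127.0.0.1:10025 unix n  -       -       -       -       smtpd
  -o content_filter=
127.0.0.1:10026 inet n  -       -       -       -       smtpd
EOF
}

sample_master_cf | lint_master_cf    # prints: 4 127.0.0.1:10025
```

On a live system, run `lint_master_cf /etc/postfix/master.cf`; empty output means no host:port service is declared as a unix socket.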