Author Topic: Locked out of Administration  (Read 7269 times)

pj

  • Zen Monk
  • **
  • Posts: 77
  • Karma: +0/-0
    • View Profile
Re: Locked out of Administration
« Reply #15 on: December 17, 2009, 09:59:51 pm »
Thanks jjm. OK - added:

Listen 443
Listen 8443 to ports.conf

Restarted apache - no difference over WAN.

Stopped the firewall - no difference over WAN.

However, I now have:

wget https://127.0.0.1:8433
--21:42:41--  https://127.0.0.1:8433/
           => `index.html'
Connecting to 127.0.0.1:8443... failed: Connection refused.

(same for 443)

???

So, something has changed. The only thing I can think of is running the unconfigure module line (I took out the extra port lines just in case, but that made no difference).

It would then appear to be an internal problem. 


Another thing we could try is to use a text-based browser with HTTPS support (like links) from inside eBox to try to connect to the administrative interface at https://127.0.0.1:8433. If it works, we will know that it is a problem with outside connections and not with apache itself.

Do you think it is apache Javier?

Kind regards

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1225
  • Karma: +12/-0
    • View Profile
Re: Locked out of Administration
« Reply #16 on: December 18, 2009, 02:15:20 pm »
The wget output looks as if either apache isn't running, doesn't listen on the port, or there is a firewall in between. Since it is 127.0.0.1, we can discard this last option.

Have you tried to execute '/etc/init.d/ebox apache restart' after unconfiguring the apache module?

pj

Re: Locked out of Administration
« Reply #17 on: December 18, 2009, 11:29:19 pm »
Hello Javier,

Yes, restarted apache - no difference. The web server is working OK - http over WAN works with port 80, http://www.website.com:5222/ for Jabber returns a page over WAN. 5222 is not in ports.conf. Added 8080, 8443 and 443 into ports.conf. Re-started Apache:

Here is the latest:

wget http://127.0.0.1
--23:05:43--  http://127.0.0.1/
           => `index.html'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45 [text/html]

100%[=================================================================================>] 45            --.--K/s             

23:05:43 (5.36 MB/s) - `index.html' saved [45/45]


wget http://127.0.0.1:8080
--23:05:55--  http://127.0.0.1:8080/
           => `index.html.1'
Connecting to 127.0.0.1:8080... failed: Connection refused.


wget http://127.0.0.1:8443
--23:06:13--  http://127.0.0.1:8443/
           => `index.html.1'
Connecting to 127.0.0.1:8443... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified

    [ <=>                                                                              ] 450           --.--K/s             

23:06:13 (43.41 MB/s) - `index.html.1' saved [450]


wget https://127.0.0.1:8443
--23:06:28--  https://127.0.0.1:8443/
           => `index.html.2'
Connecting to 127.0.0.1:8443... connected.
ERROR: Certificate verification error for 127.0.0.1: self signed certificate
ERROR: certificate common name `eBox Server' doesn't match requested host name `127.0.0.1'.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.


wget http://127.0.0.1:443
--23:24:28--  http://127.0.0.1:443/
           => `index.html.4'
Connecting to 127.0.0.1:443... failed: Connection refused.


wget https://127.0.0.1:443
--23:06:45--  https://127.0.0.1/
           => `index.html.2'
Connecting to 127.0.0.1:443... failed: Connection refused.


HTTP and HTTPS over port 8443 return a page over the LAN now, ??? Over WAN, still can't connect.

It should connect over 8080 though, without problem. Stopping the firewall makes no difference.

Include ports.conf is in the apache2.conf file, but it seems to me that apache is not listening or only partly listening.

Which files were changed by me adding a new service https on port 443?
Do you think that re-installing Apache will make a difference perhaps?

Kind regards

pj

Re: Locked out of Administration
« Reply #18 on: December 23, 2009, 01:13:48 pm »
Hello,

not heard from you for a while.

the latest is:

sudo /etc/init.d/ebox apache stop
 * Stopping eBox module: apache                                                                                       [ OK ]

sudo /etc/init.d/ebox apache start
 * Restarting eBox module: apache                                        [ OK ]

sudo netstat -tlnp | grep apache2
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      9637/apache2   
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      29683/apache2

Apache has stopped listening on port 80!!! Haven't made any changes since the last post whatsoever.

ports.conf reads:

Listen 80
Listen 8080
Listen 443
Listen 8443

At a loss here...

Merry Christmas!

javi

  • Zen Hero
  • *****
  • Posts: 1042
  • Karma: +0/-0
    • View Profile
Re: Locked out of Administration
« Reply #19 on: December 23, 2009, 01:17:10 pm »
Have you tried connecting to https://<ebox-ip>:8443?

pj

Re: Locked out of Administration
« Reply #20 on: December 23, 2009, 02:51:24 pm »
oh yes! :) Many, many times!  Now http doesn't connect either...

pj

Re: Locked out of Administration
« Reply #21 on: December 28, 2009, 06:42:57 pm »
Hello Javier,

Don't know if you are working over the holiday period - sorry for the trouble!

Do you think it would be better to reinstall apache by apt-get or eBox, or install another web server in its place? I am not in the same place as the server, but contact with ssh has been no problem.

Kind regards

pj

Re: Locked out of Administration
« Reply #22 on: December 30, 2009, 11:29:34 am »
Over 2 weeks now and no admin...

Here is a result of a nmap probe:

Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   open     smtp
110/tcp  open     pop3
143/tcp  open     imap
2323/tcp open     unknown
5222/tcp open     unknown
5903/tcp filtered vnc-3
5904/tcp filtered unknown
8080/tcp filtered http-proxy

So, what is apache doing?

Could you please tell me whether I could install say nginx as well as apache, and try to take over the serving of the http ports? Even better, remove apache, if we can't find the reason?

Kind regards

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
Re: Locked out of Administration
« Reply #23 on: December 30, 2009, 02:56:37 pm »
Have you tried the following?

dpkg-reconfigure ebox

Then when it asks you for the eBox HTTPS port, try to enter a different one.
Zentyal Server Lead Developer

pj

Re: Locked out of Administration
« Reply #24 on: December 30, 2009, 11:26:48 pm »
Hello,
did dpkg-reconfigure ebox again - changed the port back to 443. No difference, but as I wrote, apache has in the meantime refused to accept http requests at port 80 and Squirrelmail too, so it's not surprising really.

I am at a loss.

In the case that you too are at a loss, would you please let me know if I can install another web server by the side of apache without making a mess of eBox, or if I can replace apache with nginx, and if so, could you please let me have any removal code for apache under eBox to do this?

Kind regards and Happy New Year!

J. A. Calvo

Re: Locked out of Administration
« Reply #25 on: December 31, 2009, 12:33:45 am »
I don't see any problem installing another different web server, as long as you configure it in a different unused port.
Zentyal Server Lead Developer

pj

Re: Locked out of Administration
« Reply #26 on: January 04, 2010, 06:01:12 pm »
Hello,

OK, I am now a little further. The following error is shown by Firefox IF I add Listen 443 to ports.conf (otherwise, just a "cannot connect" page):

Secure Connection Failed

An error occurred during a connection to website.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)
    *   The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
    *   Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Does that help? Presumably apache is doing the same job twice.

Kind regards
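
ssl_error_rx_record_too_long is the error Firefox shows when a server answers a TLS handshake with plain HTTP, for instance on a port that has a `Listen` line but no SSL-enabled virtual host: the client reads the first five bytes of the reply as a TLS record header, and ASCII text decodes to a length above the protocol limit. The following is an added example, not part of the original post, that decodes such bytes; the function name and the sample inputs are constructed.

```shell
# Added example: read a server's first bytes on stdin and interpret the first
# five as a TLS record header (type, version major.minor, 16-bit length),
# which is what a TLS client does before anything else.
MAX_RECORD=18432    # 2^14 + 2048, the largest TLS 1.x ciphertext record

record_header_verdict() {
    # od prints the bytes as unsigned decimals, e.g. "72 84 84 80 47"
    set -- $(od -An -tu1 -N5)
    [ $# -eq 5 ] || { echo "verdict=short-read"; return 0; }
    len=$(( $4 * 256 + $5 ))
    # Valid record types are 20-23; every TLS 1.x version has major byte 3.
    if [ "$1" -ge 20 ] && [ "$1" -le 23 ] && [ "$2" -eq 3 ] \
        && [ "$len" -le "$MAX_RECORD" ]; then
        verdict=tls-record
    elif [ "$len" -gt "$MAX_RECORD" ]; then
        verdict=record-too-long
    else
        verdict=not-tls
    fi
    echo "type=$1 version=$2.$3 length=$len verdict=$verdict"
}

# Constructed inputs: two ways a plain-HTTP reply can start, then a real
# TLS handshake record header (type 22, version 3.1, length 47).
printf 'HTTP/1.1 400 Bad Request\r\n' | record_header_verdict
printf '<!DOCTYPE HTML PUBLIC'        | record_header_verdict
printf '\026\003\001\000\057'         | record_header_verdict
```

Both plain-text replies decode to a length above 20000 bytes, which is why the browser reports an oversized record rather than a certificate problem.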

pj

Re: Locked out of Administration
« Reply #27 on: January 12, 2010, 12:26:12 am »
Hello

Bump.

Really looking for an answer to this now - it has been a month now. I would like to open 2 ports in the firewall, but cannot as there is no access to the admin. I have looked in the /ebox/80firewall.conf, but there is nowhere to add the ports there.

Is there a file I can edit to add the ports in the ebox firewall please?

Kind regards

jjm1982

  • Zen Warrior
  • ***
  • Posts: 200
  • Karma: +7/-0
    • View Profile
Re: Locked out of Administration
« Reply #28 on: January 12, 2010, 12:48:53 am »
You don't need access to ebox to add access to the firewall. Try this...

sudo iptables -A INPUT -p TCP --dport 443 -j ACCEPT
sudo iptables -A INPUT -p TCP --dport 8443 -j ACCEPT

This will open the ports on the firewall. But when you restart the firewall, these entries will be removed and the original put back in its place.
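
Because `-A` appends to the end of the chain and iptables stops at the first matching rule, an appended ACCEPT only takes effect if no earlier rule already drops the packet. The following is an added example, not from the thread, that checks this on a saved `iptables -S INPUT` listing; the function names and both rule listings are constructed and do not represent eBox's actual ruleset.

```shell
# Added example. Reads `iptables -S INPUT` style lines on stdin and prints the
# position and target of the first unconditional rule that decides a new TCP
# connection to PORT. Simplification: rules with other matches (-i, -s,
# -m state, negation) and jumps to user chains are skipped, not evaluated.
first_verdict() {   # usage: first_verdict PORT < listing
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 != "-A" || $2 != "INPUT" || found { next }
        {
            n++; target = ""; proto = ""; dport = ""; other = 0
            for (i = 3; i < NF; i += 2) {
                if      ($i == "-j")      target = $(i + 1)
                else if ($i == "-p")      proto  = tolower($(i + 1))
                else if ($i == "--dport") dport  = $(i + 1)
                else if ($i == "-m" && $(i + 1) == "tcp") continue
                else if ($i == "--reject-with") continue
                else other = 1
            }
            if (other || (proto != "" && proto != "tcp")) next
            if (dport != "" && dport != port) next
            if (target ~ /^(ACCEPT|DROP|REJECT)$/) { found = 1; print n, target }
        }
        END { if (!found) print "policy", policy }
    '
}

# Constructed listing: ACCEPT for 443 appended with -A, after a catch-all DROP.
appended() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}
# Same rules with the ACCEPT first, which is where `iptables -I INPUT` puts it.
inserted() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}

appended | first_verdict 443    # rule 3 (DROP) decides; the ACCEPT is never reached
inserted | first_verdict 443    # rule 1 (ACCEPT) decides
```

On a live system, `sudo iptables -S INPUT` piped into `first_verdict 443` gives the same check against the running ruleset, within the simplification stated in the comments.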

pj

Re: Locked out of Administration
« Reply #29 on: January 12, 2010, 11:24:47 am »
Hello jjm!

Thanks very much for your input, but the code hasn't opened the ports. I am not an expert with iptables, but I did think that ebox would anyway overwrite them on re-start. That is why I could do with the admin!

The ports I need to open are to allow external connections into the eBox. Is the iptable code the same for those? It is for tor, so I also need to allow connections coming through those ports to open connections outwards as well.

Hope you can help here!

Kind regards

p.s. nmap shows 8443/tcp open  https-alt, 443/tcp  open  https, but I still get this security certificate error... ???