How to fix SSL issues in CyberPanel
CyberPanel has a built-in mechanism for issuing security certificates. It uses the Let's Encrypt certificate authority to obtain SSL certificates for your websites. We have a great tutorial on how to create/issue SSL certificates for your domain here.
However, if CyberPanel is unable to obtain a certificate for your domain, it generates a self-signed certificate instead. Browsers do not trust this certificate, so they show a red warning screen saying that the connection might not be secure.
In this tutorial, we are going to see a few common errors that occur and how to fix them.
Major SSL Certificate issues in CyberPanel
1. A Record or IP Address Issue
CyberPanel can only obtain certificates for websites that are hosted on the server and whose domain points to the server. To verify this, use Whats My DNS to check that the A record for your domain points to the server IP shown at the top left of the CyberPanel dashboard, just below the CyberPanel logo.
If it doesn't match, change the A record to this IP in your domain manager's DNS settings. If you are using Cloudflare, you might see a different IP on Whats My DNS, but you should still make sure that the IP in the DNS settings is the same as the server IP.
2. ACME Client Verification
CyberPanel uses acme-client to issue SSL certificates and regenerate them every 90 days. Sometimes the client is outdated or has been removed from the server, which makes the whole process impossible.
To check the ACME client and update it to the latest version, run the following command:
wget -O - https://get.acme.sh | sh
Now you can go back to the menu and choose Manage SSL from the SSL menu to issue SSL again.
3. Folder permissions
Let's Encrypt verifies that you are indeed the owner and in control of the domain that you want a certificate for, and it offers a few forms of verification:
- HTTP-01 challenge (or file-based challenge): This is the most common challenge type currently. Let's Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>.
- DNS-01 challenge: This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. Let's Encrypt gives your ACME client a token, and your client creates a TXT record derived from that token and your account key and puts that record at _acme-challenge.<YOUR_DOMAIN>.
CyberPanel uses file-based verification because it’s easier and DNS records can take a very long time to propagate.
Sometimes users change file and folder permissions, which makes it impossible for CyberPanel to add the file required for verification, so the verification fails.
To fix these issues, go to Websites->List Websites.
Click the Manage button next to the website that you want to issue SSL for to open its management screen.
Use the File Manager option to open the file manager for that website. Once the file manager is open, click the Fix Permissions button on the top right.
CyberPanel will fix the permissions for you, and then you can issue an SSL certificate from SSL->Manage SSL as shown in the first issue.
4. ModSecurity Blocking
CyberPanel comes with ModSecurity, which keeps your server and websites safe from a variety of hacking attempts and spam content. However, it sometimes produces false positives and blocks legitimate traffic, treating it as spam or an attack.
Let's Encrypt verifies the identity of the domain by checking whether the file it provides is available at your domain. It does so by accessing that file from multiple servers to confirm that you are indeed the owner or an authorized person for that domain. As they issue millions of certificates per day, their servers generate a lot of traffic, and sometimes spam-fighting companies see a lot of similar traffic as spam and put Let's Encrypt server IPs on their blacklists.
As a result, ModSecurity blocks all connections from those IPs, and Let's Encrypt isn't able to verify the domain, so the SSL certificate cannot be issued.
There is a simple workaround to be able to issue SSL certificates in this case.
Go to Security->ModSecurity Conf.
Turn off ModSecurity, then go to SSL->Manage SSL and issue an SSL certificate for your website. Once you are done, turn ModSecurity back on.
Debugging with the command line
If none of the above worked for you, you have a different issue that needs to be debugged and fixed. To do that, go to your terminal and run the following command.
/root/.acme.sh/acme.sh --issue -d <YOUR_DOMAIN> -d www.<YOUR_DOMAIN> --cert-file /etc/letsencrypt/live/<YOUR_DOMAIN>/cert.pem --key-file /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem --fullchain-file /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem -w /home/<YOUR_DOMAIN>/public_html --force --debug
This command will give you detailed information on where and why the issue occurred so you can fix it.
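The checks from issues 1 and 3 can be scripted before retrying issuance. The script below is an added example, not CyberPanel's or acme.sh's own code: it writes a probe file into the challenge directory under the webroot used in the command above, then fetches it once directly from the server IP and once through public DNS. The function names and result labels are assumptions of this example; it needs curl and does not follow redirects.

```shell
#!/bin/sh
# Added example (not CyberPanel or acme.sh code): HTTP-01 preflight check.
# Usage: sh http01_preflight.sh <YOUR_DOMAIN> <SERVER_IP>

# Write a probe file where the ACME client would place the challenge file.
# Prints the probe's file name; returns 1 if the directory cannot be written.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    name="preflight-$$"
    mkdir -p "$dir" 2>/dev/null || return 1
    printf 'ok\n' 2>/dev/null > "$dir/$name" || return 1
    chmod 644 "$dir/$name"
    printf '%s\n' "$name"
}

# Print the HTTP status of the probe URL. With a third argument the request is
# forced to that IP (curl --resolve), bypassing DNS and any proxy in front.
fetch_code() {
    url="http://$1/.well-known/acme-challenge/$2"
    if [ -n "${3:-}" ]; then
        curl -s -o /dev/null -m 10 -w '%{http_code}' --resolve "$1:80:$3" "$url"
    else
        curl -s -o /dev/null -m 10 -w '%{http_code}' "$url"
    fi
}

# Turn the results into a label (labels are this example's own).
# $1 = write_probe exit status, $2 = status via server IP, $3 = status via DNS
classify() {
    if [ "$1" -ne 0 ]; then echo "webroot-not-writable"; return; fi
    if [ "$2" != 200 ]; then echo "server-not-serving-challenge"; return; fi
    if [ "$3" != 200 ]; then echo "dns-or-proxy-not-reaching-server"; return; fi
    echo "challenge-path-ok"
}

if [ $# -ge 2 ]; then
    domain="$1"; ip="$2"
    webroot="/home/$domain/public_html"   # webroot layout from the command above
    name=$(write_probe "$webroot"); wrote=$?
    local_code=000; public_code=000
    if [ "$wrote" -eq 0 ]; then
        local_code=$(fetch_code "$domain" "$name" "$ip") || true
        public_code=$(fetch_code "$domain" "$name") || true
        rm -f "$webroot/.well-known/acme-challenge/$name"
    fi
    echo "server-ip=$local_code dns=$public_code: $(classify "$wrote" "$local_code" "$public_code")"
fi
```

A `server-not-serving-challenge` result with a writable webroot points at file permissions or server rules (issue 3), and `dns-or-proxy-not-reaching-server` points at the A record (issue 1). `challenge-path-ok` leaves the ACME client (issue 2) and blocking of the validation servers (issue 4) as the remaining suspects.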