ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Updated: 2021-03-09T15:42:55Z

jailkit always created if 'Default chrooted PHP-FPM' is enabled
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6040
Updated: 2021-03-09T15:42:55Z
Author: Jesse Norell
With 'Default chrooted PHP-FPM' option enabled, jailkit files are always added to a new site (even with php disabled, and no shell users/cron jobs).
Milestone: 3.2.3
Assignee: Jesse Norell

Jailkit init template have syntax errors
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6039
Updated: 2021-02-04T10:26:06Z
Author: Georg Marx
## short description
There are errors when using Jailkit chroot app section coreutils.
In template file `install/tpl/jk_init.ini.master` are some syntax errors.
## environment
Server OS: debian buster
ISPConfig version: 3.2
## proposed fix
Delete +-sign before comment [jk_init.ini.master#L152](install/tpl/jk_init.ini.master#L152) and line 153
Delete `[` in [coreutils] paths line [jk_init.ini.master#L157](install/tpl/jk_init.ini.master#L157)
Milestone: 3.2.3

PHP errors when creating a new web
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6036
Updated: 2021-02-04T10:24:38Z
Author: Thom
When creating a new web with all default settings, you receive 3 PHP warnings: \
`31.01.2021-21:55 - DEBUG - Adding the user: web118` \
`31.01.2021-21:55 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/ \client0/web118' - return code: 0` \
`PHP Warning: Invalid argument supplied for foreach() in /usr/local/ispconfig/server/lib/classes/system.inc.php on line 2437` \
`31.01.2021-21:56 - DEBUG - safe_exec cmd: jk_init -c /etc/jailkit/jk_init.ini -j \'/var/www/clients/client0/web118' 'basicshell' 'editors' 'extendedshell' 'netutils' 'ssh' 'sftp' 'scp' 'groups' 'jk_lsh' - return code: 0` \
`31.01.2021-21:56 - DEBUG - Added jailkit chroot` \
`PHP Warning: Invalid argument supplied for foreach() in /usr/local/ispconfig/server/lib/classes/system.inc.php on line 2520` \
`31.01.2021-21:56 - DEBUG - safe_exec cmd: jk_cp -j '/var/www/clients/ \client0/web118' '/usr/bin/groups' '/usr/bin/id' '/usr/bin/dircolors' '/usr/bin/lesspipe' '/usr/bin/basename' '/usr/bin/dirname' '/usr/bin/nano' '/usr/bin/pico' '/usr/bin/mysql' '/usr/bin/mysqldump' '/usr/bin/git' '/usr/bin/git-receive-pack' '/usr/bin/git-upload-pack' '/usr/bin/unzip' '/usr/bin/zip' '/bin/tar' '/bin/rm' '/usr/bin/patch' - return code: 0` \
`31.01.2021-21:56 - DEBUG - Added app programs to jailkit chroot` \
`PHP Warning: Invalid argument supplied for foreach() in /usr/local/ispconfig/server/lib/classes/system.inc.php on line 2520` \
`31.01.2021-21:56 - DEBUG - safe_exec cmd: jk_cp -j '/var/www/clients/ \client0/web118' '/usr/bin/php' '/usr/bin/perl' '/usr/share/perl' '/usr/share/php' - return code: 0` \
`31.01.2021-21:56 - DEBUG - Added cron programs to jailkit chroot`
Milestone: 3.2.3

rspamd is using the wrong settings for add_header / rewrite_subject
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6031
Updated: 2021-01-29T10:37:21Z
Author: Marius Burkard
When using rspamd and setting an account to a policy that is either using add header or rewrite subject, the second option is not added to the config file.
```
ispc_spamfilter_user_78 {
    priority = 10;
    rcpt = "x@y.com";
    apply {
        CLAM_VIRUS = 1004.5;
        JUST_EICAR = 1004.5;
        actions {
            "rewrite subject" = 4;
            reject = 4.5;
            greylist = null;
        }
    }
}
```
This seems to lead to a problem that the default value for `add_header` is used and as it is mostly higher than the `reject` value leads to unwanted behaviour:
Score: 8.9 leads to `add_header` instead of `reject` because default for rspamd is 6.0
Milestone: 3.2.3
Assignee: Marius Burkard

acme.sh fails on ISPConfig initial update / install
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6030
Updated: 2021-01-29T10:35:58Z
Author: Marius Burkard
On initial update or install with new installer containing acme.sh, issuing the cert succeeds but using it fails due to wrong path checks.
Milestone: 3.2.3
Assignee: Marius Burkard

Postfix - smtpd_helo_restrictions have permit_sasl_authenticated with higher priority
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6018
Updated: 2021-03-09T15:48:22Z
Author: KoS
As there are some devices (e.g. older IoT/industrial devices) that are often not very good in fulfilling the SMTP standards, they get rejected by the SMTP server, even if using SMTP Auth.
I would suggest to move the permit_sasl_authenticated before the reject_invalid_helo_hostname in line https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/install/tpl/debian_postfix.conf.master#L29
Milestone: 3.2.3

SSL for nginx apps vhost
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6017
Updated: 2021-02-27T11:08:15Z
Author: Sascha P.
## short description
The template for the nginx apps vhosts is not populated correctly, when ssl is enabled. This is only working for apache. One has to edit the vhosts file manually.
## correct behaviour
The apps vhosts should work with ssl out of the box when enabled.
## environment
Server OS: centos
Server OS version: 8.3
ISPConfig version: 3.2.2
## proposed fix
The proposed fix is attached. I can't open a merge request, since it tells me, that I've reached my limit (seems to be at 0) when trying to fork.
I've edited the lines 2714 to 2715 (based on d1652d6b6405b168af957774aac506cf83d8186a)
Old:
```
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
```
New:
```
if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
    $content = str_replace('{ssl_on}', 'ssl', $content);
    $content = str_replace('{ssl_comment}', '', $content);
} else {
    $content = str_replace('{ssl_on}', '', $content);
    $content = str_replace('{ssl_comment}', '#', $content);
}
```
[install_lib_installer_base.lib.php](/uploads/bed05a31d515df8557acb1646656a6f2/install_lib_installer_base.lib.php)
Milestone: 3.2.3
Assignee: Thom

Wrong LE certificate path used with acme.sh
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6016
Updated: 2021-02-16T01:34:09Z
Author: Dragan Savic
## short description
ISPConfig updater uses `/etc/letsencrypt/live/hostname` as certificate path when issuing LE cert with acme.sh for the first time. This leads to error message below, because cert is actually issued in `/root/.acme.sh/hostname/`, but ispconfig updater tries to find it in the wrong folder after issuing.
`Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.`
## environment
Server OS: debian
Server OS version: stretch and buster
ISPConfig version: 3.2.2
Run on multiple server instances, either with no LE client installed before or they had certbot before (which was cleaned along with all files/folders before update).
## proposed fix
Took a glance on the update script/code and I think that this part should be modified in "installer_base.lib.php".
```
swriteln('Checking / creating certificate for ' . $hostname);
$acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
if(!@is_dir($acme_cert_dir)) {
    $acme_cert_dir = '/root/.acme.sh/' . $hostname;
    $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
    if(!@is_dir($acme_cert_dir)) {
        $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/cert.pem';
    }
}
```
to
```
swriteln('Checking / creating certificate for ' . $hostname);
$acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
if(!@is_dir($acme_cert_dir)) {
    $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
    $check_acme_file = $acme_cert_dir . '/cert.pem';
    if(!@is_dir($acme_cert_dir)) {
        $acme_cert_dir = '/root/.acme.sh/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
    }
}
```
## references
https://www.howtoforge.com/community/threads/lets-encrypt-ssl-not-working-no-errors.85534/page-3#post-416008
## log entries
[acme-certification-path.txt](/uploads/489433cf4de11facb290511019095559/acme-certification-path.txt) - terminal log of two consecutive update runs. I used "manual update instruction" because of the issue mentioned in #6015.
Milestone: 3.2.3

acme.sh always fails with 'Verify error:Invalid response' msg when using ispconfig_update.sh
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6015
Updated: 2021-03-23T19:10:14Z
Author: Dragan Savic
## short description
Creating LE cert with acme.sh when running `ispconfig_update.sh` or `ispconfig_update.sh --force` always fails with `Verify error:Invalid response` error message.
When using "Manual update instructions", process runs without errors and LE cert is issued and installed for all ISPConfig apps.
## correct behaviour
`ispconfig_update.sh` should function the same as "manual update instruction".
Maybe my reasoning is wrong and "manual update instruction" needs to be used when LE certs are generated for the first time. :)
## environment
Server OS: debian
Server OS version: stretch and buster
ISPConfig version: 3.1.5 and newer
Run on multiple server instances, either with no LE client installed before or they had certbot before (which was cleaned along with all files/folders before update).
## log entries
[ispconfig-update-first-run.txt](/uploads/02da3dc899cf7a1fd61b32bf1b1db66a/ispconfig-update-first-run.txt) - first time trying `ispconfig_update.sh --force` after installing acme.sh client
[ispconfig-update-second-run.txt](/uploads/4d1903d0be782c7bb2312e0af4c78527/ispconfig-update-second-run.txt) - second time trying `ispconfig_update.sh --force`
[ispconfig-update-third-run.txt](/uploads/223da66b1f3a19097068aafc5da64f79/ispconfig-update-third-run.txt) - using "manual update instruction"
Make note of `/root/.acme.sh/hosting.premiumbrands.rs/` folder contents: cert, fullchain and ca files get generated only on 3rd run.
Milestone: 3.2.3

php_fpm_socket_dir label missing
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6009
Updated: 2021-01-12T16:57:55Z
Author: Thom
![image](/uploads/1fb7c73b208fe6584c93bf03a37ea713/image.png)
Milestone: 3.2.3
Assignee: Thom

Apps Vhost Breaks on ISPConfig Update
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6007
Updated: 2021-02-27T11:09:14Z
Author: Collin Machine
## short description
When I update ISPConfig via the ispconfig_update.sh script, the update reconfigures my 000-apps.vhost, adding the Listen 2083 line (which has conveniently been commented out in 000-ispconfig.vhost) and commenting my SSL lines so I can no longer access the apps.
## correct behaviour
It would be great if the Listen line was no longer added or commented on upgrade, but it would be amazing if the SSL lines weren't commented after an upgrade, and connection to the site broken.
## environment
Server OS: Ubuntu
Server OS version: 20.04.1
ISPConfig version: 3.2.2
Milestone: 3.2.3
Assignee: Thom

tpl files for dovecot2, mis-spelling SPECIAL-USE > SEPCIAL-USE
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6001
Updated: 2021-02-12T22:41:25Z
Author: Tony G
Ref:
/install/tpl/opensuse_dovecot2.conf.master
/install/tpl/fedora_dovecot2.conf.master
/install/tpl/debian6_dovecot2.conf.master
`imap_capability=+SEPCIAL-USE XLIST` value should be `SPECIAL-USE XLIST`
Milestone: 3.2.3
Assignee: Thom

postfix whitelist 'type' translation string
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5999
Updated: 2021-03-09T19:37:37Z
Author: Jesse Norell
In 3.2.2, viewing the Postfix Whitelist shows the string id (eg. "client_txt", "recipient_txt") for Type column.
Milestone: 3.2.3
Assignee: Jesse Norell

Remote user logins not working
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5989
Updated: 2021-01-05T17:44:51Z
Author: Thom
Due to a column length issue, after upgrading to 3.2.2, remote user logins are broken.
Milestone: 3.2.3

DNS SOA xfer/notify input check
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5975
Updated: 2020-12-23T09:19:11Z
Author: Thom
Both should have a regex to only accept numbers, commas, and dots
Milestone: 3.2.2
Assignee: Thom

Additional PHP versions - Fix php_fpm_socket_dir
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5973
Updated: 2020-12-23T09:17:52Z
Author: Jozef Sroka
Hi, I made on fix using wrong column name from server_php. Sorry it's my fault. MR !1366
Milestone: 3.2.2
Assignee: Jozef Sroka

Fixing TLS1.3 support in nginx
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5971
Updated: 2020-12-22T13:21:03Z
Author: Jozef Sroka
Hi, I would like to fix bug in the nginx configuration. I created a merge request !1364
In the original code, this part of code
`$output = $app->system->exec_safe('nginx -V 2>&1');`
return the last line from the result of the command:
`configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/l...`
Correct information is in second or third line by distribution:
`built with OpenSSL 1.1.1g....`
But in "system" exist function `getopensslversion` that returns open ssl version from command `openssl version`.
If the version from `openssl version` is not sufficient, then I can check all lines from `nginx -V 2>&1`.
And second problem was in $vhost_data key `tls1.3_supported`, key cannot contain dot, as you can see in `tpl.inc.php` on line 327 `/^[A-Za-z_]+[A-Za-z0-9_]*$/`
Milestone: 3.2.2

Letsencrypt (certbot) does not create webroot map anymore for new domains
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5969
Updated: 2020-12-18T21:15:39Z
Author: JanThiel
After upgrading to ISPC 3.2.1 the renewal config file for NEW certs does not contain the webroot map anymore for additional (sub-)domains.
The map is still created in code but not passed on to the certbot command anymore.
This leaves the [[webroot_map]] section empty initially. But when creating new subdomains / aliasdomains they are added to the [[webroot_map]] section.
Check this:
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/letsencrypt.inc.php#L165
The `$webroot_args` is populated, but never used.
This was introduced within the acme.sh backport: https://git.ispconfig.org/ispconfig/ispconfig3/-/commit/746e79db393f22b03fdd408cc086eecc084f1991
Is this intentional, or a regression?
A new cert with many subdomains was issued without any issues as the webroot is the same for all domains. Still either the webroot map should be used or totally omitted. Currently it's a mixed state. Also the creation of the map could be completely removed if unnecessary.
Milestone: 3.2.2
Assignee: Marius Burkard

Mail Filter written incorrectly
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5964
Updated: 2020-12-18T21:15:16Z
Author: Tony G
From Mail Filter, Add new filter: **To Contains** _some-text_ **Reject** _some-message_. This is saved to .ispconfig-before.sieve as:
```
### BEGIN FILTER_ID:19
if header :regex "to" [".*some-text"] {
reject "some-message"; stop;\n\n}
### END FILTER_ID:19
```
The \n\n is flagged in /var/log/mail.err as:
> Error: sieve: Failed to compile script `/var/vmail/domain.tld/boxname/.ispconfig-before.sieve'
**AND THE EMAIL IS LOST.** The mail item is not rejected back to the sender.
This fixed code works, verified mail rejected to sender with no error in log:
```
### BEGIN FILTER_ID:19
if header :regex "to" [".*some-text"] {
reject "some-message";
stop;
}
### END FILTER_ID:19
```
Running Ubuntu v20 with ISPConfig v3.2.1.
Milestone: 3.2.2
Assignee: Jesse Norell

Backup stats not shown when logged in as admin
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5962
Updated: 2020-12-10T12:59:36Z
Author: Thom
A check was introduced in 3.2 (in commit e82b879172f077f4c36066fa0ac9d98b4ec4d2e1) to only show the tab when the client has the backup function enabled. Because the admin is not a client, it is not working for the admin.
Milestone: 3.2.2
Assignee: Thom