1

Topic: Can Only Access /iredadmin from 127.0.0.1

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04 Desktop
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hi All,

Limited background on this issue would be that I was having a great deal of difficulty with acquiring and installing a free Let's Encrypt SSL certificate, so once again, I rebuilt the VMware Workstation 12 Ubuntu 16.04 Desktop guest and proceeded with a fresh, clean install of iRedMail 0.9.6.

I already had my ISP (Optimum business) create a PTR (reverse DNS) record, pointing the public IP to the private IP assigned to my iRedMail server - 192.168.1.117. I then migrated DNS delegation from GoDaddy to Dyn Managed DNS and, working with the Dyn support staff, recreated all DNS records for my domain - freeholdcomputertech.com. I then installed iRedMail 0.9.6 on the Ubuntu 16.04 VM machine, and then proceeded to Certbot and began the cert acquisition and install process. At this point I discovered that I had to also forward port 80 on my router to the Ubuntu/iRedMail VMW guest. Once I did that, I was able to acquire and install the Let's Encrypt cert successfully.

However....at this point, I am still having some problems:

1)  On the iRedMail server, I could only access /iredadmin from https://127.0.0.1/admin -- and doing so resulted in a security warning about a self-signed certificate.

2)  At the point above, I was not able to, from outside my site network, either access https:// mail.freeholdcomputertech.com/mail nor https:// mail.freeholdcomputertech.com/iredadmin

3)  On the iRedMail server, I edited /etc/hosts to read as follows:

127.0.0.1          localhost
192.168.1.117   mail.freeholdcomputertech.com  mail

At this point, I could:
    *  On the iRedMail server, successfully browse to https://mail.freeholdcomputertech.com/mail -- and received NO security warnings about invalid certificate, etc
    *  I could also access -- from outside my site network -- https://mail.freeholdcomputertech.com/mail and send and receive email.

At this point I can NOT:
     *  On the iRedMail server, I can not browse to https://mail.freeholdcomputertech.com/iredadmin nor https://192.168.1.117/iredadmin/ - 404 Not Found on this server.

That's about the gist of it.  Perhaps I omitted certain important details.  ANY help would be greatly appreciated.

--Jim


2 (edited by james.witterschein 2017-02-03 02:24:24)

Re: Can Only Access /iredadmin from 127.0.0.1

UPDATE:  I *think* I may have found a solution to my issue, I just don't know what the "vhosts file for SSL" is or where it's located.  I'm referring to the one solution posted in this URL:

http://serverfault.com/questions/726689 … the-server

UPDATE 2:  It appears the solution offered in the serverfault.com URL above IS in fact the solution I have been looking for.    What I did was:

1)  sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf

2)  Added the 7 lines below to the end of the file, just above </VirtualHost>

Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/opt/www/iredadmin/static/"
WSGIScriptAlias /iredadmin "/opt/www/iredadmin/iredadmin.py/"
Alias /mail "/opt/www/roundcubemail/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"

3)  Re-started my iRedMail / Ubuntu server w/ sudo reboot

4)  I can now access https://mail.freeholdcomputertech.com/iredadmin on the server, and from outside my server network.  I can NOT access https://mail.freeholdcomputertech.com/iredadmin from inside my server network.

Re item (4)...I'm ok with not being able to access /iredadmin from hosts other than my server on my server network.  I think I'd like to block access to iredadmin from outside my server network, too.  If anyone has any guidance they'd like to offer on this item, I'd be most grateful.

3

Re: Can Only Access /iredadmin from 127.0.0.1

It will be easier to not use the LetsEncrypt-modified Apache config file, and just use the default iRedMail ones. Then you can update the Apache config file to use the ssl cert by following this tutorial:
http://www.iredmail.org/docs/use.a.boug … icate.html

4

Re: Can Only Access /iredadmin from 127.0.0.1

ZhangHuangbin wrote:

It will be easier to not use the LetsEncrypt-modified Apache config file, and just use the default iRedMail ones. Then you can update the Apache config file to use the ssl cert by following this tutorial:
http://www.iredmail.org/docs/use.a.boug … icate.html

Zhang.....I've already installed the Let's Encrypt free certificate...but it's not working.....would I cause problems if I follow your instructions at the above link and install a bought SSL certificate from, say, GoDaddy?

5

Re: Can Only Access /iredadmin from 127.0.0.1

Let's Encrypt ssl cert is ok. The problem is you're using the Apache config files modified by LetsEncrypt script.

*) If this is not a production server and reinstalling OS+iRedMail is acceptable, you can reinstall OS+iRedMail first, then request LetsEncrypt ssl cert with its '--webroot' option. Then it just requests the cert without modifying any config file. After getting the cert, follow our tutorial to modify Apache/Nginx/Postfix/Dovecot config files to use the cert: http://www.iredmail.org/docs/use.a.boug … icate.html

*) If you cannot reinstall OS+iRedMail: Don't use the Apache config files modified by LetsEncrypt, just use the ones generated by iRedMail, and follow our tutorial to use the ssl cert.

6

Re: Can Only Access /iredadmin from 127.0.0.1

ZhangHuangbin wrote:

Let's Encrypt ssl cert is ok. The problem is you're using the Apache config files modified by LetsEncrypt script.

*) If this is not a production server and reinstalling OS+iRedMail is acceptable, you can reinstall OS+iRedMail first, then request LetsEncrypt ssl cert with its '--webroot' option. Then it just requests the cert without modifying any config file. After getting the cert, follow our tutorial to modify Apache/Nginx/Postfix/Dovecot config files to use the cert: http://www.iredmail.org/docs/use.a.boug … icate.html

*) If you cannot reinstall OS+iRedMail: Don't use the Apache config files modified by LetsEncrypt, just use the ones generated by iRedMail, and follow our tutorial to use the ssl cert.

Thanks for your reply, Zhang.  I rebuilt the server one more time and this time I *purchased an SSL cert from Network Solutions.  All is working well now, thanks in no small part to your excellent instructions for installing a bought certificate ( http://www.iredmail.org/docs/use.a.boug … icate.html ).  All is working well at this point.

*  For anyone who might be struggling with the letsencrypt free SSL cert, Network Solutions is currently running a special on SSL certificates where 1st month is free, then it's $5.99 per month thereafter for the remaining 12 months.  I'd be happy to help with applying Zhang's instructions on how to install the bought Network Solutions SSL cert.  Just reply to this thread and I'll get back to you.

Network Solutions $5.99 per mo SSL Cert:

https://marketing.networksolutions.com/ … Apkt8P8HAQ

7

Re: Can Only Access /iredadmin from 127.0.0.1

To avoid misunderstanding and leading in the wrong direction, I want to emphasize that iRedMail works fine with LetsEncrypt ssl cert. The point is getting the cert with the '--webroot' option of certbot; don't let certbot modify your Apache/Nginx config file.
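
The 404 on /iredadmin in this thread went away once the seven mappings from post 2 were present in the SSL vhost that certbot had written. The shell check below is an added example, not part of the thread and not iRedMail's own tooling: it lists which of those seven directives are not active in a given vhost file. The function names and the sample vhost are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list iRedMail URL mappings that are not active in a vhost file.
# The seven directive/path pairs are the ones quoted in post 2 of this thread.
EXPECTED='Alias /cluebringer
Alias /iredadmin/static
WSGIScriptAlias /iredadmin
Alias /mail
Alias /awstats/icon
Alias /awstatsicon
ScriptAlias /awstats'

# Print "<Directive> <url-path>" for every mapping missing from file $1.
# Commented-out lines do not count; matching is case-insensitive.
missing_mappings() {
    conf=$1
    printf '%s\n' "$EXPECTED" | while read -r directive path; do
        # Anchoring at line start keeps "Alias" from matching "ScriptAlias";
        # the trailing space keeps "/awstats" from matching "/awstats/icon".
        if ! grep -Eiq "^[[:space:]]*${directive}[[:space:]]+\"?${path}\"?[[:space:]]" "$conf"; then
            printf '%s %s\n' "$directive" "$path"
        fi
    done
}

# Constructed sample: an SSL vhost that kept only two of the mappings,
# with the iRedAdmin WSGI mapping commented out.
write_sample() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    Alias /mail "/opt/www/roundcubemail/"
    # WSGIScriptAlias /iredadmin "/opt/www/iredadmin/iredadmin.py/"
    Alias /iredadmin/static "/opt/www/iredadmin/static/"
</VirtualHost>
</IfModule>
EOF
}

# With a path argument, check that file; otherwise check the sample.
if [ -n "${1:-}" ]; then
    missing_mappings "$1"
else
    sample=$(mktemp)
    write_sample "$sample"
    missing_mappings "$sample"
    rm -f "$sample"
fi
```

An empty result means every mapping from post 2 is active in that file; the check is per file and does not distinguish between several VirtualHost blocks in one file.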