404 Not Found After certbot on FAMP

@jmorahan
And that is also a high probability.
I do see your point.
There have been no http requests posted.

The grep command parses the entirety of the jail… What am I looking for exactly?

Also, my virtualhost file (as copy pasta from the guide I am using).

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName cloud.rangelmedianetwork.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.rangelmedianetwork.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All

Dav off

SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin YOUREMAIL
ServerName cloud.rangelmedianetwork.com
DirectoryIndex index.php
DocumentRoot /usr/local/www/apache24/data/nextcloud
SSLCertificateFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/privkey.pem
SSLEngine on

# Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
<Directory /usr/local/www/apache24/data/nextcloud>
AllowOverride all
</Directory>

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>

rem those lines and try getting a cert.

We're looking for any files that contain any of the following strings:
alias
nextcloud
documentroot
challenge

hopefully finding some overlooked redirection/mis-configuration.

But I would pause the https redirection first.
That may just do the trick.

Removed those lines and (after restarting apache)

  • The following errors were reported by the server:

    Domain: cloud.rangelmedianetwork.com
    Type: connection
    Detail: Fetching
    https://cloud.rangelmedianetwork.com/.well-known/acme-challenge/EmRIwp2YF4JaPuGz2lbEtKWnkJsifI-lu5y-993Wvls:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

And yet it is still redirecting?
Please show a file that looks something like:
/etc/letsencrypt/renewal/cloud.rangelmedianetwork.com.conf

Oh wait - you've never gotten a cert...
Is there an .htaccess file you've overlooked?

I take that back - you have gotten a cert: crt.sh | 322631821
Please show the renewal config file.

The exact file name can be found using:
certbot certificates

Are you sure that’s the correct file? If it’s literally trying to use a cert from /usr/local/etc/letsencrypt/live/YOURSITE.COM/fullchain.pem (as opposed to, say, /usr/local/etc/letsencrypt/live/cloud.rangelmedianetwork.com/fullchain.pem) I’d expect Apache would be unable to start at all… while on the other hand, if there really is a cert there then the SSLEngine on should be causing it to serve HTTPS rather than HTTP on port 443, which as we can see is not currently happening.

Also it’s using /usr/local/www/apache24/data/nextcloud as its DocumentRoot, while as we can see from http://cloud.rangelmedianetwork.com:443/ and http://cloud.rangelmedianetwork.com:443/nextcloud/ your actual webserver configuration is still apparently using /usr/local/www/apache24/data

I suspect some file may have been deleted in the making of this “fix”…

There aren’t any certs on this box. That cert is from an old Linux box.

Maybe try apachectl -S (or it might be apache2ctl -S, I don’t know freebsd) - one of those should tell you which configuration files are actually being used for your virtual hosts.

That explains the “missing” files…
You need to disable the https redirection - you have no cert to speak https with.

I think at this point, I am going to start over with a fresh jail.

Note: barring any mistakes I made (don’t rule those out) I followed this guide here from a vanilla jail.

In the step titled “Add virtual Host info”, what did you use as the file name?

I think the guide is making one mistake (possibly they used a copy of the final file in the documentation).
This is verbatim in order:

Add virtual Host info :
cd /usr/local/etc/apache24/Includes
touch YOURDOMAIN.com or org or gov.conf
nano YOURDOMAIN*
RewriteEngine on
RewriteCond %{SERVER_NAME} =YOURSITE.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

restart apache
service apache24 restart

Now lets secure this server SSL using Certbot:
Download/Install Certbot
pkg install py27-certbot
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM

Force to https redirect:
nano /usr/local/www/apache24/data/nextcloud/.htaccess
Add:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

They “force to https redirect” but already included a similar forced redirection in the “Add virtual Host info:” section.
restart apache and THEN run certbot.
(that is out-of-order)

Just rem out the three redirection lines in the “Add virtual Host info :” section and certbot should get the cert.
Then undo the rems and you're good to go…

Yes, I think you're right. But also, I noticed this line:

touch YOURDOMAIN.com or org or gov.conf

I suppose that could easily be misread and you might create a file named YOURDOMAIN.com, whereas I believe it actually needs to be YOURDOMAIN.com.conf, i.e. the name must end with .conf or the default Include directive won't pick it up.

cloud.rangelmedianetwork.com.conf

Ah, well, so much for that theory then. @rg305’s advice should still be good though :)

Well I have started over with a fresh jail. Apache is installed. #ItWorks!

Order matters: Socks go on before you put on your shoes!

In this case, get the cert then redirect to https.

I am not 100% sure I follow. Which part of the guide is giving me the steps in the wrong order?

Nextcloud is installed.

I used the virtualhost:80 from the guide, but commented out

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

So far, I can access the site from outside my LAN.
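
The two checks this thread keeps coming back to (is the port-80 vhost still forcing HTTPS, and do the certificate paths named in the :443 vhost exist yet), written as a small script. This is an added example, not from the thread or the guide: `audit_vhost` is a hypothetical helper, and the sample vhost and its `/nonexistent/...` paths are constructed. It also accepts a negated `RewriteCond` that exempts `/.well-known/acme-challenge/` from the redirect, which goes beyond the rem-out approach discussed above.

```shell
#!/bin/sh
# audit_vhost FILE (hypothetical helper): print one finding per line.
audit_vhost() {
    conf=$1
    # 1. HTTPS redirects in a port-80 vhost that would also catch the
    #    HTTP-01 challenge request.
    awk '
        $1 ~ /^#/ { next }    # commented-out lines are inactive
        tolower($1) == "<virtualhost"   { in80 = ($2 ~ /:80>$/); exempt = 0; next }
        tolower($1) == "</virtualhost>" { in80 = 0; next }
        in80 && tolower($1) == "rewritecond" && /!.*acme-challenge/ { exempt = 1 }
        in80 && tolower($1) == "rewriterule" {
            if ($0 ~ /https:\/\// && !exempt)
                print "REDIRECT line " NR ": port 80 forces HTTPS, challenge path not exempted"
            exempt = 0        # a RewriteCond applies to the next rule only
        }
    ' "$conf"
    # 2. Certificate and key paths that do not exist on disk yet.
    awk '
        $1 ~ /^#/ { next }
        tolower($1) ~ /^sslcertificate(key)?file$/ { gsub(/"/, "", $2); print $2 }
    ' "$conf" | while read -r path; do
        [ -e "$path" ] || echo "MISSING $path"
    done
}

# Constructed sample: redirect active on :80, placeholder cert paths on :443.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:80>
ServerName cloud.example.org
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.example.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName cloud.example.org
SSLEngine on
SSLCertificateFile /nonexistent/letsencrypt/live/YOURSITE.COM/fullchain.pem
SSLCertificateKeyFile /nonexistent/letsencrypt/live/YOURSITE.COM/privkey.pem
</VirtualHost>
EOF

audit_vhost "$sample"
```

An empty result means neither problem was found in that file; it does not cover a redirect placed in `.htaccess`, which has to be checked separately.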