razot
November 15, 2020, 8:58am
1
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
compari-zone.com
I ran this command:
followed the instructions here - https://www.linode.com/docs/guides/how-to-install-certbot-on-centos-8/
It produced this output:
I'm getting the Fedora test page with status code 403
My web server is (include version):
Apache/2.4.46 (Fedora)
The operating system my web server runs on is (include version):
Fedora 32
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0
1 Like
rg305
November 15, 2020, 9:57am
2
Hi and welcome!
Let's see what we can do...
What does this say?:
apachectl -S
1 Like
Osiris
November 15, 2020, 10:03am
3
Your Fedora test page however is fully secure! Isn't that what you wanted?
Also, that Linode guide uses the certbot-auto wrapper script, which is being deprecated. Be aware that the script might not be upgraded or work at all in the future.
1 Like
razot
November 15, 2020, 10:04am
4
Hi!
$ apachectl -S
apachectl: The "-S" option is not supported.
$ apachectl status
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-11-15 08:51:26 UTC; 1h 11min ago
Docs: man:httpd.service(8)
Main PID: 72230 (httpd)
Status: "Total requests: 28; Idle/Busy workers 99/1;Requests/sec: 0.00655; Bytes served/sec: 88 B/sec"
Tasks: 318 (limit: 9501)
Memory: 89.9M
CPU: 10.343s
CGroup: /system.slice/httpd.service
├─72230 /usr/sbin/httpd -DFOREGROUND
├─72231 /usr/sbin/httpd -DFOREGROUND
├─72232 /usr/sbin/httpd -DFOREGROUND
├─72233 /usr/sbin/httpd -DFOREGROUND
├─72234 /usr/sbin/httpd -DFOREGROUND
├─72235 /usr/sbin/httpd -DFOREGROUND
├─72237 /usr/sbin/httpd -DFOREGROUND
├─72265 /usr/sbin/httpd -DFOREGROUND
└─72487 /usr/sbin/httpd -DFOREGROUND
Nov 15 08:51:25 compari-zone.com systemd[1]: Starting The Apache HTTP Server...
Nov 15 08:51:26 compari-zone.com systemd[1]: Started The Apache HTTP Server.
Nov 15 08:51:26 compari-zone.com httpd[72230]: Server configured, listening on: port 443, port 80
1 Like
razot
November 15, 2020, 10:07am
5
Hi Osiris,
When accessing with http, I can see my website up and running (now it will redirect to https).
I expected to see it with https too.
What other details can I provide to help you help me?
1 Like
rg305
November 15, 2020, 10:07am
6
HTTP redirects to HTTPS.
HTTPS returns 403.
What does the HTTPS vhost config look like?
1 Like
razot
November 15, 2020, 10:13am
7
My http vhost:
    <VirtualHost *:80>
        ServerName compari-zone.com
        ServerAlias localhost
        Alias /static /var/www/my_site/static/
        WSGIScriptAlias / /var/www/my_site/newsite/wsgi.py
        #WSGIDaemonProcess apache user=apache group=apache
        WSGIDaemonProcess compari-zone.com processes=2 threads=15
        WSGIProcessGroup compari-zone.com
        <Directory /var/www/my_site/newsite>
            Require all granted
        </Directory>
        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =compari-zone.com [OR]
        RewriteCond %{SERVER_NAME} =localhost
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
My https vhost:
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName compari-zone.com
        ServerAlias localhost
        Alias /static /var/www/my_site/static/
        WSGIScriptAlias / /var/www/my_site/newsite/wsgi.py
        #WSGIDaemonProcess apache user=apache group=apache
        #WSGIDaemonProcess compari-zone.com processes=2 threads=15
        #WSGIProcessGroup compari-zone.com
        <Directory /var/www/my_site/newsite>
            Require all granted
            DirectoryIndex index.html
        </Directory>
        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined
        SSLCertificateFile /etc/letsencrypt/live/compari-zone.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/compari-zone.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>
1 Like
rg305
November 15, 2020, 10:15am
8
Try removing both:
<IfModule mod_ssl.c>
</IfModule>
Because:
curl -Iki https://compari-zone.com/
HTTP/1.1 403 Forbidden
Date: Sun, 15 Nov 2020 10:16:08 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Last-Modified: Tue, 28 Jan 2020 18:21:43 GMT
ETag: "15bc-59d374bbd1bc0"
Accept-Ranges: bytes
Content-Length: 5564
Content-Type: text/html; charset=UTF-8
curl -Iki https://compari-zone.com/static
HTTP/1.1 404 Not Found
Date: Sun, 15 Nov 2020 10:16:13 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Content-Type: text/html; charset=iso-8859-1
1 Like
razot
November 15, 2020, 10:21am
9
Thanks,
Removed and restarted httpd
I'm getting the same output from the command you executed
1 Like
rg305
November 15, 2020, 10:25am
10
Then there is another vhost config that is taking precedence.
Please show:
grep -ERi 'servername|virtual|listen|serveralias|ssl|root' /etc/apache2/
[if not at /etc/apache2/, replace with wherever your Apache configs are]
1 Like
razot
November 15, 2020, 10:34am
11
This command returned:
grep: /etc/httpd/run/wsgi.74867.0.1.sock: No such device or address
grep: /etc/httpd/run/cgisock.74867: No such device or address
But I do have another vhost (the default one) in ssl.conf:
<VirtualHost _default_:443>
1 Like
Hi @razot
if that doesn't work, what does this say:
httpd -S
Your port 80 has the same DocumentRoot as your port 443. So if you have a 403, that vHost isn't used -> it's irrelevant.
2 Likes
razot
November 15, 2020, 10:36am
13
$ httpd -S
httpd -S
VirtualHost configuration:
*:80 compari-zone.com (/etc/httpd/conf/httpd.conf:84)
*:443 is a NameVirtualHost
default server compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost compari-zone.com (/etc/httpd/conf/httpd-le-ssl.conf:1)
alias localhost
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/czone/Themis"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="apache" id=48
Group: name="apache" id=48
1 Like
There is your bug. Two vHosts with the same domain name.
Merge these two into one.
1 Like
rg305
November 15, 2020, 10:37am
15
Duplicate name.
You can probably remove the ssl.conf file.
[I would move it elsewhere, just in case you need it later]
1 Like
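The duplicate-name condition found above can be checked mechanically. The following is an added example, not part of the original thread: it reads `httpd -S` output and reports any ServerName defined by more than one vhost on the same port (Apache serves the first one listed, which is why ssl.conf won here). The function names are hypothetical, and the sample input is the `httpd -S` output posted in this thread.

```sh
#!/bin/sh
# Added example: detect name-based vhosts that share a port and ServerName.
# Usage on a live host (assumption: httpd is on PATH): httpd -S 2>&1 | find_duplicate_vhosts

# Sample input: the vhost section of the httpd -S output from this thread.
sample_httpd_S() {
    cat <<'EOF'
*:80                   compari-zone.com (/etc/httpd/conf/httpd.conf:84)
*:443                  is a NameVirtualHost
         default server compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf/httpd-le-ssl.conf:1)
                 alias localhost
EOF
}

# Prints one DUPLICATE line per (port, name) pair that is defined more than
# once, in first-seen order, and returns 1 if any duplicate was found.
find_duplicate_vhosts() {
    awk '
        # Match lines of the form: port PORT namevhost NAME (FILE:LINE)
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            loc = $5
            gsub(/[()]/, "", loc)
            seen[key]++
            if (seen[key] == 1) { order[++n] = key; locs[key] = loc }
            else                { locs[key] = locs[key] ", " loc }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (seen[k] > 1) { printf "DUPLICATE %s: %s\n", k, locs[k]; dup = 1 }
            }
            exit dup + 0
        }
    '
}

# Run against the sample; the first file listed is the vhost Apache serves.
sample_httpd_S | find_duplicate_vhosts || true
```

Config file paths containing spaces are not handled, since the parser splits on whitespace.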
razot
November 15, 2020, 10:48am
16
Thank you JuergenAuer, rg305 and Osiris!
Fixed the bug you found and now my site is accessible again!
Best support I ever got
4 Likes
system
Closed
December 15, 2020, 11:02am
17
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.