I have a Raspberry Pi 4 with apache2 where I run Nextcloud. I have a certificate for my domain and I use certbot.
I moved my data directory to a new device. After that I can access my Nextcloud files, but when I want to see other Nextcloud apps (like calendar), I'm getting an internal server error.
The apache2 error.log says:
localhost:4443:0 server certificate does NOT include an ID which matches the server name
ssl_stapling_init_cert: can’t retrieve issuer certificate!
Unable to configure certificate localhost:4443:0 for stapling
My domain is: https://ortmann-media.eu
My web server is (include version): Apache/2.4.38 (Raspbian)
The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)
My hosting provider, if applicable, is: self hosted
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Hi @GambaJo
GambaJo:
localhost:4443:0 server certificate does NOT include an ID which matches the server name
ssl_stapling_init_cert: can’t retrieve issuer certificate!
Unable to configure certificate localhost:4443:0 for stapling
My domain is: https://ortmann-media.org
It's not possible to check your domain because the port doesn't answer.
Checked to see if there is a certificate - https://check-your-website.server-daten.de/?q=ortmann-media.org
There is no valid certificate.
So OCSP-Stapling can't work.
Oops, sorry. Wrong domain. Should be https://ortmann-media.eu
Ok, there is a new certificate (and a new check) - https://check-your-website.server-daten.de/?q=ortmann-media.eu#ct-logs
Issuer | not before | not after | Domain names | LE-Duplicate | next LE
Let's Encrypt Authority X3 | 2020-03-25 | 2020-06-23 | ortmann-media.eu, www.ortmann-media.eu - 2 entries | |
Let's Encrypt Authority X3 | 2020-03-25 | 2020-06-23 | ortmann-media.eu - 1 entries | |
But the certificate with two domain names isn't used, so the www version isn't secure. Ok, not relevant if you use only the non-www version.
The port 4443 is invisible, so it's unknown if this port is configured.
What does apachectl -S say?
Can that port talk with Let's Encrypt via port 80? The OCSP URL http://ocsp.int-x3.letsencrypt.org must work.
apachectl -S
AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/ssl-cert-snakeoil.key' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.
Port 4443 is not forwarded but works in my network.
How can I check this?
Disable that non-working vHost, or add your correct certificate there.
GambaJo:
How can I check this?
curl http://ocsp.int-x3.letsencrypt.org
should work. But if your Apache doesn't start because of a missing file, that's the first problem.
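A bare curl to the responder's base URL only shows that the host answers; it says nothing about whether the responder will return a status for your certificate, which is what mod_ssl needs when it staples. The script below is an added diagnostic, not something posted in this thread: it reads the OCSP responder URL out of the certificate's Authority Information Access extension and asks that responder for the certificate's status with openssl ocsp. The default path /etc/letsencrypt/live/ortmann-media.eu/ is certbot's standard layout for the domain given above and is an assumption; pass another live directory as the first argument.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): can this certificate be OCSP-stapled,
# and does its responder answer from this host? The default path is the
# standard certbot layout for the thread's domain and is an assumption.

# Print the OCSP responder URL from the certificate's Authority Information
# Access extension. A self-signed certificate such as ssl-cert-snakeoil.pem
# has no AIA, so this prints nothing: mod_ssl then has no issuer and no
# responder to ask, hence "can't retrieve issuer certificate".
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null
}

# Ask the responder for the status of certificate $1, using $2 (chain.pem)
# as the issuer that signed it and its OCSP responses.
# Return codes: 0 responder answered "good"
#               2 certificate or issuer file unreadable
#               3 certificate carries no OCSP URI (self-signed / no AIA)
#               4 responder gave no "good" answer (outbound port 80 blocked,
#                 revoked certificate, wrong issuer file, ...)
ocsp_check() {
    cert=$1
    issuer=$2
    [ -r "$cert" ] && [ -r "$issuer" ] || return 2
    url=$(ocsp_uri "$cert")
    [ -n "$url" ] || return 3
    # -no_nonce: Let's Encrypt serves pre-produced responses, so a nonce in
    # the request would only produce a "no nonce in response" warning.
    if openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -no_nonce 2>/dev/null \
        | grep -q ': good'; then
        return 0
    fi
    return 4
}

# Explain the result in words, before Apache has to log it for you.
main() {
    live=${1:-/etc/letsencrypt/live/ortmann-media.eu}   # assumed certbot path
    rc=0
    ocsp_check "$live/cert.pem" "$live/chain.pem" || rc=$?
    case $rc in
        0) echo "OK: $(ocsp_uri "$live/cert.pem") answered; stapling can work" ;;
        2) echo "cert.pem or chain.pem not readable under $live" ;;
        3) echo "no OCSP URI in $live/cert.pem (self-signed?): stapling cannot work" ;;
        4) echo "responder $(ocsp_uri "$live/cert.pem") gave no 'good' answer; check outbound port 80" ;;
    esac
    return $rc
}

# Run only when a live directory is given, so the file can also be sourced.
[ $# -gt 0 ] && main "$1"
```

Run it as root (the private key is not needed, but /etc/letsencrypt/live is root-only) with `sh ocsp-check.sh /etc/letsencrypt/live/ortmann-media.eu`. Return code 3 is what the snakeoil pair in the 4443 vHost would produce: no responder URL at all, so no amount of port-80 connectivity will make stapling work for that certificate.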
Sorry for the late answer.
/etc/apache2/sites-enabled/ncp.conf:

Listen 4443
# opening tag as in NextCloudPi's ncp.conf (it was missing from the paste)
<VirtualHost _default_:4443>
    DocumentRoot /var/www/ncp-web
    SSLEngine on
    # self-signed pair; a self-signed certificate has no issuer for mod_ssl to staple against
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # 2 days, so very big backup requests do not time out
    TimeOut 172800
    <IfModule mod_authnz_external.c>
        DefineExternalAuth pwauth pipe /usr/sbin/pwauth
    </IfModule>
</VirtualHost>

<Directory /var/www/ncp-web/>
    AuthType Basic
    AuthName "ncp-web login"
    AuthBasicProvider external
    AuthExternal pwauth
    # everything is exempt from auth except the index and wizard pages
    SetEnvIf Request_URI "^" noauth
    SetEnvIf Request_URI "^index\.php$" !noauth
    SetEnvIf Request_URI "^/$" !noauth
    SetEnvIf Request_URI "^/wizard/index.php$" !noauth
    SetEnvIf Request_URI "^/wizard/$" !noauth
    <RequireAll>
        # LAN-only access; note that "172" matches all of 172.0.0.0/8, not only the private 172.16.0.0/12
        <RequireAny>
            Require host localhost
            Require local
            Require ip 192.168
            Require ip 172
            Require ip 10
            Require ip fe80::/10
            Require ip fd00::/8
        </RequireAny>
        <RequireAny>
            Require env noauth
            Require user ncp
        </RequireAny>
    </RequireAll>
</Directory>
But the SSL files exist.
curl http://ocsp.int-x3.letsencrypt.org
When I do this there is no result, so I think it's OK.
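The two fixes suggested earlier in the thread (stop stapling for that vHost, or give it the real certificate), written out against the posted ncp.conf as an added example. This is not from the thread or from NextCloudPi's own configuration; the /etc/letsencrypt/live/ortmann-media.eu/ paths are certbot's standard layout for the domain given above and are assumed.

```apache
# Added example (not from the thread or from NextCloudPi): the 4443 vHost
# from ncp.conf with either of the two fixes discussed. Paths under
# /etc/letsencrypt/live/ortmann-media.eu/ are the standard certbot layout
# and are an assumption.
Listen 4443
<VirtualHost _default_:4443>
    DocumentRoot /var/www/ncp-web
    SSLEngine on

    # Option A: keep the LAN-only self-signed pair, but stop mod_ssl from
    # trying to staple it. A self-signed certificate has no issuer and no
    # OCSP responder URL, so "ssl_stapling_init_cert: can't retrieve issuer
    # certificate!" is unavoidable while stapling is on for this vHost.
    # Both files must actually exist; apachectl -S reported the key missing.
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    #SSLUseStapling        off

    # Option B: serve the Let's Encrypt certificate on 4443 as well.
    # fullchain.pem includes the intermediate, which is what stapling needs
    # to find the issuer and the OCSP URL. ServerName must match a name in
    # the certificate, otherwise the "does NOT include an ID which matches
    # the server name" warning stays.
    ServerName            ortmann-media.eu
    SSLCertificateFile    /etc/letsencrypt/live/ortmann-media.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ortmann-media.eu/privkey.pem
    SSLUseStapling        on

    # ... TimeOut, mod_authnz_external block and the <Directory> section
    #     stay exactly as posted above ...
</VirtualHost>

# Stapling needs a cache, and SSLStaplingCache is only valid once, in the
# global server context (not inside a <VirtualHost>). It requires
# mod_socache_shmcb (a2enmod socache_shmcb). Put this in conf-enabled or
# mods-enabled/ssl.conf if it is not already there.
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
```

After editing, `apachectl configtest` must report Syntax OK before a reload; once the file parses, `apachectl -S` will list the 4443 vHost alongside the others, which is the check asked for earlier in the thread. Option B only makes sense because the Require block already limits 4443 to local and RFC 1918 addresses; the certificate being public does not widen who can reach the panel.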
system (May 11, 2020, 9:01am): This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.