Apache server broken after certificate revoked


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version): Apache

The operating system my web server runs on is (include version): DEBIAN

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

I created a certificate for one of the websites in this server: admin.esiconta.com

It didn’t work properly, so I tried to revoke and delete, after that… Apache is down. I have this in the apache error log:

[Fri Jan 18 09:47:30.203762 2019] [ssl:emerg] [pid 7065] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 09:47:30.203791 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 09:47:30.203817 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 09:47:30.203831 2019] [ssl:emerg] [pid 7065] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned


#3

Hi @esija

Deleting / revoking certificates if the private key isn’t compromised is always a bad idea.

So remove your complete https configuration and start over with an http config.


#4

Thank you so much for your fast reply. My company app is down and I'm really worried about this.

How can I do this? I mean, the web service is totally down.

What do I have to “delete” or “purge” for this to work again?


#5

You have a vHost with port 443. There are links to the certificate. But the certificate doesn’t exist, because you have deleted it.

So remove this vHost (and perhaps the standard 443 vHost).


#6

Do you mean from “/etc/apache2/sites-enabled/admin.esiconta.com”?

OK, I will delete:

<VirtualHost *:443>
    DocumentRoot /var/www/admin.esiconta.com/web

    ServerName admin.esiconta.com
    ServerAdmin webmaster@admin.esiconta.com

    ErrorLog /var/log/ispconfig/httpd/admin.esiconta.com/error.log

    Alias /error/ "/var/www/admin.esiconta.com/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder     on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.crt
        SSLCertificateKeyFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.key
        SSLCertificateChainFile /var/www/clients/client1/web8/ssl/admin.esiconta.com-le.bundle
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </IfModule>

    <Directory /var/www/admin.esiconta.com/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web8/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web8 client1
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        FcgidIdleTimeout 300
        FcgidProcessLifeTime 3600
        # FcgidMaxProcesses 1000
        FcgidMaxRequestsPerProcess 5000
        FcgidMinProcessesPerClass 0
        FcgidMaxProcessesPerClass 10
        FcgidConnectTimeout 3
        FcgidIOTimeout 600
        FcgidBusyTimeout 3600
        FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/admin.esiconta.com/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web8/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web8 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client1/web8/webdav>
            <IfModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </IfModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client1/web8/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>
</VirtualHost>

#7

Still not working… it's like port 80 is blocked. I don't have ping to the server.


#8

Yep, your http is blocked ( https://check-your-website.server-daten.de/?q=admin.esiconta.com )

Domainname Http-Status redirect Sec. G
http://admin.esiconta.com/
37.187.144.223 -2 1.086 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:80
https://admin.esiconta.com/
37.187.144.223 -2 1.070 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:443
http://admin.esiconta.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
37.187.144.223 -2 1.076 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.187.144.223:80

Your http port 80 must be open to use http validation.


#9

I still have this in the Apache error.log

[Fri Jan 18 13:16:54.815858 2019] [ssl:warn] [pid 18718] AH01906: ns3111216.ip-37-187-144.eu:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:16:54.817134 2019] [ssl:warn] [pid 18718] AH01906: ns3111216.ip-37-187-144.eu:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:16:54.817351 2019] [ssl:emerg] [pid 18718] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 13:16:54.817368 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:16:54.817376 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:16:54.817386 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jan 18 13:16:54.817390 2019] [ssl:emerg] [pid 18718] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed


#10

Then you have a second vHost with port 443. Make a backup and remove this second vHost. Perhaps you have to remove a “Listen 443” directive.


#11

Where can I have this second vHost?

How can I remove the listen 443?

Sorry, I'm not an expert. You are my saviour!!! :frowning:


#12

Check your main apache config file. I’m not so firm with Debian, but if you have a config

/etc/apache2/sites-enabled/admin.esiconta.com

then /etc/apache2 is your start.


#13

I have found one “Listen 443” in the ports.conf. But if I delete this, all the SSL won’t work, right?

This is the content of the file:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

NameVirtualHost *:80

NameVirtualHost *:443


#14

If you don’t have a certificate (valid or invalid), then 443 can’t work.


#15

Yes but I have 3 websites…

2 are running valid certificates and 1 is running its “missing one”.


#16

Then change the links of your incorrect config to one of the working certificates.

So Apache has correct files instead of these messages:

[Fri Jan 18 13:16:54.817368 2019] [ssl:emerg] [pid 18718] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
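The advice in #5, #10 and #16 boils down to one check: every `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCertificateChainFile` in any `:443` vhost must point at a real PEM file, because `mod_ssl` treats a missing or empty file as fatal and the whole server (all three sites, not just the broken one) stays down. The script below is an added example, not something posted in this thread or shipped by Apache or ISPConfig: it lists the `:443` vhosts in a directory such as `/etc/apache2/sites-enabled` and reports which referenced files are missing, empty or not PEM, so you know before restarting. The demo at the bottom builds constructed input in a temporary directory (hostname `site.example`, fake PEM bodies); it never touches a real Apache installation.

```shell
#!/bin/sh
# Added example (not from the thread): audit the certificate files that Apache
# SSL vhosts reference before restarting, so a deleted or empty file is caught
# here instead of as "PEM_read_bio:no start line" at startup.

# Report whether one referenced PEM file is usable.
# $1 = directive name (for the report), $2 = path, $3 = expected PEM type
check_pem_file() {
    if [ ! -s "$2" ]; then
        echo "MISSING/EMPTY  $1 -> $2"
        return 1
    fi
    # A PEM file starts with "-----BEGIN <TYPE>-----"; the ".*" lets both
    # "PRIVATE KEY" and "RSA PRIVATE KEY" satisfy the key check.
    if ! grep -q "^-----BEGIN .*$3-----" "$2"; then
        echo "NOT-PEM        $1 -> $2 (no '-----BEGIN ... $3-----' line)"
        return 1
    fi
    echo "OK             $1 -> $2"
}

# Check every SSLCertificate*File directive in one config file.
# Returns non-zero if any referenced file is unusable. Commented-out
# directives are skipped because the pattern requires the directive at line
# start (after whitespace).
audit_vhost() {
    vhost_rc=0
    # Feeding the loop from a heredoc keeps it in the current shell, so
    # vhost_rc survives the loop (a pipe would run it in a subshell).
    while read -r directive path; do
        case "$directive" in
            SSLCertificateFile|SSLCertificateChainFile)
                check_pem_file "$directive" "$path" "CERTIFICATE" || vhost_rc=1 ;;
            SSLCertificateKeyFile)
                check_pem_file "$directive" "$path" "PRIVATE KEY" || vhost_rc=1 ;;
        esac
    done <<EOF
$(grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$1" | sed 's/^[[:space:]]*//')
EOF
    return $vhost_rc
}

# Audit every file in a directory (e.g. /etc/apache2/sites-enabled): count the
# :443 vhosts each one declares (#10 in the thread: a second :443 vhost that
# still references the deleted files) and check their certificate paths.
audit_dir() {
    dir_rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(grep -c -i '<VirtualHost[^>]*:443>' "$f" || true)
        echo "$f: $n vhost(s) on :443"
        audit_vhost "$f" || dir_rc=1
    done
    return $dir_rc
}

# Demo on constructed input. $1 selects the scenario:
#   complete    - cert and key both present and PEM-shaped  -> exit 0
#   missing-key - key file deleted (the thread's situation)  -> exit 1
#   empty-key   - key file exists but is zero bytes           -> exit 1
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sites-enabled"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedNotARealCertificate' \
        '-----END CERTIFICATE-----' > "$tmp/site.crt"
    case "$1" in
        complete)
            printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEconstructedNotARealKey' \
                '-----END PRIVATE KEY-----' > "$tmp/site.key" ;;
        empty-key)
            : > "$tmp/site.key" ;;
        missing-key)
            ;;
    esac
    cat > "$tmp/sites-enabled/site.conf" <<EOF
<VirtualHost *:443>
    ServerName site.example
    SSLEngine on
    SSLCertificateFile $tmp/site.crt
    SSLCertificateKeyFile $tmp/site.key
</VirtualHost>
EOF
    status=0
    audit_dir "$tmp/sites-enabled" || status=$?
    rm -rf "$tmp"
    return $status
}

for mode in complete missing-key empty-key; do
    echo "== scenario: $mode"
    demo "$mode" || echo "   -> fix the paths above before restarting Apache"
done
```

On a real box you would run `audit_dir /etc/apache2/sites-enabled` (and, if ISPConfig or another panel writes vhosts elsewhere, that directory too), fix or remove every entry it flags, then confirm with `apache2ctl configtest` before `systemctl restart apache2`. The check only inspects file presence and the PEM header, which is exactly what the `no start line` error is about; it does not verify that the key matches the certificate.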


#17

I tried, but still the same errors… Even restarting the apache2 service:

[Fri Jan 18 13:52:39.699043 2019] [ssl:warn] [pid 2957] AH01906: ns3111216.ip-37-187-144.eu:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:52:39.724450 2019] [ssl:warn] [pid 2957] AH01906: ns3111216.ip-37-187-144.eu:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 13:52:39.724957 2019] [ssl:emerg] [pid 2957] AH02572: Failed to configure at least one certificate and key for admin.esiconta.com:443
[Fri Jan 18 13:52:39.724999 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:52:39.725017 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jan 18 13:52:39.725040 2019] [ssl:emerg] [pid 2957] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jan 18 13:52:39.725049 2019] [ssl:emerg] [pid 2957] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed


#18

Any clue of what to try?


#19

Since your situation is “urgent”…
Try DNS validation (manually, if needed).


#20

Thank you very much for your answer, but as I said, I'm not an expert.

Could you please be more technically specific?