Apache2 default page (not redirecting subdomains or www) after cert installed

My domain is: clearpath.site and *.clearpath.site

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 19.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I am receiving the Apache2 Ubuntu Default page when visiting subdomains of my website - or at least some people are reaching the default page and some are not. I am sure it has to do with the .conf file setup incorrectly but I cannot seem to figure it out. It seems that www is the site that gives this page. Shouldn’t that be caught by the wildcard Alias?

check your website

000-default.conf:
<VirtualHost *:80>
        ServerName clearpath.site
        ServerAlias *.clearpath.site
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =clearpath.site [OR]
RewriteCond %{SERVER_NAME} =*.clearpath.site
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And my VH for port 443:

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerName clearpath.site
        ServerAlias *.clearpath.site
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/david/clearpath_project/static
        <Directory /home/david/clearpath_project/static>
                Require all granted
        </Directory>

        Alias /media /home/david/clearpath_project/media
        <Directory /home/david/clearpath_project/media>
                Require all granted
        </Directory>

        <Directory /home/david/clearpath_project/config>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>
        WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
        WSGIDaemonProcess django_app python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/>
        WSGIProcessGroup django_app


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/clearpath.site/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/clearpath.site/privkey.pem
</VirtualHost>
</IfModule>

Any help is appreciated.


I’m not a big fan of “if servername X or servername Y then DO …”
When you probably want to always DO …

So, I would first update the four rewrite lines to:

RewriteEngine On
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

[which basically says: when NOT a challenge request and NOT HTTPS redirect to HTTPS]

If that doesn’t fix the problem - which it probably won’t.
I would then check for name overlap with:
apachectl -S

[Apache is tricky in that it will allow you to have name overlaps and never complain - unlike others]
[And it will serve from only the first match; so that may be why you don’t get your desired result]


What do you mean by “name overlap”?

Also, when I run: apachectl -S I get:

AH00526: Syntax error on line 49 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/clearpath.site/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

When multiple vhost configs contain similar names or overlapping names.
Where the webserver could match the requested name with multiple vhosts.

Can we see this line (or entire file):

And the full contents of this folder:
ls -l /etc/letsencrypt/live/clearpath.site/

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerName clearpath.site
        ServerAlias *.clearpath.site
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/david/clearpath_project/static
        <Directory /home/david/clearpath_project/static>
                Require all granted
        </Directory>

        Alias /media /home/david/clearpath_project/media
        <Directory /home/david/clearpath_project/media>
                Require all granted
        </Directory>

        <Directory /home/david/clearpath_project/config>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>
        WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
        WSGIDaemonProcess django_app python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/>
        WSGIProcessGroup django_app


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/clearpath.site/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/clearpath.site/privkey.pem
</VirtualHost>
</IfModule>

Looks like root has all rw permissions if I read this correctly:

lrwxrwxrwx 1 root root  38 Dec 18 20:43 cert.pem -> ../../archive/clearpath.site/cert1.pem
lrwxrwxrwx 1 root root  39 Dec 18 20:43 chain.pem -> ../../archive/clearpath.site/chain1.pem
lrwxrwxrwx 1 root root  43 Dec 18 20:43 fullchain.pem -> ../../archive/clearpath.site/fullchain1.pem
lrwxrwxrwx 1 root root  41 Dec 18 20:43 privkey.pem -> ../../archive/clearpath.site/privkey1.pem
-rw-r--r-- 1 root root 692 Dec 18 20:43 README

hmm…
All that looks NORMAL and expected…

Please show:
ls -l /etc/letsencrypt/archive/clearpath.site/

-rw-r--r-- 1 root root 1931 Dec 18 20:43 cert1.pem
-rw-r--r-- 1 root root 1647 Dec 18 20:43 chain1.pem
-rw-r--r-- 1 root root 3578 Dec 18 20:43 fullchain1.pem
-rw------- 1 root root 1704 Dec 18 20:43 privkey1.pem

Ok… that looks good too…
Please show this file:
/etc/letsencrypt/options-ssl-apache.conf


This is safe to show?

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"


Yes (very) it should be all DEFAULT - but I want to check to be sure.
The only thing you NEVER EVER show is the contents of any PRIVKEY file.


On the check your website it shows that I need a redirect but I have one?


You have a broken config; as shown by the failed apachectl -S
But I don’t see WHERE…

Please show this output:
[NOT THE FILE CONTENTS]
ls -l /etc/letsencrypt/live/clearpath.site/fullchain.pem
ls -l /etc/letsencrypt/live/clearpath.site/privkey.pem

Then check the contents - don’t post these:
cat /etc/letsencrypt/live/clearpath.site/fullchain.pem
cat /etc/letsencrypt/live/clearpath.site/privkey.pem
ENSURE THERE IS CONTENT VISIBLE

david@clearpath:/etc/letsencrypt$ sudo ls -l /etc/letsencrypt/live/clearpath.site/fullchain.pem
lrwxrwxrwx 1 root root 43 Dec 18 20:43 /etc/letsencrypt/live/clearpath.site/fullchain.pem -> ../../archive/clearpath.site/fullchain1.pem
david@clearpath:/etc/letsencrypt$ sudo ls -l /etc/letsencrypt/live/clearpath.site/privkey.pem
lrwxrwxrwx 1 root root 41 Dec 18 20:43 /etc/letsencrypt/live/clearpath.site/privkey.pem -> ../../archive/clearpath.site/privkey1.pem

And yes, the keys exist.

Please show:
apachectl -t -D DUMP_VHOSTS
and
apachectl -t -D DUMP_RUN_CFG

david@clearpath:/etc/apache2/sites-available$ sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 173.230.154.79. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  clearpath.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   clearpath.site (/etc/apache2/sites-enabled/000-default.conf:1)

So it sees both vhost configs well enough…
What about:
sudo apachectl -t -D DUMP_RUN_CFG

david@clearpath:/etc/apache2/sites-available$ sudo apachectl -t -D DUMP_RUN_CFG
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 173.230.154.79. Set the 'ServerName' directive globally to suppress this message
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

HUH???

Please show:
sudo apachectl -S

david@clearpath:/etc/apache2/sites-available$ sudo apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 173.230.154.79. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  clearpath.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   clearpath.site (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I am totally lost now XD

That makes two of us!

Try removing these two lines:

and restart web server.

[I have to step out for a few (~20) minutes - I will return - if no one else chimes in]
