Apache2 vhosts domain and subdomain certificate problems

if:

certbot-auto --apache -d acegames.de -d www.acegames.de -d cloud.acegames.de

then:

if:

certbot-auto --apache -d acegames.de -d www.acegames.de -d download.acegames.de

then:

same error with download.acegames.de

OK, then the only thing I can think is pretty much as before - either stop listening on port 443, or provide https on port 443.

If you are unsure on exactly where you are listening on port 443 - I’d suggest starting with a grep of port 443 on all your apache config files … alternatively upload them all to pastebin.com so we can review them.
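A scripted version of that grep, added here as an illustration rather than anything posted in the thread: it walks an Apache config directory and reports every VirtualHost bound to port 443 that never enables SSLEngine, which is exactly the "listening on 443 with plain http" state that makes the TLS-SNI-01 connection fail. The config directory path, the demo file names and the demo vhost names are assumptions for the example.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread): list every <VirtualHost> bound to
# port 443 whose body never turns SSLEngine on, i.e. a vhost answering plain HTTP
# on 443, which is what breaks the validator's TLS connection to host:443.
# Usage: plain_http_on_443 /etc/apache2
plain_http_on_443() {
    find "$1" -name '*.conf' -print | sort | while read -r f; do
        awk -v file="$f" '
            # opening tag: note whether this vhost binds port 443
            /^[[:space:]]*<VirtualHost[[:space:]]/ {
                in443 = ($0 ~ /:443[[:space:]>]/); ssl = 0; start = NR; next
            }
            # an uncommented "SSLEngine on" makes it a real HTTPS vhost
            in443 && tolower($0) ~ /^[[:space:]]*sslengine[[:space:]]+on/ { ssl = 1 }
            /^[[:space:]]*<\/VirtualHost>/ {
                if (in443 && !ssl) printf "%s:%d\n", file, start
                in443 = 0
            }' "$f"
    done
}

# Self-contained demo on constructed files mirroring the thread: a default-ssl.conf
# with SSLEngine commented out, next to a correctly paired :80 / :443 site.
demo_plain_http_on_443() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    cat > "$d/sites-enabled/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName plain.example
    #SSLEngine on
</VirtualHost>
</IfModule>
EOF
    cat > "$d/sites-enabled/good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName tls.example
</VirtualHost>
<VirtualHost *:443>
    ServerName tls.example
    SSLEngine on
</VirtualHost>
EOF
    # prints "sites-enabled/default-ssl.conf:2": only the plain-HTTP 443 vhost
    plain_http_on_443 "$d" | sed "s#^$d/##"
    rm -rf "$d"
}
```

Lines that show up here should either get `SSLEngine on` with a real certificate, or be disabled until one exists (as the thread later does with a2dissite).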

So I’ve visited pastebin.com.
If you wish other configs too, just ask me for them.

/etc/apache2/mods-enabled/ssl.conf = http://pastebin.com/iTLD1cSm

/etc/apache2/sites-enabled/ = http://pastebin.com/78GVGrw4

/etc/apache2/apache2.conf = http://pastebin.com/uNrV27XW

/etc/apache2/envvars = http://pastebin.com/fzJSiDyW

/etc/apache2/ports.conf = http://pastebin.com/zRaeyiUY

/etc/letsencrypt/cli.ini = nothing in it…

/etc/letsencrypt/options-ssl-apache.conf = http://pastebin.com/YXtpiUg5

In your default-ssl.conf you have it listening on port 443, but you have no SSL configuration.

The easiest method may be to just disable this (a2dissite default-ssl then reload apache), then try to obtain the certs.

The default-ssl.conf previously wasn't activated. I activated it when going through the config files and recognizing this. Then I tested the command

root@553182-561:~# certbot-auto --apache -d acegames.de -d www.acegames.de -d download.acegames.de -d cloud.acegames.de

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

[Sun Nov 06 23:15:45.645728 2016] [alias:warn] [pid 3657] AH00671: The Alias directive in /etc/phpmyadmin/apache.conf at line 3 will probably never match because it overlaps an earlier Alias.
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

The phpmyadmin warning is known to me and I'm going to fix it in time. The other thing... I have no clue why it is now unable to find its files for the TLS_SNI_01 tests

It's unable to find the files because your server is not listening on port 443 with https.

Could you please describe what you want me to do in a bit more detail. Thank you.

I am trying to understand what is wrong but currently I'm not getting it…

At the moment you haven’t got apache running - so I’m assuming there is an error in your apache config.

Do you have a backup of the working apache config ? if so I’d restore that.

If you don’t have one - then my understanding was the one in pastebin was working - so use that (although it does have Include /etc/phpmyadmin/apache.conf twice in the /etc/apache2/apache2.conf so you will need to remove one)

If neither of the above, then what does “apachectl configtest” give as output.

[Mon Nov 07 19:34:35.157710 2016] [ssl:emerg] [pid 10403] AH02572: Failed to configure at least one certificate and key for 553182-561.pph-server.de:443
[Mon Nov 07 19:34:35.157773 2016] [ssl:emerg] [pid 10403] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Mon Nov 07 19:34:35.157776 2016] [ssl:emerg] [pid 10403] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

Error log if I try to start the apache2 service.
553182-561.pph-server.de is my server's hostname.

apachectl configtest only prints out Syntax OK.

No, I don't have a backup, but this is the exact same configuration as on pastebin (except for this doubled include...).

Should I deactivate the default-ssl.conf site again?

Sorry, I was offline for some time.
I just deactivated the SSLEngine option in default-ssl.conf and we're again at the state of post #21:

Failed authorization procedure. cloud.acegames.de (tls-sni-01):
urn:acme:error:connection :: The server could not connect to
the client to verify the domain :: Failed to connect to
137.74.140.78:443 for TLS-SNI-01 challenge.

Your server is still listening on port 443 ( with http )

But where? I just don't get where it's set that http is listening on port 443


I’m not sure on your current files. You did have default-ssl.conf (in sites enabled ) that was listening on port 443 with http only


If you run “apachectl -t -D DUMP_VHOSTS” (or apache2ctl on some systems), you should be able to see where each host is defined, including all the SSL/443 ones.


root@553182-561:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
137.74.140.78:* is a NameVirtualHost
default server acegames.de (/etc/apache2/sites-enabled/000-default.conf:1)
port * namevhost acegames.de (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.acegames.de
port * namevhost cloud.acegames.de (/etc/apache2/sites-enabled/001-cloud.acegames.de.conf:1)
port * namevhost ts.acegames.de (/etc/apache2/sites-enabled/002-ts.acegames.de.conf:1)
alias teamspeak.acegames.de
port * namevhost status.acegames.de (/etc/apache2/sites-enabled/003-status.acegames.de.conf:1)
port * namevhost download.acegames.de (/etc/apache2/sites-enabled/004-download.acegames.de.conf:1)
port * namevhost files.acegames.de (/etc/apache2/sites-enabled/005-files.acegames.de.conf:1)
port * namevhost en.ts.acegames.de (/etc/apache2/sites-enabled/006-en.ts.acegames.de.conf:1)
port * namevhost en.status.acegames.de (/etc/apache2/sites-enabled/007-en.status.acegames.de.conf:1)
port * namevhost en.acegames.de (/etc/apache2/sites-enabled/008-en.acegames.de.conf:1)
port * namevhost phpmyadmin.acegames.de (/etc/apache2/sites-enabled/009-phpmyadmin.acegames.de.conf:1)
port * namevhost mailboxes.acegames.de (/etc/apache2/sites-enabled/010-mailboxes.acegames.de.conf:1)
port * namevhost wiki.acegames.de (/etc/apache2/sites-enabled/011-wiki.acegames.de.conf:1)
port * namevhost admin.acegames.de (/etc/apache2/sites-enabled/012-admin.acegames.de.conf:1)
port * namevhost clouds.acegames.de (/etc/apache2/sites-enabled/013-clouds.acegames.de.conf:1)
*:443 553182-561.pph-server.de (/etc/apache2/sites-enabled/default-ssl.conf:2)
root@553182-561:~#

There you go. That file contains a VirtualHost configured to listen to port 443 (HTTPS) on every IP on the system. You'll probably want to disable/remove the configuration there.

$ a2dissite default-ssl.conf
Site default-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload

$ service apache2 reload

$ apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
137.74.140.78:* is a NameVirtualHost
default server acegames.de (/etc/apache2/sites-enabled/000-default.conf:1)
port * namevhost acegames.de (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.acegames.de
port * namevhost cloud.acegames.de (/etc/apache2/sites-enabled/001-cloud.acegames.de.conf:1)
port * namevhost ts.acegames.de (/etc/apache2/sites-enabled/002-ts.acegames.de.conf:1)
alias teamspeak.acegames.de
port * namevhost status.acegames.de (/etc/apache2/sites-enabled/003-status.acegames.de.conf:1)
port * namevhost download.acegames.de (/etc/apache2/sites-enabled/004-download.acegames.de.conf:1)
port * namevhost files.acegames.de (/etc/apache2/sites-enabled/005-files.acegames.de.conf:1)
port * namevhost en.ts.acegames.de (/etc/apache2/sites-enabled/006-en.ts.acegames.de.conf:1)
port * namevhost en.status.acegames.de (/etc/apache2/sites-enabled/007-en.status.acegames.de.conf:1)
port * namevhost en.acegames.de (/etc/apache2/sites-enabled/008-en.acegames.de.conf:1)
port * namevhost phpmyadmin.acegames.de (/etc/apache2/sites-enabled/009-phpmyadmin.acegames.de.conf:1)
port * namevhost mailboxes.acegames.de (/etc/apache2/sites-enabled/010-mailboxes.acegames.de.conf:1)
port * namevhost wiki.acegames.de (/etc/apache2/sites-enabled/011-wiki.acegames.de.conf:1)
port * namevhost admin.acegames.de (/etc/apache2/sites-enabled/012-admin.acegames.de.conf:1)
port * namevhost clouds.acegames.de (/etc/apache2/sites-enabled/013-clouds.acegames.de.conf:1)

Status update:

SSL_PROTOCOL_ERROR remains for the 3 vhosts

the certificate-creation error remains without changes.

Failed authorization procedure. download.acegames.de (tls-sni-01):
urn:acme:error:connection :: The server could not connect to
the client to verify the domain :: Failed to connect to
137.74.140.78:443 for TLS-SNI-01 challenge.

now doing a full server restart. again...

nothing changes

So the server cannot connect to itself on port 443.
If I visit the site in the browser I get to see the same as when I visit acegames.de. It may be a dumb thought, but couldn't it be that the server doesn't allow it because in 000-default.conf it's

<VirtualHost acegames.de>
instead of
<VirtualHost acegames.de:80> or <VirtualHost *:80>

On a different thread - Supplied wrong domain names (?) - vhost setup apache

There was an issue where the “IfModule mod_ssl.c” was not being recognised.

Can you have a look at that thread - and then comment out the “IfModule mod_ssl.c” lines and see if you have the same issue.

Also, I assume you did install mod_ssl ?

And yes, you should generally be specifying a port

1st:
Only commented out the

(SSL Engine = off)
(not existing Certificates are commented out)

Nothing changes. The certificate error remains. SSL_PROTOCOL_ERROR remains on the 3 vhosts.

2nd:

Remains commented out

SSL Engine = on
(not existing Certificates are commented out)

And apache2 is down. (httpd not running)

I did not install it myself. It should have been installed automatically.
But if I try to install it from the package database (apt-get) it doesn't find it

Added :80 after the domain in every vhost except for default-ssl.conf

OK, did you run "a2enmod ssl" to enable ssl ?

and what is the current state of your config files ? as you posted on pastebin before ?