At my wit's end, this simply doesn't work. SITE IS DOWN


#1

Ok, today I was greeted by my website not loading HTTPS; the certificates are expired.
Here's what happens when I run certbot --update on my apache2 server

certbot --update

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: squidblacklist.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for squidblacklist.org
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. squidblacklist.org (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: squidblacklist.org
    Type: malformed
    Detail: Server only speaks HTTP, not TLS

    To fix these errors, please make sure that you did not provide any
    invalid information to the client, and try running Certbot again.

Ok hello McFly?!?!?!?

Any help would be greatly appreciated.

[Sat Dec 01 15:52:36.906516 2018] [ssl:warn] [pid 27475] AH01916: Init: (www.squidblacklist.org:443) You configured HTTP(80) on the standard HTTPS(443) port!

That sounds like it would be easy to fix, NOT!

What's missing from my conf???

Include sites-enabled/

NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
<Directory /var/www/html/>

<VirtualHost 1.2.3.4:443>
<Directory /var/www/html/>

# closing </Directory> and </VirtualHost> tags below restored (stripped in the forum paste)
<VirtualHost 1.2.3.4:80>
    ServerAdmin webmaster@squidblacklist.org
    ServerName www.squidblacklist.org
    ServerAlias squidblacklist.org
    DocumentRoot /var/www/www.squidblacklist.org/
    DirectoryIndex index.html
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^squidblacklist.org
    RewriteRule ^(.*)$ http://www.squidblacklist.org$1 [R=permanent,L]
    <Directory /var/www/www.squidblacklist.org/>
        AuthType None
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    CustomLog /var/log/apache2/www.squidblacklist.org.access.log combined
    ErrorLog /var/log/apache2/www.squidblacklist.org.error.log
    ServerSignature Off
    ErrorDocument 404 /404.html
    ErrorDocument 401 /401.html
    <Directory /var/www/www.squidblacklist.org/downloads/squidblacklists>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/supersecret
        Require valid-user
    </Directory>

    <Directory /var/www/www.squidblacklist.org/downloads/whitelists/>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType None
    </Directory>

    <Directory /var/www/www.squidblacklist.org/resolved/>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/supersecret
        Require valid-user
    </Directory>
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerAdmin webmaster@squidblacklist.org
    ServerName www.squidblacklist.org
    ServerAlias squidblacklist.org
    DocumentRoot /var/www/www.squidblacklist.org/
    DirectoryIndex index.html
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^squidblacklist.org
    RewriteRule ^(.*)$ http://www.squidblacklist.org$1 [R=permanent,L]
    <Directory /var/www/www.squidblacklist.org/>
        AuthType None
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    CustomLog /var/log/apache2/www.squidblacklist.org.access.log combined
    ErrorLog /var/log/apache2/www.squidblacklist.org.error.log
    ServerSignature Off
    ErrorDocument 404 /404.html
    ErrorDocument 401 /401.html
    <Directory /var/www/www.squidblacklist.org/downloads/squidblacklists>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/supersecret
        Require valid-user
    </Directory>

    <Directory /var/www/www.squidblacklist.org/downloads/whitelists/>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType None
    </Directory>

    <Directory /var/www/www.squidblacklist.org/resolved/>
        Options FollowSymLinks
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/supersecret
        Require valid-user
    </Directory>
</VirtualHost>

#2

Hi @Squidblacklist

The tls-sni-01 challenge is deprecated. Support ends 2019-02-13.

So it’s better you switch to another validation.

There is your DocumentRoot.

So try (one line)

certbot run -a webroot -i apache -w /var/www/www.squidblacklist.org/ -d squidblacklist.org -d www.squidblacklist.org

You have two IP addresses.

Your configuration looks ok; your /.well-known/acme-challenge subdirectory doesn't send nonsense.


#3

FYI the Apache plugin also supports HTTP-01. You just need to tell it to do so with the --preferred-challenges=http-01 flag.

@Squidblacklist, your problem is that you’ve got a listen statement for port 443 but no corresponding SSLEngine on statement. Just remove the listen for 443 and rerun.
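As an added example (not code from anyone in this thread): a small sh/awk check for the exact misconfiguration the AH01916 warning in post #1 and the advice in post #3 point at, a <VirtualHost ...:443> block with no SSLEngine on, so Apache answers port 443 in plain HTTP and the ACME server reports "Server only speaks HTTP, not TLS". The two configs inside it are constructed samples using example.test in place of the real domain; the certificate paths in the fixed sample assume certbot's default /etc/letsencrypt/live/<domain>/ layout.

```shell
#!/bin/sh
# Added example, not from the thread: find <VirtualHost ...:443> blocks that never
# turn on SSLEngine. Reads Apache config text on stdin, prints one line per
# offending vhost, exits 1 if any were found (0 otherwise).
check_ssl_vhosts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            in_vhost = 1; has_ssl = 0
            name = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", name)   # keep only the address list
            sub(/>.*$/, "", name)
            on443 = (name ~ /:443([ \t]|$)/)             # any address bound to :443
            next
        }
        in_vhost && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { has_ssl = 1 }
        in_vhost && /^[ \t]*<\/VirtualHost>/ {
            if (on443 && !has_ssl) {
                print "missing SSLEngine on: <VirtualHost " name ">"
                bad++
            }
            in_vhost = 0
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Constructed sample: the shape of the config in post #1 (443 vhost, no SSLEngine).
sample_broken_conf() {
    cat <<'EOF'
<VirtualHost 1.2.3.4:80>
    ServerName www.example.test
    DocumentRoot /var/www/www.example.test/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName www.example.test
    DocumentRoot /var/www/www.example.test/
</VirtualHost>
EOF
}

# Constructed sample: the same site with TLS actually enabled on 443.
# Certificate paths assume certbot's default live/ directory layout.
sample_fixed_conf() {
    cat <<'EOF'
<VirtualHost 1.2.3.4:80>
    ServerName www.example.test
    DocumentRoot /var/www/www.example.test/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName www.example.test
    DocumentRoot /var/www/www.example.test/
    # what the broken vhost lacks: without this Apache speaks plain HTTP on 443
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.test/privkey.pem
</VirtualHost>
EOF
}

# Stand-alone demo on the two constructed samples.
echo "== broken sample =="
sample_broken_conf | check_ssl_vhosts || echo "-> 443 vhost serves plain HTTP; add SSLEngine on (or drop the 443 vhost)"
echo "== fixed sample =="
sample_fixed_conf | check_ssl_vhosts && echo "-> ok"
```

Against a live server, feed it the enabled sites, e.g. cat /etc/apache2/sites-enabled/*.conf | check_ssl_vhosts, then run apachectl configtest after editing. The check matches what Apache itself warns about with AH01916 at startup, so the error log is the other place to confirm the fix took.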


#4

I do not have two IP addresses, I am hidden behind Cloudflare, I do not expose my real IP. DDoS attacks and other threats are a real persistent problem on today's internet.

I do shut off the firewall when I need to update certbot.


#5

I have already added the SSLEngine on option and all the correct key strings; it throws different errors at that point.


#6

Have you tried the --preferred-challenges flag? Want to share the latest errors you are getting?