You are right: There is a solution, which might be of interest for all Fedora (and maybe also CentOS/Archlinux/RedHat) users:
I needed to open the http port 80 in the Fedora default firewall. Up to now I did not even know that such a firewall existed.
Here:
you can read that the following commands are necessary to check the status, open the http port and restart the firewall to make the changes effective:
# firewall-cmd --get-active-zones
public
interfaces: eno1
# firewall-cmd --permanent --zone=public --add-service=http
success
# systemctl restart firewalld.service
Knowing the reason, I have to correct myself partially: Port 80 was never before open to the public due to the Fedora firewall. It was open in the router only, which is not sufficient. Addressing my server via http worked anyhow within my network, because there is no need to "cross" the firewall, and I messed that up.
certbot --apache
then worked like a charm:
Certificate renewal
# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: maier.dyn.cc
2: www.maier.dyn.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/maier.dyn.cc.conf)
It contains these names: maier.dyn.cc
You requested these names for the new certificate: maier.dyn.cc,
www.maier.dyn.cc.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maier.dyn.cc
http-01 challenge for www.maier.dyn.cc
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/http-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/http-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/http-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/http.conf to ssl vhost in /etc/httpd/conf.d/http-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://maier.dyn.cc and
https://www.maier.dyn.cc
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=maier.dyn.cc
https://www.ssllabs.com/ssltest/analyze.html?d=www.maier.dyn.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/maier.dyn.cc/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/maier.dyn.cc/privkey.pem
Your cert will expire on 2019-09-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
#
Main problem solved and I am really happy to have a working certificate again!
I would appreciate it if you could assist with some hints on the following problems that now face the daylight: Still I get a grade "C" when testing my website again:
1. Errors
C | Error - more then one version with Http-Status 200 |
C | Error - no preferred version www or non-www |
(I suppose it should be than instead of then in the error message, just in case you care.)
How to fix these errors?
The second error appears strange to me, as http is rewritten to https for both, maier.dyn.cc as well as www.maier.dyn.cc.
I had to adapt the VirtualHost setup updated/created by Letsencrypt.
The current setup is
httpd.conf
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin post@xx.de
ServerName maier.dyn.cc
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
AccessFileName .htaccess
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
http_rewrite.conf
<VirtualHost *:80>
ServerAdmin post@xx.de
RewriteEngine on
RewriteCond %{SERVER_NAME} =maier.dyn.cc [OR]
RewriteCond %{SERVER_NAME} =www.maier.dyn.cc
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog logs/http_error_log
CustomLog logs/http_access_log combined
</VirtualHost>
ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ServerAdmin post@xx.de
DocumentRoot "/var/www/nextcloud/"
ServerName maier.dyn.cc
ServerAlias www.maier.dyn.cc
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/maier.dyn.cc/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/maier.dyn.cc/privkey.pem
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
</VirtualHost>
2. Warnings
_acme-challenge.maier.dyn.cc | missing entry or wrong length | 1 | 0
_acme-challenge.www.maier.dyn.cc | missing entry or wrong length | 1 | 0
_acme-challenge.maier.dyn.cc.dyn.cc | perhaps wrong | 1 | 0
_acme-challenge.maier.dyn.cc.maier.dyn.cc | perhaps wrong | 1 | 0
_acme-challenge.www.maier.dyn.cc.maier.dyn.cc | perhaps wrong | 1 | 0
_acme-challenge.www.maier.dyn.cc.www.maier.dyn.cc | perhaps wrong | 1 | 0
3. Uncertainties: Lots of expired certificates
Does it make sense to remove the (many) expired certificates? Why?
Is there sort of a cleanup function that does the job?
(Expired) Certificates
Source crt.sh - old and new certificates, sometimes very slow.
Issuer last 7 days active num Certs
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 1 1 13
CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1555995761 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-08 16:26:16 2019-09-06 16:26:16 maier.dyn.cc, www.maier.dyn.cc
2 entries duplicate nr. 1
957619905 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2018-11-18 23:10:33 2019-02-16 23:10:33 maier.dyn.cc
1 entries
849448725 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2018-09-19 20:21:42 2018-12-18 21:21:42 maier.dyn.cc
1 entries
[...many more]
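Added example for the two errors in section 1 above (not code from the original post, from Certbot or from the grading tool): a small Python checker that fetches the four http/https x www/non-www versions of a site without following redirects and applies the two checks the grade report names, "more than one version with HTTP status 200" and "no preferred version www or non-www". How the grading tool actually computes its result is not stated in the post, so the check logic is an assumption; the AS_POSTED sample is constructed to mirror the config shown above, where the 443 vhost answers 200 for both the ServerName and the ServerAlias, and FIXED assumes the www names are redirected to the bare name.

```python
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch one URL without following redirects; returns (status, Location). Needs network."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as e:  # 3xx, 4xx and 5xx all land here
        return e.code, (e.headers.get("Location", "") if e.headers else "")

def variants(domain: str) -> List[str]:
    """The four versions a canonical-host check compares: http/https x www/non-www."""
    bare = domain[4:] if domain.startswith("www.") else domain
    return [f"{s}://{h}/" for s in ("http", "https") for h in (bare, "www." + bare)]

def canonical_errors(responses: Dict[str, Tuple[int, str]]) -> List[str]:
    """Assumed check logic: exactly one version may answer 200, and every other
    version must redirect permanently and directly to it (a redirect chain fails)."""
    errors = []
    ok = sorted(u for u, (status, _) in responses.items() if status == 200)
    if len(ok) > 1:
        errors.append("more than one version with HTTP status 200: " + ", ".join(ok))
    if len(ok) != 1:
        errors.append("no preferred version www or non-www")
        return errors
    target = ok[0]
    for url, (status, loc) in responses.items():
        if url != target and (status not in (301, 308) or loc.rstrip("/") != target.rstrip("/")):
            errors.append(f"{url}: {status} {loc or '(no Location)'} is not a permanent redirect to {target}")
    return errors

# Constructed sample mirroring the config in the post: port 80 redirects to https on
# the same host, but the 443 vhost answers 200 for both ServerName and ServerAlias.
AS_POSTED = {"http://maier.dyn.cc/": (301, "https://maier.dyn.cc/"),
             "http://www.maier.dyn.cc/": (301, "https://www.maier.dyn.cc/"),
             "https://maier.dyn.cc/": (200, ""), "https://www.maier.dyn.cc/": (200, "")}
# Constructed sample of the same site once every other version is sent to the bare
# https name (an assumed fix, chosen here only to show the checks passing).
FIXED = {u: (301, "https://maier.dyn.cc/") for u in variants("maier.dyn.cc")}
FIXED["https://maier.dyn.cc/"] = (200, "")
```

To run it against a live host, call `canonical_errors({u: fetch(u) for u in variants("maier.dyn.cc")})`; an empty list means one canonical version with direct permanent redirects from the other three.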