I don't see why your Apache returns a 403. Can you show contents of this file? Maybe there are multiple copies?
/usr/pkg/etc/httpd/httpd-vhosts.conf
Otherwise you will need to ask the support for whoever provides that package you use.
In /usr/pkg/etc/httpd.conf
there are only these includes:
Include etc/httpd/httpd-vhosts.conf
Include etc/httpd/httpd-ssl.conf
The contents of the file:
<VirtualHost *:80>
ServerName sauderenovada.pt
ServerAlias www.sauderenovada.pt
ServerAdmin webmaster@sauderenovada.pt
DocumentRoot /var/www/wordpress
<If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
Redirect permanent / https://sauderenovada.pt/
</If>
</VirtualHost>
<VirtualHost *:443>
ServerName sauderenovada.pt
ServerAlias www.sauderenovada.pt
ServerAdmin webmaster@sauderenovada.pt
DocumentRoot "/var/www/wordpress"
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:///var/run/php-fpm/sauderenovada.pt.sock|fcgi://127.0.0.1:9000/var/www/wordpress timeout=300
DirectoryIndex index.html index.php
SSLEngine on
SSLCertificateFile /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/cert.pem
SSLCertificateKeyFile /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/privkey.pem
ErrorLog "/var/log/httpd/sauderenovada.pt-error_log"
CustomLog "/var/log/httpd/sauderenovada.pt-access_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
AliasMatch /.well-known/acme-challenge/(.*)$ /var/letsencrypt/http_challenges/$1
<directory /var/letsencrypt/http_challenges>
AllowOverride None
Require all granted
</directory>
<If "%{HTTP_HOST} == 'www.sauderenovada.pt'">
Redirect permanent / https://sauderenovada.pt/
</If>
<Directory /var/www/wordpress>
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
We need to see the Apache error log for that to know the reason. It is still puzzling as this is the same VirtualHost you had earlier except for the IF statement.
Look in the default error log file for reasons for the 403. If you don't have a default error log, change your VirtualHost to look like this. Restart Apache, try an HTTP request to that domain and then show content of that error log file.
<VirtualHost *:80>
ServerName sauderenovada.pt
ServerAlias www.sauderenovada.pt
ServerAdmin webmaster@sauderenovada.pt
ErrorLog "/var/log/httpd/sauderenovada.pt80-error_log" # NEW line
DocumentRoot /var/www/wordpress
<If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
Redirect permanent / https://sauderenovada.pt/
</If>
</VirtualHost>
Tried to access it again with curl http://sauderenovada.pt.
In the generic apache access log:
my.ip.at.remote - - [26/Nov/2024:18:47:31 +0000] "GET / HTTP/1.1" 403 199
The generic error.log shows:
[Tue Nov 26 18:47:31 2024] [authz_core:error] [pid 7458:tid xxxxxx] [client my.ip.at.remote:55671] AH01630: client denied by server configuration: /var/www/wordpress/
In the specific logs for the virtual host, there are no entries related to my http request, just for others trying to gain some information.
Yeah, I don't know why you would need this now and did not before, but change your port 80 VirtualHost to be like this:
<VirtualHost *:80>
ServerName sauderenovada.pt
ServerAlias www.sauderenovada.pt
ServerAdmin webmaster@sauderenovada.pt
ErrorLog "/var/log/httpd/sauderenovada.pt80-error_log"
<Directory /var/www/wordpress/>
AllowOverride None
Require all granted
</Directory>
DocumentRoot /var/www/wordpress
<If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
Redirect permanent / https://sauderenovada.pt/
</If>
</VirtualHost>
Then try:
sudo certbot renew --dry-run
If that works, re-run that without --dry-run.
There are these settings in httpd.conf:
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
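The `Require all denied` on `<Directory />` in httpd.conf is what every DocumentRoot inherits until a more specific `<Directory>` section grants access, which is why the port 80 host (no such section) produced AH01630 while the port 443 host (which has one) did not. The following checker is an added example, not code from this thread or from Apache: it runs over a constructed config and computes the effective `Require` for each VirtualHost's DocumentRoot using Apache's documented merge order (shortest path first, server-wide sections before the vhost's own, last `Require` wins); it assumes the 2.4 default that a path with no applicable `Require` at all is allowed, and tracks only VirtualHost, Directory, DocumentRoot and `Require all`.

```python
import re
# Constructed sample (not the thread's config): server-wide "Require all denied" on /, a port-80
# vhost with no <Directory> section for its DocumentRoot, and a port-443 vhost that has one.
SAMPLE = r"""
<Directory />
Require all denied
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/wordpress
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/var/www/wordpress"
<Directory /var/www/wordpress>
Require all granted
</Directory>
</VirtualHost>
"""
_norm = lambda p: p.strip().strip('"').rstrip("/") or "/"   # unquote, drop trailing slash

def parse_httpd(text):
    """Return (main, vhosts); a scope is {"name", "docroot", "dirs": {<Directory> path: verdict}}.
    Only VirtualHost, Directory, DocumentRoot and "Require all" are read; other sections just nest."""
    main, vhosts, cur, stack = {"name": "main", "docroot": None, "dirs": {}}, [], None, []
    lines = (ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    for line in lines:                                # blank lines and full-line comments skipped
        if m := re.match(r"<(\w+)\s*(.*)>$", line):
            kind, arg = m.group(1).lower(), _norm(m.group(2))
            if kind == "virtualhost":
                vhosts.append(cur := {"name": arg, "docroot": None, "dirs": {}})
            stack.append((kind, arg))
        elif re.match(r"</\w+>$", line):
            cur = None if stack.pop()[0] == "virtualhost" else cur
        elif m := re.match(r"documentroot\s+(.+)$", line, re.I):
            (cur or main)["docroot"] = _norm(m.group(1))
        elif (m := re.match(r"require\s+all\s+(granted|denied)$", line, re.I)) and stack and stack[-1][0] == "directory":
            (cur or main)["dirs"][stack[-1][1]] = m.group(1).lower()
    return main, vhosts

def effective_require(main, vhost, path):
    """<Directory> sections apply shortest path first, server-wide before vhost; the last Require wins."""
    verdict, source = "granted", "implicit default"    # assumption: no applicable Require -> allowed
    for scope in (main, vhost):
        for d in sorted(scope["dirs"], key=len):
            if d == "/" or path == d or path.startswith(d + "/"):
                verdict, source = scope["dirs"][d], f"<Directory {d}> in {scope['name']}"
    return verdict, source

def audit(text):   # (vhost, verdict, deciding section) for every vhost DocumentRoot
    main, vhosts = parse_httpd(text)
    return [(v["name"], *effective_require(main, v, v["docroot"] or main["docroot"])) for v in vhosts]
```

A "denied" verdict for a DocumentRoot is exactly the state that yields AH01630 "client denied by server configuration" on a plain request for /, so this can be run against a proposed httpd.conf before a reload rather than after the 403 appears.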
We cross-posted. Please see my post just before yours.
Hi @MikeMcQ, sorry for the late response, but I have limited time available.
You nailed it!
$ curl http:/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://sauderenovada.pt/">here</a>.</p>
</body></html>
And when simulating the renewal:
# certbot-3.12 renew --dry-run
Saving debug log to /var/letsencrypt/log/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/pkg/etc/letsencrypt/renewal/www.sauderenovada.pt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.sauderenovada.pt and sauderenovada.pt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thank you very much for your great support, @MikeMcQ!
You are welcome, but I don't think this was my best result. Usually they don't take so long.
There are still a couple of steps to get you running properly.
The first is to run without dry-run so you get a production cert. That was just a test.
sudo certbot renew
Once that works we need to fix the certificate config in your port 443 host. It is currently:
SSLCertificateFile /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/cert.pem
But it should be this (note fullchain.pem instead of cert.pem):
SSLCertificateFile /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/fullchain.pem
And one final step about auto-reloading Apache which I will describe after these are done.
I made it difficult for you! ah ah
The certificate is renewed and the fullchain.pem line was inserted instead of the cert.pem one.
Excellent. I see you got a fresh production cert today. But, your Apache is not yet using it.
Run the command to gracefully reload your Apache and let me know what that command is. We can then describe how to reload that automatically when the cert renews.
I am not certain what it would be with your somewhat non-standard config. Thanks
The command used was apachectl graceful.
It's working fine, now.
Excellent. Yes, your Apache is now using the latest cert and properly validates because of fullchain.pem (see: https://decoder.link/sslchecker/sauderenovada.pt/443)
One last thing is to adjust the Certbot renewal profile so that it will automatically reload Apache each time it gets a fresh cert. It is not required but otherwise you must regularly reload (or restart) Apache so it sees that latest one.
To update the profile do:
sudo certbot reconfigure --cert-name www.sauderenovada.pt --deploy-hook 'apachectl graceful'
When it asks if you want it run during --dry-run, respond r for Run (yes).
Should I use just this, or have something for sauderenovada.pt as well?
Just that name. It is the name of the certificate "profile" that Certbot uses. It is not the actual domain name. It was shown in your prior commands like:
But, when using with --cert-name you leave off the .conf
That single profile is for your cert that has both domain names in it.
It's done, it ran successfully.
Successfully updated configuration.
Changes will apply when the certificate renews.
Thank you very much @MikeMcQ, you have been of great help!
Hope you'll get double help in life of what you have just given me.
You are very welcome. I appreciate your nice attitude throughout.