Certbot Apache Plugin - Issues with Rewrite Rules in Apache Configuration

joostdb · April 2, 2017, 10:24pm

I ran Certbot successfully on other domains on this server. But this domain gives me troubles.
When generating the ssl vhost file, apache encounters a syntax error on a rewriterule.

AH00526: Syntax error on line 117 of /etc/apache2/sites-enabled/domain.com.vhost.err-le-ssl.conf:
RewriteRule: unknown flag 'permanent'

this is my vhost file:

<Directory /var/www/example.com>
	AllowOverride None
			Order Deny,Allow
	Deny from all
 # New directive needed in Apache 2.4.3:
   Require all granted
		</Directory>

<VirtualHost *:80>
				DocumentRoot /var/www/example.com/web
		
	ServerName example.com
	ServerAlias www.example.com 
ServerAlias www.aa.be aa.be 
ServerAlias www.aa1.com aa1.com 
ServerAlias *.aaa1.be aaa1.be
	ServerAdmin webmaster@example.com

	ErrorLog /var/log/ispconfig/httpd/example.com/error.log

	Alias /error/ "/var/www/example.com/web/error/"
	ErrorDocument 400 /error/400.html
	ErrorDocument 401 /error/401.html
	ErrorDocument 403 /error/403.html
	ErrorDocument 404 /error/404.html
	ErrorDocument 405 /error/405.html
	ErrorDocument 500 /error/500.html
	ErrorDocument 502 /error/502.html
	ErrorDocument 503 /error/503.html

	<IfModule mod_ssl.c>
	</IfModule>

	<Directory /var/www/example.com/web>
			# Clear PHP settings of this website
			<FilesMatch ".+\.ph(p[345]?|t|tml)$">
					SetHandler None
			</FilesMatch>
			Options +FollowSymLinks
			AllowOverride All
							Order allow,deny
			Allow from all
					</Directory>
	<Directory /var/www/clients/client1/web1/web>
			# Clear PHP settings of this website
			<FilesMatch ".+\.ph(p[345]?|t|tml)$">
					SetHandler None
			</FilesMatch>
			Options +FollowSymLinks
			AllowOverride All
							Order allow,deny
			Allow from all
					</Directory>




	# cgi enabled
<Directory /var/www/clients/client1/web1/cgi-bin>
					Order allow,deny
		Allow from all
				</Directory>
	ScriptAlias  /cgi-bin/ /var/www/clients/client1/web1/cgi-bin/
	<FilesMatch "\.(cgi|pl)$">
		SetHandler cgi-script
	</FilesMatch>
	# suexec enabled
	<IfModule mod_suexec.c>
		SuexecUserGroup web1 client1
	</IfModule>
	# php as fast-cgi enabled
# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
	<IfModule mod_fcgid.c>
			IdleTimeout 300
			ProcessLifeTime 3600
			# MaxProcessCount 1000
			DefaultMinClassProcessCount 0
			DefaultMaxClassProcessCount 100
			IPCConnectTimeout 3
			IPCCommTimeout 600
			BusyTimeout 3600
	</IfModule>
	<Directory /var/www/example.com/web>
			<FilesMatch "\.php[345]?$">
				SetHandler fcgid-script
			</FilesMatch>
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php3
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php4
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php5
			Options +ExecCGI
			AllowOverride All
							Order allow,deny
			Allow from all
					</Directory>
	<Directory /var/www/clients/client1/web1/web>
			<FilesMatch "\.php[345]?$">
				SetHandler fcgid-script
			</FilesMatch>
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php3
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php4
			FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php5
			Options +ExecCGI
			AllowOverride All
							Order allow,deny
			Allow from all
					</Directory>

	RewriteEngine on
	RewriteCond %{HTTP_HOST}   ^aa1\.com$ [NC]
	
	RewriteRule   ^/(.*)$ http://www.example.com/jdb  [R=301,L]

	RewriteCond %{HTTP_HOST}   ^www\.aa1\.com$ [NC]
	
	RewriteRule   ^/(.*)$ http://www.example.com/jdb  [R=301,L]

	RewriteCond %{HTTP_HOST}   (^|\.)aa\.be$ [NC]
	
	RewriteRule   ^/(.*)$ http://www.example.com/lva  [R=301,L]


	# add support for apache mpm_itk
	<IfModule mpm_itk_module>
		AssignUserId web1 client1
	</IfModule>

	<IfModule mod_dav_fs.c>
	# Do not execute PHP files in webdav directory
		<Directory /var/www/clients/client1/web1/webdav>
			<ifModule mod_security2.c>
				SecRuleRemoveById 960015
				SecRuleRemoveById 960032
			</ifModule>
			<FilesMatch "\.ph(p3?|tml)$">
				SetHandler None
			</FilesMatch>
		</Directory>
		DavLockDB /var/www/clients/client1/web1/tmp/DavLock
		# DO NOT REMOVE THE COMMENTS!
		# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
  # WEBDAV BEGIN
		# WEBDAV END
	</IfModule>

ahaw021 · April 2, 2017, 11:55pm

hi @joostdb

was this file created by certbot?

Andrei

joostdb · April 3, 2017, 7:29am

@ahaw021 Yes it was. It’s the vhost-ssl file that Certbot generates which produces a syntax error.
Apache check deletes this file immediately. So I can’t see what the syntax error is.

jmorahan · April 3, 2017, 7:55am

By any chance do you have an old broken backup copy of the vhost file named /etc/apache2/sites-enabled/domain.com.vhost.err still in the same directory?

ahaw021 · April 3, 2017, 8:15am

hmmm you error is with a re-write rule

I don’t believe certbot touches these.

@schoen - thoughts?

Andrei

joostdb · April 3, 2017, 8:28am

@jmorahan yes, there is such a file

jmorahan · April 3, 2017, 8:30am

Then the error is probably in that file. If it’s not in use, try moving it out of that directory.

joostdb · April 3, 2017, 9:15am

@jmorahan I thought this file is ignored by the server, but I will give it a try this evening.

schoen · April 3, 2017, 6:04pm

In the Certbot source code there are two versions that I think can currently be used, as follows:

REWRITE_HTTPS_ARGS = [
    "^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,NE,R=permanent]"]
"""Apache version<2.3.9 rewrite rule arguments used for redirections to
https vhost"""

REWRITE_HTTPS_ARGS_WITH_END = [
    "^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,NE,R=permanent]"]
"""Apache version >= 2.3.9 rewrite rule arguments used for redirections to
    https vhost"""

joostdb · April 3, 2017, 7:05pm

I’m not sure how you implement this. (I’m a novice, as you notices)

schoen · April 3, 2017, 8:01pm

Sorry, by “can currently be used” I meant “that Certbot might put into your Apache configuration”. I was hoping that might make clear whether or not there’s some problem with them, but maybe it doesn’t.

joostdb · April 3, 2017, 8:28pm

Is there a way to avoid this input?

jmorahan · April 3, 2017, 9:31pm

@joostdb what version of Apache are you using?

Also, did you try moving the domain.com.vhost.err file out of the /etc/apache2/sites-enabled/ directory? Did it help? My theory was that maybe if you had two files referring to the same ServerName, Apache and Certbot might have had different ideas as to which was the correct one to use, and Certbot might have based its HTTPS configuration on the wrong file. So if you move the file out of there and then run Certbot again, you might have better luck.

I'm not 100% sure but I think if, when Certbot asks you to choose between "Easy" and "Secure", you choose "Easy", it will not try to add a rewrite rule to your configuration. I'd recommend trying the above first, though.

Oh, and one more thing:

RewriteRule   ^/(.*)$ http://www.example.com/jdb  [R=301,L]

I remember older versions of Certbot used to have trouble with regular expressions that weren't in quotes. I don't know if that's since been fixed? If not, changing those to "^/(.*)$" might help.

joostdb · April 3, 2017, 9:54pm

You made my day! (and night).
So it was the domain.com.vhost.err that caused the problem. I removed it and the ssl generation worked like a charm.
Maybe an idea for the engeneers (@schoen) to ignore these .err files?

Cheers!

jmorahan · April 3, 2017, 9:59pm

Great, glad you got it working!

system · May 3, 2017, 10:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.