Certificate renewal is failing with missing /

Ok let's go the other route:
Let's fix this line instead, as it would match all unmatched names:
Redirect 301 / "https://bearclawats.com"
needs to be:
Redirect 301 / "https://bearclawats.com/"
[standby thinking]

1 Like

Ok, fixing the line, 1 sec.

Wait - that won't fix this.
It will just send all requests for all names to one single HTTPS name.

1 Like

You need this (without condition - for all conditions):

1 Like

I just did what you suggested and reloaded Apache; the result is the same as when we removed the redirect line.

Please hold off on running certbot until asked to do so.
You run the risk of hitting a rate limit.

1 Like

I have been running it with --dry-run, just an FYI, but I will hold off.

1 Like

--dry-run is the right thing to do!
You can do those as much as you like :)

2 Likes

OK, let's see the vhost config for prod, please show this file:

1 Like

I know, which is why I use it until the issue is resolved, but this is definitely puzzling.

1 Like

Sure thing, here you go.

## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host
SSLEngine on
#   SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA

I really don't have anything in ssl.conf for that vhost.

That can't be right - part of the file is missing and it has no ServerName...
How can this be?:

OK, maybe prod.bearclaw.io is the server's defined name (elsewhere).
[this is bad practice and Apache looks the other way all too often]

1 Like

Hold on, let me copy that again 1 sec. Sorry about that.

Do you really even use https://prod.bearclaw.io/ ?
Or you just need the cert for other services?

1 Like

I use https://prod.bearclaw.io for webmin, which is essentially like an admin portal. By the way, here is line 56:

##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>

I think I understand what is going on here.
This is really running on sheer luck.
We need to fix this from the ground up.
There is no real functional HTTP, nor HTTPS, site for prod.
[it merely hangs on by the default settings in the default ssl.conf file]

1 Like

Do you know how to write a vhost config file?
Do you know all the things that you would need in it (or can we just go with the bare minimums)?

1 Like
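An added example, not taken from the thread or from the poster's server, of what "fixing it from the ground up" looks like for prod.bearclaw.io: a named vhost on port 80 so the name can answer HTTP-01 challenges, and a named vhost on 443 so requests for it stop landing on the catch-all `<VirtualHost _default_:443>` in ssl.conf with the self-signed localhost.crt. It also shows the fix for the redirect discussed earlier: `Redirect 301 / "https://bearclawats.com/"` sends every name to one fixed host, whereas a rewrite that uses `%{HTTP_HOST}` keeps the host the client asked for. Everything here assumes a CentOS/RHEL-style Apache 2.4 with mod_rewrite and mod_ssl loaded; the DocumentRoot, the file name and the /etc/letsencrypt/live/... paths are assumptions, not values from the page.

```apache
# Added example (not the poster's config). Assumed location:
# /etc/httpd/conf.d/prod.bearclaw.io.conf on a CentOS/RHEL-style Apache 2.4.
# Assumed: DocumentRoot and the Let's Encrypt paths below.

# Port 80: gives the name a real HTTP vhost (needed for HTTP-01 challenges)
# and redirects everything else to HTTPS on the SAME host. This is what a
# global "Redirect 301 / https://bearclawats.com/" cannot do: that form sends
# every name to one fixed host.
<VirtualHost *:80>
    ServerName prod.bearclaw.io
    DocumentRoot /var/www/prod.bearclaw.io

    RewriteEngine on
    # Leave the ACME challenge path alone so renewals keep working.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Preserve host and path; %{HTTP_HOST} is bounded here because Apache only
    # selects this vhost for requests whose Host matches this ServerName.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: a named vhost, so the name no longer "hangs on" by falling through
# to the _default_:443 block in ssl.conf and its localhost.crt.
<VirtualHost *:443>
    ServerName prod.bearclaw.io
    DocumentRoot /var/www/prod.bearclaw.io

    SSLEngine on
    # Disable the legacy protocols as well; the stock ssl.conf only drops SSLv2/SSLv3.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Paths as certbot lays them out for this name (assumed).
    SSLCertificateFile    /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
</VirtualHost>
```

After adding the file, `httpd -t` checks the syntax and `httpd -S` (the vhost dump) should now list prod.bearclaw.io as its own vhost on both ports rather than only as whatever the `_default_:443` block happens to answer to; reload Apache, then confirm the challenge path with `certbot renew --dry-run` before a real renewal. If the name is only needed to obtain the certificate for webmin on port 10000, the port-80 vhost alone is enough for HTTP-01 and the 443 block can be left out. Do not copy the `%{HTTP_HOST}` rewrite into a catch-all default vhost: there the Host header is whatever the client sends, so redirect to a fixed host instead.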

Correct, there is a different service that runs on port 10000, but I configured it to use the Let's Encrypt cert.

So do you...

[on port 443]

I do understand that you need the cert - but that is easier to get than to write a whole site (that won't ever be used).

1 Like