Haha I bet it's just as late (or later) where I am - LOL

Cheers from Miami
#FreeCuba
I live in FL, but visiting my family up north.
Cool thanks for your help, I will do the same tweaks to the other 2 servers.
It was my pleasure 
Have a blessed evening.
It's past 3a.m. here, but I know what you mean.
Likewise to you too my friend 
I have a question in regards to a server I have that houses multiple URLs under different DocumentRoots: I will still need the `<virtualhost *:80>` with the ServerName entry for each URL, but then use the config above for the letsencrypt stuff?
I'm having a hard time understanding. How do you mean "multiple URLs"? Are those multiple URLs with the same hostname but different paths? Or are all those URLs also all separate hostnames?
Because as far as I know, every distinct DocumentRoot would be for a separate hostname and that would indeed require a separate VirtualHost directive.
Sorry about that, I meant 2 vhosts with 2 different domains; 1 lives in the main DocumentRoot and the other lives in a different DocumentRoot.
My question is: would I specify the letsencrypt config that @rg305 assisted me with once, or for each vhost entry?
This thread has 88 posts already, it is probably wise to specify exactly what configuration you're referring to, so we don't misunderstand each other.
If you don't need anything specifically individualized to any domain, you can catch all HTTP requests and deal with them in one fell swoop using only one HTTP vhost config (as default).
If you don't plan on building the HTTPS vhost config, then you will need an HTTP vhost config for certbot to work from and may need one for each domain.
Whether using one HTTP vhost config, or many, they can all use the same challenge path.
I hope that was clear enough for you to proceed.
If you have any questions, just ask them.
This is the config I was referring to.
```apache
<VirtualHost *:80>
  DocumentRoot /some/unique/path
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
</VirtualHost>
```
Well, that looks like quite a complicated piece of configuration. Not sure why it's there, but if somehow your Apache configuration requires it, it's probably also needed in other VirtualHosts?
I would like to keep the 2 sites individualized, and the https config for letsencrypt already exists for both. Just for reference, I am experiencing the same issue that you helped me with early this morning. @rg305
Using that single HTTP vhost config, all HTTP challenge requests will go to "/some/unique/path" regardless of the domain requested.
All other HTTP requests will be forwarded to HTTPS.
This, although simple, will not provide enough resource to allow certbot to configure the HTTPS vhost config for you.
So, you must not use an installer with it (like `-i apache` or `-i nginx`) and you will have to make the HTTPS vhost config yourself (just copy a working config and change the server name, document root, and cert files).
Be very clear here.
Do you also need separate HTTP sites or just the separate HTTPS sites?
HTTPS are already individualized.
Both sites are https with the same http to https redirect that is now erroring on renewal, so I was going to duplicate the same config with my other 2 servers, but when I remembered the second server was hosting 2 URLs, I wasn't sure if the one config would work for both or I needed to add it to each vhost entry.
Yes, this server is set up the same as the other one, just with an extra vhost entry.
Please show the error and the associated renewal.conf file.
[have you learned nothing - LOL]
Yes, https is already individualized. As I mentioned yesterday evening, it was working and then I started receiving the same error.

```text
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: jobboard.bearclaw.io
Type: connection
Detail: Fetching
https://careerportal.nlr.careers.well-known/acme-challenge/vzHnbexKuUG-KUdPoVU7smD4OFQQqROnFyuCXYcqQI8:
Invalid host in redirect target
"careerportal.nlr.careers.well-known". Check webserver config for
missing '/' in redirect target.
```
Here is the httpd.conf:

```apache
<VirtualHost *:80>
  ServerName careerportal.nlr.careers
  ServerAlias careerportal.nlr.careers
  Redirect 301 / "https://careerportal.nlr.careers"
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =careerportal.nlr.careers
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  ServerName careerportal.nlr.careers
  ServerAlias careerportal.nlr.careers
  ErrorLog /var/log/httpd/careerportal.nlr.careers-error.log
  LogLevel crit
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vh$
  LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
  CustomLog /var/log/httpd/careerportal.nlr.careers-access.log "combined"
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/careerportal.nlr.careers/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/careerportal.nlr.careers/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/careerportal.nlr.careers/chain.pem
</VirtualHost>
<VirtualHost *:80>
  ServerName bearclaw.io
  DocumentRoot /var/www/html/bearclaw.io
  RedirectMatch 301 / "https://bearclaw.io"
  ServerAlias www.bearclaw.io
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =bearclaw.io [OR]
  RewriteCond %{SERVER_NAME} =www.bearclaw.io
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  DocumentRoot "/var/www/html/bearclaw.io"
  ServerName bearclaw.io
  ServerAlias www.bearclaw.io
  ErrorLog /var/log/httpd/bearclaw.io-error.log
  LogLevel crit
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vh$
  LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
  CustomLog /var/log/httpd/bearclaw.io-access.log "combined"
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/bearclaw.io/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/bearclaw.io/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/bearclaw.io/chain.pem
</VirtualHost>
```
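Added example (not code from the thread or from certbot): a small Python check that models how mod_alias `Redirect` appends the path left over after the matched prefix to the target, which is how a target without a trailing `/` produces the `careerportal.nlr.careers.well-known` host reported in the error above. The sample config is constructed; `example.test`, `TOKEN` and the function names are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: first vhost mirrors the Redirect line quoted above,
# second is a hypothetical vhost whose target ends in "/".
SAMPLE_CONF = '''
<VirtualHost *:80>
ServerName careerportal.nlr.careers
Redirect 301 / "https://careerportal.nlr.careers"
</VirtualHost>
<VirtualHost *:80>
ServerName example.test
Redirect permanent / https://example.test/
</VirtualHost>
'''

CHALLENGE = "/.well-known/acme-challenge/TOKEN"  # placeholder token

# Matches "Redirect [status] URL-path URL"; RedirectMatch is a regex directive
# with different semantics and is deliberately not matched here.
REDIRECT = re.compile(
    r'^\s*Redirect\s+(?:(?:\d{3}|permanent|temp|seeother)\s+)?'
    r'"?(/[^\s"]*)"?\s+"?([^\s"]+)"?\s*$', re.I | re.M)

def redirect_location(prefix, target, request_path):
    """Location header mod_alias would send, or None if the prefix does not match."""
    if not request_path.startswith(prefix):
        return None
    rest = request_path[len(prefix):]
    # Prefixes match on whole path segments: "/foo" must not match "/foobar".
    if not prefix.endswith("/") and rest and not rest.startswith("/"):
        return None
    return target + rest  # remainder is appended verbatim, no "/" inserted

def audit(conf, request_path=CHALLENGE):
    """Return (target, location, host_preserved) for each matching Redirect."""
    findings = []
    for prefix, target in REDIRECT.findall(conf):
        location = redirect_location(prefix, target, request_path)
        if location is None:
            continue
        same_host = urlsplit(target).hostname == urlsplit(location).hostname
        findings.append((target, location, same_host))
    return findings

if __name__ == "__main__":
    for target, location, ok in audit(SAMPLE_CONF):
        print("OK " if ok else "BAD", target, "->", location)
```
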
In an overly dramatized story:
You enter a building looking for a specific business.
There are two attendants.
One has a sign that says: "I only speak HTTP"
The other has a sign that says: "I only speak HTTPS"
You approach the "HTTP" guy and no sooner than you ask for the company name does he flip his sign over and it reads - "redirect all (non-challenge requests) to HTTPS".
So you then go to the "HTTPS" guy and he asks you which specific company are you looking for and then directs you to that floor/room.
When LE needs to make challenge requests the "HTTP" guy sends them all to the same path where they are all answered by the certbot that works only in that one room.