Certificate renewal simulation failure

Would you please post contents of those two files?

3 Likes

Sorry, I was late because I had to do the weekly food shopping. I return to the topic.

I understand that I should eliminate all references to meteoensevilla.es but before doing so I prefer to know your opinion

DocumentRoot /var/www/html
RewriteEngine On
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName meteosanjuan.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem

<VirtualHost *:80>
DocumentRoot /var/www/html
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteCond %{SERVER_NAME} =meteosanjuan.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName meteosanjuan.com

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName www.meteosanjuan.com
SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName meteoensevilla.es
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName www.meteoensevilla.es
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem

There are many improvements that could be made to that Apache config. But none that would cause a "500" server error. This looks like some sort of Apache install problem.

I am curious what does this show?

ls -l /var/www/html

You should also add lines for logging. Then, try accessing https://meteoensevilla.es and see what shows up in these log files. You should see the 500 in the access log and some other detail in the error log.

In the above 000-default.conf file, make the existing VirtualHost for meteoensevilla look like

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName meteoensevilla.es

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
</VirtualHost>

3 Likes

I haven't understood this, honestly.

I just modified it as instructed

Just in case I just deleted the redirect from meteosanjuan.com to meteoensevilla.es, but neither of the two domains work. How strange everything is

You have now broken your redirect. You should put it back the way it was.

I will not be able to help if you keep making random changes.

We are trying to find out why your server sends a 500 error. It is not related to Let's Encrypt certs. It is something else.

What do the two log files have in them? If you don't know where to find them you should contact your hosting company

curl -i https://meteoensevilla.es
HTTP/1.0 500 Internal Server Error
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html; charset=UTF-8

4 Likes

I'm very sorry, don't be angry, I apologize. It was an attempt to improve things. It will not happen again. Please keep helping me
I have left things as they were again, that is, to create the redirection from meteosanjuan.com to meteoensevilla.es
The hosting provider responds saying it may take a few minutes.

I think it refers to this. Although it doesn't do the redirection because I suppose you have to wait for it to become effective.

What do you suggest?

Maybe. Before your sanjuan domain redirection was using a cert from DigiCert. But, now the HTTPS requests to your sanjuan domain fail and have no cert. It was lost after you changed it and has not come back. You have to ask your hosting company about that.

What did they do to get your ensevilla.es domain working?

I am not sure what more I can do. You never had a problem getting Let's Encrypt certs. You got several of them with different domain names. Your problem has always been configuring your system properly to use them.

I was able to get your sudo certbot renew --dry-run working successfully. And, connections to your meteoensevilla.es were working with HTTPS but failing with Apache error 500.

Somehow your hosting company fixed the 500 error. And, they should probably fix the redirection for sanjuan domain now too.

3 Likes

That's right, this is important, since the certificates for meteoensevilla will be renewed automatically.

Much useless and redundant information has been removed.

Indeed, after checking the certificate I get an error that I cannot understand. However, the page works under https.

I don't know what else to do, I'm going to take note of everything you've told me.

If you have any further suggestions, listen carefully. Many thanks for everything

Hi @meteosanjuan,

HTTP is being served on Port 443, yet HTTPS is NOT.

HTTPS on Port 443, FAILING.

$ curl -Ii https://meteosanjuan.com:443
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

HTTP on Port 443, working

$ curl -Ii http://meteosanjuan.com:443
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 14 Sep 2024 23:15:43 GMT
Content-Type: text/html
Content-Length: 248
Connection: close

3 Likes

Did you change from Apache to nginx?

Edit
Yet Port 80 is still Apache.

$ curl -Ii http://meteosanjuan.com:80
HTTP/1.1 302 Found
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=15
Date: Sat, 14 Sep 2024 23:22:34 GMT
Server: Apache
Cache-Control: no-cache
Location: https://meteoensevilla.es

3 Likes

Bruce, the redirect is handled by some kind of service at their hosting company. They have no direct control of that.

You can see the DNS for the sanjuan domain is very different than the one for ensevilla

Before the redirect service was being handled by Apache - both http and https as you can see in my prior posts about that.

4 Likes

Fair enough Mike! :slight_smile:

4 Likes

I only have one topic left to ask.

sslchecker returns “It's all Good” with certificates when I enter www.meteoensevilla.es, meteoensevilla.es and www.meteosanjuan.com, but it gives an error when done with meteosanjuan.com.

After many tests I think I give up. I can't think of anything to try and my hosting provider doesn't offer any help either.

Judging by the attached screen, the certificate for meteosanjuan.com still indicates that it is issued by letsencrypt when www.meteosanjuan.com is digicert.


It is as if the previous certificate had not been unlinked

It's possible that I'm saying something that doesn't make sense, but I don't know how to explain it.

Well, after an intense weekend (I don't know how many hours I've spent) it seems to be fixed.

I had information in some configuration files, I don't even remember which ones, that pointed to the meteosanjuan.com domain with the certificates generated by letsencrypt.

I don't even know how, but it's working. I just pray to God that the renewal of the certificates by certbot works.

Many thanks to everyone, especially to @MikeMcQ

4 Likes

You are welcome. Glad it is now working.

I see meteosanjuan correctly redirecting to meteoensevilla both for HTTP and HTTPS requests. It looks like your hosting service "Redirect" is handling that as I see a DigiCert certificate and different DNS settings for it compared to meteoensevilla. This is all good. I am just summarizing this success.

You can test the Let's Encrypt cert renewal for meteoensevilla any time with

sudo certbot renew --dry-run

The --dry-run will not damage your existing production certs. It is only a test.

3 Likes

Thank you, you are part of what I achieved.

It has not been easy for me, I am quite persistent and it has cost me many hours of sleep. I decided to look in the Apache folder for "meteoensevilla.es" and discovered in the configuration files some cross references between the domains. I corrected them and with that part of the problem was solved. At least SSL checker already indicated that the domains were correct. Well in meteoensevilla when I put www I got an error but I solved this by putting a "serveralias" in the configuration file. I re-activated the redirection and the errors started again. I called my provider's service and they told me that I had to do the digicert certificate after the redirection and of course I did it before. In the end I don't know what they did but I didn't have to modify anything in my Apache server.

Fortunately that works, the simulation ends successfully, so I guess I won't have problems with the renewal of the certificate with letsencrypt.

Once again thank you very much

4 Likes
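The cross references between domains described in the post above can be checked mechanically. The following is an added example, not code from the thread: it reads Apache VirtualHost blocks and reports every ServerName or ServerAlias that the certbot lineage named in the vhost's certificate path does not cover. The sample config and `LINEAGE_NAMES` are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the virtual hosts posted in this thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName meteosanjuan.com
    SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName meteoensevilla.es
    ServerAlias www.meteoensevilla.es
    SSLCertificateFile /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
</VirtualHost>
"""
# Assumption: the names each lineage covers, copied from `certbot certificates`.
LINEAGE_NAMES = {"meteoensevilla.es": {"meteoensevilla.es", "www.meteoensevilla.es"}}

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
LIVE_DIR = re.compile(r"/etc/letsencrypt/live/([^/]+)/")

def lineage_of(path):
    """Return the certbot lineage name embedded in a live/ path, or None."""
    match = LIVE_DIR.search(path or "")
    return match.group(1) if match else None

def audit_vhosts(conf, lineage_names):
    """Return (hostname, lineage, problem) tuples for vhosts needing review."""
    findings = []
    for body in VHOST.findall(conf):
        names, paths = [], {}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            directive = parts[0].lower()
            if directive in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif directive in ("sslcertificatefile", "sslcertificatekeyfile"):
                paths[directive] = " ".join(parts[1:])
        cert = lineage_of(paths.get("sslcertificatefile"))
        key = lineage_of(paths.get("sslcertificatekeyfile"))
        if cert != key:
            findings.append((names[0] if names else "?", cert, "cert/key lineage mismatch"))
        for name in names:
            if cert and name not in lineage_names.get(cert, set()):
                findings.append((name, cert, "name not covered by certificate"))
    return findings

print(audit_vhosts(SAMPLE_CONF, LINEAGE_NAMES))
```

A finding means the vhost would present a certificate that browsers reject for that hostname; the fix is either to issue a certificate that includes the name or to point the vhost at the lineage that already does.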
