DeprecationWarning: signer and verifier have been deprecated./UPD: Cert installed, https won't work

Domain: rejushiiplotter.ru
Command: ./certbot-auto run
Output:
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

Obtaining a new certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for rejushiiplotter.ru
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. rejushiiplotter.ru (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: rejushiiplotter.ru
    Type: malformed
    Detail: Server only speaks HTTP, not TLS

    To fix these errors, please make sure that you did not provide any
    invalid information to the client, and try running Certbot again.

OS: centos-release-6-9.el6.12.3.x86_64
Server version: Apache/2.2.15 (Unix)

Perhaps there is another service already using port 443

I’ve checked it with netstat, it’s httpd.

then track down with vhost is using 443 and ensure all are set as expected

OK. Dealt with that. Now I have cert installed properly in /etc/letsencrypt/live/…
In domain-le-ssl.conf everything looks OK

ServerName rejushiiplotter.ru
ServerAlias www.rejushiiplotter.ru
DocumentRoot /var/www/html/plotterblog

DefaultType application/octet-stream
ScriptAlias /cgi-bin/ /var/www/html/plotterblog/cgi-bin/

<Directory /var/www/html/plotterblog/cgi-bin>
	Options ExecCGI FollowSymLinks
	AllowOverride  ALL
</Directory>

SSLCertificateFile /etc/letsencrypt/live/rejushiiplotter.ru/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rejushiiplotter.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rejushiiplotter.ru/chain.pem

But both https:// and http:// won’t work.
In FF it’s “Secure Connection Failed”

Hello @aqwed11,

Seems you have some kind of multiplexer like sshttp so you can access to your https server and ssh server using the same port (443).

web server connection

$ curl -IkL rejushiiplotter.ru
HTTP/1.1 301 Moved Permanently
Date: Mon, 14 Aug 2017 11:56:14 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://rejushiiplotter.ru/
Connection: close
Content-Type: text/html; charset=iso-8859-1

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

ssh connection:

$ ssh -v rejushiiplotter.ru 443  (Edit: the right command is ssh -v -p443 rejushiiplotter.ru)
OpenSSH_7.1p2, OpenSSL 1.0.1g 7 Apr 2014
[...]
user@rejushiiplotter.ru's password:

So, seems you have not configured it properly to work with your Apache server.

Edit: The above ssh command is wrong it is not connecting to port 443 so it is not related to sshttp, sorry.
Good luck.
sahsanu

netstat -nlp shows that the only service that uses 443 is httpd. ssh uses another port.
And that part with

"Failed authorization procedure. rejushiiplotter.ru (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS"

is already solved. At least I do not receive any warnings and everything looks OK. The site just won't open.
If it's smth that I must setup in apache config, please, tell me what it is. I've tried a lot of variants already.

Hi @aqwed11,

Forget what I said, it is not related to sshttp I mistyped the ssh command to connect to your server.

Cheers,
sahsanu

Did you install the mod_ssl module for your Apache?

To check if it is installed:

rpm -q mod_ssl

or checking if it is being used by Apache:

httpd -M |grep ssl_module

and you should see a line like this:

ssl_module (shared)

If it is not installed then you must install it:

yum install mod_ssl

Cheers,
sahsanu

About 80% of the time, this is a result of having a different Apache configuration file (not the one related to your Let's Encrypt certificate) that tells Apache to listen on port 443, but does not include the SSLEngine and other TLS-related directives.

I would suggest checking with

grep -r 443 /etc/apache2

to see if you can find an inappropriate non-HTTPS-related configuration listening to port 443.

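The two checks suggested in the last two replies (is mod_ssl loaded at all, and is there a port-443 vhost that never turns on SSLEngine) can be done offline against the config tree. The script below is an added example and is not code from this thread, from Certbot or from Apache; it assumes POSIX sh with find, awk and grep, config paths without whitespace, and builds its own constructed sample tree (example.test and the certificate paths are placeholders) that mirrors the layout described in the thread: a stock-style ssl.conf with a correct default vhost next to a Certbot-style vhost file that carries certificate paths but no SSLEngine on.

```shell
#!/bin/sh
# Added example, not code from the thread, Certbot or Apache. It checks, offline,
# the two failure modes discussed above: mod_ssl never loaded (no LoadModule
# ssl_module in any *.conf), and a <VirtualHost ...:443> that never says
# "SSLEngine on", which makes Apache answer plain HTTP on 443 (the "unknown
# protocol" / "Server only speaks HTTP, not TLS" symptom). Assumes POSIX sh,
# find, awk and grep, and config paths without whitespace. All sample config
# below is constructed; example.test and the cert paths are placeholders.

# conf_files DIR: every *.conf below DIR, one per line, sorted for stable output.
conf_files() {
    find "$1" -type f -name '*.conf' | sort
}

# ssl_module_loaded DIR: returns 0 if some *.conf loads mod_ssl, else 1.
ssl_module_loaded() {
    for f in $(conf_files "$1"); do
        grep -q '^[[:space:]]*LoadModule[[:space:]][[:space:]]*ssl_module[[:space:]]' "$f" && return 0
    done
    return 1
}

# check_ssl_vhosts DIR: prints "<file>:<line> OK" or "<file>:<line> MISSING SSLEngine on"
# for every vhost bound to port 443; returns 1 if any such vhost lacks SSLEngine on.
check_ssl_vhosts() {
    rc=0
    for f in $(conf_files "$1"); do
        awk '
            # opening tag of a vhost on port 443, whatever the address part is
            /^[[:space:]]*<VirtualHost[^>]*:443[[:space:]]*>/ { inv = 1; start = FNR; on = 0; next }
            inv && /^[[:space:]]*SSLEngine[[:space:]][[:space:]]*[Oo][Nn][[:space:]]*$/ { on = 1 }
            inv && /^[[:space:]]*<\/VirtualHost>/ {
                if (on) print FILENAME ":" start " OK"
                else { print FILENAME ":" start " MISSING SSLEngine on"; bad = 1 }
                inv = 0
            }
            END { exit bad }
        ' "$f" || rc=1
    done
    return $rc
}

# audit_apache_ssl DIR: run both checks; returns 0 only if everything is in order.
audit_apache_ssl() {
    ok=0
    if ssl_module_loaded "$1"; then
        echo "mod_ssl: LoadModule ssl_module found"
    else
        echo "mod_ssl: NOT loaded (yum install mod_ssl, or add LoadModule ssl_module)"; ok=1
    fi
    check_ssl_vhosts "$1" || ok=1
    return $ok
}

# make_sample_config DIR: constructed config tree mirroring the layout in the thread:
# a stock-style ssl.conf with a correct default vhost, and a Certbot-style
# example-le-ssl.conf whose vhost carries cert paths but no SSLEngine on.
make_sample_config() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/ssl.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    cat > "$1/conf.d/example-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost 192.0.2.10:443>
ServerName example.test
DocumentRoot /var/www/html/example
SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
audit_apache_ssl "$demo_dir" || echo "audit: at least one 443 vhost is not TLS-enabled"
rm -rf "$demo_dir"
```

On a real CentOS 6 box you would call `audit_apache_ssl /etc/httpd` instead of the demo tree; a vhost reported as MISSING is the one to add `SSLEngine on` to, since Apache otherwise serves plain HTTP on that socket even though the certificate directives are present.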

Hello!

Server only speaks HTTP, not TLS

This issue has been solved yesterday. At least I receive no warnings on that.
Yes, mod_ssl is installed and loaded by Apache. phpinfo() and httpd -M |grep ssl_module report it.

As for 443:
grep -r 443 /etc/httpd shows that Listen 443 is only added in ssl.conf.
Here's the full result:

/etc/httpd/conf.d/rejushiiplotter-le-ssl.conf:<VirtualHost 217.170.72.27:443>
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
/etc/httpd/certbot-auto: --hash=...

And I've tried to edit ssl.conf and domain-le-ssl.conf as it was said here. No result.

It seems that Apache is taking ssl.conf settings for this vhost instead of vhost's.

ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


domain-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost 217.170.72.27:443>
ServerName rejushiiplotter.ru
ServerAlias www.rejushiiplotter.ru

  DocumentRoot /var/www/html/plotterblog

  DefaultType application/octet-stream
  ScriptAlias /cgi-bin/ /var/www/html/plotterblog/cgi-bin/

  <Directory /var/www/html/plotterblog/cgi-bin>
  	Options ExecCGI FollowSymLinks
  	AllowOverride  ALL
  </Directory>

SSLCertificateFile /etc/letsencrypt/live/rejushiiplotter.ru/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rejushiiplotter.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rejushiiplotter.ru/chain.pem
</VirtualHost>
</IfModule>


Please show this public cert file.
It may help explain what is bound to 443.

localhost.crt:

-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the thread]
-----END CERTIFICATE-----

That cert was created two days ago and has these details:


Do you recognize it?

Yes. One of our subdomains.
But the cert was intended not for this domain but for rejushiiplotter.ru and I can’t find any traces for this subdomain in apache confs.
How can I make certificate for this domain with cerbot? And thank you.

You do have a cert for that domain - please show public cert:

[quote="aqwed11, post:11, topic:40107"]
SSLCertificateFile /etc/letsencrypt/live/rejushiiplotter.ru/cert.pem
[/quote]

I believe the problem is with port 443 access not the cert.

The port is open
netstat -tulpn
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1023/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1023/httpd
and iptables is set.
OK, stuck. Donno what else to do.

It looks like you’re still getting HTTP instead of HTTPS on port 443.

While I don’t see anything immediately wrong with your ssl.conf, I wonder if you could first look in your Apache error log to see if Apache encountered any errors in parsing it, and in any case temporarily disable its use by causing it not to be included, to see if that clears up the problem somehow.

Hi @aqwed11,

Just a test, could you please modify your domain-le-ssl.conf file?

Change this part:

SSLCertificateFile /etc/letsencrypt/live/rejushiiplotter.ru/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rejushiiplotter.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rejushiiplotter.ru/chain.pem

To this:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/rejushiiplotter.ru/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rejushiiplotter.ru/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rejushiiplotter.ru/chain.pem

Restart Apache and try again to connect to your https site.

Cheers,
sahsanu

The latest lines from error log, corresponding to the issue:

[Tue Aug 15 19:29:39 2017] [notice] caught SIGTERM, shutting down
[Tue Aug 15 19:29:39 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 15 19:29:39 2017] [notice] Digest: generating secret for digest authentication …
[Tue Aug 15 19:29:39 2017] [notice] Digest: done
[Tue Aug 15 19:29:39 2017] [notice] Apache/2.2.15 (Unix) PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations