My domain is:
zabbix.ucheba.mcdir.ru
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Domain: zabbix.ucheba.mcdir.ru
Type: unauthorized
Detail: Invalid response from http://zabbix.ucheba.mcdir.ru/login
[host_ip]: "\n<html lang="en">\n \n
From that it would seem that the challenge requests are being forced to a login page.
How could this happen? I got the first cert and everything worked fine. What should I do?
There are many reasons this can happen.
Mainly because something "changed".
Please show the vhost config file for that domain name.
```
DocumentRoot /usr/share/zabbix
DirectoryIndex index.php
<VirtualHost *:80>
ServerName zabbix.ucheba.mcdir.ru
ServerAlias www.zabbix.ucheba.mcdir.ru
ServerAdmin email
Redirect permanent / https://zabbix.ucheba.mcdir.ru
#DocumentRoot /usr/share/zabbix
#DirectoryIndex index.php
<Directory /usr/share/zabbix>
DirectoryIndex index.php
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName zabbix.ucheba.mcdir.ru
ServerAdmin email
DirectoryIndex index.php
#DocumentRoot /usr/share/zabbix
# Use HTTP Strict Transport Security to force client to use secure connections only.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
Header always set Referrer-Policy "no-referrer"
SSLCertificateFile /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem
SSLEngine on
SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-A$
</VirtualHost>
</IfModule>
```
There is no exclusion for the challenge requests, so it just goes to whatever you are doing for https.
You can replace:
With:
```
#set the site document root
#here you use a dedicated path for challenge files only
DocumentRoot /some-fake-document-root
#allow the HTTP users access to the site document root
<Directory /some-fake-document-root>
AllowOverride None
Require all granted
</Directory>
#set the default action for non challenge requests
<LocationMatch "^/(?!\.well-known)">
#send requests that don't have ".well-known" to HTTPS
RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
</LocationMatch>
```
Note: You may have to create the "/some-fake-document-root" folder, and chmod it with 777 so that "everyone" can access it.
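Added example, not code from this thread and not certbot's or Apache's own code: a small Python stand-in for the port-80 vhost that shows why the blanket redirect breaks the http-01 challenge and why carving out /.well-known/acme-challenge/ fixes it. With exclude_acme=False every request, the token included, is bounced to /login; the checker follows redirects the way the CA's validator does, so it ends up comparing an HTML login page with the expected key authorization and fails. With exclude_acme=True the token is read from a dedicated challenge directory created with mode 0755, which is all the web server needs to read and serve the file (world-writable 777 is not required). The webroot path, token and key authorization string are constructed for the example.

```python
"""Simulated ACME http-01 validation against a port-80 vhost that either
redirects everything (broken) or exempts the challenge path (fixed)."""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"


class Port80Vhost(http.server.BaseHTTPRequestHandler):
    """Stand-in for the Apache *:80 vhost. Behaviour is chosen by two
    attributes set on the server object: webroot and exclude_acme."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        srv = self.server
        if self.path.startswith(ACME_PREFIX) and srv.exclude_acme:
            token = self.path[len(ACME_PREFIX):]
            # Only bare tokens are served: no sub-paths, no dotfiles.
            if not token or "/" in token or token.startswith("."):
                return self._send(404, b"not found")
            target = os.path.join(srv.webroot, ".well-known", "acme-challenge", token)
            if not os.path.isfile(target):
                return self._send(404, b"not found")
            with open(target, "rb") as fh:
                return self._send(200, fh.read())
        if self.path == "/login":
            # What the CA actually received in the thread: an HTML login page.
            return self._send(200, b'<html lang="en">login</html>')
        # Blanket redirect; with exclude_acme=False it swallows challenges too.
        self.send_response(302)
        self.send_header("Location", "/login")
        self.end_headers()

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_vhost(webroot, exclude_acme):
    """Serve on an ephemeral loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Port80Vhost)
    srv.webroot = webroot
    srv.exclude_acme = exclude_acme
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def http01_check(port, token, key_auth):
    """Fetch the token like the CA does (redirects are followed) and compare
    the final body with the expected key authorization."""
    url = f"http://127.0.0.1:{port}{ACME_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            final_url, status, body = resp.url, resp.status, resp.read()
    except urllib.error.HTTPError as e:
        final_url, status, body = e.geturl(), e.code, e.read()
    return {"final_url": final_url, "status": status,
            "ok": body.strip() == key_auth.encode()}


def run_scenario(exclude_acme):
    """Write a constructed token into a temporary webroot, serve it, validate."""
    token = "test-file"
    key_auth = "test-file.constructed-account-thumbprint"  # constructed value
    with tempfile.TemporaryDirectory() as webroot:
        d = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(d, mode=0o755)  # readable by the server user is enough
        with open(os.path.join(d, token), "w") as fh:
            fh.write(key_auth)
        srv = start_vhost(webroot, exclude_acme)
        try:
            return http01_check(srv.server_address[1], token, key_auth)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for exclude in (False, True):
        print("exclude_acme=%s -> %s" % (exclude, run_scenario(exclude)))
```

The validator side is urllib following redirects, which is the relevant property: Let's Encrypt follows HTTP redirects during http-01 validation, so a redirect to https on the same host and path is harmless, while a redirect to /login is fatal because the body it finally reads is a login page rather than the key authorization.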
I changed everything as you said but i receive the same error
Please show the config as it is now.
And the output of:
sudo apachectl -S
I'm still seeing 302 redirects (to /login) for challenge type requests:
```
curl -Iki http://zabbix.ucheba.mcdir.ru/.well-known/acme-challenge/test-file
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F.well-known%2Facme-challenge%2Ftest-file; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sat, 11 Jul 2020 22:18:27 GMT
```
```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
port 80 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:4)
alias www.zabbix.ucheba.mcdir.ru
*:443 is a NameVirtualHost
port 443 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:33)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/usr/share/zabbix"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```
Please show this file:
/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf
be sure to add lines (to your post here) above and below the file with three back ticks; as follows:
```
YOUR POST
```
I posted it before, but I can do it again.
```
DocumentRoot /usr/share/zabbix
DirectoryIndex index.php
<VirtualHost *:80>
ServerName zabbix.ucheba.mcdir.ru
ServerAlias www.zabbix.ucheba.mcdir.ru
ServerAdmin myemail
#Redirect permanent / https://zabbix.ucheba.mcdir.ru
#DocumentRoot /usr/share/zabbix
#DirectoryIndex index.php
#<Directory /usr/share/zabbix>
# DirectoryIndex index.php
# Options FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
#set the site document root
#here you use a dedicated path for challenge files only
DocumentRoot /usr/share/fake_root_doc
#allow the HTTP users access to the site document root
<Directory /usr/share/fake_root_doc>
AllowOverride None
Require all granted
</Directory>
#set the default action for non challenge requests
<LocationMatch "^/(?!\.well-known)">
#send requests that don't have ".well-known" to HTTPS
RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
</LocationMatch>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName zabbix.ucheba.mcdir.ru
ServerAdmin myemail
DirectoryIndex index.php
#DocumentRoot /usr/share/zabbix
# Use HTTP Strict Transport Security to force client to use secure connections only.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
Header always set Referrer-Policy "no-referrer"
SSLCertificateFile /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem
SSLEngine on
SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</VirtualHost>
</IfModule>
```
The redirection is NOT coming from that code.
Do you have an .htaccess file? [or any other method to redirect requests to /login]
```
curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sun, 12 Jul 2020 22:57:36 GMT
```
I don't have an .htaccess, and curl works for me another way:
```
curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Date: Mon, 13 Jul 2020 10:28:11 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://zabbix.ucheba.mcdir.ru/
Content-Type: text/html; charset=iso-8859-1
```
Try that same thing from the Internet.
I have the same as yours from the Internet, but I don't know where the problem is.
Then you need to learn how your network "works".
There is an obvious difference between what you see from the inside and what is seen from the outside.
Is there an IPS or some other type of inline device that might be handling HTTP connections?
I don't use any kind of IPS or WAF, except ufw of course.
And yet the difference exists…
[and continues to go unexplained]
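Added example, not code from the thread: the two header blocks below are the captures posted above (the outside answer to the challenge URL and the inside answer to /), embedded as constructed test input. The parser pulls out the fields that distinguish the two responders (Server header, cookie names, X-Frame-Options spelling) and works out where a redirect-following validator such as Let's Encrypt's would land for the requested path. Only fields visible in the thread are used; the script does not claim to identify which software produced the outside answer, only that it is not the same responder as the Apache seen from inside.

```python
"""Fingerprint two captured `curl -I` responses and predict the http-01 outcome."""
from urllib.parse import urljoin, urlsplit

# Constructed from the thread: outside request for the challenge path.
OUTSIDE = """HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F.well-known%2Facme-challenge%2Ftest-file; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sat, 11 Jul 2020 22:18:27 GMT
"""

# Constructed from the thread: inside request for /.
INSIDE = """HTTP/1.1 302 Found
Date: Mon, 13 Jul 2020 10:28:11 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://zabbix.ucheba.mcdir.ru/
Content-Type: text/html; charset=iso-8859-1
"""


def parse_response(raw):
    """Split a status line plus headers into status, header dict, cookie names."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers, cookies = {}, []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value.split("=", 1)[0])  # cookie name only
        else:
            headers[name] = value
    return {"status": status, "headers": headers, "cookies": cookies}


def fingerprint(resp):
    """The traits that stay constant for one server regardless of the URL."""
    h = resp["headers"]
    return {
        "server": h.get("server", "<absent>"),
        "cookies": tuple(resp["cookies"]),
        "x-frame-options": h.get("x-frame-options"),
    }


def same_responder(a, b):
    return fingerprint(a) == fingerprint(b)


def challenge_outcome(resp, host, path):
    """Where a validator that follows redirects ends up after asking for path."""
    if resp["status"] == 200:
        return "served directly"
    loc = resp["headers"].get("location")
    if 300 <= resp["status"] < 400 and loc:
        target = urlsplit(urljoin(f"http://{host}{path}", loc))
        if (target.hostname == host and target.path == path
                and target.scheme in ("http", "https")):
            # Same host and path, only the scheme changed: the CA follows this.
            return f"followed to {target.scheme} on the same path"
        return f"redirected away to {target.geturl()}"
    return f"unexpected status {resp['status']}"


if __name__ == "__main__":
    host = "zabbix.ucheba.mcdir.ru"
    out, ins = parse_response(OUTSIDE), parse_response(INSIDE)
    print("outside:", fingerprint(out))
    print("inside: ", fingerprint(ins))
    print("same responder:", same_responder(out, ins))
    print("challenge from outside:",
          challenge_outcome(out, host, "/.well-known/acme-challenge/test-file"))
    print("root from inside:", challenge_outcome(ins, host, "/"))
```

Run it and the two fingerprints differ on every trait: the outside responder sends no Server header, sets a redirect_to cookie the posted Apache config never sets, and spells X-Frame-Options differently. That is the concrete version of "there is an obvious difference between inside and outside": whatever answers port 80 for the public address is not the Apache instance whose vhost was posted, so editing that vhost cannot change what the CA sees.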