HighSierra and AutoInstall with Apache failing. Need advice

On my own Server here, Apache 2.4, Virtual Hosts. Mac HighSierra.
Apache configured and working fine. Homebrew installed and working for other stuff as well.
Did the let's get a cert without messing with the configs thing and straight up got this.

$ sudo certbot --apache certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘There has been an error in parsing the file /etc/apache2/httpd.conf on line 697: Syntax error’,)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘There has been an error in parsing the file /etc/apache2/httpd.conf on line 697: Syntax error’,)

certbot is apparently installed.

$ sudo certbot certonly returns almost the whole deal, but times out. Filling out the command line options as requested by prompts.

then
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. robert-chalmers.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://robert-chalmers.uk/.well-known/acme-challenge/Bs__JuQjUT7cE_UH6dn6YSlC2Iv3LfhVDi5jRIsSfRI: Timeout, quantum-radio.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://quantum-radio.net/.well-known/acme-challenge/Is-Eua2IP1dHYqVZhfX21G6iCg_mrXTb344pXx82bns: Timeout, robert-chalmers.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://robert-chalmers.uk/.well-known/acme-challenge/2L8MajWihFFNBw_Q0hZnnjkgDIJQ0On2lxhbQVfIHhY: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: robert-chalmers.uk
Type: connection
Detail: Fetching
http://robert-chalmers.uk/.well-known/acme-challenge/Bs__JuQjUT7cE_UH6dn6YSlC2Iv3LfhVDi5jRIsSfRI:
Timeout

Domain: quantum-radio.net
Type: connection
Detail: Fetching
http://quantum-radio.net/.well-known/acme-challenge/Is-Eua2IP1dHYqVZhfX21G6iCg_mrXTb344pXx82bns:
Timeout

Domain: robert-chalmers.com
Type: connection
Detail: Fetching
http://robert-chalmers.uk/.well-known/acme-challenge/2L8MajWihFFNBw_Q0hZnnjkgDIJQ0On2lxhbQVfIHhY:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Hi @rachalmers,

Could you post the version of Certbot from certbot --version, and also the contents of the Apache configuration file that it said it encountered an error in parsing?

$ certbot --version
certbot 0.18.2

I can’t get httpd.conf attached. It’s all over the place with formatting.

Could you post it to a site like https://pastebin.com/ and then just post the link here?

Dropbox

Thanks! It looks like you forgot the </IfModule> that corresponds to your <IfModule mod_deflate.c> line. It’s opened, but never closed.
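
The mistake diagnosed in the reply above, a container section that is opened but never closed, can be located mechanically. The following is an added example, not part of the original thread and not Certbot or Apache code; the function name find_unbalanced and the sample configuration are constructed for illustration, and the check does not follow Include directives or backslash line continuations.

```python
import re

# Opening tag such as <IfModule mod_deflate.c> or closing tag such as </IfModule>.
TAG = re.compile(r"^<(/?)([A-Za-z]\w*)(?:\s.*)?>\s*$")

def find_unbalanced(conf_text):
    """Return [(line_number, message)] for sections that are never closed
    or closing tags that have no matching opening tag."""
    problems = []
    stack = []  # (section name, line where it was opened)
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments cannot open or close a section
        m = TAG.match(line)
        if not m:
            continue  # ordinary directive
        closing, name = m.group(1) == "/", m.group(2)
        if not closing:
            stack.append((name, lineno))
            continue
        if name.lower() not in [n.lower() for n, _ in stack]:
            problems.append((lineno, f"</{name}> has no matching opening tag"))
            continue
        # Everything opened after the matching section was left unclosed.
        while stack[-1][0].lower() != name.lower():
            open_name, open_line = stack.pop()
            problems.append((open_line, f"<{open_name}> is never closed"))
        stack.pop()
    problems.extend((ln, f"<{n}> is never closed") for n, ln in stack)
    return problems

# Constructed sample reproducing the thread's error: mod_deflate block left open.
SAMPLE_CONF = """\
ServerName example.test
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
<VirtualHost *:80>
    <Directory "/srv/www">
        Require all granted
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, message in find_unbalanced(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

The result points at the line where the unclosed section was opened, which is the line that needs the matching closing tag added after its contents.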

Thanks. That solved that one. I sure didn’t see that mistake.

As usual, it presents me with another one.

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

Cleaning up challenges
Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

The offending line on line 13 is
SSLCompression off

I wonder can I just comment that line out - will it overwrite it on the next run?

Edit: Yes, commenting out that line allowed the certbot to run.

I’m glad you got it to work!

Disabling compression is meant to protect against a vulnerability known as CRIME.

If your server doesn’t allow you to disable compression, it’s possible that your server could be vulnerable to CRIME. (You might also decide that the attack scenarios are unlikely in the context of how your server is used.) You can find out whether you’re vulnerable in principle by using a scanner like

https://www.ssllabs.com/ssltest/
