How do i install “lets Encrypt on Joomla!3 standalone Apache2 server?

sp2l · May 16, 2018, 12:21am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://www.sp2kmh.ampr.org

I ran this command: see explanation below…

It produced this output: see explanation below…

My web server is (include version): Linux linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686 GNU/Linux

The operating system my web server runs on is (include version): Debian 8.10 i686

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): definitely YES!

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): not applicable

Just created Let’s Encrypt ssl certificates: crt.sh ID 464422159

Applied relevant modifications to Apache config files.

Certificates operate properly on my main site: https://www.sp2l.ampr.org
but can not find the way how to apply certs to Joomla!3 (3.8.7) instance
running on the same machine.

All suggestions and/or guidance will be very much appreciated.

Best regards.
Tom - SP2L@wp.pl

rg305 · May 16, 2018, 12:52am

What value is in the $live_site variable in your configuration.php file?

sp2l · May 16, 2018, 7:06am

Greetings.

Now, value is as follow:
public $live_site = ‘http://www.sp2kmh.ampr.org’;

Been changing above back and forth to :
public $live_site = ‘https://www.sp2kmh.ampr.org’;

Also, simultaneously tinkered with value of:
public $force_ssl = ‘0’;
changing it from “0” to “1” or “2”, but to na avail.

Apache2 config files been changed automatically
during certificate request process.

Below, rewrite rules from apache2 000-default.conf file:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.sp2kmh.ampr.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Next, newly added lines in /default-ssl.conf file:

ServerName www.sp2kmh.ampr.org
SSLCertificateFile /etc/letsencrypt/live/sp2l.ampr.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sp2l.ampr.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Please note, site document root is: /var/www
whereas Joomla!3 www.sp2kmh.ampr.org site is deployed
in underneath directory: /var/www/sp2kmh

Frankly speaking, I can’t figure out how to “inform” Joomla!3
about presence/availability of Let’s Encrypt certificates that I have.

Seem that I’m possibly missing something obvious
but not necessarily visible at the first glance, apparently.

When all new ssl rules are in force, apache server
redirects www.sp2kmh.ampr.org site to:
https://www.sp2kmh.ampr.org/news.php
but I see content of https://www.sp2l.ampr.org/news.php
which of course is wrong and is not
what I’m expecting to see:
https://www.sp2kmh.ampr.org

Does all above ring bell, please?

Best regards.
Tom - SP2L@wp.pl

rg305 · May 16, 2018, 7:34am

http://www.sp2kmh.ampr.org
and
https://www.sp2kmh.ampr.org
are up but display two different sites.
That is, https://www.sp2kmh.ampr.org forwards to:
https://www.sp2kmh.ampr.org/news.php
which isn’t even accessible by http:
http://www.sp2kmh.ampr.org/news.php fails 404

The https site has a different logo and home page links to: http://linux.sp2l.ampr.org/

Please show:
grep -Eri 'servername|serveralias|listen|SSLCertificateFile' /etc/apache
certbot certificates

sp2l · May 16, 2018, 8:48am

Greetings.

O.K., here we go…

root@linux:/# grep -Eri ‘servername|serveralias|listen|SSLCertificateFile’

/etc/apache2/apache2.conf: ServerName linux.sp2l.ampr.org

/etc/apache2/sites-available/direct.conf: ServerName 87.251.250.110
/etc/apache2/sites-available/direct.conf: ServerName 44.165.2.2

/etc/apache2/sites-available/000-default-le-ssl.conf: ServerName sp2l.ampr.org
/etc/apache2/sites-available/000-default-le-ssl.conf: ServerAlias www.sp2l.ampr.org
/etc/apache2/sites-available/000-default-le-ssl.conf: SSLCertificateFile /etc/letsencrypt/live/sp2l.ampr.org/fullchain.pem

/etc/apache2/sites-available/000-default.conf: ServerName sp2l.ampr.org
/etc/apache2/sites-available/000-default.conf: ServerAlias www.sp2l.ampr.org
/etc/apache2/sites-available/000-default.conf: ServerName www.poland.net-44.ampr.org
/etc/apache2/sites-available/000-default.conf: ServerName www.sp2kmh.ampr.org

/etc/apache2/sites-available/default-ssl.conf: ServerName www.sp2l.ampr.org
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/letsencrypt/live/sp2l.ampr.org/fullchain.pem

/etc/apache2/ports.conf: Listen 80
/etc/apache2/ports.conf: Listen 443
/etc/apache2/ports.conf: Listen 443

Both domains are registered with UCSD.edu DNS servers
and have same IP address: 87.251.250.110
Domain linux.sp2l.ampr.org is also registered
with UCSD.edu but have IP address: 44.165.2.2

Best regards.
Tom - SP2L@wp.pl

rg305 · May 16, 2018, 9:59am

Making some progress…
Please show:
certbot certificates
ls -l /etc/apache2/sites-enabled/
/etc/apache2/ports.conf (you can leave out any lines that start with #)
/etc/apache2/sites-available/000-default-le-ssl.conf
/etc/apache2/sites-available/default-ssl.conf

sp2l · May 16, 2018, 10:53am

Greetings again.

Another bunch of lines follows…

root@linux:/# ls -l /etc/letsencrypt/archive/sp2l.ampr.org
total 16
-rw-r–r-- 1 root root 2204 May 16 00:22 cert1.pem
-rw-r–r-- 1 root root 1647 May 16 00:22 chain1.pem
-rw-r–r-- 1 root root 3851 May 16 00:22 fullchain1.pem
-rw-r–r-- 1 root root 1708 May 16 00:22 privkey1.pem
root@linux:/#

root@linux:/etc/apache2# ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 35 Feb 19 20:15 000-default.conf -> …/sites-available/000-default.conf
lrwxrwxrwx 1 root root 52 May 16 00:23 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root 45 Mar 23 01:31 default-ssl.conf -> /etc/apache2/sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 30 Feb 19 20:15 direct.conf -> …/sites-available/direct.conf
root@linux:/etc/apache2# ls -l /etc/apache2/ports.conf
-rw-r–r-- 1 root root 796 Jan 26 2017 /etc/apache2/ports.conf
root@linux:/etc/apache2# ls -l /etc/apache2/sites-available/000-default-le-ssl.conf
-rw-r–r-- 1 root root 4627 May 16 00:23 /etc/apache2/sites-available/000-default-le-ssl.conf
root@linux:/etc/apache2# ls -l /etc/apache2/sites-available/default-ssl.conf
-rw-r–r-- 1 root root 6928 May 16 08:57 /etc/apache2/sites-available/default-ssl.conf
root@linux:/etc/apache2# ls -l /etc/apache2/sites-enabled/

Best regards.
Tom - SP2L

rg305 · May 16, 2018, 4:48pm

This should give the detail needed to solve this riddle…

Please show

`certbot certificates`

and
cat /etc/apache2/ports.conf
cat /etc/apache2/sites-available/000-default-le-ssl.conf
cat /etc/apache2/sites-available/000-default.conf
cat /etc/apache2/sites-available/default-ssl.conf

To make it easier to read and understand, please post them individually and remove any lines starting with # or add \ in front of the # lines - thanks

sp2l · May 16, 2018, 10:06pm

Greetings!

Profoundly checked two files:
my original one 000-default.conf
and new one generated by Let’s Encrypt
installation procedure, 000-default-le-ssl.conf

It appeared that new file was missing whole block
related to www.sp2kmh.ampr.org site.
Therefore redirection wasn’t working properly.

Nonetheless there is still minor issue as above site
is showing black padlock and yellow triangle
with white exclamation mark inside, apparently.
Need to investigate matter further.

Anyways, thank you very much for kind support
and your time devoted in order to solve issue.

Best regards.
Tom - SP2L@wp.pl

schoen · May 16, 2018, 10:33pm

This is a mixed content problem (about loading insecure resources inside a secure page).

You can look at the page source and search for http:// to find these resources. Or, whenever it finishes, maybe this scan:

https://www.whynopadlock.com/results/705df912-9c81-4556-af14-5d43f2f2171c

sp2l · May 17, 2018, 6:45am

Hello Seth.

Bingo!!! Perfect catch, indeed!
I appreciate very much your concise and substantive answer - thank you.

Checking further, I found A LOT of “http://…” in a lot
of files that constitute Joomla!3 CMS governing SP2KMH site.

I replaced just some of “http://…” by “https://…”
and now whilst refreshing web browser window
a green(!) padlock pops up for split second!

Have a nice day.

Best regards.
Tom - SP2L@wp.pl

system · June 16, 2018, 6:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.