How to clean a slate

Nope... well, they do, but that is at the web site instruction when I choose what help I want. Yes, I chose #1
(Apache), and the given one out of two choices:

sudo certbot --apache

or

sudo certbot certonly --apache -v

With all the fun I have been having, I chose cert only,

and I get this:

root@triggerfish:/home/jason # apachectl start

Performing sanity check on apache24 configuration:

Syntax OK

Starting apache24.

root@triggerfish:/home/jason # sudo certbot certonly --apache -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Unable to read ssl_module file; not disabling session tickets.

Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: kasdivi.com

2: www.kasdivi.com

3: theoceanwindow.com

4: www.theoceanwindow.com

5: wandjbrewers.com

6: www.wandjbrewers.com


Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):

Requesting a certificate for kasdivi.com and 5 more domains

Performing the following challenges:

http-01 challenge for kasdivi.com

http-01 challenge for theoceanwindow.com

http-01 challenge for wandjbrewers.com

http-01 challenge for www.kasdivi.com

http-01 challenge for www.theoceanwindow.com

http-01 challenge for www.wandjbrewers.com

Waiting for verification...

Challenge failed for domain kasdivi.com

Challenge failed for domain theoceanwindow.com

Challenge failed for domain wandjbrewers.com

Challenge failed for domain www.kasdivi.com

Challenge failed for domain www.theoceanwindow.com

Challenge failed for domain www.wandjbrewers.com

http-01 challenge for kasdivi.com

http-01 challenge for theoceanwindow.com

http-01 challenge for wandjbrewers.com

http-01 challenge for www.kasdivi.com

http-01 challenge for www.theoceanwindow.com

http-01 challenge for www.wandjbrewers.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: kasdivi.com

Type: connection

Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/q6EHgeUjSP_1-d2MDUd-_S09sl0pkgeH7kEGFUl6YTo: Connection refused

Domain: theoceanwindow.com

Type: connection

Detail: 209.160.64.187: Fetching http://theoceanwindow.com/.well-known/acme-challenge/_h9J52FQ6yYZDDKr7boctYypgNnYOyWUum-wcnRmmSQ: Connection refused

Domain: wandjbrewers.com

Type: connection

Detail: 209.160.65.133: Fetching http://wandjbrewers.com/.well-known/acme-challenge/5iC9qaC_HXZIQXDvRh-hAnfrQuEmZvh7G_JC5z_VKaM: Connection refused

Domain: www.kasdivi.com

Type: connection

Detail: 209.160.65.133: Fetching http://www.kasdivi.com/.well-known/acme-challenge/4D5lOj28gGb1eHIyOvrUpDn7nlZRy6uvcHHtSXnJvf4: Connection refused

Domain: www.theoceanwindow.com

Type: connection

Detail: 209.160.64.187: Fetching http://www.theoceanwindow.com/.well-known/acme-challenge/TlfqwB5YOsQUdcaE-63VS-oneRIa2D8m6uwMVHajoAw: Connection refused

Domain: www.wandjbrewers.com

Type: connection

Detail: 209.160.65.133: Fetching http://www.wandjbrewers.com/.well-known/acme-challenge/rOEHclvDgfDuNIEJCpmaskAEUT2SeiU3umhaJharYJw: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges

Error while running apachectl graceful.

apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']

Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.

apache24 not running? (check /var/run/httpd.pid).

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Back to the connectivity.

Agreed.
You need a working HTTP site before you can secure it using HTTP-01 authentication.

Right now, it's not working:

curl -Ii http://www.wandjbrewers.com/
curl: (56) Recv failure: Connection reset by peer
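The "Connection refused" detail the CA reports above is the same thing the curl check shows from outside. As an added example that is not part of this thread, the script below parses the Domain/Type/Detail blocks certbot prints, classifies each failure by what the CA actually observed, and groups the domains by the IP the CA contacted. The sample input is constructed from the entries quoted above; the third entry (a 404 "unauthorized" failure) is constructed to show the class where a web server did answer.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the certbot output quoted in this thread; the third
# entry is constructed to show a different failure class (a web server answered).
CERTBOT_OUTPUT = """\
Domain: kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/TOKEN1: Connection refused

Domain: theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://theoceanwindow.com/.well-known/acme-challenge/TOKEN2: Connection refused

Domain: www.wandjbrewers.com
Type: unauthorized
Detail: 209.160.65.133: Invalid response from http://www.wandjbrewers.com/.well-known/acme-challenge/TOKEN3: 404
"""

ENTRY_RE = re.compile(
    r"Domain: (?P<domain>\S+)\s*\nType: (?P<type>\S+)\s*\nDetail: (?P<ip>[0-9a-fA-F.:]+): (?P<detail>.*)"
)

# What each CA-side symptom tells a defender, independent of the ACME client used.
CAUSES = [
    ("Connection refused", "network",   "TCP reset at that IP: nothing listens on :80 or a firewall/ISP rejects; vhost config is never consulted"),
    ("Timeout",            "network",   "packets dropped before the host: firewall rule, or the IP is not this server"),
    ("Invalid response",   "webserver", "a web server answered: check which vhost/DocumentRoot serves this name"),
    ("no valid A records", "dns",       "DNS does not point the name at any address"),
]

def parse_failures(text):
    """Return one dict per failed domain: domain, type, ip, detail, cause, hint."""
    results = []
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["cause"], entry["hint"] = "unknown", "read the full Detail line"
        for needle, cause, hint in CAUSES:
            if needle in entry["detail"]:
                entry["cause"], entry["hint"] = cause, hint
                break
        results.append(entry)
    return results

def group_by_ip(failures):
    """Map each IP the CA contacted to the domains it resolved there; more than one
    IP means the names do not all point at the same host."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f["domain"])
    return dict(by_ip)

if __name__ == "__main__":
    failures = parse_failures(CERTBOT_OUTPUT)
    for f in failures:
        print(f"{f['domain']:<24} {f['ip']:<16} {f['cause']:<10} {f['hint']}")
    for ip, names in group_by_ip(failures).items():
        print(f"{ip}: {', '.join(names)}")
```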

My bad. Certbot crashes Apache. I forgot to restart Apache. All are back up.

OK, let's see what we are working with:
sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
         port 80 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
                 alias www.kasdivi.com
         port 80 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:33)
                 alias www.theoceanwindow.com
         port 80 namevhost wandjbrewers.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:57)
                 alias www.wandjbrewers.com
*:443                  is a NameVirtualHost
         default server www.kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:17)
         port 443 namevhost www.kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:17)
         port 443 namevhost www.theoceanwindow.com. (/usr/local/etc/apache24/extra/httpd-vhosts.conf:48)
         port 443 namevhost wandjbrewers.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:72)
         port 443 namevhost www.kasdivi.com (/usr/local/etc/apache24/extra/httpd-ssl.conf:121)

Let's have a look at this file:

<VirtualHost *:80>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/kasdivi.com"
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
 <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
 </Directory>
    ErrorLog "/var/log/kasdivi.com-error_log"
    CustomLog "/var/log/kasdivi.com-access_log" common
 Redirect permanent / https://kasdivi.com
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/kasdivi.com"
  <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
 </Directory>
   SSLEngine on
   SSLCertificateFile /usr/local/etc/ssl/apache/server.crt
   SSLCertificateKeyFile /usr/local/etc/ssl/apache/server.key
   ServerName www.kasdivi.com
      ErrorLog "/var/log/kasdivi.com-error_log"
    CustomLog "/var/log/kasdivi.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/theoceanwindow.com"
    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com
 <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
 </Directory>
    ErrorLog "/var/log/theoceanwindow.com-error_log"
    CustomLog "/var/log/theoceanwindow.com-access_log" common
 #Redirect permanent / https://kasdivi.com
</VirtualHost>
<VirtualHost *:443>
 ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/theoceanwindow.com"
  <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
 </Directory>
</VirtualHost>
  <VirtualHost *:80>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/wandjbrewers.com"
    ServerName wandjbrewers.com
    ServerAlias www.wandjbrewers.com
 <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
 </Directory>
    ErrorLog "/var/log/wandjbrewers.com-error_log"
    CustomLog "/var/log/wandjbrewers.com-access_log" common
 #Redirect permanent / https://kasdivi.com
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/wandjbrewers.com"
  <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
 </Directory>
   SSLEngine on
   SSLCertificateFile /usr/local/etc/ssl/apache/server.crt
   SSLCertificateKeyFile /usr/local/etc/ssl/apache/server.key
   ServerName wandjbrewers.com
      ErrorLog "/var/log/wandjbrewers.com-error_log"
    CustomLog "/var/log/wandjbrewers.com-access_log" common
</VirtualHost>

Hope I formatted this right.

All that looks good [to me].

The problem must be outside the web server.
Do you have any firewalls, and/or any software/appliances that can block IPs?

I sent my IPFW configuration and was advised it wasn't a problem, but here it is:

00010   4551249   774332866 allow ip from any to any via lo0
00013   4805547  3754766641 allow tcp from any to any 443 in setup keep-state :default
00014    333740   279189034 allow tcp from any to any 443 out setup keep-state :default
00015    782338    67590504 allow ip from table(1) to any
00016     15719     4788372 allow tcp from any to any 9000 in setup keep-state :default
00017         0           0 allow tcp from any to any 9000 out setup keep-state :default
00018    817478    51338447 deny log ip from table(22) to any
00020         0           0 deny ip from any to 127.0.0.0/8
00030         0           0 deny ip from 127.0.0.0/8 to any
00045       479       19164 deny ip from 176.111.0.0/16 to any
00050         0           0 check-state :default
00060   1185060   919579779 allow tcp from any to any established
00070    215128    61038908 allow ip from any to any out keep-state :default
00080     50537     2550509 allow icmp from any to any
00110      6296      395674 allow tcp from any to any 21 in setup keep-state :default
00120         0           0 allow tcp from any to any 21 out setup keep-state :default
00130     35095     4347852 allow tcp from any to any 22 in setup keep-state :default
00140         0           0 allow tcp from any to any 22 out setup keep-state :default
00150     17988     3674871 allow tcp from any to any 25 in setup keep-state :default
00160         0           0 allow tcp from any to any 25 out setup keep-state :default
00170   1362892   153217650 allow udp from any to any 53 in keep-state :default
00175     23662     2398484 allow tcp from any to any 53 in setup keep-state :default
00180         0           0 allow udp from any to any 53 out setup keep-state :default
00185         0           0 allow tcp from any to any 53 out setup keep-state :default
00200    130864    21047007 allow tcp from any to any 80 in setup keep-state :default
00210         0           0 allow tcp from any to any 80 out setup keep-state :default
00215     10423     1336820 allow tcp from any to any 110 in setup keep-state :default
00216         0           0 allow tcp from any to any 110 out setup keep-state :default
00220    120795    54643770 allow tcp from any to any 143 in setup keep-state :default
00225         0           0 allow tcp from any to any 143 out setup keep-state :default
00227         0           0 allow tcp from any to any 443 in setup keep-state :default
00228         0           0 allow tcp from any to any 443 out setup keep-state :default
00230     40518     6383154 allow tcp from any to any 465 in setup keep-state :default
00235         0           0 allow tcp from any to any 465 out setup keep-state :default
00250      8918      981622 allow tcp from any to any 587 in setup keep-state :default
00255         0           0 allow tcp from any to any 587 out setup keep-state :default
00260     10925     1825989 allow tcp from any to any 993 in setup keep-state :default
00265         0           0 allow tcp from any to any 993 out setup keep-state :default
00270     12258     2081533 allow tcp from any to any 995 in setup keep-state :default
00275         0           0 allow tcp from any to any 995 out setup keep-state :default
00500 273950524 17648570196 deny log ip from any to any
65535         9         526 deny ip from any to any

Just to make sure, I shut down the firewall and ran certbot again. Same errors; also, once again, it crashed.

Hmm, thinking of that, I checked the Apache error log and got this:

[Sat May 11 11:46:00.878553 2024] [ssl:warn] [pid 51161] AH01909: www.kasdivi.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat May 11 11:46:00.896482 2024] [ssl:warn] [pid 51161] AH01916: Init: (www.theoceanwindow.com.:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Sat May 11 11:47:12.981445 2024] [ssl:warn] [pid 512] AH01909: www.kasdivi.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat May 11 11:47:12.982043 2024] [ssl:warn] [pid 512] AH01916: Init: (www.theoceanwindow.com.:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Sat May 11 11:47:12.995909 2024] [ssl:warn] [pid 513] AH01909: www.kasdivi.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat May 11 11:47:12.996422 2024] [ssl:warn] [pid 513] AH01916: Init: (www.theoceanwindow.com.:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Sat May 11 11:47:13.052858 2024] [core:warn] [pid 513] AH00098: pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sat May 11 11:47:13.056984 2024] [mpm_prefork:notice] [

Think that might be a path to look at.
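Apache's AH01916 warning quoted above is logged for a *:443 VirtualHost that has no "SSLEngine on", which is what the theoceanwindow.com :443 block in the config posted earlier lacks. As an added check that is not from this thread, the script below parses a vhost file and reports :443 blocks that would be served as plain HTTP or cannot be selected by name, plus :80 blocks whose blanket Redirect also covers the /.well-known/acme-challenge/ path. The sample config is a constructed, shortened version of the one posted above.

```python
import re

# Constructed, shortened sample modelled on the httpd-vhosts.conf posted in this thread:
# the first :443 block is complete, the second has no SSLEngine, ServerName or cert lines.
VHOSTS_CONF = """\
<VirtualHost *:80>
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
    Redirect permanent / https://kasdivi.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.kasdivi.com
    SSLEngine on
    SSLCertificateFile /usr/local/etc/ssl/apache/server.crt
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/www/theoceanwindow.com"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return [(address, {directive_lowercase: value})] per block; <Directory> sections are skipped."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        body = re.sub(r"<Directory.*?</Directory>", "", body, flags=re.S | re.I)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip()
        vhosts.append((addr.strip(), directives))
    return vhosts

def lint_tls_vhosts(conf):
    """Findings for :443 blocks Apache would serve as plain HTTP (AH01916) or that cannot be
    selected by SNI, and for :80 blocks whose blanket Redirect also covers the ACME path."""
    findings = []
    for addr, d in parse_vhosts(conf):
        label = f"{addr} {d.get('servername', '(no ServerName)')}"
        if addr.endswith(":443"):
            if d.get("sslengine", "").lower() != "on":
                findings.append(f"{label}: no 'SSLEngine on' -> plain HTTP on port 443 (AH01916)")
            if "servername" not in d:
                findings.append(f"{label}: no ServerName -> not selectable by SNI")
        elif addr.endswith(":80") and "/" in d.get("redirect", "").split()[:-1]:
            findings.append(f"{label}: 'Redirect /' also sends /.well-known/acme-challenge/ to HTTPS")
    return findings
```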

Is there anything else that can block?
Any software?
Any appliance?

Could the Apache error be an issue? I seem to have some issue on ports 443 and 80.

recap:
It's NOT the web server.
It's NOT the ACME client.

Have you spoken with your ISP about the "connection refused" problem?

So the issues in the Apache error log about confusion between port 443 and port 80 are not an issue?

This is the same ISP that I used when I did it right, but to make sure, I did the same effort remotely, and same issue.

Could my issues be because of a lack of a CAA record?

If you have no CAA records, everything is permitted.

Thanks.

OK, just for the heck of it, as certificates are proving to be a nightmare for me, I tried again and I get this error: "Unable to read ssl_module file; not disabling session tickets." And it duplicates one of my domains.

1: kasdivi.con
2: kasdivi.com
3: www.kasdivi.com
4: theoceanwindow.com
5: www.theoceanwindow.com
6: wandjbrewers.com
7: www.wandjbrewers.com

Thoughts and wishes?

OK, I think I have it working. I ran sudo certbot certonly, entered my three domains, and got a certificate, which appears to work.