How to force Apache 2.4 (httpd) to read fullchain.pem? certbot seems to work but I have an https:// issue X86_64 GNU/Linux (Linux 2 AMI)

griffin · May 2, 2021, 6:03pm

What says sudo apachectl -S now?

OnEarth · May 2, 2021, 6:09pm

THX RIP!
THX GRIFFIN!
THX TO ALL LET'S ENCRYPT COMMUNITY SUPPORT TEAM!

griffin · May 2, 2021, 6:10pm

You're quite welcome!

Rip · May 2, 2021, 6:11pm

Of course you are very welcome. Would you please show the output of:

sudo apachectl -S

To relieve our anxiety

OnEarth · May 2, 2021, 6:15pm

I ran this command:

sudo apachectl -S

It produced this answer:

AH00526: Syntax error on line 24 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/onearth.studio/fullchain.pem' does not
 exist or is empty

Still can't read fullchain.pem, should I post it?

Rip · May 2, 2021, 6:34pm

I'm pondering this.
Testing shows the certificate chain to be correct. But why this error?

sudo apachectl configtest shows "Syntax OK"
but
sudo apachectl -S shows the error.

~~Looking into a few workflows so as to verify the certificate.~~

Can we have another look at the output from:

sudo certbot certificates

OnEarth · May 2, 2021, 6:42pm

Thanks for your answer, I ran this command:

sudo certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: onearth.studio
    Serial Number: 4194300b99ca8a4ebb03f7cf8a68856c8b1
    Key Type: RSA
    Domains: onearth.studio www.onearth.studio
    Expiry Date: 2021-07-24 18:28:10+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/onearth.studio/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/onearth.studio/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Rip · May 2, 2021, 6:58pm

I think @Osiris has experience debugging this kind of thing. Maybe he'll give us a "leg up" and help us verify the certificate existence and validity.

@griffin is still working it too!

Osiris · May 2, 2021, 7:22pm

One would think the apachectl -S wasn't ran through sudo even when @OnEarth said he/she did so Usually this (the situation where the file and its contents do actually exist, but Apache says it doesn't) is the result of a permission problem.

Rip · May 2, 2021, 7:27pm

Is there a certbot command that can be used to fix permissions and file structure?

@OnEarth Are you certain that you ran: sudo apachectl -S ??

Osiris · May 2, 2021, 7:29pm

Not that I know of. But it's very rare for root not to be able to read the files in question.

griffin · May 2, 2021, 7:40pm

Does apache have directory access (execute permission) all the way up into live?

OnEarth · May 2, 2021, 7:45pm

Osiris, Rip and Griffin, I did a copy and paste with the

sudo apachectl -S

command I am pretty sure but who knows I might have done a mistake because now the output is different:

VirtualHost configuration:
*:80                   onearth.studio (/etc/httpd/conf/httpd.conf:58)
*:443                  is a NameVirtualHost
         default server ip-172-31-33-253.us-east-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-33-253.us-east-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost onearth.studio (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.onearth.studio
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/etc/httpd/htdocs"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Rip · May 2, 2021, 7:47pm

Ok so I don't see the error now. This is good.
Definitely a difference!

OnEarth · May 2, 2021, 7:48pm

SO GREAT!
THANKS!

Rip · May 2, 2021, 7:52pm

Jan probably missed the sudo . (and I didn't think of it)

Thanks @Osiris

Rip · May 2, 2021, 8:25pm

Ok @OnEarth ,
Where to go from here?
I'm not seeing any images, looks like your site is based completely on a script that is wrapped in html.
I won't be able to help you fix that, but there are a couple other things you could do to "tighten things up a bit".
Please let us know if your are satisfied at this point or want to continue to tweak some more.

OnEarth · May 2, 2021, 9:09pm

Before the last time I ran sudo apachectl -S, I did not forgot sudo (I think) but after running

certbot --redirect --uir

I did forgot to restart apache, I don't know it it had any impact on the output of:

sudo apachectl -S

Thank you @Osiris

OnEarth · May 2, 2021, 9:25pm

Rip,

I would be very glad to "tighten things up a bit", let me know what I need to do.

It's getting late in France, I'll be back tomorrow.

My site is a React App with Stripe payment method, I will fix the issue with the images.

Thank you again, all of you, for your help and for your patience,
Jan

system · June 1, 2021, 9:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.