How to force Apache 2.4 (httpd) to read fullchain.pem? certbot seems to work but I have an https:// issue X86_64 GNU/Linux (Linux 2 AMI)

I ran this command:

systemctl status httpd.service

It produced this output :

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: failed (Result: exit-code) since Sat 2021-05-01 19:20:28 UTC; 25min ago
     Docs: man:httpd.service(8)
  Process: 5777 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 5777 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Starting The ...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal httpd[5777]: AH00526: Syn...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal httpd[5777]: Invalid comm...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: httpd.service...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Failed to sta...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Unit httpd.se...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: httpd.service...
Hint: Some lines were ellipsized, use -l to show in full.

I ran this command:
journalctl -xe
It produced this output:

May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal ec2-instance-connect[6020]: 
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal ec2-instance-connect[6188]: 
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal ec2-instance-connect[6220]: 
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal sshd[5828]: Accepted publick
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Started Session 
-- Subject: Unit session-1302.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-1302.scope has finished starting up.
-- 
-- The start-up result is done.
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal systemd-logind[2472]: New se
-- Subject: A new session 1302 has been created for user ec2-user
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
-- 
-- A new session with the ID 1302 has been created for the user ec2-user.
-- 
-- The leading process of the session is 5828.
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Starting Session
-- Subject: Unit session-1302.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-1302.scope has begun starting up.
May 01 19:46:12 ip-172-31-33-253.us-east-2.compute.internal sshd[5828]: pam_unix(sshd:se
May 01 19:47:04 ip-172-31-33-253.us-east-2.compute.internal dhclient[2799]: XMT: Solicit
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal dhclient[2702]: DHCPREQUEST 
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal dhclient[2702]: DHCPACK from
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal dhclient[2702]: bound to 172
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal ec2net[6285]: [get_meta] Que
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal ec2net[6286]: [get_meta] Get
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal ec2net[6289]: [get_meta] Try
May 01 19:47:22 ip-172-31-33-253.us-east-2.compute.internal ec2net[6292]: [remove_aliase
May 01 19:48:38 ip-172-31-33-253.us-east-2.compute.internal sshd[6296]: Did not receive 
May 01 19:48:39 ip-172-31-33-253.us-east-2.compute.internal sshd[6297]: reverse mapping 
May 01 19:48:39 ip-172-31-33-253.us-east-2.compute.internal sshd[6297]: Invalid user sup
May 01 19:48:39 ip-172-31-33-253.us-east-2.compute.internal sshd[6297]: input_userauth_r
May 01 19:48:39 ip-172-31-33-253.us-east-2.compute.internal sshd[6297]: Connection close
May 01 19:49:06 ip-172-31-33-253.us-east-2.compute.internal dhclient[2799]: XMT: Solicit
1 Like

OK Great Stick with me!

But some of the most important information in this output is cut off at the end of lines....
One more time please with:

systemctl status httpd.service -l

This will tell us specifically what the complaint is.

apache2ctl configtest

It parses the configuration files and either reports Syntax Ok or information about the particular syntax error. (Not always perfect but worth looking at)

5 Likes

I ran this command:

systemctl status httpd.service -l

It produced this output:

 httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: failed (Result: exit-code) since Sat 2021-05-01 19:20:28 UTC; 55min ago
     Docs: man:httpd.service(8)
  Process: 5777 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 5777 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Starting The Apache HTTP Server...
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal httpd[5777]: AH00526: Syntax error on line 60 of /etc/httpd/conf/httpd.conf:
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal httpd[5777]: Invalid command 'DocumentRoot:', perhaps misspelled or defined by a module not 
included in the server configuration
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Failed to start The Apache HTTP Server.
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: Unit httpd.service entered failed state.
May 01 19:20:28 ip-172-31-33-253.us-east-2.compute.internal systemd[1]: httpd.service failed.

I ran this command:

apache2ctl configtest

It produced this output:

bash: apache2ctl: command not found

Same with sudo at the beginning.

1 Like

Ok so progress!

I'll bet we put a colon after DocumentRoot (SORRY I missed that!)

Invalid command 'DocumentRoot:', perhaps misspelled or defined

Should look like this:
DocumentRoot /var/www/html

no colon no quotes

6 Likes

Progress! Thx Rip, Thx Rip, Thx Rip!!!

I have removed the colon and quotes, but I still had an error. I removed the colons after ServerName and ServerAlias and now I can see my website! Without images, but at least I can see it! There are still issues, but it's huge progress thanks to you. Thx!

I ran this command:

apachectl -S 

It produced this output:

AH00526: Syntax error on line 24 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/onearth.studio/fullchain.pem' does not exist or is empty

It looks like a permission issue

3 Likes

Your permissions look like mine, except I can't tell by scanning the directory tree whether fullchain.pem is empty or not.

Unfortunately I have been called to other duty for a bit but will return.
In the meantime maybe @griffin can help us move forward till then.

6 Likes

Thanks Rip, I have to stop for today, I'll be back tomorrow.

/etc/letsencrypt/live/onearth.studio/fullchain.pem is not empty:

-----BEGIN CERTIFICATE-----
MIIFETCRBB2gAwIBAgISBBlDZLmcqKTrsD98+KaIVsixMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBg....................................................................................................................
..........................................................................................................................................
...................................................................................................y9w8YFzCmeQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEAT..............................................................................................................................
.........................................................................................................................................
.............................LOEZDksd86wuoXvg==
-----END CERTIFICATE-----

It's there but Apache can't see it or read it!

1 Like

Sorry I'm late.

Well...


This DocumentRoot (everywhere):

DocumentRoot "var/www/html"

is relative to the ServerRoot (and should not be). It should be this (everywhere):

DocumentRoot "/var/www/html"

Once that's fixed, then reload apache:

sudo apachectl -k graceful

There are other aspects of your configuration files that could use some TLC too.


@Rip

Can you please use your Leader powers to edit this post:

to fix all of the backticks.

2 Likes
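The two configuration mistakes diagnosed in this thread (a colon after a directive name such as `DocumentRoot:` or `ServerName:`, and a `DocumentRoot` without a leading slash that Apache resolves relative to ServerRoot) are easy to catch before restarting httpd. The following POSIX shell linter is an added example, not code from the thread or from Apache; it assumes a plain `httpd.conf`-style file and the sample configs it builds are constructed, not the poster's real files. It complements `sudo apachectl configtest`, which remains the authoritative check.

```shell
#!/bin/sh
# Pre-check an httpd.conf-style file for the two mistakes seen in this thread:
#   1. a directive written with a trailing colon ("DocumentRoot: ...", "ServerName: ...");
#      Apache takes everything up to the first whitespace as the directive name, so
#      "DocumentRoot:" is an unknown command and startup fails with AH00526.
#   2. a DocumentRoot / SSLCertificate* value that is not an absolute path; Apache
#      resolves such paths relative to ServerRoot, which is almost never intended.
# Prints "LINE: message: <line>" per finding; exit status 1 if anything was found.
lint_httpd_conf() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comment lines
        /^[ \t]*[A-Za-z]+:([ \t]|$)/ {
            printf "%d: colon after directive name: %s\n", NR, $0
            bad++
        }
        /^[ \t]*(DocumentRoot|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)[ \t]+"?[^\/" \t]/ {
            printf "%d: relative path (resolved against ServerRoot): %s\n", NR, $0
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of findings, for use in scripts (0 when the file is clean).
lint_count() {
    lint_httpd_conf "$1" | grep -c ':' || true
}

# Demonstration on constructed configs (not the poster's real httpd.conf):
demo=$(mktemp -d)
cat > "$demo/bad.conf" <<'EOF'
ServerName: onearth.studio
DocumentRoot "var/www/html"
Listen 80
EOF
cat > "$demo/good.conf" <<'EOF'
ServerName onearth.studio
DocumentRoot "/var/www/html"
Listen 80
EOF
lint_httpd_conf "$demo/bad.conf" || echo "-> fix the lines above, then run: sudo apachectl configtest"
lint_httpd_conf "$demo/good.conf" && echo "-> no findings in good.conf"
rm -rf "$demo"
```

Run it against `/etc/httpd/conf/httpd.conf` and `/etc/httpd/conf/httpd-le-ssl.conf` (the two files named in this thread), fix anything it reports, then confirm with `sudo apachectl configtest` before `sudo apachectl -k graceful`. Quotes around an absolute path are accepted by Apache and are not flagged.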

OK this is cool, just got back. Let me and @griffin ponder the issues and we'll pick 'em up tomorrow.
It would be cool if we knew what time zone you are in...

6 Likes

OK but that doesn't look like a complete cert (someone will correct me here)

5 Likes

Never mind we will pick it up when you have time and are ready.

6 Likes

I think @OnEarth obscured the certificate contents. This is unnecessary since the certificates are public knowledge anyhow via certificate transparency logs.

2 Likes

Hi Rip, Hi Griffin,

Thx both of you! I will try to catch up. I live in France (GMT+1). I didn't know that certificates are public (yes I've obscured it).

Do I need to put quotes for the DocumentRoot path (DocumentRoot "/var/www/html")? And then reload apache ?

sudo apachectl -k graceful

Glad to be back,
Jan

1 Like

It's morning in the Pacific Northwest and I see a WORKING LE CERTIFICATE!!!
Congrats @OnEarth

What's next?

4 Likes

"If it ain't broke....."
Once again, and for good measure, could you please show the output of:

sudo apachectl configtest
5 Likes

I ran this command:

sudo apachectl configtest

I got this output:

Syntax OK
1 Like

I ran this command:

apachectl -S

It produced this output:

AH00526: Syntax error on line 24 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/onearth.studio/fullchain.pem' 
does not exist or is empty
1 Like
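Two posts above report the same "does not exist or is empty" message from `apachectl -S`, while `sudo apachectl configtest` says `Syntax OK`. The difference is the `sudo`: httpd reads its certificate files as root during startup, and under certbot `/etc/letsencrypt/live/<domain>/fullchain.pem` is a symlink into `/etc/letsencrypt/archive/`, directories that are normally traversable by root only, so an unprivileged config test can fail on a file httpd itself reads without trouble. The following POSIX shell check is an added example (not code from the thread or from certbot); the PEM file it builds for its demonstration is constructed and contains no real certificate.

```shell
#!/bin/sh
# Report what the *current* user can see of a certificate file: whether the path
# is a dangling symlink, its resolved target, readability, non-emptiness, the number
# of PEM certificate blocks, and the permissions on every directory leading to it.
# A root-only directory in that list explains a failure that disappears under sudo.
check_pem() {
    pem=$1
    if [ -L "$pem" ] && [ ! -e "$pem" ]; then
        echo "DANGLING SYMLINK: $pem -> $(readlink "$pem")"
        return 1
    fi
    if [ ! -e "$pem" ]; then
        echo "NOT VISIBLE as uid $(id -u): $pem"
        return 1
    fi
    target=$(readlink -f "$pem" 2>/dev/null || echo "$pem")
    echo "path:   $pem"
    echo "target: $target"
    if [ ! -r "$target" ]; then
        echo "NOT READABLE as uid $(id -u): $target"
        return 1
    fi
    if [ ! -s "$target" ]; then
        echo "EMPTY: $target"
        return 1
    fi
    n=$(count_certs "$target")
    echo "certificate blocks: $n   (fullchain.pem = leaf plus intermediates, normally 2 or more)"
    dir=$target
    while [ "$dir" != "/" ]; do        # walk up to / showing mode, owner and group
        ls -ld "$dir"
        dir=$(dirname "$dir")
    done
    [ "$n" -ge 1 ]
}

# Count PEM certificate blocks in a file (prints 0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Demonstration on a constructed file (fake PEM bodies, not a real certificate):
demo=$(mktemp -d)
cat > "$demo/fullchain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIF...constructed...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE...constructed...
-----END CERTIFICATE-----
EOF
check_pem "$demo/fullchain.pem"
rm -rf "$demo"
```

Save the functions to a file, source it, and run `check_pem /etc/letsencrypt/live/onearth.studio/fullchain.pem` once as your login user and once under `sudo sh`. If only the root run succeeds, the certificate is fine and the earlier error came from running `apachectl -S` without sudo; use `sudo apachectl -S` instead. Do not loosen the permissions on `/etc/letsencrypt` to make the unprivileged run pass, because `privkey.pem` lives in the same tree.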

Thanks... GREAT

Not necessary.
So It looks like most everything is falling in place...
https://www.ssllabs.com/ssltest/analyze.html?d=onearth.studio
Looking pretty good..

Points out that port 80 is closed though.
It is highly recommended to open port 80.

5 Likes

Rip, thanks for your answer, for the Hardenize report and for your recommendation to open port 80.

I've added:

Listen 80

to httpd.conf and restarted apache.

Since then onearth.studio is not redirected to https://onearth.studio

I ran this command:

sudo lsof -i -P -n | grep 80

It produced this output:

dhclient  2799     root    5u  IPv6   16294      0t0  UDP [fe80::882:16ff:fe69:fb1c]:546 
httpd    17875     root    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17876   apache    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17877   apache    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17878   apache    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17879   apache    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17880   apache    4u  IPv6 1332879      0t0  TCP *:80 (LISTEN)
httpd    17880   apache    6u  IPv6 1332891      0t0  TCP *:443 (LISTEN)

What shall I do?

2 Likes

Hi Jan!
I see your server is now listening on port 80 (Good Job!)

According to CertBot documentation you can use:

certbot --redirect --uir

to add redirects and "upgrade insecure requests".
Don't forget to restart apache.

5 Likes
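The `lsof` output above shows httpd listening on both 80 and 443, but nothing on port 80 yet sends visitors to HTTPS. The following shell generator is an added example, not code from the thread or from certbot: it prints a hand-written equivalent of the port-80 VirtualHost that `certbot --redirect` adds (a `mod_rewrite` rule keyed on `SERVER_NAME`) and the `Content-Security-Policy: upgrade-insecure-requests` header that `--uir` adds. `www.onearth.studio` in the demonstration is an assumed alias, not a name from the thread; `mod_rewrite` and `mod_headers` are assumed to be loaded.

```shell
#!/bin/sh
# Emit a port-80 VirtualHost that answers every plain-HTTP request with a permanent
# redirect to the same host and path over HTTPS.
# Arguments: the ServerName followed by any ServerAlias names.
https_redirect_vhost() {
    primary=$1
    shift
    echo "<VirtualHost *:80>"
    echo "    ServerName $primary"
    for alias in "$@"; do
        echo "    ServerAlias $alias"
    done
    echo "    RewriteEngine on"
    # One RewriteCond per hostname, joined with [OR]; the last one carries no flag.
    set -- "$primary" "$@"
    while [ $# -gt 1 ]; do
        echo "    RewriteCond %{SERVER_NAME} =$1 [OR]"
        shift
    done
    echo "    RewriteCond %{SERVER_NAME} =$1"
    echo "    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]"
    echo "</VirtualHost>"
}

# Header for the *:443 VirtualHost: tells browsers to fetch any http:// subresource
# (images, scripts) over https:// instead, which is what certbot's --uir option adds.
uir_header() {
    echo 'Header always set Content-Security-Policy "upgrade-insecure-requests"'
}

# Demonstration (www.onearth.studio is an assumed alias):
https_redirect_vhost onearth.studio www.onearth.studio
echo "# add inside <VirtualHost *:443>:"
echo "    $(uir_header)"
```

Write the generated block to a file under `/etc/httpd/conf.d/` (and the header line into the `*:443` VirtualHost in `httpd-le-ssl.conf`), then run `sudo apachectl configtest` and `sudo apachectl -k graceful`. Because the rule redirects everything on port 80, Let's Encrypt's HTTP-01 validation will follow the redirect to HTTPS, which it accepts, so renewals keep working.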