1- Is it an OK tutorial?
2- Is my configuration OK?
<VirtualHost *:80>
ServerAdmin root@localhost
ServerAlias www.mymy.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
ServerName mymy.net
ServerAlias www.mymy.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log combined
</VirtualHost>
If yes, then why did I get the error below:
# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
And:
# journalctl -xe
Aug 25 12:00:46 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
At a quick glance, there seem to be several problems with it:
It's using certbot-auto rather than the EPEL package of certbot
It has you create the port 443 virtual host before you have the certificate
After certbot installs the cert, it has you manually specify the cert again in the config files
And for heaven's sake, it has you use vi as a text editor
That guide seems determined to have you do things the hard way, and doesn't do you the corresponding favor of explaining why. Now, of these issues, the first isn't the cause of your problem, but the second could be. The output of systemctl status httpd could give you some more information about what's going on. But personally, I'd ditch this guide and start with the official docs.
Thank you.
What is the problem with “certbot-auto”?
In the document, “sudo certbot --apache” is an automated way, and I want to know: can it detect my Apache config file (I created a separate file under the conf.d directory), or does it write configuration into the “httpd.conf” file?
The purpose of certbot-auto is to install certbot on distros which don't have an existing package. CentOS does have such a package, and it's reasonably up-to-date. Let yum do its thing.
It should.
I believe it writes its own .conf file rather than altering httpd.conf.
No, it really didn't. Apache is using a self-signed cert, not the Let's Encrypt cert. You're going to need to track down the reason for this in the Apache config files.
Thank you for your reply.
Certbot created some config files under the “/etc/httpd/conf.d” directory and automatically added some lines to my Virtual Host config file.
The Apache config file is as below:
ServerRoot "/etc/httpd"
ServerName www.mywebsite.net
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
#Security
TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
TimeOut 60
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
ErrorDocument 500 "Oh sorry dear."
FileETag MTime
KeepAlive On
MaxKeepAliveRequests 100
MaxConnectionsPerChild 1000
UseCanonicalName Off
LimitInternalRecursion 5
LimitRequestFields 500
AcceptPathInfo Off
MaxRanges 100
KeepAliveTimeout 4
# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule headers_module modules/mod_headers.so
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
What is my config problem?
The “MISMATCH” problem is because of the file below:
$ cat /etc/httpd/conf.d/wp-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName mywebsite.net
ServerAlias www.mywebsite.net
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mywebsite.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.net/privkey.pem
</VirtualHost>
</IfModule>
When I change “ServerName”, Apache can’t start.
# cat ssl_error_log
[Tue Sep 01 23:23:12.171835 2020] [ssl:warn] [pid 349886:tid 140135623199040] AH01909: www.mywebsite.net:443:0 server certificate does NOT include an ID which matches the server name
[Tue Sep 01 23:23:12.228405 2020] [ssl:warn] [pid 349886:tid 140135623199040] AH01909: www.mywebsite.net:443:0 server certificate does NOT include an ID which matches the server name
In the image below, “Key Exchange” and “Cipher Strength” are not 100. How can I improve them?
Those two lines from the log are warnings and wouldn't prevent Apache from starting.
This would imply you've got everything properly working now. In the same post you're claiming your Apache won't start. I'm confused. Everything is working OK now?
Also, getting a 100 % score on SSLLabs has been discussed earlier. Please use the Search feature to find such threads.
Thank you for your reply.
When I change “ServerName mywebsite.net” to “ServerName www.mywebsite.net”, Apache works, but I can’t browse my site. It shows me an error about the https certificate. I want to change it because of the “MISMATCH” error:
You also have a ServerAlias for your www subdomain. So changing ServerName to that same hostname doesn't actually do anything useful. You should keep it the way it was.
It's very frustrating you're redacting your hostname. Now we can't really debug your issue.
I'm betting you forgot a hostname in your certificate, but I can't verify that.
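The check the reply above cannot run without the real hostname, as an added example that is not from the thread: it reads the ServerName/ServerAlias lines of a vhost and the DNS entries printed by `openssl x509 -in /etc/letsencrypt/live/<domain>/cert.pem -noout -ext subjectAltName` (a certificate file, not privkey.pem), and lists every vhost hostname the certificate does not cover. Both inputs are constructed to mirror the redacted wp-le-ssl.conf posted earlier; `mywebsite.net` is the thread's placeholder domain.

```python
"""List the ServerName/ServerAlias hostnames of an Apache vhost that the
certificate's Subject Alternative Names do not cover (AH01909 / SSL Labs MISMATCH)."""
import re

# Constructed sample vhost, modelled on the redacted wp-le-ssl.conf in this thread.
VHOST_CONF = """\
<VirtualHost *:443>
    ServerName mywebsite.net
    ServerAlias www.mywebsite.net
    SSLCertificateFile /etc/letsencrypt/live/mywebsite.net/fullchain.pem
</VirtualHost>
"""

# Constructed output of:
#   openssl x509 -in /etc/letsencrypt/live/mywebsite.net/cert.pem -noout -ext subjectAltName
# Here the certificate was issued for the bare domain only (the suspected mistake).
SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:mywebsite.net
"""

def vhost_hostnames(conf):
    """ServerName and every ServerAlias value, lower-cased, without scheme or port."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", conf, re.M):
        for token in m.group(1).split():  # ServerAlias may list several names
            names.append(re.sub(r"^[a-z]+://", "", token).split(":")[0].lower())
    return names

def san_dns_names(text):
    """DNS: entries from `openssl x509 -ext subjectAltName` output."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]

def covers(san, host):
    """Exact match, or a wildcard that replaces only the leftmost label (RFC 6125)."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host

def uncovered_hostnames(conf, san_text):
    """Hostnames the vhost answers for that no SAN entry in the certificate covers."""
    sans = san_dns_names(san_text)
    return [h for h in vhost_hostnames(conf) if not any(covers(s, h) for s in sans)]

if __name__ == "__main__":
    missing = uncovered_hostnames(VHOST_CONF, SAN_OUTPUT)
    print("MISMATCH:" if missing else "OK:", ", ".join(missing) or "all names covered")
```

With the constructed inputs it reports `www.mywebsite.net` as uncovered, which is exactly the case AH01909 warns about; fixing it means reissuing the certificate with that name (or a wildcard) rather than editing ServerName.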
The hostname (or hostnames, if you've used subdomains too) you've used to get your Let's Encrypt certificate. We're talking about website hostnames, most often used in virtual hosts in webservers. Although in "older" times the hostname of a service was equal to the hostname of the machine, in modern times those are often not equivalent any longer.
I'm pretty sure it didn't actually say "mydomain.net" but your actual domain name. That is what I meant by hostname. I still have no idea what you're trying to accomplish by editing /etc/hostname and /etc/hosts...
You didn't read the thread correctly. You're inputting a private key, while the x509 program expects a certificate, just like the error message said.
Also, no offence, but if you don't really know what you're doing, do you think it's wise to do it? For example, Public Key Pinning can leave your site unreachable if the pinned key has been changed by another. And I don't think PKP is necessary for the 100 % score.
Also, why do you want a 100 % score anyway? You realise this would leave your site inaccessible for older clients?
And another note: "regular" Diffie-Hellman key exchange is very, very slow. It's better to choose only elliptic curve Diffie-Hellman. Or if you really require older DH, use one of the safer pre-defined groups from RFC 7919. You can read more about it on an older version of the Mozilla Server Side TLS guide.
You do realize that post is almost five years old - things have changed since then.
And it wasn't published by LetsEncrypt - it was posted by someone just like you.
OK.
How can I use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096?
Is a 100% score not mandatory?
What is the problem with the configuration below?
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
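To see concretely what the two SSLCipherSuite strings in this thread enable (the ALL:+HIGH string just above, and the ECDHE-only list from the poster's httpd.conf), here is an added example that is not from the thread. It uses Python's ssl module to expand each string against the local OpenSSL and reports the key-exchange kinds, the weakest cipher and the non-AEAD suites, which is what the SSL Labs "Key Exchange" and "Cipher Strength" categories grade; the labels LOOSE and STRICT are mine, and the exact suite list depends on the OpenSSL build it runs on.

```python
"""Expand the two SSLCipherSuite strings from this thread with the local OpenSSL
and summarise what SSL Labs grades as "Key Exchange" and "Cipher Strength"."""
import ssl

# Cipher string from the last question in the thread. Note that '!SSLv3' here is a
# cipher *alias*: it drops the suites first defined for SSLv3 (e.g. AES128-SHA);
# disabling the protocol itself is SSLProtocol's job, not SSLCipherSuite's.
LOOSE = "ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL"
# ECDHE-only list from the poster's httpd.conf earlier in the thread.
STRICT = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

def expand(cipher_string):
    """Resolve an OpenSSL cipher string into the TLS 1.2-and-below suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites come from a separate list and are always present; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def summarize(cipher_string):
    """Key-exchange kinds, weakest cipher and non-AEAD (CBC) suites in the string."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        # kx-rsa = static RSA key exchange (no forward secrecy);
        # kx-dhe = finite-field DH, graded by the DH parameter size (see RFC 7919).
        "key_exchange": sorted({c["kea"] for c in suites}),
        "weakest_bits": min(c["strength_bits"] for c in suites),
        "cbc_suites": [c["name"] for c in suites if not c["aead"]],
    }

def forward_secrecy_only(cipher_string):
    """True when every enabled suite uses an ephemeral (ECDHE/DHE) key exchange."""
    return all(c["kea"] in ("kx-ecdhe", "kx-dhe") for c in expand(cipher_string))

if __name__ == "__main__":
    for label, s in (("ALL:+HIGH string", LOOSE), ("ECDHE-only list", STRICT)):
        info = summarize(s)
        print(f"{label}: {info['count']} suites, kx={info['key_exchange']}, "
              f"weakest={info['weakest_bits']} bits, CBC={len(info['cbc_suites'])}, "
              f"forward secrecy only={forward_secrecy_only(s)}")
```

The ALL:+HIGH string still admits static-RSA and finite-field DHE key exchange, so the weakest of those caps the "Key Exchange" score; both strings keep 128-bit suites, which is what holds "Cipher Strength" below 100.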