Install on CentOS 7


#1

Hi,

I put my server into permissive mode and ran the installer script via https://certbot.eff.org/lets-encrypt/centosrhel7-apache
and the site now flags up as insecure…
Any tips? I’ve had a read through Installer for Centos 7? but it does not resolve my issue. I’ve checked open ports and it reports

443/tcp open https

Thanks,

Phill.


#2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

My domain is: phillw.net

I ran this command: the instructions at https://certbot.eff.org/lets-encrypt/centosrhel7-apache

It produced this output: Congratulations! You have successfully enabled https://phillw.net and
https://www.phillw.net

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): Linux phillw.net 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: It is a bare metal server running on an OVH server farm

I can login to a root shell on my machine (yes or no, or I don’t know): it’s the only way I can log on :slight_smile:


#4

Thanks!

Interestingly, the https://www.phillw.net/ works fine while the https://phillw.net/ doesn’t. I would speculate that your Apache virtual hosts only mention the former, or that you have a _default_ HTTPS virtual host with a self-signed which is taking priority and should be deleted.


#5

so, add phillw.net to virtual hosts even though it is the primary domain?


#6

Yes, Apache is using the domain name to choose which virtual host to use and therefore which certificate to present. It needs to know that that name refers to the same virtual host as www.phillw.net.


#7

ServerName phillw.net:80

<VirtualHost *:80>
ServerName www.phillw.net
ServerAlias phillw.net

What needs editing?


#8

I’m guessing I need to add on the ssl port?


#9

You should have a similar -le-ssl.conf file. If it already has the ServerAlias, then that’s OK; in this case you should look for an HTTPS virtual host with _default_ in order to remove it.


#10

I do have that file and it starts:

<VirtualHost *:443>
ServerName www.phillw.net
ServerAlias phillw.net


#11

Try grep -r _default on your Apache configuration directory to look for the _default_ HTTPS virtual host which may need to be removed.


#12

/etc/httpd/conf#grep -r _default
root@phillw:/etc/httpd/conf#

as in nothing. Any other ideas? We are this close I can taste the finishing line!!!

Regards,

Phill.


#13

Maybe in /etc/httpd rather than /etc/httpd/conf?


#14

this one?
root@phillw:/etc/httpd#grep -r _default
conf.d/ssl.conf:


#15

#16

3rd time lucky…


#17

VirtualHost _default_:443


#18

I believe that if you get rid of that virtual host and reload Apache, your site will work. This is a problem that quite a few other people have had in the past, with a similar symptom.


#19

The site is now totally unreachable…
This site can’t be reached
phillw.net refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED


#20

I believe you have to make sure you have

Listen 443

in your main Apache configuration (in some systems it’s in a file called ports.conf).
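
The checks from posts #11 to #20, gathered into one script as an added example (not part of any post above and not certbot or Apache tooling): it lists every HTTPS virtual host with the names and certificate it declares, and tests whether a `Listen 443` would remain if the file holding the `_default_` host were removed. The function names, the `example.test` hostnames and the sample tree are constructed for illustration; the sample assumes the only `Listen 443` sits in the same file as the `_default_` host.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Print each HTTPS virtual host as: file|address|names|certificate
list_https_vhosts() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="${f#"$1"/}" '
            /^[ \t]*#/ { next }
            tolower($1) == "<virtualhost" && $2 ~ /:443>$/ {
                in_vh = 1; addr = $2; sub(/>$/, "", addr); names = ""; cert = "-"; next }
            in_vh && tolower($1) == "servername"  { names = names " " $2 }
            in_vh && tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) names = names " " $i }
            in_vh && tolower($1) == "sslcertificatefile" { cert = $2 }
            in_vh && tolower($1) == "</virtualhost>" {
                sub(/^ /, "", names); if (names == "") names = "-"
                print file "|" addr "|" names "|" cert; in_vh = 0 }
        ' "$f"
    done
}

# Succeed if "Listen 443" appears in a file other than $2 (path relative to $1).
listen_443_elsewhere() {
    grep -rlE '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' "$1" \
        | grep -vxF "$1/$2" | grep -q .
}

# Constructed tree: a stock-style ssl.conf (assumed to carry the only Listen 443)
# next to a certbot-style *-le-ssl.conf with placeholder hostnames.
make_sample_tree() {
    mkdir -p "$1/conf.d"
    printf '%s\n' 'Listen 443 https' '<VirtualHost _default_:443>' \
        '  SSLCertificateFile /etc/pki/tls/certs/localhost.crt' \
        '</VirtualHost>' > "$1/conf.d/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '  ServerName www.example.test' \
        '  ServerAlias example.test' \
        '  SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem' \
        '</VirtualHost>' > "$1/conf.d/site-le-ssl.conf"
}

# Demo on the constructed tree; point the functions at /etc/httpd on a real host.
tree=$(mktemp -d)
make_sample_tree "$tree"
list_https_vhosts "$tree"
listen_443_elsewhere "$tree" conf.d/ssl.conf \
    || echo "conf.d/ssl.conf holds the only Listen 443: keep that line or add one elsewhere"
rm -rf "$tree"
```

A `_default_:443` row with no names and a non-Let's Encrypt certificate is the host to remove; if the second check fails, delete only the `<VirtualHost>` block rather than the whole file so that port 443 stays open.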