Installation of Certbot on compiled Apache


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sonicspider.com

I’m a newbie and just trying it out… I have a compiled Apache located at /usr/local/apache

I ran this command:

certbot --apache certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/modsecurity.d/20_asl_useragents.conf on line 292: Syntax error',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/modsecurity.d/20_asl_useragents.conf on line 292: Syntax error',)

My web server is (include version):

Server version: Apache/2.4.20 (Unix)
Server built: Apr 23 2016 18:22:29

The operating system my web server runs on is (include version):

CentOS 7

My hosting provider, if applicable, is:

Self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi,

The error message reported claims that there is some syntax error at your ModSecurity files so that certbot can’t proceed to validation.

Could you please check /etc/httpd/modsecurity.d/20_asl_useragents.conf line 292?

Thank you


#3

Here is that line:

SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \

???


#4

That looks like a rule that’s split across multiple lines - what’s the next line?

Also, what version of certbot are you using?


#5

Here are the lines before and after…

#fake UA
SecRule REQUEST_URI "!(\.asmx$)" \
	"phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
292>> SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \

#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
	"phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vadixbot User Agent String'"

BTW… I have the latest version of ASL (Atomic Secured Linux) running, and the line it is choking on is part of its configuration.

Version: I followed the directions on:

and used yum… so my assumption is that I installed the latest version provided through the yum system.

First I did:

$ yum -y install yum-utils

no errors… then…

$ sudo yum install python2-certbot-apache

no errors… then tried…

$ sudo certbot --apache

then tried… (based on my further reading and understanding…)

$ sudo certbot --apache certonly

both triggered the same error…

Thanks for looking at this…


#6

Hi, sorry for the delay getting back to you …

I’m not familiar with mod_security but that trailing backslash looks suspicious to me. I’d suspect there’s a line missing after 292, but Apache seems to accept it (or at least not choke on it). However, the parser that Certbot uses can’t seem to handle it correctly. Removing the trailing backslash seems to help, although I don’t know how that affects mod_security.

Another thing: you mentioned you’re using a compiled Apache. Certbot will try to configure Apache by making assumptions based on where your operating system normally puts the configuration files by default; if you compiled it yourself, your configuration is probably elsewhere, and Certbot might be looking in the wrong place. There are options to tell it where everything is - type certbot --help apache for the list.
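As an added illustration of the failure mode discussed in this thread (this is not code from the thread, from Certbot, or from Atomicorp), here is a small Python checker that reads Apache-style config text, finds every line whose trailing backslash has nothing to continue into (a blank line, a comment, or end of file), and can write out a copy with that backslash removed, the workaround suggested above. Apache's own config reader quietly absorbs such a continuation, while the stricter parser Certbot uses reports "Syntax error", so running a check like this before `certbot --apache` points you at the offending line. The sample text is the snippet from post #5; the function names and the directory walker are my own.

```python
"""Dangling line-continuation checker for Apache / ModSecurity config files.

Added example, not code from this thread, from Certbot or from Atomicorp.
Apache's config reader joins a line ending in a backslash with the next
line, so a backslash followed by a blank line is silently absorbed; the
stricter parser Certbot uses rejects it with "Syntax error".  This script
flags such lines and can emit a copy with the dangling backslash removed.
Function names are my own.
"""
import os
import sys


def is_comment_or_blank(line):
    """True for lines Apache's parser skips outright."""
    s = line.strip()
    return not s or s.startswith("#")


def find_dangling_continuations(text):
    """Return a list of (line_number, line) for every line that ends in a
    backslash but is followed by a blank line, a comment, or end of file,
    i.e. a continuation with nothing to continue into."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if is_comment_or_blank(line) or not line.rstrip().endswith("\\"):
            continue
        has_next = idx + 1 < len(lines)
        if not has_next or is_comment_or_blank(lines[idx + 1]):
            findings.append((idx + 1, line))  # 1-based, as editors report it
    return findings


def remove_dangling_continuations(text):
    """Return text with the trailing backslash stripped from each flagged line.
    Only the backslash is touched; the rule itself is left for the ruleset's
    author to review (a SecRule with two arguments is still valid syntax)."""
    lines = text.splitlines()
    for line_no, _ in find_dangling_continuations(text):
        lines[line_no - 1] = lines[line_no - 1].rstrip()[:-1].rstrip()
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def scan_tree(root):
    """Walk a config directory (e.g. /etc/httpd) and report findings per *.conf file."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".conf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_dangling_continuations(fh.read())
            if hits:
                report[path] = hits
    return report


# Reproduced from post #5 above (line 292 of 20_asl_useragents.conf is the
# fourth line here); used as sample input so the script runs offline.
SAMPLE = r'''#fake UA
SecRule REQUEST_URI "!(\.asmx$)" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \

#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vadixbot User Agent String'"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_continuations.py /etc/httpd
        for path, hits in scan_tree(sys.argv[1]).items():
            for line_no, line in hits:
                print("%s:%d: dangling continuation: %s" % (path, line_no, line))
    else:
        for line_no, line in find_dangling_continuations(SAMPLE):
            print("sample:%d: dangling continuation: %s" % (line_no, line))
```

Run without arguments it reports line 4 of the embedded sample (the thread's line 292); run with a directory argument it walks every `.conf` file beneath it. It deliberately only strips the backslash rather than rewriting the rule: whether that chained `SecRule` was meant to carry its own actions is a question for whoever maintains the ruleset, which is the same caveat raised above about how the change affects mod_security.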