Installtion of Certbot on compiled apache

jbmoore · November 2, 2018, 11:46pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sonicspider.com

I’m a newbie and just trying it out… I have a compiled Apache located at /usr/local/apache

I ran this command:

certbot --apache certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/modsecurity.d/20_asl_useragents.conf on line 292: Syntax error',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/modsecurity.d/20_asl_useragents.conf on line 292: Syntax error',)

My web server is (include version):

Server version: Apache/2.4.20 (Unix)
Server built: Apr 23 2016 18:22:29

The operating system my web server runs on is (include version):

CentOS 7

My hosting provider, if applicable, is:

Self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

stevenzhu · November 3, 2018, 3:11pm

Hi,

The error message reported claims that there is some syntax error at your ModSecurity files so that certbot can’t proceed to validation.

Could you please check /etc/httpd/modsecurity.d/20_asl_useragents.conf line 292?

Thank you

jbmoore · November 3, 2018, 4:35pm

Here is that line:

SecRule REQUEST_HEADERS:User-Agent “windows-update-agent” \

???

jmorahan · November 3, 2018, 5:50pm

That looks like a rule that’s split across multiple lines - what’s the next line?

Also, what version of certbot are you using?

jbmoore · November 3, 2018, 6:45pm

Here is the lines before and after…

#fake UA
SecRule REQUEST_URI "!(\.asmx$)" \
	"phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
292>> SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \

#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
	"phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vadixbot User Agent String'"

BTW… I have the latest version of ASL (Atomic Secured Linux) running and the line it is choking on are part of its configuration.

Version: I followed the directions on:

and used yum… so my assumption is that I installed the latest version provided through the yum system.

First I did:

$ yum -y install yum-utils

no errors… then…

$ sudo yum install python2-certbot-apache

no errors… then tried…

$ sudo certbot --apache

then tried… (based on my further reading and understanding…)

$ sudo certbot --apache certonly

both triggered the same error…

Thanks for looking at this…

jmorahan · November 6, 2018, 9:26pm

Hi, sorry for the delay getting back to you …

I’m not familiar with mod_security but that trailing backslash looks suspicious to me. I’d suspect there’s a line missing after 292, but Apache seems to accept it (or at least not choke on it). However, the parser that Certbot uses can’t seem to handle it correctly. Removing the trailing backslash seems to help, although I don’t know how that affects mod_security.

Another thing: you mentioned you’re using a compiled Apache. Certbot will try to configure Apache by making assumptions based on where your operating system normally puts the configuration files by default; if you compiled it yourself, your configuration is probably elsewhere, and Certbot might be looking in the wrong place. There are options to tell it where everything is - type certbot --help apache for the list.

jbmoore · November 20, 2018, 6:16am

Thanks… Sorry it took so long to get back, too many pies in the oven. Anyway, that was very helpful and I will review the switches, I think this will get me going a bit further.

Any documented examples of using these switches… of particular interest, off hand, are --apache-le-vhost-ext, --apache-server-root, --apache-logs-root.

My assumption might be:

–apache-server-root /usr/local/apache

would that be correct?

Thanks

jmorahan · November 21, 2018, 10:33am

--apache-le-vhost-ext is just the suffix that certbot adds to the filename when it creates a new HTTPS virtual host. --apache-logs-root is the directory containing Apache’s logs. I’m not sure what exactly --apache-server-root is, the documentation says “Apache server root directory” but on my system it defaults to /etc/apache2 which is where Ubuntu puts the configuration files, so I’m not sure what you should use for a custom compiled Apache (I haven’t compiled Apache myself since 2.0). If you’re just asking about the syntax then yes, your example is correct.

system · December 21, 2018, 10:33am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.