Let's Encrypt Certificates on Rocky Linux w/FIPS enabled

Server: Rocky 8.5 FIPS
Domain: roaddriversplus.com
Domain Registration: NOIP

In following Secure Apache with Let’s Encrypt Certificate on Rocky Linux and Generating SSL Keys - Let's Encrypt, I'm having trouble getting the Cert:

[root@roaddriversplus administrator]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: roaddriversplus.com
2: www.roaddriversplus.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for roaddriversplus.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: roaddriversplus.com
  Type:   connection
  Detail: 67.0.88.50: Fetching https://roaddriversplus.com/.well-known/acme-challenge/p8LVVcbKyRQ0IUGEPrnARMxFdmzpn5zYJffm8PhYPE0: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

IP is pointing to my Server:

[root@roaddriversplus administrator]# dig roaddriversplus.com

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> roaddriversplus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2049
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;roaddriversplus.com.           IN      A

;; ANSWER SECTION:
roaddriversplus.com.    60      IN      A       67.0.88.50

;; Query time: 243 msec
;; SERVER: 10.30.177.1#53(10.30.177.1)
;; WHEN: Fri May 06 23:06:53 MDT 2022
;; MSG SIZE  rcvd: 64

and NOIP is showing my ISP IP:

as well as pfSense / Dynamic DNS Status, and I have the proper HTTP(S) ports open. What else can I check to get this working?

And this is my intranet infrastructure:
Kohan Network C

1 Like

According to DNS and the picture provided, you should choose both ("1,2").

It seems the HTTP challenge request was redirected to HTTPS and that request did not return the expected reply.

curl seems to find a similar problem:

curl -Ii https://roaddriversplus.com/.well-known/acme-challenge/Test_File-1234
curl: (8) Weird server reply

As for the domain itself too:

curl -Ii https://roaddriversplus.com/
curl: (8) Weird server reply
1 Like

Maybe this will help figure out what needs adjusting, this is my pfSense / Services / HAProxy Settings:

# Automaticaly generated, dont edit manually.
# Generated on: 2022-05-06 18:10
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

frontend wwwkohanyimcom
	bind			192.168.0.33:443 name 192.168.0.33:443   ssl crt-list /var/etc/haproxy/wwwkohanyimcom.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_wwwkohanyimcom_503_MAINTENANCE
	acl			wwwkohanyim	var(txn.txnhost) -m str -i www.kohanyim.com
	acl			kohanyim	var(txn.txnhost) -m str -i kohanyim.com
	acl			wwwroaddriversplus	var(txn.txnhost) -m str -i www.roaddriversplus.com
	acl			roaddriversplus	var(txn.txnhost) -m str -i roaddriversplus.com
	acl			wwwschoolbusbook	var(txn.txnhost) -m str -i www.schoolbusbook.com
	acl			schoolbusbook	var(txn.txnhost) -m str -i schoolbusbook.com
	acl			aclcrt_wwwkohanyimcom	var(txn.txnhost) -m reg -i ^([^\.]*)\.kohanyim\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	http-request  deny if { req.hdr_cnt(content-length) gt 1 }
	http-response deny if { res.hdr_cnt(content-length) gt 1 }
	use_backend www.kohanyim.com_ipvANY  if  wwwkohanyim aclcrt_wwwkohanyimcom
	use_backend kohanyim.com_ipvANY  if  kohanyim aclcrt_wwwkohanyimcom
	use_backend www.roaddriversplus.com_ipvANY  if  wwwroaddriversplus aclcrt_wwwkohanyimcom
	use_backend roaddriversplus.com_ipvANY  if  roaddriversplus aclcrt_wwwkohanyimcom
	use_backend www.schoolbusbook.com_ipvANY  if  wwwschoolbusbook aclcrt_wwwkohanyimcom
	use_backend schoolbusbook.com_ipvANY  if  schoolbusbook aclcrt_wwwkohanyimcom

frontend HTTPS-REDIRECT
	bind			192.168.0.33:80 name 192.168.0.33:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_HTTPS-REDIRECT_503_MAINTENANCE
	acl			ACME	var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
	http-request set-var(txn.txnpath) path
	http-request redirect scheme https 
	http-request  deny if { req.hdr_cnt(content-length) gt 1 }
	http-response deny if { res.hdr_cnt(content-length) gt 1 }
	use_backend ACME-KOHANYIM-COM-PROD_ipvANY  if  ACME 

backend www.kohanyim.com_ipvANY
	mode			http
	id			102
	log			global
	errorfile			503 /var/etc/haproxy/errorfile_www.kohanyim.com_ipvANY_503_WWWKOHANHIMMAINT
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			wwwkohanyimcom 10.30.177.109:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_6272cb61bba27.pem 

backend kohanyim.com_ipvANY
	mode			http
	id			100
	log			global
	errorfile			503 /var/etc/haproxy/errorfile_kohanyim.com_ipvANY_503_KOHANHIMMAINT
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			kohanyimcom 10.30.177.110:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_6272e53ed8b63.pem 

backend www.roaddriversplus.com_ipvANY
	mode			http
	id			107
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			wwwroaddriversplus 10.30.177.105:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_62745549aa757.pem 

backend roaddriversplus.com_ipvANY
	mode			http
	id			103
	log			global
	errorfile			503 /var/etc/haproxy/errorfile_roaddriversplus.com_ipvANY_503_ROADDRIVERSPLUSMAINT
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			roaddriversplus 10.30.177.105:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_62745549aa757.pem 

backend www.schoolbusbook.com_ipvANY
	mode			http
	id			108
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			schoolbusbook 10.30.177.106:80 id 101 check inter 1000  

backend schoolbusbook.com_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			schoolbusbook 10.30.177.106:80 id 101 check inter 1000  

backend ACME-KOHANYIM-COM-PROD_ipvANY
	mode			http
	id			105
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			ACME-BACKEND 127.0.0.1:4002 id 106

That I have not seen before.


I wanted to see it for myself but I just discovered my curl is more talkative than Rudy's:

❯ curl -Ii https://roaddriversplus.com/.well-known/acme-challenge/Test_File-1234
curl: (1) Received HTTP/0.9 when not allowed
1 Like

Maybe it's my HTTPS-REDIRECT Frontend; I have:

ACME - Path starts with: - /.well-known/acme-challenge/

and

http-request redirect - rule: scheme https

??

If you can handle the acme challenge request in HTTP, that may work around the current problem.

2 Likes

At first I had both HTTP in their own Frontend; HAProxy complained and suggested I merge them:

Multiple primary frontends (HTTPS-REDIRECT, ACME) with IP:Port "192.168.0.33:80", use Shared-Frontends instead.

Instead of using the Shared Frontend, I just added the ACME into the HTTPS-REDIRECT.

I will put it back like I had it and see what happens.

I put the HTTP Frontends back like I had it before:

but I get the same results.

Did the same from a VM connected to a VPN in Canada with the same results as you:

root@vmxws1:~# curl -Ii https://roaddriversplus.com/.well-known/acme-challenge/Test_File-1234
curl: (1) Received HTTP/0.9 when not allowed

What does this mean?

And I did this with HTTP:

root@vmxws1:~# curl -Ii http://roaddriversplus.com/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://roaddriversplus.com/
root@vmxws1:~# curl -Ii http://roaddriversplus.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://roaddriversplus.com/.well-known/acme-challenge/Test_File-1234

Let's see what happens if I disable the HTTPS-REDIRECT Frontend...

I understand there to be some issue with HEAD requests.
And possible certain user agents.

Look at these:

curl -v https://roaddriversplus.com/404
*   Trying 67.0.88.50...
* TCP_NODELAY set
* Connected to roaddriversplus.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=roaddriversplus.com
*  start date: May  5 21:53:05 2022 GMT
*  expire date: Aug  3 21:53:04 2022 GMT
*  subjectAltName: host "roaddriversplus.com" matched cert's "roaddriversplus.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /404 HTTP/1.1
> Host: roaddriversplus.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
<!doctype html>
<html>
  <head>
    <meta charset='utf-8'>
    <meta name='viewport' content='width=device-width, initial-scale=1'>
    <title>Server Maintenance Page powered by: Rocky Linux</title>
    <style type="text/css">
      /*<![CDATA[*/

      html {
        height: 100%;
        width: 100%;
      }
        body {
  background: rgb(20,72,50);
  background: -moz-linear-gradient(180deg, rgba(20,72,50,1) 30%, rgba(0,0,0,1) 90%)  ;
  background: -webkit-linear-gradient(180deg, rgba(20,72,50,1) 30%, rgba(0,0,0,1) 90%) ;
  background: linear-gradient(180deg, rgba(20,72,50,1) 30%, rgba(0,0,0,1) 90%);
  background-repeat: no-repeat;
  background-attachment: fixed;
  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#3c6eb4",endColorstr="#3c95b4",GradientType=1);
        color: white;
        font-size: 0.9em;
        font-weight: 400;
        font-family: 'Montserrat', sans-serif;
        margin: 0;
        padding: 10em 6em 10em 6em;
        box-sizing: border-box;

      }


  h1 {
    text-align: center;
    margin: 0;
    padding: 0.6em 2em 0.4em;
    color: #fff;
    font-weight: bold;
    font-family: 'Montserrat', sans-serif;
    font-size: 2em;
  }
  h1 strong {
    font-weight: bolder;
    font-family: 'Montserrat', sans-serif;
  }
  h2 {
    font-size: 1.5em;
    font-weight:bold;
  }

  .title {
    border: 1px solid black;
    font-weight: bold;
    position: relative;
    float: right;
    width: 150px;
    text-align: center;
    padding: 10px 0 10px 0;
    margin-top: 0;
  }

  .description {
    padding: 45px 10px 5px 10px;
    clear: right;
    padding: 15px;
  }

  .section {
    padding-left: 3%;
   margin-bottom: 10px;
  }

  img {

    padding: 2px;
    margin: 2px;
  }
  a:hover img {
    padding: 2px;
    margin: 2px;
  }

  :link {
    color: rgb(199, 252, 77);
    text-shadow:
  }
  :visited {
    color: rgb(122, 206, 255);
  }
  a:hover {
    color: rgb(16, 44, 122);
  }
  .row {
    width: 100%;
    padding: 0 10px 0 10px;
  }

  footer {
    padding-top: 6em;
    margin-bottom: 6em;
    text-align: center;
    font-size: xx-small;
    overflow:hidden;
    clear: both;
  }

  .summary {
    font-size: 140%;
    text-align: center;
  }

  #rocky-poweredby img {
    margin-left: -10px;
  }

  #logos img {
    vertical-align: top;
  }

  /* Desktop  View Options */

  @media (min-width: 768px)  {

    body {
      padding: 10em 20% !important;
    }

    .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6,
    .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
      float: left;
    }

    .col-md-1 {
      width: 8.33%;
    }
    .col-md-2 {
      width: 16.66%;
    }
    .col-md-3 {
      width: 25%;
    }
    .col-md-4 {
      width: 33%;
    }
    .col-md-5 {
      width: 41.66%;
    }
    .col-md-6 {
      border-left:3px ;
      width: 50%;


    }
    .col-md-7 {
      width: 58.33%;
    }
    .col-md-8 {
      width: 66.66%;
    }
    .col-md-9 {
      width: 74.99%;
    }
    .col-md-10 {
      width: 83.33%;
    }
    .col-md-11 {
      width: 91.66%;
    }
    .col-md-12 {
      width: 100%;
    }
  }

  /* Mobile View Options */
  @media (max-width: 767px) {
    .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6,
    .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
      float: left;
    }

    .col-sm-1 {
      width: 8.33%;
    }
    .col-sm-2 {
      width: 16.66%;
    }
    .col-sm-3 {
      width: 25%;
    }
    .col-sm-4 {
      width: 33%;
    }
    .col-sm-5 {
      width: 41.66%;
    }
    .col-sm-6 {
      width: 50%;
    }
    .col-sm-7 {
      width: 58.33%;
    }
    .col-sm-8 {
      width: 66.66%;
    }
    .col-sm-9 {
      width: 74.99%;
    }
    .col-sm-10 {
      width: 83.33%;
    }
    .col-sm-11 {
      width: 91.66%;
    }
    .col-sm-12 {
      width: 100%;
    }
    h1 {
      padding: 0 !important;
    }
  }


  </style>
  </head>
  <body>
    <h1>The Kohanyim of Yah'uah - <strong>Maintenance</strong></h1>

    <div class='row'>

      <div class='col-sm-12 col-md-6 col-md-6 col-md-offset-12'>


        <div class='section'>
          <h2>Just visiting?</h2>

          <p>This website you are visiting is going through maintenance.</p>

          <p>If you would like the let the administrators of this website know
          that you've seen this page instead of the page you've expected, you
          should send them an email. In general, mail sent to the name
          "webmaster" and directed to the website's domain should reach the
          appropriate person.</p>

          <p>The most common email address to send to is:
          <strong>"webmaster@example.com"</strong></p>

          <h2>Note:</h2>
          <p>The Rocky Linux distribution is a stable and reproduceable platform
          based on the sources of Red Hat Enterprise Linux (RHEL). With this in
          mind, please understand that:

        <ul>
          <li>Neither the <strong>Rocky Linux Project</strong> nor the
          <strong>Rocky Enterprise Software Foundation</strong> have anything to
          do with this website or its content.</li>
          <li>The Rocky Linux Project nor the <strong>RESF</strong> have
          "hacked" this webserver: This test page is included with the
          distribution.</li>
        </ul>
        <p>For more information about Rocky Linux, please visit the
          <a href="https://rockylinux.org/"><strong>Rocky Linux
          website</strong></a>.
        </p>
        </div>
      </div>
      <div class='col-sm-12 col-md-6 col-md-6 col-md-offset-12'>
        <div class='section'>

          <h2>I am the admin, what do I do?</h2>

        <p>You may now add content to the webroot directory for your
        software.</p>

        <p><strong>For systems using the
        <a href="https://httpd.apache.org/">Apache Webserver</strong></a>:
        You can add content to the directory <code>/var/www/html/</code>.
        Until you do so, people visiting your website will see this page. If
        you would like this page to not be shown, follow the instructions in:
        <code>/etc/httpd/conf.d/welcome.conf</code>.</p>

        <p><strong>For systems using
        <a href="https://nginx.org">Nginx</strong></a>:
        You can add your content in a location of your
        choice and edit the <code>root</code> configuration directive
        in <code>/etc/nginx/nginx.conf</code>.</p>

        <div id="logos">
          <a href="https://rockylinux.org/" id="rocky-poweredby"><img src= "icons/poweredby.png" alt="[ Powered by Rocky Linux ]" /></a> <!-- Rocky -->
          <img src="poweredby.png" /> <!-- webserver -->
        </div>
      </div>
      </div>

      <footer class="col-sm-12">
      <a href="https://apache.org">Apache&trade;</a> is a registered trademark of <a href="https://apache.org">the Apache Software Foundation</a> in the United States and/or other countries.<br />
      <a href="https://nginx.org">NGINX&trade;</a> is a registered trademark of <a href="https://">F5 Networks, Inc.</a>.
      </footer>

  </body>
* TLSv1.3 (IN), TLS Unknown, Unknown (21):
* TLSv1.3 (IN), TLS alert, Client hello (1):
* Connection #0 to host roaddriversplus.com left intact
curl -Iv https://roaddriversplus.com/404
*   Trying 67.0.88.50...
* TCP_NODELAY set
* Connected to roaddriversplus.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=roaddriversplus.com
*  start date: May  5 21:53:05 2022 GMT
*  expire date: Aug  3 21:53:04 2022 GMT
*  subjectAltName: host "roaddriversplus.com" matched cert's "roaddriversplus.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> HEAD /404 HTTP/1.1
> Host: roaddriversplus.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* stopped the pause stream!
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):
curl: (8) Weird server reply
1 Like

After disabling the HTTPS-REDIRECT Frontend, I ran both HTTP(S)

HTTPS:

root@vmxws1:~# curl -v https://roaddriversplus.com/404
*   Trying 67.0.88.50:443...
* Connected to roaddriversplus.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=roaddriversplus.com
*  start date: May  5 21:53:05 2022 GMT
*  expire date: Aug  3 21:53:04 2022 GMT
*  subjectAltName: host "roaddriversplus.com" matched cert's "roaddriversplus.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /404 HTTP/1.1
> Host: roaddriversplus.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Received HTTP/0.9 when not allowed

* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (1) Received HTTP/0.9 when not allowed

root@vmxws1:~# curl -Iv https://roaddriversplus.com/404

HTTP:

root@vmxws1:~# curl -v http://roaddriversplus.com/404
> GET /404 HTTP/1.1
> Host: roaddriversplus.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* Received HTTP/0.9 when not allowed

* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

root@vmxws1:~# curl -Iv http://roaddriversplus.com/404
*   Trying 67.0.88.50:80...
* Connected to roaddriversplus.com (67.0.88.50) port 80 (#0)
> HEAD /404 HTTP/1.1
> Host: roaddriversplus.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* Received HTTP/0.9 when not allowed

* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

Then I ran certbot --apache but still got:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: roaddriversplus.com
  Type:   connection
  Detail: 67.0.88.50: Fetching http://roaddriversplus.com/.well-known/acme-challenge/tKKGdtUb8fCGOEklQZygUzoo_0B2g9-lTCamuH7285E: Timeout after connect (your server may be slow or overloaded)

  Domain: www.roaddriversplus.com
  Type:   connection
  Detail: 67.0.88.50: Fetching http://www.roaddriversplus.com/.well-known/acme-challenge/F0j4sW6ZkUfb1b3cQF85_YMBOaykX48UkkJpk1ZFfYU: Timeout after connect (your server may be slow or overloaded)

What's keeping this from completing the Cert..... :sob:

Are you running curl tests from the same server?
[although helpful, that won't show a real-world view]

Step #1: You need a working HTTP site.
I see:

curl http://roaddriversplus.com/
curl: (52) Empty reply from server
1 Like

It means your http server (or some firewall in between) isn't playing nice or is misconfigured -- badly.

1 Like

No, from a VM on another OS that is connected in Canada via VPN.

1 Like

On this Rocky VM I do have SELinux policy enabled; could that be the problem, as well as having FIPS enabled?

SELinux is reporting:

SELinux is preventing /usr/libexec/geoclue from search access on the directory 11095.
SELinux is preventing /usr/sbin/spice-vdagentd from search access on the directory 11383.

Is there a port on this VM that needs to be open other than HTTP(S)?

ALSO: I do have Snort and pfBlockerNG running on pfSense.

I believe it's just your webserver.

Check your configuration against ssl-config.mozilla.org

Could some port forwarding be missing?

2 Likes

I think there is something wrong with the default ssl.conf of Rocky:

#
# When we also provide SSL we have to listen to the 
# standard HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName roaddriversplus.com:443
ServerAlias www.roaddriversplus.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   List the protocol versions which clients are allowed to connect with.
#   The OpenSSL system profile is used by default.  See
#   update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   The OpenSSL system profile is configured by default.  See
#   update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/roaddriversplus/ROADDRIVERSPLUS_CERT.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/certs/roaddriversplus/ROADDRIVERSPLUS_CERT.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

What do you think, do I need all these settings?

Probably not that config: TLS is working fine; it's just the server behind it that is answering HTTP/0.9 (got a response without any header), and most things outside a web browser don't like it.

3 Likes
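The last reply pins the symptom down: the reply has no HTTP status line, which curl reports as "Received HTTP/0.9" or "Weird server reply" and the ACME validator reports as "Error getting validation data". The verbose curl output earlier in the thread shows the same thing directly: the maintenance-page HTML arrives immediately after the request, with no status line or headers in front of it. One configuration that produces exactly that is an HAProxy `errorfile` containing only HTML, because HAProxy sends an errorfile verbatim and the file itself must carry the status line and headers. The script below is an added example and not code from the thread or from any of the posters; it classifies a raw reply, validates an errorfile, builds a correct one, and checks whether a redirect of an HTTP-01 challenge still points at the challenge path. The sample replies are constructed for this example (using example.com, not the poster's domain), and the `probe` helper, which needs network access, is an assumption about how one would run the same check live.

```python
"""Diagnose "Received HTTP/0.9" / "Weird server reply" on an ACME HTTP-01 path.

An HTTP/1.x reply must start with a status line ("HTTP/1.1 503 ..."), then
headers, then a blank line.  A reply that starts straight with a body is what
curl calls HTTP/0.9.  An HAProxy errorfile that holds only HTML causes exactly
that, since HAProxy sends the file verbatim.  Example code, not from the thread.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit

STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: [^\r\n]*)?\r?\n")


def classify_reply(raw: bytes) -> dict:
    """Return the kind of reply and, for HTTP/1.x, its status code and headers."""
    if not raw:
        return {"kind": "empty", "status": None, "headers": {}}
    m = STATUS_LINE.match(raw)
    if not m:
        # No status line at all: the peer sent a bare body (HTTP/0.9 style).
        return {"kind": "http/0.9", "status": None, "headers": {}}
    header_block = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in re.split(rb"\r?\n", header_block)[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return {"kind": "http/1.x", "status": int(m.group(3)), "headers": headers}


def validate_errorfile(content: bytes) -> list:
    """List the problems in an HAProxy errorfile; an empty list means it is usable."""
    problems = []
    info = classify_reply(content)
    if info["kind"] != "http/1.x":
        problems.append("no HTTP status line: HAProxy would send the body alone (HTTP/0.9)")
        return problems
    if not re.search(rb"\r?\n\r?\n", content):
        problems.append("no blank line separating headers from body")
    if "content-type" not in info["headers"]:
        problems.append("missing Content-Type header")
    if "content-length" not in info["headers"] and "connection" not in info["headers"]:
        problems.append("missing Content-Length (or Connection: close) header")
    return problems


def build_errorfile(status: int, reason: str, html: str) -> bytes:
    """Wrap an HTML page in the complete HTTP response an errorfile must contain."""
    body = html.encode("utf-8")
    head = (f"HTTP/1.0 {status} {reason}\r\n"
            "Cache-Control: no-cache\r\n"
            "Connection: close\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


def acme_redirect_preserves_challenge(path: str, location: str) -> bool:
    """HTTP-01 follows redirects (including http -> https), but only to the same
    /.well-known/acme-challenge/<token> path on http or https, ports 80/443."""
    target = urlsplit(location)
    if target.scheme not in ("http", "https") or target.port not in (None, 80, 443):
        return False
    return target.path == path


def probe(host: str, path: str, tls: bool, timeout: float = 10.0) -> dict:
    """Send one raw GET and classify the reply (needs network; assumed helper)."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: acme-probe\r\nConnection: close\r\n\r\n").encode("ascii")
    sock = socket.create_connection((host, 443 if tls else 80), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    try:
        sock.sendall(request)
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    finally:
        sock.close()
    return classify_reply(b"".join(chunks))


# Constructed samples modelled on the replies quoted in the thread.
SAMPLE_HTTP09 = b"<!doctype html>\n<html><head><title>Server Maintenance Page</title></head></html>\n"
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\nCache-Control: no-cache\r\nContent-length: 0\r\n"
                   b"Location: https://example.com/.well-known/acme-challenge/Test_File-1234\r\n\r\n")

if __name__ == "__main__":
    print("maintenance page:", classify_reply(SAMPLE_HTTP09))
    print("redirect:", classify_reply(SAMPLE_REDIRECT))
    print("errorfile problems:", validate_errorfile(SAMPLE_HTTP09))
    print("fixed errorfile problems:",
          validate_errorfile(build_errorfile(503, "Service Unavailable", "<h1>Maintenance</h1>")))
```

Run against the thread's symptom, the HTML-only sample classifies as `http/0.9` and `validate_errorfile` names the missing status line; the response from `build_errorfile` passes. A 503 being served at all also means HAProxy considered the backend down, so the `httpchk` health check is the next thing to look at once the errorfile itself is well-formed.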