Letsencrypt certificate not recognized

I'm new here. Hello everyone! I don't speak English (sorry) but I'll translate all your answers.

I work with Debian 11, and Apache.

root@1150-SRV:~# uname -a
Linux 1150-SRV 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23) x86_64 GNU/Linux

sub-domain : msrv.brusses.fr

In my box (Freebox), I've redirected ports 80 and 443 to the server machine.

1/ Only the server can log in at the URL msrv.brusses.fr, the local IP of the machine, and the public IP of the server.
Other workstations: no. Only the public IP. And even in the local network.

2/ Security alert on public IP and URL browsers. All workstations, including the server.

3/ The Owncloud client works, BUT only on the public IP.
NOT on the subdomain URL.

4/ The ping works on the server: ping msrv.brusses.fr but NOT on the other workstations. For them, only the public IP.

Command used:

[code]
certbot -d msrv.brusses.fr --certonly --manual --prefered-challenge-dns 
[/code]

the file /etc/hosts

127.0.0.1	localhost
Public IP   msrv.brusses.fr
Local Ip    msrv.brusses.fr
local IP	1150-SRV.brusses.fr	1150-SRV

# The following lines are desirable for IPv6 capable hosts

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

the virtual host

<VirtualHost *:80>

	ServerName www.msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr  # <<== Useful?
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<Directory /var/www/>
       Options FollowSymLinks
       AllowOverride Limit Options FileInfo
       DirectoryIndex index.php
       Require all granted

       RewriteEngine on
       RewriteCond %{SERVER_NAME} =www.msrv.brusses.fr
       RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
       
       AllowOverride all
</Directory>


<VirtualHost *:443>

	ServerName www.msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr  # <<== Useful?
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

    SSLEngine on
       
    SSLCertificateFile	/etc/letsencrypt/live/msrv.brusses.fr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/msrv.brusses.fr/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<Directory /var/www/>
       Options FollowSymLinks
       AllowOverride Limit Options FileInfo
       DirectoryIndex index.php
       Require all granted

       RewriteEngine on
       
       RewriteCond %{SERVER_NAME} =www.msrv.brusses.fr
       RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
       
       AllowOverride all
</Directory>


In /etc/apache2/apache2.conf:

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

#<Directory /srv/msrv/brusses.fr>
#    Require host msrv.brusses.fr.conf
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>

<Directory /var/www/html/owncloud>
    Require host msrv.brusses.fr.conf
#	Options Indexes FollowSymLinks    # ADVISED TO COMMENT OUT FOR SECURITY REASONS
    AllowOverride all
#	AllowOverride None
	Require all granted
</Directory>

Where did I go wrong? Thanks a lot !

1 Like

Sorry to say there are many things wrong. Here are some key problems

First, you got a cert for your root name msrv.brusses.fr. But, your Apache server is using the www subdomain in its ServerName. You should probably have both names as -d values in your certbot command (-d msrv.brusses.fr -d www.msrv.brusses.fr).

Also, only your www domain has an IP in the public DNS. You won't be able to use your root name from the public internet without an IP.

You would normally use your root and www name as the ServerName and ServerAlias.
Doesn't matter which is which but both should be listed

Your rewrites are wrong. In your port 80 VHost you have the below which will create a loop as it redirects to itself for requests to your www name

And, this redirect in port 443 VHost redirects back to HTTP which should never be done. Even just changing it to HTTPS won't work without ensuring you don't create a loop like I just described

Lastly, right now both port 80 and port 443 are "filtered" from the public internet. This usually means they are both blocked by some sort of firewall.

Do you plan to use this Apache server from the public internet?

6 Likes
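The corrections in the reply above (both names on the certificate and as ServerName/ServerAlias, no self-redirect on port 80, no redirect at all on port 443), assembled into one vhost pair as an added example. This is not the poster's configuration and not taken from the thread; it assumes the certificate under /etc/letsencrypt/live/msrv.brusses.fr/ was issued with both `-d` names and that mod_ssl is enabled (`a2enmod ssl`). It puts fullchain.pem in SSLCertificateFile, which is what Apache 2.4.8 and later expect (Debian 11 ships a 2.4.x well past that); SSLCertificateChainFile is obsolete there, and cert.pem alone would serve the leaf without its intermediate.

```apache
# Added example, not the poster's config. Assumes the cert covers both names.
<VirtualHost *:80>
    ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr
    DocumentRoot /var/www/html/owncloud

    # Every plain-HTTP request goes to HTTPS on the canonical name.
    # No RewriteCond on SERVER_NAME here: a rule that sends the www name
    # back to http://www... on this same vhost is the loop described above.
    Redirect permanent / https://msrv.brusses.fr/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr
    DocumentRoot /var/www/html/owncloud

    SSLEngine on
    # Leaf + intermediate chain in one file (Apache 2.4.8+); key beside it.
    SSLCertificateFile    /etc/letsencrypt/live/msrv.brusses.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/msrv.brusses.fr/privkey.pem

    # Deliberately no Redirect/Rewrite here: an HTTPS vhost that redirects to
    # http:// downgrades the connection, and one that redirects to itself loops.

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# One Directory block is enough; the duplicate blocks in the original only
# repeat (and override) each other's AllowOverride.
<Directory /var/www/html/owncloud>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
```

Apache rejects a comment placed after a directive on the same line (`ServerAlias ... # <<== Useful?`), so comments stay on lines of their own. After editing, `apachectl configtest` then `apachectl -t -D DUMP_VHOSTS` should list both *:80 and *:443; if DUMP_VHOSTS shows *:80 but `ss -ltnp` / `netstat -ntlp` shows nothing listening on port 80, as in the output posted later in this thread, check that /etc/apache2/ports.conf still contains `Listen 80`.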

Wonderful! Excellent answer!
I'm going to look into it.
I'll give you the answer, of course.

Yes.
Owncloud client connects and works. In the local network. By entering the public IP.

But it generates a warning message about this certificate.
Indeed, from the Internet, it should not be functional.

Good call Mike!

Would work better. Yes?
Same for the 443 block.
The rewrite block should point to where @Arnaud2 wants to present the content.
Other than that I shall expect you will sort it out. (as usual)
My 2 cents.

3 Likes

Hello !

I'm not very good :wink:
Exactly the same problems. I must have misunderstood your advice.

URL of this tip from Letsencrypt for the fullchain directive
https://fr-wiki.ikoula.com/fr/Mise_en_place_d%E2%80%99un_certificat_Let%E2%80%99s_Encrypt_avec_Apache_sur_Debian_10

Command used: certbot certonly -d www.msrv.brusses.fr -d msrv.brusses.fr --manual --rsa-key-size 4096 --preferred-challenge dns
So, once again, I recreated a TXT field in my subdomain name.
I redid the Apache vhost.

Here it is:

<VirtualHost *:80>

	ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr  
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

    Redirect permanent / https://www.msrv.brusses.fr/	
    
#    RewriteEngine on
#    RewriteCond %{HTTPS} off
#    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]	
	
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<Directory /var/www/>
       Options FollowSymLinks
       AllowOverride Limit Options FileInfo
       DirectoryIndex index.php
       Require all granted
       
       AllowOverride all
</Directory>


<VirtualHost *:443>

	ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

    SSLEngine on
       
#    SSLCertificateFile /etc/letsencrypt/live/msrv.brusses.fr/fullchain.pem ==>> refused by Apache
    SSLCertificateFile	/etc/letsencrypt/live/msrv.brusses.fr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/msrv.brusses.fr/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

I don't understand it at all.

Commands entered for verification:

root@1150-SRV:~# netstat -ntlp | grep ":80 "
Nothing. Apache no longer listens on port 80

root@1150-SRV:~# netstat -ntlp | grep ":443 "
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 6188/apache2

root@1150-SRV:~# lsof -i:80
root@1150-SRV:~# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 6188 root 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6189 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6190 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6191 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6192 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6193 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)
apache2 6230 www-data 3u IPv4 51537 0t0 TCP *:https (LISTEN)

root@1150-SRV:~# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 msrv.brusses.fr (/etc/apache2/sites-enabled/msrv.brusses.fr.conf:1)
*:443 msrv.brusses.fr (/etc/apache2/sites-enabled/msrv.brusses.fr.conf:30)

Where can the error lie?
Should I delete the virtualhost on port 80 ?

Why did you change this?
You should be using the fullchain.pem file.

You should have been asked to create two TXT records [before pressing ENTER]:
_acme-challenge.msrv.brusses.fr
_acme-challenge.www.msrv.brusses.fr

3 Likes

That doesn't use HTTP at all.

2 Likes

Ah...
I changed it because Apache refused to restart.

But no, certbot didn't ask me to add the 2 "acme_challenge" .
I'm going to add a second TXT field to the sub-domain.
Thanks a lot!

@rg305: You say, "It doesn't use the http protocol at all?"
Isn't that the point?

1 Like

Not sure I get the point.
You show DNS authentication and then follow it with tons of HTTP related information [which does not apply].

Understand that if you process this request manually, you will have to continue processing all such future requests manually.
The idea is to automate the renewals.

2 Likes

I misunderstood, sorry.

Certbot told me that there was already a certificate for this subdomain.
It didn't suggest I create 2.

So my syntax was wrong?
But I've followed many, many tutorials.

It should be:
1. remove the TXT fields in the subdomain's DNS?
2. enter the renewal syntax?
3. restore this fullchain.pem line?

Have I understood correctly?
It's very difficult to translate, correct and so on. But it doesn't matter. It has to work :wink:

One participant asked me why I had deleted it.
Because service apache2 restart -> crash. journalctl -xe.

I'm already going to hand in this fullchain directive.
I give the return.
Thank you very much for your help.

1 Like

HTTP authentication requires the webserver to serve a specific file [for each name requested].
DNS authentication requires the DNS zone to serve a TXT record [for each name requested].

HTTP authentication can usually be automated easily.
DNS automation is more difficult to automate.
DNS authentication requires the ACME client to use an API [plugin] to update the DNS zone; and the DSP must support such updates.

2 Likes

Here are the sub-domain parameters.
Is there anything wrong here?
Thank you.

| Type | Hostname | Value | Service | Actions |
|---|---|---|---|---|
| MX | msrv | mx00.ionos.fr | Mail | |
| MX | msrv | mx01.ionos.fr | Mail | |
| CNAME | autodiscover.msrv | adsredir.ionos.info | Mail | |
| TXT | @ | "v=spf1 include:_spf-eu.ionos.com ~all" | SPF | |
| A | @ | 217.160.0.170 | Webhosting | |
| AAAA | @ | Ipv6 | Webhosting | |
| A | www | Public IP from my domain | Webhosting | |
| AAAA | | Ipv6 from my domain OR sub-domain | Webhosting | |
| MX | @ | mx00.1and1.fr | - | |
| MX | @ | mx01.1and1.fr | - | |
| CNAME | _domainconnect | _domainconnect.1and1.com | Standard record | |
| CNAME | autodiscover | adsredir.1and1.info | Standard record | |
| TXT | _acme-challenge.msrv | "What certbot generated" | - | |
| A | www.msrv | "Public IP" | - | |
| TXT | _acme-challenge.www.msrv | "What certbot generated" | - | |
| CNAME | s0f4kxqq7a5pzn7ws6y15ftwrv0eg87d | s20160709114804.brusses.fr | - | |

1 Like

This is not permanently useful because every time you need to renew, the value that goes here will be different. That is different from some other services that use TXT records to verify your ownership of a domain name, where the same TXT record can be used forever. For Let's Encrypt, the TXT record is different for every certificate renewal.

4 Likes
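To make concrete why DNS authentication needs one TXT record per name (the earlier reply) and why that record is new on every renewal (the reply just above), here is an added example that reproduces the DNS-01 derivation an ACME client performs, as specified in RFC 8555 section 8.4 with the RFC 7638 key thumbprint. It is not code from the thread or from certbot; the account key and the tokens are constructed placeholders, and a real CA issues a fresh token for each challenge, which is the reason the value changes.

```python
"""
Added example (not from the thread or from certbot): how the DNS-01 TXT
record name and value are derived for each name in a certificate request.
Value = base64url(SHA-256(token + "." + JWK_thumbprint(account_key))).
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    keys sorted lexicographically, no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT record name, TXT value) for one authorization.

    `token` is issued by the CA for this particular challenge, so even for the
    same domain and the same account key the value differs at every renewal.
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{domain}", value


# Constructed placeholder account key (not a real RSA key; the thumbprint
# only hashes the JWK members, it never decodes the modulus).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}


def records_for_order(domains, tokens, account_jwk=SAMPLE_JWK):
    """One (name, value) pair per requested name, as certbot --manual prompts for."""
    return [dns01_record(d, t, account_jwk) for d, t in zip(domains, tokens)]


if __name__ == "__main__":
    # Constructed tokens standing in for what the CA would return for one order.
    names = ["msrv.brusses.fr", "www.msrv.brusses.fr"]
    for rec, val in records_for_order(names, ["tok-order-1-a", "tok-order-1-b"]):
        print(f"{rec}  TXT  \"{val}\"")
        print(f"    check before pressing ENTER: dig +short TXT {rec}")
```

Run as a script it prints the two record names that certbot should have asked for (one per `-d` name), each with a 43-character value. The `dig +short TXT` line is the check worth doing before continuing the manual run, since the CA will look the record up through public DNS, not on the server. A record left over from a previous run is harmless but useless; only the value from the current run validates.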

Exactly.
The problem is that I had already made it work for my server, but now I can't find the technique...

Can we start again? Right now I see both your domain names working fine for HTTPS but using a DigiCert wildcard certificate. The DigiCert cert expires next month. Your IPv4 and IPv6 are both working so that is good.

I see you got a Let's Encrypt cert yesterday with your two domain names. But, your Apache server is not using this cert.

Can you show us your nginx config again? And, the output of this?

certbot certificates
3 Likes

Yes ! Of course!

<VirtualHost *:80>

	ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr  
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

    Redirect permanent / https://www.msrv.brusses.fr/	
    
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<Directory /var/www/>
       Options FollowSymLinks
       AllowOverride Limit Options FileInfo
       DirectoryIndex index.php
       Require all granted
       
       AllowOverride all
</Directory>


<VirtualHost *:443>

	ServerName msrv.brusses.fr
    ServerAlias www.msrv.brusses.fr
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html/owncloud

    SSLEngine on
       
    SSLCertificateFile	/etc/letsencrypt/live/msrv.brusses.fr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/msrv.brusses.fr/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/msrv.brusses.fr/fullchain.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Nothing has changed.
Except right now. I've just deleted the AAAA entries in the subdomain: the server is in IPv4, so what's the use? Wrong operation, no doubt.

You say nginx? I use Apache. There is no configuration only for Apache.

What do you think of this? It's a bit mysterious.

Some test commands:

root@1150-SRV:~# netstat -tulpen
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat        Utilisatr  Inode      PID/Program name    
tcp        0      0 0.0.0.0:43487           0.0.0.0:*               LISTEN      0          17999      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          18267      690/cupsd           
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      0          17978      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      117        20136      761/mariadbd        
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      0          20324      976/perl            
tcp        0      0 0.0.0.0:51005           0.0.0.0:*               LISTEN      0          15263      697/rpc.mountd      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          31667      3007/apache2        
tcp        0      0 0.0.0.0:41045           0.0.0.0:*               LISTEN      0          15254      697/rpc.mountd      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          16623      1/init              
tcp        0      0 0.0.0.0:38561           0.0.0.0:*               LISTEN      0          19538      697/rpc.mountd      
tcp6       0      0 :::2049                 :::*                    LISTEN      0          17990      -                   
tcp6       0      0 :::59167                :::*                    LISTEN      0          17943      697/rpc.mountd      
tcp6       0      0 :::42759                :::*                    LISTEN      0          18001      -                   
tcp6       0      0 :::111                  :::*                    LISTEN      0          15462      1/init              
tcp6       0      0 :::55405                :::*                    LISTEN      0          15248      697/rpc.mountd      
tcp6       0      0 :::37577                :::*                    LISTEN      0          15259      697/rpc.mountd      
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          14627      1/init              
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          20120      805/cups-browsed    
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           0          20325      976/perl            
udp        0      0 0.0.0.0:43006           0.0.0.0:*                           108        15205      640/avahi-daemon: r 
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           0          17989      -                   
udp        0      0 0.0.0.0:35436           0.0.0.0:*                           0          15261      697/rpc.mountd      
udp        0      0 0.0.0.0:60090           0.0.0.0:*                           0          19535      697/rpc.mountd      
udp        0      0 0.0.0.0:60225           0.0.0.0:*                           0          15251      697/rpc.mountd      
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        15203      640/avahi-daemon: r 
udp        0      0 0.0.0.0:39628           0.0.0.0:*                           0          17998      -                   
udp6       0      0 :::48724                :::*                                0          17940      697/rpc.mountd      
udp6       0      0 :::48932                :::*                                0          18000      -                   
udp6       0      0 :::111                  :::*                                0          16626      1/init              
udp6       0      0 :::49717                :::*                                0          19540      697/rpc.mountd      
udp6       0      0 :::42210                :::*                                0          15257      697/rpc.mountd      
udp6       0      0 :::2049                 :::*                                0          17991      -                   
udp6       0      0 :::44277                :::*                                108        15206      640/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                108        15204      640/avahi-daemon: r

root@1150-SRV:~# netstat -tap
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat        PID/Program name    
tcp        0      0 0.0.0.0:43487           0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      690/cupsd           
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      761/mariadbd        
tcp        0      0 0.0.0.0:webmin          0.0.0.0:*               LISTEN      976/perl            
tcp        0      0 0.0.0.0:51005           0.0.0.0:*               LISTEN      697/rpc.mountd      
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      3007/apache2        
tcp        0      0 0.0.0.0:41045           0.0.0.0:*               LISTEN      697/rpc.mountd      
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      1/init              
tcp        0      0 0.0.0.0:38561           0.0.0.0:*               LISTEN      697/rpc.mountd      
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:59167              [::]:*                  LISTEN      697/rpc.mountd      
tcp6       0      0 [::]:42759              [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      1/init              
tcp6       0      0 [::]:55405              [::]:*                  LISTEN      697/rpc.mountd      
tcp6       0      0 [::]:37577              [::]:*                  LISTEN      697/rpc.mountd
root@1150-SRV:~# netstat -ntlp | grep ":80 "
root@1150-SRV:~# 
root@1150-SRV:~# 
root@1150-SRV:~# netstat -ntlp | grep ":443 "
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3007/apache2
root@1150-SRV:~# netstat -ntlp | grep ":80 "
root@1150-SRV:~# **Nothing**
root@1150-SRV:~# 
root@1150-SRV:~# netstat -ntlp | grep ":443 "
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3007/apache2
root@1150-SRV:~# lsof -i:80
Nothing
root@1150-SRV:~# lsof -i:443
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 3007     root    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3008 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3009 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3010 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3011 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3012 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
apache2 3040 www-data    3u  IPv4  31667      0t0  TCP *:https (LISTEN)
root@1150-SRV:~# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   msrv.brusses.fr (/etc/apache2/sites-enabled/msrv.brusses.fr.conf:1)
*:443                  msrv.brusses.fr (/etc/apache2/sites-enabled/msrv.brusses.fr.conf:26)

Sorry, I misspoke when I said nginx. Yes, it's Apache but that Apache config you show is not what is running because I see a DigiCert certificate. You can see for yourself using a site like this SSL Checker (link here)

Can you show output of

certbot certificates

Also, show this

apachectl -t -D DUMP_VHOSTS

As a note, below is not correct for any version of Apache. Versions prior to 2.4.8 use the ChainFile but then would be chain.pem and not fullchain.pem. See (this topic)

3 Likes

root@1150-SRV:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: msrv.brusses.fr
    Serial Number: 31c54a6be0e19762304caa139457ea57aec
    Key Type: RSA
    Domains: msrv.brusses.fr
    Expiry Date: 2023-09-18 06:21:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/msrv.brusses.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/msrv.brusses.fr/privkey.pem

Thanks for the certs. Now show this too. I think on your Debian you use httpd instead of apachectl

2 Likes

root@1150-SRV:~# httpd -t -D DUMP_VHOSTS
bash: httpd : commande introuvable