LetsEncrypt / Certificate Renewal Issue (Ongoing Issue)

Help
1

My domain is:
lab.addmoreroutes.com

I ran this command:
certbot-auto -d lab.addmoreroutes.com

It produced this output:
root@eve-ng:~# certbot-auto -d lab.addmoreroutes.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lab.addmoreroutes.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/unetlab-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/unetlab-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/unetlab-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://lab.addmoreroutes.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=lab.addmoreroutes.com

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
    Your cert will expire on 2020-07-10. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”

  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/unetlab.conf were disabled in the vhost
    for your HTTPS site located at
    /etc/apache2/sites-available/unetlab-le-ssl.conf because they have
    the potential to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0

1 Like
2

I am running a homelab (EVE-NG) and from time to time I manually update the Letsencrypt certificate and run into problems. These problems are of my own doing and I have a history of fumbling through this process. I tried before on doing a script to auto renew but was unsuccessful. Long story short…

I successfully renew my certificate but I am unable to access the server remotely and locally. Access forbidden when trying to access locally. Please help

3

root@eve-ng:~# tail -n 20 /opt/unetlab/data/Logs/ssl-error.log
[Fri Apr 10 18:15:10.377635 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 06:25:01.594680 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:35:33.538065 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:35:47.183454 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:56:50.689710 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:56:55.107322 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:56:57.366963 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 12:58:36.665119 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 13:01:49.553165 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 13:11:58.883723 2020] [ssl:warn] [pid 14090] AH01909: eve-ng.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 11 13:12:26.674281 2020] [authz_core:error] [pid 9625] [client x.x.x.x:63583] AH01630: client denied by server configuration: /opt/unetlab/html/, referer: https://x.x.x.x
[Sat Apr 11 13:12:26.709888 2020] [authz_core:error] [pid 9625] [client x.x.x.x:63583] AH01630: client denied by server configuration: /opt/unetlab/html/favicon.ico, referer: https://x.x.x.x
[Sat Apr 11 13:12:49.958741 2020] [authz_core:error] [pid 9626] [client x.x.x.x:63599] AH01630: client denied by server configuration: /opt/unetlab/html/, referer: https://x.x.x.x

root@eve-ng:/etc/apache2/sites-enabled# sudo nano eveng-ssl.conf
GNU nano 2.5.3 File: eveng-ssl.conf

ServerAdmin webmaster@localhost DocumentRoot /opt/unetlab/html/ ErrorLog /opt/unetlab/data/Logs/ssl-error.log CustomLog /opt/unetlab/data/Logs/ssl-access.log combined Alias /Exports /opt/unetlab/data/Exports Alias /Logs /opt/unetlab/data/Logs SSLEngine on SSLProxyEngine on SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some # require OpenSSL 1.1.0, which as of this writing was in pre-release. SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RS$ SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off SSLOptions +StdEnvVars SSLOptions +StdEnvVars Order allow,deny Allow from all ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on ProxyPassReverse http://127.0.0.1:8080/guacamole/ 
    <Location /html5/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
            ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>
     ProxyPass /janus-ws ws://127.0.0.1:8188/
     ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
     ProxyPass /chat-ws ws://127.0.0.1:9090/
     ProxyPassReverse /chat-ws ws://127.0.0.1:9090/
</VirtualHost>

root@eve-ng:~# certbot-auto --version
certbot 1.3.0

root@eve-ng:~# apachectl -t
Syntax OK

root@eve-ng:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 eve-ng.example.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)

1 Like
4

Your problem is within the Apache configuration (or lack thereof).

The domain:

is not covered; as shown by the config:

And the error logs show that the "default" server name is not covered by the cert:

You've already done all the work to get a valid cert and all the troubleshooting...
Now, you just need to understand all of it and take the proper action.

1 Like
5

I didnt do too much troubleshooting besides posting some logs and ouput. Can you guide me in the right direction as far as the Apache configuration you mentioned ?

1 Like
6

Not really.
This is an LE community forum - not an Apache community forum.
[a simple web search should provide you all the information needed and even examples]

1 Like
7

I have corrected some things but still not having the best of luck. I have tried doing a number of Google searches on Apache configuration but just not seeing it at the moment. Keep in mind that I am a novice at best when it comes to Linux.

root@eve-ng:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)

root@eve-ng:~# tail -n 20 /opt/unetlab/data/Logs/ssl-error.log
[Sat Apr 11 13:13:44.071087 2020] [authz_core:error] [pid 9628] [client x.x.x.x:63606] AH01630: client denied by server configuration: /opt/unetlab/html/, referer: https://x.x.x.x/
[Sat Apr 11 13:13:44.089161 2020] [authz_core:error] [pid 9628] [client x.x.x.x:63606] AH01630: client denied by server configuration: /opt/unetlab/html/favicon.ico, referer: https://x.x.x.x/

8

What is the config?:

9

Blockquote


ServerAdmin webmaster@localhost
ServerName lab.addmoreroutes.com
ServerAlias www.lab.addmoreroutes.com
DocumentRoot /opt/unetlab/html/
ErrorLog /opt/unetlab/data/Logs/ssl-error.log
CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
Alias /Exports /opt/unetlab/data/Exports
Alias /Logs /opt/unetlab/data/Logs
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RS$
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars

<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars

<Location /html5/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/guacamole/

    <Location /html5/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
            ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>
     ProxyPass /janus-ws ws://127.0.0.1:8188/
     ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
     ProxyPass /chat-ws ws://127.0.0.1:9090/
     ProxyPassReverse /chat-ws ws://127.0.0.1:9090/
</VirtualHost>

Blockquote

10

Where is the "default" ("location /") handler?

11

Not sure of what you mean ? please elaborate…Linux/Apache rookie here

12

Will handles requests like:
http[s]://[www.]lab.addmoreroutes.com/html5/[*]

Will handles requests like:
http[s]://[www.]lab.addmoreroutes.com/html5/websocket-tunnel[/*]

What handles any requests NOT like either of those?
Like just:
http[s]://[www.]lab.addmoreroutes.com[/*]

13

I dont believe its there or am I missing something

14

Yes, exactly, you are missing something.
What do you want requests to https://lab.addmoreroutes.com/ to do?

Maybe you want to just redirect them to https://addmoreroutes.com/
Maybe you want to show them a “splash” page that says: “This is for official LAB workers only - stay out!”
Maybe you want to display kittens trying to catch balls of yarn…

You decide and control what happens.
You need to decide.
Then you need to make it do whatever you decided.
That “happens” within a “location” section [the one that is missing].

15

Whats an example look like ?

16 
<Location "/">
   #redirect all "lost and unfound" requests to main site
   return 301 https://addmoreroutes.com/
</Location>

See: http://httpd.apache.org/docs/current/mod/core.html#location

17

I was able to look at a backup file on the Server dating back to August of last year when this was working and the location block seems similar with no extra config. The http/https requests redirect to a EVE-NG login page

18

[we’re getting off track]

What does certbot certificates say?

19

what command are you looking for me to run ?

20

Probably

certbot-auto certificates

in your environment.