Loncapa server, no other web services, certbot fails re virtual host


#1

The only thing this machine runs is an instance of the loncapa online homework system, so there’s nothing else being served via http. I don’t see any virtual host sections in the main httpd.conf file. Grateful for any help!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: loncapa.winona.edu

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): loncapa.winona.edu
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for loncapa.winona.edu
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version):
[root@WSU-Lon-Capa conf]# apachectl -V
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Jun 22 2018 01:19:25
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

The operating system my web server runs on is (include version): Linux, RHEL 7.6

My hosting provider, if applicable, is: Minnesota State University system

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @nmoore

that shouldn’t be so difficult. Edit your main httpd.conf file. There should be a

Listen 80

directive. Then add

<VirtualHost *:80>
    DocumentRoot "PathToYourDocumentRoot"
    ServerName loncapa.winona.edu

    # Other directives here
</VirtualHost>

Then you have a minimal configuration.


#3

Thanks @Juergen.

That allowed certbot to successfully run. However, my webserver is now unresponsive. I assume when you said the text “PathToYourDocumentRoot” you meant something like /var/www/html ?


#4

Yes. There you must write your real document root.

Your http works. There is a redirect http -> https.

Your https has a timeout.

Domainname                    Http-Status  redirect                     Sec.    G
http://loncapa.winona.edu/
  52.162.238.218              301          https://loncapa.winona.edu/  0.233   A
https://loncapa.winona.edu/
  52.162.238.218              -14                                       10.023  T
  Timeout - The operation has timed out

Is there a blocking firewall?


#5

There wasn’t a blocking firewall a few hours ago.

httpd.conf somehow reads the following after I copied and pasted. This is not what you were talking about originally.

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
<VirtualHost *:80>
    DocumentRoot "PathToYourDocumentRoot"
    ServerName loncapa.winona.edu

    # Other directives here
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =loncapa.winona.edu
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Also, the DNS maps the ip to loncapa.winona.edu so I included:
ServerName loncapa.winona.edu:80


#6

This is the redirect http -> https Certbot has added.

But you must change the DocumentRoot to your correct value.

And Certbot may have created a new configuration file. There is now also the wrong value “PathToYourDocumentRoot”.

So Apache tries to find “PathToYourDocumentRoot” - and can’t find this directory.


#7

Ok, that makes sense. I was going crazy trying to figure out where the three Rewrite lines came from!


#8

Still doesn’t work with (I think) the appropriate document root.

Listen 80
<VirtualHost *:80>
    DocumentRoot "/home/httpd/html"
    ServerName loncapa.winona.edu

    # Other directives here
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =loncapa.winona.edu
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and

[root@WSU-Lon-Capa conf]# ls /home/httpd/
captchadb     cgi-bin  lib       lonIDs   lonUsers  prtspool  sockets  zipspool
captchaspool  html     lonCerts  lonTabs  perl      scantron  webdav
[root@WSU-Lon-Capa conf]# ls /home/httpd/html/
adm       favicon.ico  lon-status      priv  res
ckeditor  index.html   origindex.html  raw   userfiles

Related, because it is a cloud service it has an untypeable hostname,
[root@WSU-Lon-Capa conf]# hostname --fqdn
WSU-Lon-Capa.iel215phooculndmj5ogxpf3zg.ex.internal.cloudapp.net

But our local DNS maps loncapa.winona.edu to the machine's IP address 52.162.238.218 (as you already saw). Does the mismatch between hostname, IP and domain name matter?


#9

No, that shouldn’t be a problem. One hostname, one or two ip addresses - but a lot of domain names and vHosts.

Now I see:

Domainname                    Http-Status  redirect                     Sec.    G
http://loncapa.winona.edu/
  52.162.238.218              200                                       0.233   H
https://loncapa.winona.edu/
  52.162.238.218              200                                       2.196   N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

So there is no redirect. Your https works (accepting the wrong certificate there is a Login page), but uses the wrong self signed certificate.

So it looks that you have

  • deactivated your VirtualHost or
  • a standard configuration which is used instead.

So check your configuration if there is a /etc/apache2/sites-enabled/ directory with vHost-files.

And check, if there is a separate ssl.conf - file.

Somewhere must be something like

SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt (or server.crt)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key)

#10

Continuing the discussion from Loncapa server, no other web services, certbot fails re virtual host:

There was a firewall restriction (port 443) that was cleared this afternoon.

After re-running the certbot program I got the following dialog

[root@WSU-Lon-Capa etc]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: loncapa.winona.edu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/loncapa.winona.edu.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://loncapa.winona.edu

When I look in the file that certbot quotes, I see the same error as before

[root@WSU-Lon-Capa conf]# cat /etc/httpd/conf/httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "PathToYourDocumentRoot"
    ServerName loncapa.winona.edu

    # Other directives here
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/loncapa.winona.edu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/loncapa.winona.edu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/loncapa.winona.edu/chain.pem
</VirtualHost>
</IfModule>

I changed the following line,

DocumentRoot "/home/httpd/html"

then reran certbot, installing old cert (this probably isn’t necessary though…). After restarting httpd the error persists.

There is an ssl.conf file in /etc/httpd/conf.d/ssl.conf but it seems very vanilla - no certbot or loncapa changes that I can see.


#11

ServerName doesn't use a port.
That should be:
ServerName loncapa.winona.edu


#12

Certbot doesn’t understand your configuration.

This configuration is ok (with the modified DocumentRoot).

But your system doesn't use this configuration file. So there must be a second configuration file which is used instead. So share the content of this ssl.conf file.
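An added check for the situation in posts #2, #9, #10 and #12 (example code written for this page, not from the thread, Certbot or LON-CAPA): it walks httpd.conf and every file it Includes in load order, lists the VirtualHost blocks on :80 and :443 with their ServerName, DocumentRoot and SSLCertificateFile, and flags a DocumentRoot that is not a directory (the literal "PathToYourDocumentRoot" left in from post #2) and a second :443 block such as the stock conf.d/ssl.conf that post #12 suspects. The demo tree it builds is constructed from the snippets in the thread; where Certbot placed its Include line in httpd.conf, and the file names under a temp directory, are assumptions. Run it with no arguments for the demo, or with the real httpd.conf and ServerRoot on the box.

```python
"""Added example (not code from this thread, Certbot or LON-CAPA): walk an httpd
configuration tree in load order and list the <VirtualHost> blocks on a port, the
certificate each :443 block uses and whether each DocumentRoot exists.  The demo
tree is constructed to mirror post #10; Certbot's Include placement is assumed."""
import glob
import os
import re
import shlex
import tempfile

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)
INCLUDE = re.compile(r"^Include(?:Optional)?\s+(\S+)", re.I)
WANTED = {"servername": "ServerName", "documentroot": "DocumentRoot",
          "sslcertificatefile": "SSLCertificateFile"}

def parse_config(path, server_root, _seen=None):
    """Return one dict per <VirtualHost>, in the order httpd loads them."""
    seen = _seen if _seen is not None else set()
    real = os.path.realpath(path)
    if real in seen:                    # guard against Include loops
        return []
    seen.add(real)
    vhosts, current = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):   # httpd comments are whole-line only
                continue
            opened, inc = VHOST_OPEN.match(line), INCLUDE.match(line)
            if opened:
                current = {"addr": opened.group(1).strip(), "file": path, "line": lineno,
                           "ServerName": None, "DocumentRoot": None, "SSLCertificateFile": None}
            elif VHOST_CLOSE.match(line):
                if current is not None:
                    vhosts.append(current)
                current = None
            elif inc:
                # Include paths are relative to ServerRoot; wildcards load in sorted order
                pattern = os.path.join(server_root, inc.group(1))   # no-op for absolute paths
                for target in sorted(glob.glob(pattern)):
                    vhosts.extend(parse_config(target, server_root, seen))
            elif current is not None:
                parts = shlex.split(line)           # strips the quotes around paths
                key = WANTED.get(parts[0].lower())
                if key and len(parts) > 1:
                    current[key] = parts[1]
    return vhosts

def vhosts_on_port(vhosts, port):
    return [vh for vh in vhosts
            if any(a.rpartition(":")[2] == str(port) for a in vh["addr"].split())]

def report(vhosts, port):
    """Return (matching vhosts, list of findings) for one port."""
    matches, findings = vhosts_on_port(vhosts, port), []
    if not matches:
        findings.append(f"no VirtualHost listens on :{port}")
    elif len(matches) > 1:
        # httpd serves the block whose ServerName/ServerAlias matches the requested
        # name (the SNI name on 443); if none matches, the first listed block wins.
        findings.append(f"{len(matches)} VirtualHosts on :{port}; first listed is "
                        f"{matches[0]['file']}:{matches[0]['line']}")
    for vh in matches:
        where, droot, cert = f"{vh['file']}:{vh['line']}", vh["DocumentRoot"], vh["SSLCertificateFile"]
        if droot is not None and not os.path.isdir(droot):
            findings.append(f"{where} DocumentRoot {droot!r} is not a directory")
        if port == 443 and cert is not None and not os.path.isfile(cert):
            findings.append(f"{where} SSLCertificateFile {cert!r} not found")
    return matches, findings

def build_demo_tree():
    """Write the constructed tree to a temp dir; return (httpd.conf path, ServerRoot)."""
    root = tempfile.mkdtemp(prefix="httpd-demo-")
    le_ssl = os.path.join(root, "conf", "httpd-le-ssl.conf")
    files = {
        "conf/httpd.conf": "Listen 80\n<VirtualHost *:80>\n"
            '    DocumentRoot "PathToYourDocumentRoot"\n    ServerName loncapa.winona.edu\n'
            f"</VirtualHost>\nInclude {le_ssl}\nIncludeOptional conf.d/*.conf\n",
        "conf/httpd-le-ssl.conf": "<IfModule mod_ssl.c>\n<VirtualHost *:443>\n"
            '    DocumentRoot "PathToYourDocumentRoot"\n    ServerName loncapa.winona.edu\n'
            "Include /etc/letsencrypt/options-ssl-apache.conf\n"
            "SSLCertificateFile /etc/letsencrypt/live/loncapa.winona.edu/cert.pem\n"
            "</VirtualHost>\n</IfModule>\n",
        "conf.d/ssl.conf": "Listen 443 https\n<VirtualHost _default_:443>\n"
            '#DocumentRoot "/var/www/html"\nSSLEngine on\n'
            "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n</VirtualHost>\n",
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return os.path.join(root, "conf", "httpd.conf"), root

if __name__ == "__main__":
    import sys  # on the real box: python3 vhost_report.py /etc/httpd/conf/httpd.conf /etc/httpd
    vhosts = parse_config(*(sys.argv[1:3] if len(sys.argv) == 3 else build_demo_tree()))
    for port in (80, 443):
        matches, findings = report(vhosts, port)
        print(f":{port}", [(vh["file"], vh["ServerName"], vh["SSLCertificateFile"]) for vh in matches])
        print("\n".join("   ! " + f for f in findings))
```

On the demo tree this reports two VirtualHosts on :443 (Certbot's file first, then conf.d/ssl.conf pointing at localhost.crt) and the placeholder DocumentRoot on both :80 and :443. On RHEL the same load order can be cross-checked with `apachectl -S`, which prints every vhost with the file and line it came from; the script only adds the DocumentRoot and certificate-path checks on top of that.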


#13

I can’t find anything online to mention https.
You might have to put this behind a proxy.
Which most likely could be run on the same box / same IP / same FQDN.


#14

Thanks for the conversation Jurgen. I had to abandon the install. Hope to resume this work in a few weeks.


#15

I did find one site that mentions Loncapa and SSL:
https://loncapa.msu.edu/adm/help/Domain_Configuration_SSL.hlp

It doesn’t mention LetsEncrypt, so it would have to be tweaked a bit for that to work; but (at first glance) it seems doable