Mageia installation issues

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: its-safe.com

I ran this command: /usr/local/bin/certbot-auto --apache --debug

It produced this output:
Installing Python packages…
Installation succeeded.
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/conf.d/security.conf on line 17: Syntax error',)

My web server is (include version): Apache version is 2.4.4

The operating system my web server runs on is (include version):
Mageia release 3 (Official) for i586

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, manually editing for now.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

 /usr/local/bin/certbot-auto --version
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018, 
certbot 0.35.1

Hi @SecurityDad,

Welcome to the community forum!

Can you post the contents of /etc/httpd/conf/conf.d/security.conf please?


# miscellaneous security settings

# disable TRACE (CVE-2009-2823)
TraceEnable Off

# This protects rpm backup files from beeing served, these files could
# contain sensible information.
Require all denied
# This protects ssi and php files from beeing served if the module is not
# installed, it prevents presumptive source code theft.
<IfModule !mod_include.c>
    <FilesMatch "\.(shtml)$">
        ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
        <p>The server is currently not serving ssi scripts.</p><p>This \
        could mean the server administrator is doing maintenance or has \
        orphan ssi files laying around, please contact the server \
        administrator or come back later. Thank you.</p>
        Require all denied
    </FilesMatch>
</IfModule>

<IfModule !mod_php.c>
    <FilesMatch "\.(php|php3|php4|php5|phps|phtml)$">
        ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
        <p>The server is currently not serving php scripts.</p><p>This \
        could mean the server administrator is doing maintenance or has \
        orphan php files laying around, please contact the server \
        administrator or come back later. Thank you.</p>
        Require all denied
    </FilesMatch>
</IfModule>

I’m able to reproduce this on Mageia 3, but Mageia 3 is way old and crusty and has been EOL since 2014 http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/. I would recommend an upgrade to Mageia 7 post-haste.

urpmi apache
urpmi python
urpmi python-pip
urpmi augeas
pip install pip --upgrade
pip install setuptools --upgrade
pip install certbot --upgrade
pip install certbot-apache --upgrade
httpd
certbot --apache --debug
[root@7999df154eab conf.d]# certbot --apache --debug
/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/conf.d/security.conf on line 17: Syntax error',)

If I comment out the internals of the FilesMatch block, I can get certbot to correctly parse the config.

[root@7999df154eab conf.d]# cat security.conf 
# miscellaneous security settings

# disable TRACE (CVE-2009-2823)
TraceEnable Off

<IfModule mod_dir.c>
    # This protects rpm backup files from beeing served, these files could
    # contain sensible information.
    <FilesMatch "\.(rpmorig|rpmsave)$">
	Require all denied
    </FilesMatch>

    # This protects ssi and php files from beeing served if the module is not
    # installed, it prevents presumptive source code theft.
    <IfModule !mod_include.c>
	<FilesMatch "\.(shtml)$">
#	    ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
#	    <p>The server is currently not serving ssi scripts.</p><p>This \
#	    could mean the server administrator is doing maintenance or has \
#	    orphan ssi files laying around, please contact the server \
#	    administrator or come back later. Thank you.</p>
#	    Require all denied
	</FilesMatch>
    </IfModule>

    <IfModule !mod_php.c>
	<FilesMatch "\.(php|php3|php4|php5|phps|phtml)$">
#	    ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
#	    <p>The server is currently not serving php scripts.</p><p>This \
#	    could mean the server administrator is doing maintenance or has \
#	    orphan php files laying around, please contact the server \
#	    administrator or come back later. Thank you.</p>
#	    Require all denied
	</FilesMatch>
    </IfModule>
</IfModule>
[root@7999df154eab conf.d]# certbot --apache --debug
/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ^C

Doing some further digging, I found that the Mageia 3 security.conf is missing a closing " at the end of each ErrorDocument which causes certbot to bail out with the error we’ve both received. Simply adding a closing " as shown below will allow certbot to work.

[root@7999df154eab conf.d]# cat security.conf 
# miscellaneous security settings

# disable TRACE (CVE-2009-2823)
TraceEnable Off

<IfModule mod_dir.c>
    # This protects rpm backup files from beeing served, these files could
    # contain sensible information.
    <FilesMatch "\.(rpmorig|rpmsave)$">
	Require all denied
    </FilesMatch>

    # This protects ssi and php files from beeing served if the module is not
    # installed, it prevents presumptive source code theft.
    <IfModule !mod_include.c>
	<FilesMatch "\.(shtml)$">
	    ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
	    <p>The server is currently not serving ssi scripts.</p><p>This \
	    could mean the server administrator is doing maintenance or has \
	    orphan ssi files laying around, please contact the server \
	    administrator or come back later. Thank you.</p>"
	    Require all denied
	</FilesMatch>
    </IfModule>

    <IfModule !mod_php.c>
	<FilesMatch "\.(php|php3|php4|php5|phps|phtml)$">
	    ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
	    <p>The server is currently not serving php scripts.</p><p>This \
	    could mean the server administrator is doing maintenance or has \
	    orphan php files laying around, please contact the server \
	    administrator or come back later. Thank you.</p>"
	    Require all denied
	</FilesMatch>
    </IfModule>
</IfModule>

Best of luck out there.
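
Added example (not part of the original posts and not certbot code): a pre-flight check for the defect identified above, an ErrorDocument string whose opening `"` is never closed. It merges backslash-continued lines and reports directives with an odd number of double quotes. The sample config is constructed from the snippet in this thread, and the quote counting is a heuristic, not certbot's parser.

```python
# Constructed sample modelled on the security.conf block quoted in this thread,
# shortened: the ErrorDocument string opens with a quote that is never closed.
BROKEN = r'''TraceEnable Off
<IfModule !mod_include.c>
    <FilesMatch "\.(shtml)$">
        ErrorDocument 403 "<h1>403 Forbidden: Execute Access Forbidden</h1>\
        <p>The server is currently not serving ssi scripts.</p>
        Require all denied
    </FilesMatch>
</IfModule>
'''
FIXED = BROKEN.replace("scripts.</p>\n", 'scripts.</p>"\n')

def logical_lines(text):
    """Yield (first_line_no, text) with backslash-continued lines merged into one."""
    start, buf = None, ""
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        start, buf = None, ""
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def unescaped_quotes(s):
    """Count double quotes that are not escaped by a preceding backslash."""
    count, escaped = 0, False
    for ch in s:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            count += 1
    return count

def unbalanced_directives(text):
    """Return [(line_no, directive_name)] for directives with an odd quote count."""
    hits = []
    for no, line in logical_lines(text):
        line = line.strip()
        if line and not line.startswith("#") and unescaped_quotes(line) % 2:
            hits.append((no, line.split()[0]))
    return hits

if __name__ == "__main__":
    print(unbalanced_directives(BROKEN), unbalanced_directives(FIXED))
```

The reported line number is the first physical line of the directive, which is also how the certbot error above points at line 17 of the full file.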


We are getting closer. Almost there I believe.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for its-safe.com
Waiting for verification…
Challenge failed for domain its-safe.com
http-01 challenge for its-safe.com
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1381, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1132, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.

Can you post the certbot command you're running please?

The command I am using is the following:

/usr/local/bin/certbot-auto --apache --debug

At the end of the processing I see the following:

AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

There is no file available in the hosting directory called:

.well-known/acme-challenge/9z5hPe0r6NkmSPXFfu25D4TJpkwjE7Uml_ZIt1TtOo

What is this anyway? A find command is not locating this information.

@SecurityDad,

.well-known/acme-challenge/9z5hPe0r6NkmSPXFfu25D4TJpkwjE7Uml_ZIt1TtOo is the ACME challenge. You can read more about it at https://tools.ietf.org/html/rfc8555#section-8.3.

Can you post your apache vhost configuration please?
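
Added example (not from the thread or from certbot): what the CA's http-01 validation request expects per RFC 8555 section 8.3, using the domain and token quoted above. The account key is a constructed placeholder, so the thumbprint it produces is illustrative only.

```python
import base64
import hashlib
import json

def b64url(data):
    """Base64url without padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def http01_expectation(domain, token, account_jwk):
    """Return (url, body): the URL the CA fetches on port 80 and the body it must get."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return url, token + "." + jwk_thumbprint(account_jwk)

# Token copied from the thread. The account key is a constructed placeholder,
# not a real key; members outside the required set (alg here) are ignored.
TOKEN = "9z5hPe0r6NkmSPXFfu25D4TJpkwjE7Uml_ZIt1TtOo"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256",
              "n": b64url(b"constructed-modulus-not-a-real-key")}

URL, BODY = http01_expectation("its-safe.com", TOKEN, SAMPLE_JWK)

if __name__ == "__main__":
    print(URL)
    print(BODY)
```

Certbot's apache plugin serves this response only while validation is in progress and removes it afterwards (the "Cleaning up challenges" line in the output), so the path is not expected to exist on disk later.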

Here it is:
more its-safe.com.conf
<VirtualHost *:80>
ServerName its-safe.com
ServerAlias www.its-safe.com
ServerAlias its-safe.com.No-JunkMail.com
ServerAdmin webmaster@its-safe.com
DocumentRoot /home/aewhale/web/its-safe.com/html
<directory /home/aewhale/web/its-safe.com/html>
Options +Includes +ExecCGI +FollowSymLinks

ErrorLog /home/aewhale/web/its-safe.com/logs/error_log
#TransferLog /home/aewhale/web/its-safe.com/logs/access_log
CustomLog /home/aewhale/web/its-safe.com/logs/access_log combined
ScriptAlias /cgi-bin/ /home/aewhale/web/its-safe.com/cgi-bin/

AddType text/css .css

Is there something missing?
