Mod_md and Subdomain: '503 Service Unavailable' for now

My domain is: https://icf.quantum-equities.com

I ran this command: In Apache virtualhosts.conf: SSLEngine on

It produced this output: '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.

My web server is (include version): Apache 2.4.53

The operating system my web server runs on is (include version): CentOS Stream 9.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

In other words, quantum-equities.com is fine with mod_md. But its subdomain is not. mod_md seems to think it doesn't need a cert.

Welcome back @Quantum

We don't see mod_md problems here very often. The 503 Service Unavailable sounds like a possible temp problem reaching the Let's Encrypt Server. These are rare and should not repeat except maybe during a known LE outage (which we don't have right now).

Is this the first time you are using mod_md for these domains?

If so, I'd suggest reviewing your mod_md config and perhaps asking on the github for it. I know mod_md is now packaged in Apache but you still might find more expertise there. There are some here who know mod_md but I am not one of them.
https://httpd.apache.org/docs/trunk/mod/mod_md.html

3 Likes

Yes first time setup with mod_md.

I've found that in virtualhosts.conf I can set:
MDomain quantum-equities.com icf.quantum-equities.com
And it does associate the cert with icf, However, when I go to icf.quantum-equities.com it gives that black screen with:
Error code: SSL_ERROR_BAD_CERT_DOMAIN
... and wants me to confirm the exception. Alarming to visitors.

IOW it's not either wildcarding quantum-equities.com, or adding icf.quantum-equities.com to the common name in the cert.

Yes, I see the wrong cert configured for your icf subdomain.

In your cert history I see a cert for your root domain and a www subdomain you got on Apr23 (link here)

Sometimes it takes a while (24H even) for new certs to appear in the public logs.

Can you show the Apache config files for the mod_md settings and the VirtualHost it applies to? Maybe I will see something or someone else with more expertise will see it.

3 Likes

```apache
<MDomain quantum-equities.com icf.quantum-equities.com>
  MDRequireHttps permanent
</MDomain>

#************ quantum-equities.com ************
<VirtualHost *:80>
    ServerName quantum-equities.com
    ServerAlias www.quantum-equities.com
    Redirect permanent / https://quantum-equities.com/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/srv/html/QE/"
    ServerName quantum-equities.com
    ServerAlias www.quantum-equities.com

    Protocols h2 http/1.1 acme-tls/1

    <If "%{HTTP_HOST} == 'www.quantum-equities.com'">
      Redirect permanent / https://quantum-equities.com/
    </If>

    CustomLog /var/log/httpd/qe_access.log combined
    ErrorLog /var/log/httpd/qe_error.log

    DirectoryIndex index.html index.php

    # All SSL is taken care of in /etc/httpd/conf.d/ssl/conf
    SSLEngine on

</VirtualHost>


#************ icf.quantum-equities.com ************
<VirtualHost *:80>
    ServerName icf.quantum-equities.com
    ServerAlias www.icf.quantum-equities.com
    Redirect permanent / https://icf.quantum-equities.com/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/srv/html/ICF/"
    ServerName icf.quantum-equities.com
    ServerAlias www.icf.quantum-equities.com

    Protocols h2 http/1.1 acme-tls/1

    <If "%{HTTP_HOST} == 'www.icf.quantum-equities.com'">
      Redirect permanent / https://icf.quantum-equities.com/
    </If>

    CustomLog /var/log/httpd/icf_access.log combined
    ErrorLog /var/log/httpd/icf_error.log

    DirectoryIndex index.html index.php

    # All SSL is taken care of in /etc/httpd/conf.d/ssl/conf
    SSLEngine on

</VirtualHost>
```

That works. Also, 3 backticks before and after works well too

Like
```
apache config
```
I got called away for a bit but will study later

3 Likes

Thanks but that's what I originally had. Got "Service unavailable" at the website. It's supposed to be a valid method if I want a separate cert for the subdomain, just as the above method is valid to have one cert for two domains according to the very good docs.

I think it's more sensible to have one cert for both domain names since they have the same root and I don't want to be a clod and ask for a million certs.

I have found in the logs that there was an error where my DNS registrar did not have www.icf.quantum-equities.com. Maybe that was the problem. I've corrected that at the registrar now, but mod_md has hammered LE so much that I am disabled for at least an hour.

3 Likes

The cert used by any one VirtualHost must have all the names listed for ServerName and for ServerAlias

You can have one cert for all the names in all your VirtualHosts or one cert for each VirtualHost with just their names.

It looks like mod_md with the auto default collects all the ServerAlias names for the cert. I only looked at the example in the Apache docs and not the github, so, sure, if that says your method was OK then that's good.

And, yes, your DNS must have an A and/or AAAA record for each of these names too.

If the 503 was a request to your server that's a different issue, probably not related to the cert itself. Often that is a proxy to another server that is failing, but other causes are possible.

EDIT: The Staging system is helpful when testing once a problem occurs to avoid the rate limits you describe

3 Likes
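The two rules above (every ServerName/ServerAlias of a TLS VirtualHost must be in the cert, and every such name must resolve) are easy to check before asking Let's Encrypt for anything, which also keeps you clear of the rate limits mentioned later. The script below is an added example, not code from this thread or from the mod_md project. It parses a constructed config modelled on the one posted above, works out which names the mod_md certificate will carry, and reports names that would produce SSL_ERROR_BAD_CERT_DOMAIN or that have no DNS record. The coverage rule is my reading of the mod_md docs: with MDMembers auto (the default) a VirtualHost that shares a name with an MDomain contributes all of its ServerName/ServerAlias values; with MDMembers manual only the names written on the MDomain line count. The DNS lookup is injectable, and the constructed zone FAKE_DNS deliberately omits www.icf.quantum-equities.com to reproduce the registrar mistake found later in the thread; the 192.0.2.x addresses are documentation addresses, not real ones.

```python
"""Check that every name a TLS VirtualHost serves is covered by a mod_md
MDomain and has a DNS record.

Added example, not code from the thread or from mod_md. Flags the two failure
modes discussed above: a vhost name no certificate will carry (browser shows
SSL_ERROR_BAD_CERT_DOMAIN) and a name with no A/AAAA record (mod_md cannot
validate it). Coverage rule as the author of this example reads the mod_md
docs: MDMembers auto adds all names of a matching VirtualHost, manual uses
only the MDomain line.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample config, modelled on the one posted in the thread.
SAMPLE_CONFIG = """
<MDomain quantum-equities.com icf.quantum-equities.com>
  MDRequireHttps permanent
</MDomain>

<VirtualHost *:80>
    ServerName quantum-equities.com
    Redirect permanent / https://quantum-equities.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName quantum-equities.com
    ServerAlias www.quantum-equities.com
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName icf.quantum-equities.com
    ServerAlias www.icf.quantum-equities.com
    SSLEngine on
</VirtualHost>
"""

# Constructed zone mirroring the thread: www.icf has no record at the registrar.
FAKE_DNS: Dict[str, List[str]] = {
    "quantum-equities.com": ["192.0.2.10"],
    "www.quantum-equities.com": ["192.0.2.10"],
    "icf.quantum-equities.com": ["192.0.2.10"],
}

_MD_RE = re.compile(r"^\s*<?MDomain\s+([^>\n]+?)>?\s*$", re.IGNORECASE | re.MULTILINE)
_VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
_NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_SSL_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE | re.MULTILINE)


def _host(token: str) -> str:
    """Normalise a ServerName token: drop scheme and port, lower-case."""
    return token.split("://")[-1].split(":")[0].lower()


def md_names(config: str) -> Set[str]:
    """Hostnames written on MDomain lines or block headers; mode keywords are not names."""
    names: Set[str] = set()
    for m in _MD_RE.finditer(config):
        names.update(_host(t) for t in m.group(1).split() if t.lower() not in ("auto", "manual"))
    return names


def tls_vhost_names(config: str) -> List[Set[str]]:
    """One set of ServerName + ServerAlias names per VirtualHost that has SSLEngine on."""
    result: List[Set[str]] = []
    for block in _VHOST_RE.finditer(config):
        body = block.group(1)
        if not _SSL_RE.search(body):
            continue  # plain :80 redirect vhosts need no certificate
        result.append({_host(t) for m in _NAME_RE.finditer(body) for t in m.group(1).split()})
    return result


def cert_names(config: str, manual: bool = False) -> Set[str]:
    """Names the mod_md certificate(s) will carry under the given MDMembers mode."""
    covered = md_names(config)
    if not manual:
        for names in tls_vhost_names(config):
            if names & covered:  # vhost matches an MDomain: its aliases are added
                covered |= names
    return covered


def uncovered_names(config: str, manual: bool = False) -> Set[str]:
    """Names a TLS vhost answers for that its certificate will not contain."""
    served = {n for names in tls_vhost_names(config) for n in names}
    return served - cert_names(config, manual)


def unresolvable_names(names: Iterable[str],
                       resolve: Optional[Callable[[str], List[str]]] = None) -> Set[str]:
    """Names with no A/AAAA record; `resolve` is injectable so the check can run offline."""
    if resolve is None:
        resolve = lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)]
    missing: Set[str] = set()
    for name in sorted(names):
        try:
            if not resolve(name):
                missing.add(name)
        except socket.gaierror:
            missing.add(name)
    return missing


def fake_resolve(host: str) -> List[str]:
    """Offline resolver over the constructed zone above."""
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for manual in (False, True):
        mode = "manual" if manual else "auto"
        print(f"MDMembers {mode}: uncovered =", sorted(uncovered_names(SAMPLE_CONFIG, manual)) or "none")
    print("no DNS record:", sorted(unresolvable_names(cert_names(SAMPLE_CONFIG), fake_resolve)))
```

Run against a real config, replace `SAMPLE_CONFIG` with the file contents and drop the `fake_resolve` argument so the system resolver is used; in auto mode the sample reports nothing uncovered but one unresolvable name, which is exactly the symptom in the error log quoted below.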

Yes my above config is correct. The prob was in the httpd error logs -- I had only set icf.quantum-equities.com but not www.icf.quantum-equities.com at my domain registrar, yet called for www. in the virtual-hosts file.

Picky-picky... :j

1 Like

Euh, having the hostname actually registered in the DNS is quite straightforward and I wouldn't say stuff is picky about that.

3 Likes

(I was being facetious, as evidenced by my :j ...)

1 Like

Does anyone know whether, with mod_md, this is needed in crontab?

```
49 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
```

... or is this just detritus left over from my prior efforts?

Does using mod_md automatically renew the certs?

2 Likes

(I'm not familiar with that emoji "syntax".)

2 Likes

I am guessing it means joke.

1 Like

Neither is Wikipedia:

2 Likes

Yes. mod_md is an ACME Client and takes care of renewals. I'm surprised more people don't use it.

You don't need acme.sh anymore

3 Likes

Haven't gotten around to looking into it; It's only been around for 6 years... LOL

3 Likes

It could be from the days of ASCII art - Wikipedia and Usenet - Wikipedia

1 Like

@rg305 yes, it pretty much does everything, requests the initial certs, scans all aliases to include, does updates 30 days before expiry, and so on. You do have to have it set up right, and the docs I linked above will get you there. mod_md is really quite a massive improvement over certbot.

The only caveat is my problem above, and that you must restart Apache weekly in case the cert changes so the new one will take effect. systemd cannot do that, so it has to be a cron job:

```
# crontab -e
0 01 * * Sun /usr/bin/systemctl restart httpd.service
```

Osiris, it just takes a minuscule bit of common sense if your first language is English. Look at it sideways and it's two eyes with a half-smile. (sardonic)

And Bruce5051, yes, I am 68yo.

2 Likes