Need some help with Apache


#1

My domain is: www.ericsbinaryworld.com

I ran this command: certbot --apache

It produced this output: (the correct output)

My web server is (include version): apache

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Things got FUBARed last night so I blew away the offending httpd.conf and the one created by certbot to get back to a situation where my website was working.

In an attempt to get the best help, here’s how things went.

I had a httpd.conf where I had defined the ServerName and document root in the body of the httpd.conf because it’s the only site on that VM. So certbot didn’t know what to do because I didn’t have virtual hosts.

So I created a virtualhost with the same info. (Perhaps important: I did not remove it from the general config when I created the virtualhost - so there were effectively 2 declarations for www.ericsbinaryworld.com)

Now certbot would install.

But I went to the “is your cert working correctly” page and it reported everything was good.

But when I tried to load the site, I got the error that it was a self-signed cert.

Couldn’t figure out how to get things fixed so I blew everything away. I noticed that there is an SSL.conf either in /conf/modules.d or conf.d/ . That one points to the self-signed cert.

So, question time:

  1. When I create the virtual host do I need to get rid of the info from further up the httpd config?
  2. Should my virtualhost be for www.ericsbinaryworld.com or ericsbinaryworld.com? When I tried to setup ServerAlias to make sure both circumstances were covered, I got an error on the cert-check site that the name didn’t match.
  3. Do I need to do anything to SSL.conf? Or once I fix whatever I did wrong (if anything) with questions 1 and 2 does the httpd-something.conf that certbot adds take care of things?

#2

Nope, the virtual host overrides the main configuration.

Assuming you want to use both names, I’d recommend creating two virtual hosts, one for each name, and configure one to just redirect to the other e.g. Redirect permanent "/" "https://www.ericsbinaryworld.com/". Alternatively if your existing configuration already handles conditionally redirecting, you can just put it in a single virtual host that matches both names (one as ServerName and one as ServerAlias).

In either case, you probably want to get a certificate covering both names (although in the first case you could instead get separate certificates for the two names).

Certbot should take care of things, though it might fail if your configuration is unusual and it can’t figure out how to modify it. In that case please post the actual configuration and the error you get and we can try to help.


#3

Does this happen automatically? Or do I need to specify something when using certbot?


#4

I would keep it clean and only have FQDNs appear in only one place.

You are still serving the self-signed cert (for both names):
https://www.ssllabs.com/ssltest/analyze.html?d=ericsbinaryworld.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.ericsbinaryworld.com
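
Added example, not part of the original thread or of Certbot: a simplified model of Apache's name-based virtual host selection that reports which SSLCertificateFile each hostname would be served from. The sample configuration and its certificate paths are constructed for illustration; on a live server `apachectl -S` shows the authoritative mapping.

```python
import re
from fnmatch import fnmatch

# Constructed sample, in load order: a default TLS vhost holding a self-signed
# cert, then a certbot-style vhost. All paths here are illustrative assumptions.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.ericsbinaryworld.com
    ServerAlias ericsbinaryworld.com
    SSLCertificateFile /etc/letsencrypt/live/www.ericsbinaryworld.com/fullchain.pem
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [{'addr', 'names', 'cert'}] for each <VirtualHost> block, in file order."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()
            key = parts[0].lower() if parts else ""
            if key in ("servername", "serveralias"):
                # ServerName may carry a scheme or port; keep only the host part
                names += [re.sub(r"^\w+://|:\d+$", "", n).lower() for n in parts[1:]]
            elif key == "sslcertificatefile":
                cert = parts[1]
        vhosts.append({"addr": addr.strip(), "names": names, "cert": cert})
    return vhosts

def select_vhost(vhosts, hostname, port=443):
    """Simplified selection: first name match wins, else the first vhost on the port."""
    on_port = [v for v in vhosts if v["addr"].endswith(":%d" % port)]
    for v in on_port:
        if any(fnmatch(hostname.lower(), n) for n in v["names"]):
            return v
    return on_port[0] if on_port else None

def cert_for(conf, hostname):
    v = select_vhost(parse_vhosts(conf), hostname)
    return v["cert"] if v else None

if __name__ == "__main__":
    for host in ("www.ericsbinaryworld.com", "ericsbinaryworld.com", "other.example"):
        print(host, "->", cert_for(SAMPLE_CONF, host))
```

A hostname that no ServerName or ServerAlias covers falls through to the first virtual host on the port, which in this sample is the one holding the self-signed certificate.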


#5

It should ask what domains you want, and you can select both names e.g. 1,2

Or if you prefer, you can specify them on the command line using the -d option e.g. certbot -d ericsbinaryworld.com -d www.ericsbinaryworld.com

As long as you specify both names in a single command, it should get you a single certificate covering both names (or detect if you already have one).

Sure, it is cleaner and perhaps less confusing for someone else reading the configuration if you tidy it up. I just meant it’s not technically necessary.


#6

Thanks. I think by that point I wasn’t paying close attention and didn’t realize I could do both.


#7

Yeah, I had to blow it away last night and haven’t had a chance to reconfigure. I’ll post here with success or failure after I have another go at it.


#8

OK, looks like I have a successful setup now. I opted not to do auto-redirection, at least for now. (Because that made it a lot harder for me to do troubleshooting last night) Thanks for your help.

For anyone that finds this thread on Google, here’s what I did:

  • I removed www.ericsbinaryworld.com from the main httpd.conf and only put it in the VirtualHost directive. I put a ServerAlias for ericsbinaryworld.com. I ran certbot with a cert for both together. As of right now, viewing the site with Google Chrome says it’s SSL, but the images are insecure. I’ll have to fix that later with the WordPress config. That’s what I did with my other site, but for some reason trying to do the same thing here led my WordPress site to become unavailable so I’ll have to investigate that further. Or maybe just implement httpd.conf redirection once I’m sure everything’s working.

By the way… is there a way to get the redirection that Let’s Encrypt would generate without running certbot again (and risking breaking something)?


#9

You could manually adapt it from the Certbot source code.


Or, consult the Apache documentation to learn how to make custom redirects of your choice:

https://httpd.apache.org/docs/current/mod/mod_rewrite.html

(There’s nothing better or more appropriate about what Certbot does to your Apache configuration in this regard than a rewrite directive that you create for yourself.)

