Need some help with Apache

dotaku · December 12, 2018, 2:30pm

My domain is: www.ericsbinaryworld.com

I ran this command: certbot --apache

It produced this output: (the correct output)

My web server is (include version): apache

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is:Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Things went got FUBARed last night so I blew away the offending httpd.conf and the one created by certbot to get back to a situation where my website was working.

In an attempt to get the best help, here’s how things went.

I had a httpd.conf where I had definted the ServerName and document root in the body of the httpd.conf because it’s the only site on that VM. So certbot didn’t know what to do because I didn’t have virtual hosts.

So I created a virtualhost with the same info. (Perhaps important: I did not remove it from the general config when I created the virtualhost - so there were effectively 2 declarations for www.ericsbinaryworld.com)

Now certbot would install.

But I went to the “is your cert working correctly” page and it reported everything was good.

But when I tried t load the site, I got the error that it was a self-signed cert.

Couldn’t figure out how to get things fixed so I blew everything away. I noticed that there is an SSL.conf either in /conf/modules.d or conf.d/ . That one points to the self-signed cert.

So, question time:

When I create the virtual host do I need to get rid of the info from further up the httpd config?
Should my virtualhost be for www.ericsbinaryworld.com or ericsbinaryworld.com? When I tried to setup ServerAlias to make sure both circumstances were covered, I got an error on the cert-check site that the name didn’t match.
Do I need to do anything to SSL.conf? or once I fix whatever I did wrong (if anything) with questions 1 and 2 does the httpd-someting.conf that certbot adds take care of things?

jmorahan · December 12, 2018, 3:47pm

Nope, the virtual host overrides the main configuration.

Assuming you want to use both names, I'd recommend creating two virtual hosts, one for each name, and configure one to just redirect to the other e.g. Redirect permanent "/" "https://www.ericsbinaryworld.com/". Alternatively if your existing configuration already handles conditionally redirecting, you can just put it in a single virtual host that matches both names (one as ServerName and one as ServerAlias).

In either case, you probably want to get a certificate covering both names (although in the first case you could instead get separate certificates for the two names).

Certbot should take care of things, though it might fail if your configuration is unusual and it can't figure out how to modify it. In that case please post the actual configuration and the error you get and we can try to help

dotaku · December 12, 2018, 4:37pm

Does this happen automatically? Or do I need to specify something when using certbot?

rg305 · December 12, 2018, 4:38pm

I would keep it clean and only have FQDNs appear in only one place.

You are still serving the self-signed cert (for both names):
https://www.ssllabs.com/ssltest/analyze.html?d=ericsbinaryworld.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.ericsbinaryworld.com

jmorahan · December 12, 2018, 4:57pm

It should ask what domains you want, and you can select both names e.g. 1,2

Or if you prefer, you can specify them on the command line using the -d option e.g. certbot -d ericsbinaryworld.com -d www.ericsbinaryworld.com

As long as you specify both names in a single command, it should get you a single certificate covering both names (or detect if you already have one).

Sure, it is cleaner and perhaps less confusing for someone else reading the configuration if you tidy it up. I just meant it's not technically necessary

dotaku · December 12, 2018, 6:59pm

Thanks. I think by that point I wasn't paying close attention and didn't realize I could do both.

dotaku · December 12, 2018, 7:00pm

Yeah, I had to blow it away last night and haven’t had a chance to reconfigure. I’ll post here with success or failure after I have another go at it.

dotaku · December 13, 2018, 12:17am

OK, looks like I have a successful setup now. I opted not to do auto-redirection, at least for now. (Because that made it a lot harder for me to do troubleshooting last night) Thanks for your help.

For anyone that finds this thread on Google, here’s what I did:

I removed www.ericsbinaryworld.com from the main httpd.conf and only put it in the VirtualHost directive. I put a ServerAlias for ericsbinaryworld.com. I ran certbot with a cert for both together. As of right now, viewing the site with Google Chrome says it’s SSL, but the images are insecure. I’ll have to fix that later with the Wordpress config. That’s what I did with my other site, but for some reason trying to do the same thing here led my wordpress site to become unavailable so I’ll have to investigate that further. Or maybe just implement httpd.conf redirection once I’m sure everything’s working.

By the way…is there a way to get the redirection that let’s encrypt would generate without running cerbot again (and risking breaking something)?

schoen · December 13, 2018, 12:25am

You could manually adapt it from the Certbot source code.

github.com

certbot/certbot/blob/f6219ddf196f1de0c4d12e1bb5c1f6d737a6e844/certbot-apache/certbot_apache/http_01.py#L13


      
          import os
          
          from acme.magic_typing import Set  # pylint: disable=unused-import, no-name-in-module
          from certbot import errors
          from certbot.plugins import common
          from certbot_apache.obj import VirtualHost  # pylint: disable=unused-import
          from certbot_apache.parser import get_aug_path
          
          logger = logging.getLogger(__name__)
          
          class ApacheHttp01(common.TLSSNI01):
              """Class that performs HTTP-01 challenges within the Apache configurator."""
          
              CONFIG_TEMPLATE22_PRE = """\
                  RewriteEngine on
                  RewriteRule ^/\\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ {0}/$1 [L]
          
              """
              CONFIG_TEMPLATE22_POST = """\
                  <Directory {0}>
                      Order Allow,Deny

github.com

certbot/certbot/blob/80cd134847edd1b860315796d3accf1a46171b16/certbot-apache/certbot_apache/constants.py#L28


      
              'cfdd7c18d2025836ea3307399f509cfb1ebf2612c87dd600a65da2a8e2f2797b',
              '80720bd171ccdc2e6b917ded340defae66919e4624962396b992b7218a561791',
              'c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082',
          ]
          """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
          
          AUGEAS_LENS_DIR = pkg_resources.resource_filename(
              "certbot_apache", "augeas_lens")
          """Path to the Augeas lens directory"""
          
          REWRITE_HTTPS_ARGS = [
              "^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,NE,R=permanent]"]
          """Apache version<2.3.9 rewrite rule arguments used for redirections to
          https vhost"""
          
          REWRITE_HTTPS_ARGS_WITH_END = [
              "^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,NE,R=permanent]"]
          """Apache version >= 2.3.9 rewrite rule arguments used for redirections to
              https vhost"""
          
          OLD_REWRITE_HTTPS_ARGS = [

Or, consult the Apache documentation to learn how to make custom redirects of your choice:

https://httpd.apache.org/docs/current/mod/mod_rewrite.html

(There's nothing better or more appropriate about what Certbot does to your Apache configuration in this regard than a rewrite directive that you create for yourself.)

system · January 12, 2019, 12:25am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.