Problem with certbot with ubuntu server 22.04.3 LTS

Well, here are a number of checks in the attached file.
ufw status and log, iptables, Apache log looking for "amazonaws", search for rewrite condition or setEnvIf, ...

I don't see anything that could be a problem.
The only thing may be a conflict with the IfDefine and IfModule of my virtual-host... I don't think so... but I don't have enough knowledge to be very clear about that.

access.log_ufw_status_iptables_ufw.log.txt (28.5 KB)

curl -I http://sesstim4.timone.univ-amu.fr -A "Let's Encrypt validation server"

You did not include the full path, nor the full header.
Try:

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/sometestfile \
-A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2 Likes

Notice the difference the "NOT" makes:
[you may have to scroll right to see it]

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (52) Empty reply from server

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's Encrypt NOT validation server; +https://www.letsencrypt.org)"
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2023 15:29:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 09:48:51 GMT
ETag: "7-60a2dcf879284"
Accept-Ranges: bytes
Content-Length: 7

In fact, it can be replicated with a much shorter user agent header:
[again, scroll right to see it all]

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Let's Encrypt validation server;"
curl: (52) Empty reply from server
3 Likes

Well, I'm not sure I understand what you're pointing out and how it should direct me. Whether I do it with or without "NOT" I get the same answer.

jcdufour@sesstim4:~$ curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2023 15:42:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 09:48:51 GMT
ETag: "7-60a2dcf879284"
Accept-Ranges: bytes
Content-Length: 7

jcdufour@sesstim4:~$ curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's Encrypt NOT validation server; +https://www.letsencrypt.org)"
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2023 15:43:00 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 09:48:51 GMT
ETag: "7-60a2dcf879284"
Accept-Ranges: bytes
Content-Length: 7

I was thinking about that. It could STILL be Palo Alto problem!

The four packets shown are probably not enough to actually make the user agent reach the webserver. It might even be the firewall sending the reset packet ([R.]) in the last packet. What might be happening is that the firewall passes the first three packets (TCP handshake) and when it actually receives the HTTP request with the user agent, it closes the connection by sending a reset packet to Let's Encrypt as well as the downstream webserver.

2 Likes

Well, then it shows it is NOT the server.
Back we go to the Palo Alto firewall.
Please refer your IT firewall people to:

2 Likes

As a temporary workaround...
Have you tried getting a cert from any other CA?

2 Likes

Yes, I've just set up a RENATER certificate. This service is the French version of the contract signed between GÉANT Association and the commercial certification provider Sectigo, for the benefit of some thirty national Education and Research networks in Europe, including RENATER.

The certificate is valid for one year, but I'd prefer to benefit from a self-renewing Let's Encrypt certificate.

And just before, I had successfully installed a ZeroSSL certificate

You can automate the renewals for ZeroSSL - until the firewall folks correct the Palo Alto problem.

2 Likes

I've asked the firewall people to look at our conversation...but I don't know if they'll do it. I hope they will.
Concerning ZeroSSL, my understanding is that the free version doesn't allow you to obtain more than 3 certificates. So 3 x 90 days: 270 days (less than the RENATER certificate).

1 Like

hmm...
I thought it was always free if you use ACME.
[but I don't use ZeroSSL - so, I can't be sure]

In any case, 60+60+90 = a lot more than your firewall team would need to fix the problem!
LOL

3 Likes

That's only if you're using their web interface. When using their ACME API, you can issue as many certificates as you want. The only downside to their ACME API is that they won't issue certs for IP addresses that way. But otherwise, you can do whatever you want, no limit.

2 Likes

Here’s a comparison of ACME CAs

And another

2 Likes

Thank you. It's very useful

3 Likes

The administrators have checked the palo alto firewall. They installed ubuntu 22.04 server on the same IP range as my sesstim4 server and found no problem when running the certbot --apache command and were able to generate the certificate without any problem. So the problem comes from the configuration of my sesstim4 server. But I don't know what's wrong. The only clue I have (but I'm not expert enough to explore it) are my somewhat peculiar virtual-hosts with "IfDefine" and "IfModule" to manage WSGI with the problem that is reported here [Apache] Certbot Fail attempt to install cert on WSGI · Issue #8373 · certbot/certbot · GitHub.

I've also noticed that the apache2ctl -M command generates an error
jcdufour@sesstim4:~$ apache2ctl -M
AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/virtual-host-ssl.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/sesstim4.timone.univ-amu.fr_RENATER.key' does not exist or is empty
Action '-M' failed.
The Apache error log may have more information.

While systemctl status apache2 does not reveal any problem.
jcdufour@sesstim4:~$ systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-11-17 09:10:47 CET; 5 days ago
Docs: Apache HTTP Server Version 2.4 Documentation - Apache HTTP Server Version 2.4
Process: 54304 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Main PID: 22698 (apache2)
Tasks: 57 (limit: 19028)
Memory: 169.8M
CPU: 56.602s
CGroup: /system.slice/apache2.service
├─22698 /usr/sbin/apache2 -k start
├─54350 /usr/sbin/apache2 -k start
├─54351 /usr/sbin/apache2 -k start
├─54352 /usr/sbin/apache2 -k start
├─54353 /usr/sbin/apache2 -k start
├─54354 /usr/sbin/apache2 -k start
├─54355 /usr/sbin/apache2 -k start
├─54356 /usr/sbin/apache2 -k start
└─54526 /usr/sbin/apache2 -k start

nov. 18 00:00:01 sesstim4 systemd[1]: Reloading The Apache HTTP Server...
nov. 18 00:00:01 sesstim4 systemd[1]: Reloaded The Apache HTTP Server.
nov. 19 00:00:01 sesstim4 systemd[1]: Reloading The Apache HTTP Server...

Do you have any suggestions?

1. Run these commands from OUTSIDE the local network:

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

curl: (52) Empty reply from server

curl -Ii http://sesstim4.timone.univ-amu.fr/.well-known/acme-challenge/testfile -A "Mozilla/5.0 (compatible; Let's NOT Encrypt validation server; +https://www.letsencrypt.org)"

HTTP/1.1 200 OK
Date: Wed, 22 Nov 2023 12:51:56 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 09:48:51 GMT
ETag: "7-60a2dcf879284"
Accept-Ranges: bytes

2. Show the results to your firewall administrators.

3 Likes
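The two-request comparison used in this thread (the real Let's Encrypt validation user agent versus a control user agent that differs only by "NOT", first shown earlier in the thread and repeated in the two steps above) can be scripted so the result is a verdict rather than two pastes to eyeball. The following is an added example, not code from the thread or from certbot: `probe()`, `diagnose()`, `run_demo()` and `UAFilteringHandler` are names chosen here, and the local HTTP server is a constructed stand-in for a middlebox that drops connections carrying the Let's Encrypt user agent, so the script runs offline. To check a real host from outside its network, call `diagnose("sesstim4.timone.univ-amu.fr", 80)` instead of `run_demo()`.

```python
"""Compare a HEAD request to the ACME challenge path under two user agents.

A middlebox that cuts the connection only for the Let's Encrypt user agent
shows up as "empty_reply" for the real UA and an HTTP status for the control.
"""
import http.client
import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# User agents from the thread: the validation UA and a control differing only by "NOT".
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
CONTROL_UA = "Mozilla/5.0 (compatible; Let's NOT Encrypt validation server; +https://www.letsencrypt.org)"
CHALLENGE_PATH = "/.well-known/acme-challenge/testfile"


def probe(host, port, path, user_agent, timeout=10.0):
    """HEAD request with the given User-Agent.

    Returns ("http", status) on any HTTP reply, ("empty_reply", exc) when the
    peer closes or resets the connection before answering (what curl reports
    as "(52) Empty reply from server"), or ("error", exc) for other failures.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": user_agent})
        return ("http", conn.getresponse().status)
    except (http.client.RemoteDisconnected, ConnectionResetError, http.client.BadStatusLine) as exc:
        return ("empty_reply", type(exc).__name__)
    except OSError as exc:  # timeouts and unreachable hosts end up here
        return ("error", type(exc).__name__)
    finally:
        conn.close()


def diagnose(host, port, path=CHALLENGE_PATH):
    """Run both user agents against the same URL and classify the outcome."""
    le = probe(host, port, path, LE_UA)
    control = probe(host, port, path, CONTROL_UA)
    if le[0] == "http" and control[0] == "http":
        verdict = "no_ua_filtering"          # both requests reach the web server
    elif le[0] == "empty_reply" and control[0] == "http":
        verdict = "ua_filtering_suspected"   # only the LE UA is cut off: look at the firewall
    else:
        verdict = "inconclusive"             # e.g. host unreachable for both
    return {"le": le, "control": control, "verdict": verdict}


class UAFilteringHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the firewall: no reply on the LE UA, 200 otherwise."""
    filtering = True  # set False to model a network that passes everything

    def do_HEAD(self):
        if self.filtering and "Let's Encrypt validation server" in self.headers.get("User-Agent", ""):
            # Return without writing anything, so the client never gets an HTTP
            # response. SO_LINGER with a zero timeout makes the socket close abort
            # with RST instead of lingering, like the [R.] packet in the thread.
            self.connection.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            self.close_connection = True
            return
        self.send_response(200)
        self.send_header("Content-Length", "7")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo(filtering=True):
    """Start the stand-in server on a loopback port, diagnose against it, stop it."""
    handler = type("Handler", (UAFilteringHandler,), {"filtering": filtering})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return diagnose("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("filtering middlebox:", run_demo(filtering=True))
    print("clean network      :", run_demo(filtering=False))
```

The verdict only means something when the requests originate outside the local network, as step 1 above says: from inside, the request may never cross the firewall, which is exactly why the original poster saw 200 for both user agents from the server itself.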

Hello,
you were right, the palo alto firewall settings were indeed at fault. My server was behind not one but 2 !!! palo alto firewalls, and the second one didn't let the ACME protocol through.
I can now benefit from a let's encrypt certificate and automatic renewal.
Thank you for your help and patience with me.

Kind regards

4 Likes
