Problems with getting Certbot setup to work

I am very sorry for the long pause, I just got access to the router. I did change the opened port from 433 to 443, now the website can be opened with encryption via https://eekhof.org. I would, however, still like to activate the automatic redirect to https. With my earlier methods I always got prompted if I want to activate it when running certbot --apache, but with this new version the prompt didn't appear. Is there some easy way to do it via certbot?

apachectl -t -D DUMP_VHOSTS yields:

VirtualHost configuration:
*:443                  eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:49)
         port 80 namevhost raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:49)
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:94)
                 alias www.eekhof.org
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.eekhof.org

Welcome back. I see a couple of things we should sort out. The first is this name/port overlap. Can you show the contents of both of these? Maybe put them in separate posts to better separate them.

/etc/apache2/sites-enabled/000-default-le-ssl.conf
/etc/apache2/sites-enabled/000-default.conf

Note: I know you showed one of these earlier but it looks like it has had some changes since then so best to start fresh.

4 Likes
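The name/port overlap above is easy to miss by eye in a long DUMP_VHOSTS listing. Here is an added example (not from the original thread or from Certbot) that parses the `apachectl -t -D DUMP_VHOSTS` output format shown above and reports every (port, name) pair that is served by more than one VirtualHost, plus the list of files Apache actually loaded; the sample text is a constructed copy of the output posted earlier in this thread.

```python
"""Find name/port overlaps in `apachectl -t -D DUMP_VHOSTS` output."""
import re
from collections import defaultdict

# Constructed sample: a copy of the DUMP_VHOSTS output posted earlier in this thread.
SAMPLE = """VirtualHost configuration:
*:443                  eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:49)
         port 80 namevhost raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:49)
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:94)
                 alias www.eekhof.org
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.eekhof.org
"""

# "*:443   eekhof.org (/path/file.conf:2)"  -> single vhost on that address:port
SINGLE_RE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\((\S+):(\d+)\)$")
# "   port 80 namevhost eekhof.org (/path/file.conf:94)" -> one of several name-based vhosts
NAMEVHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\((\S+):(\d+)\)$")
# "           alias www.eekhof.org" -> ServerAlias of the vhost listed just before it
ALIAS_RE = re.compile(r"^\s+alias (\S+)$")


def parse_vhosts(text):
    """Return one (port, [names], conf_file, line) tuple per VirtualHost block.

    The 'default server' line repeats the first namevhost, so it is deliberately skipped.
    """
    vhosts = []
    for raw in text.splitlines():
        m = SINGLE_RE.match(raw) or NAMEVHOST_RE.match(raw)
        if m:
            port, name, path, line = m.groups()
            vhosts.append((int(port), [name], path, int(line)))
            continue
        m = ALIAS_RE.match(raw)
        if m and vhosts:
            vhosts[-1][1].append(m.group(1))  # alias belongs to the last vhost seen
    return vhosts


def find_overlaps(vhosts):
    """Map (port, name) -> ['file:line', ...] for every name defined more than once on a port."""
    seen = defaultdict(list)
    for port, names, path, line in vhosts:
        for name in names:
            seen[(port, name)].append(f"{path}:{line}")
    return {key: locs for key, locs in seen.items() if len(locs) > 1}


def loaded_files(vhosts):
    """Sorted list of every .conf file that contributed a VirtualHost (stray backups show up here)."""
    return sorted({path for _, _, path, _ in vhosts})


if __name__ == "__main__":
    parsed = parse_vhosts(SAMPLE)
    for (port, name), locs in sorted(find_overlaps(parsed).items()):
        print(f"port {port} name {name} defined in: {', '.join(locs)}")
    print("loaded files:", loaded_files(parsed))
```

Run it against live output with `apachectl -t -D DUMP_VHOSTS | python3 vhost_overlaps.py` after replacing `SAMPLE` with `sys.stdin.read()`; an empty overlap map is the "clean config" the thread is working toward.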

I'd like to add that several certs were issued recently.
Some with just the base name and some that included the "www".
[prepare for emails in about 60 days - re: the unrenewed cert(s)]

We should review which cert(s) remain and which are being used.

After which, I would like to see both names being used in the HTTPS vhost:

[only one name is being shown now]

4 Likes

Alright, here is the 000-default.conf:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName eekhof.org
	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And here is the 000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	#ADDED BY LUCAS EEKHOF HIMSELF:
	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



ServerName eekhof.org
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.eekhof.org
SSLCertificateFile /etc/letsencrypt/live/eekhof.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/eekhof.org/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName eekhof.org
	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

Oh ok, thanks. certbot certificates yields:

Found the following certs:
  Certificate Name: eekhof.org
    Serial Number: 36ed81e664bfc8f29d047e8fc9153092845
    Key Type: RSA
    Domains: eekhof.org www.eekhof.org
    Expiry Date: 2022-12-15 05:54:12+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/eekhof.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eekhof.org/privkey.pem

And for the second part of your message I am not really sure how to display the names being used in the HTTPS vhost...

2 Likes

Ok, first step. This should be easy. Your two port 80 VirtualHosts for eekhof.org/www.eekhof.org are identical. Let's remove all these lines from your 000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName eekhof.org
	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
3 Likes

Second step. You have an "extra" port 80 VirtualHost in your -le-ssl.conf file. It doesn't hurt anything but it doesn't add any value either. I think it just adds confusion to your config so I recommend also deleting these lines from your -le-ssl.conf file. In the future, if you want to create a different default port 80 VirtualHost just make a new .conf file for it.

I'll point out that this VirtualHost has the ServerName commented out. That is the only difference from your eekhof VHost.

<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
3 Likes

The -le-ssl.conf file already shows the addition of the ServerAlias to your port 443 VirtualHost recommended by rg305.

So, after the above two changes please show fresh output of this:

apachectl -t -D DUMP_VHOSTS

We should have a clean config to work with now.

Then, don't run certbot yet. But, just explain what you don't think is working with redirects. Because I see the basic redirects working fine and it looks correct in your config. Is it just the different message from certbot?

3 Likes

This order might be throwing off the output:

Try changing it to:

ServerName eekhof.org
ServerAlias www.eekhof.org
Include /etc/letsencrypt/options-ssl-apache.conf

This entire section should be removed from the file: 000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName eekhof.org
	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
3 Likes

@LucasTrever That's the same section I suggested be removed in post #27. You don't need to do it twice :slight_smile:

4 Likes

Hey,

Thanks, I implemented all the changes suggested above.

apachectl -t -D DUMP_VHOSTS now yields:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
                 alias www.eekhof.org
         port 443 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl_backup.conf:2)
                 alias www.eekhof.org
*:80                   is a NameVirtualHost
         default server raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl_backup.conf:49)
         port 80 namevhost raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl_backup.conf:49)
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl_backup.conf:94)
                 alias www.eekhof.org
         port 80 namevhost eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.eekhof.org

Concerning the redirects, it now seems to me that all the redirects work; even if I try to connect to http://eekhof.org, I get redirected to https://eekhof.org.

The only thing that still worries me is the fact that when I enter the page https://eekhof.org/privateusers/lucas/lucas.html, which prompts me for authentication, Chrome still tells me that the "website is insecure" and not properly encrypted...

I would recommend disabling the backup configuration files: currently Apache also loads the backups, which I do not think is a good idea.

4 Likes

Yes, first you must remove the backup file from your sites-enabled.

Can you show the actual error? Because I don't see any reason it would be a failure with the certificate.

4 Likes

Oh yes of course, sorry, I deleted the backup file, now sudo apachectl -t -D DUMP_VHOSTS yields:

VirtualHost configuration:
*:443                  eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)

Regarding the problem with the certificate, here I took a screenshot from Chrome (I don't know if this kind of issue is outside the scope of this forum, since it could also be browser-related; it did not show this warning when I used another browser (Tor)):

1 Like

What happened to this alias that you had earlier?

What shows when you click on the Learn More for that error?

4 Likes

I'm not entirely sure, I just deleted the backup file and reran the command...

The "Learn More" just sends me to this generic information site:

I can't well explain either of those issues - the missing ServerAlias or the chrome warning.

My best guess on the Chrome warning is that it is related to your basic auth. Because just typing in http://eekhof.org redirects to https: and shows the "padlock". It is only the URI with your auth that shows that. Does it still show that warning after a successful login?

4 Likes

Well, it seems to me that everything works properly at the moment nonetheless, but thanks :slight_smile:

That might very well be, the page after the login shows a secure padlock again.

2 Likes