Reactivate apache2 after letsencrypt installation


#1

Hi there!

I have installed letsencrypt on my Raspi 2, and since then my apache2 won’t work.

I always get this with the command

root@WoW:/home/pi# /etc/init.d/apache2 start
[…] Starting web server: apache2Action ‘start’ failed.
The Apache error log may have more information.
failed!
root@WoW:/home/pi#

the log file says that:

[Fri Dec 25 11:39:40 2015] [notice] caught SIGTERM, shutting down
[Fri Dec 25 11:47:09 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

my

nano /etc/apache2/sites-enabled/000-default

file includes this:

…VirtualHost *:80> // the > have to delete here
ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

/VirtualHost> // the > have to delete here

VirtualHost *:443> // the > have to delete here
DocumentRoot /var/www
ServerName https://xy.no-ip.biz
SSLEngine on
SSLCertificateFile /root/server.crt
SSLCertificateKeyFile /root/server.key

/VirtualHost> // the > have to delete here

I have some other files

/etc/apache2/sites-enabled/

here:

root@WoW:/home/pi# ls -l /etc/apache2/sites-enabled/
total 12
lrwxrwxrwx 1 root root 26 Jun 19 2015 000-default -> ../sites-available/default
-rw-r--r-- 1 root root 878 Jun 24 2015 000-default.save
-rw-r--r-- 1 root root 1118 Jun 24 2015 000-default.saveold
-rw-r--r-- 1 root root 351 Dec 25 11:34 GzeJ2e4m.htm

the GzeJ2e4m.htm includes:

<VirtualHost *:80>
DocumentRoot /etc/apache2/sites-available/vhost/
ServerName xy.no-ip.biz/GzeJ2e4m.htm

<VirtualHost *:443>
DocumentRoot /etc/apache2/sites-available/vhost/
ServerName xy.no-ip.biz/GzeJ2e4m.htm
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

under

/etc/apache2/sites-available/vhost/GzeJ2e4m.htm

is my html saved.

Please help!


#2

The error indicates that the SSL certificate is not correctly defined in your apache config.

You said it was set to

SSLCertificateFile /root/server.crt
SSLCertificateKeyFile /root/server.key

You need these defined and pointing to the correct files. Where are your certificate files? (It depends which client you used. The default letsencrypt-auto would put them in /etc/letsencrypt/live/)


#3

Hi!

But under

/etc/letsencrypt/live/xy.no-ip.biz/

I have other files and not server.crt or server.key

pi@WoW ~ $ sudo ls -l /etc/letsencrypt/live/xy.no-ip.biz/
total 0
lrwxrwxrwx 1 root root 45 Dec 25 11:41 cert.pem -> ../../archive/xy.no-ip.biz/cert1.pem
lrwxrwxrwx 1 root root 46 Dec 25 11:41 chain.pem -> ../../archive/xy.no-ip.biz/chain1.pem
lrwxrwxrwx 1 root root 50 Dec 25 11:41 fullchain.pem -> ../../archive/xy.no-ip.biz/fullchain1.pem
lrwxrwxrwx 1 root root 48 Dec 25 11:41 privkey.pem -> ../../archive/xy.no-ip.biz/privkey1.pem
pi@WoW ~ $

Why?

Now I have to change the file under

sudo nano /etc/apache2/ports.conf

“Listen 443” to “Listen 443 http” under ssl_module

and the apache2 is starting normal with the order

pi@WoW ~ $ sudo /etc/init.d/apache2 start
[…] Starting web server: apache2httpd (pid 31347) already running
. ok
pi@WoW ~ $

The

sudo nano /var/log/apache2/error.log

says that:

[Fri Dec 25 17:25:05 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Dec 25 17:25:05 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Dec 25 17:25:05 2015] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u2 mod_ssl/2.2.22 OpenSSL/1.0.1e configured -- resuming normal operations

But I can’t see any info that the certificate is from letsencrypt; I see only the info from my SSL certificate.

What should I do to get the letsencrypt certificate to work?

kind regards!


#4

try setting;

SSLCertificateFile /etc/letsencrypt/live/xy.no-ip.biz/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem


#5

Hi!

with this

SSLCertificateFile /etc/letsencrypt/live/xy.no-ip.biz/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem

in

sudo nano /etc/apache2/sites-enabled/000-default

I get failure when I start the apache2

pi@WoW ~ $ sudo /etc/init.d/apache2 start
[…] Starting web server: apache2Action ‘start’ failed.
The Apache error log may have more information.
failed!
pi@WoW ~ $

What’s wrong?


#6

can you post (or put in pastebin) your complete /etc/apache2/sites-enabled/000-default file ( and a rough outline of other files you have in there that may conflict )

a default ( for ssl) would look something like;

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/xy.no-ip.biz/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>


#7

Hi
mine looks like this:

http://pastebin.com/V0jnnw8f


#8

The “ServerName https://xy.no-ip.biz” part should not include the https://

Try commenting it out, or change it to “ServerName xy.no-ip.biz”


#9

Hi

this brings no change

http://pastebin.com/eiEZvRMF

because

pi@WoW ~ $ sudo /etc/init.d/apache2 start
[…] Starting web server: apache2Action ‘start’ failed.
The Apache error log may have more information.
failed!
pi@WoW ~ $

Should I take your example?

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/xy.no-ip.biz/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>

kind regards


#10

Does the apache error log show anything useful ?

Testing your config file on one of my servers - it worked perfectly. I’d suspect the error may be in one of the other apache config files you have. Hopefully the error log will give some clues.


#11

No, there is nothing else in there:

look:

[Fri Dec 25 20:18:05 2015] [error] Unable to configure verify locations for client authentication

What should I do now?


#12

Do you mean there are no other files in /etc/apache2/sites-available ?

The error log of;

verify locations for client authentication

Suggests that the path for the certs is wrong. Do the three files exist ?
/etc/letsencrypt/live/xy.no-ip.biz/cert.pem
/etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
/etc/letsencrypt/live/xy.no-ip.biz/chain.pem
and what are the permissions of them ?


#13

That error is because you are using SSLCACertificateFile:
SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem

and you should use SSLCertificateChainFile:
SSLCertificateChainFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem

Cheers,
sahsanu


#14

Here is the list of the files in there:

pi@WoW ~ $ ls -l /etc/apache2/sites-available
total 16
-rw-r--r-- 1 root root 1103 Dec 25 20:17 default
-rw-r--r-- 1 root root 7570 Jun 22 2015 default-ssl
drwxr-xr-x 2 root root 4096 Dec 25 11:02 vhost

The files look like they are under the archive tree - I don’t know why

pi@WoW ~ $ sudo ls -l /etc/letsencrypt/live/xy.no-ip.biz/
total 0
lrwxrwxrwx 1 root root 45 Dec 25 11:41 cert.pem -> ../../archive/xy.no-ip.biz/cert1.pem
lrwxrwxrwx 1 root root 46 Dec 25 11:41 chain.pem -> ../../archive/xy.no-ip.biz/chain1.pem
lrwxrwxrwx 1 root root 50 Dec 25 11:41 fullchain.pem -> ../../archive/xy.no-ip.biz/fullchain1.pem
lrwxrwxrwx 1 root root 48 Dec 25 11:41 privkey.pem -> ../../archive/xy.no-ip.biz/privkey1.pem

pi@WoW ~ $ sudo ls -l /etc/letsencrypt/archive/xy.no-ip.biz/
total 16
-rw-r--r-- 1 root root 1814 Dec 25 11:41 cert1.pem
-rw-r--r-- 1 root root 1675 Dec 25 11:41 chain1.pem
-rw-r--r-- 1 root root 3489 Dec 25 11:41 fullchain1.pem
-rw-r--r-- 1 root root 1704 Dec 25 11:41 privkey1.pem
pi@WoW ~ $

should I move them to the directory

/etc/letsencrypt/live/xy.no-ip.biz/

and should I change this from the other user?

SSLCACertificateFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem

and you should use SSLCertificateChainFile:

SSLCertificateChainFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem


#15

Hi!

Now I have changed my /etc/apache2/sites-enabled/000-default with the content of

pi@WoW ~ $ sudo ls -l /etc/letsencrypt/archive/xy.no-ip.biz/
total 16
-rw-r--r-- 1 root root 1814 Dec 25 11:41 cert1.pem
-rw-r--r-- 1 root root 1675 Dec 25 11:41 chain1.pem
-rw-r--r-- 1 root root 3489 Dec 25 11:41 fullchain1.pem
-rw-r--r-- 1 root root 1704 Dec 25 11:41 privkey1.pem

to that

http://pastebin.com/BgJtzb8w

and started apache2, and everything works.

pi@WoW ~ $ sudo /etc/init.d/apache2 start
[ ok ] Starting web server: apache2.
pi@WoW ~ $

and the https site shows the Let’s Encrypt certificate

I think all is working for me - or do you think something other?


#16

I can see that you are using this conf:

SSLCertificateFile /etc/letsencrypt/archive/xy.no-ip.biz/cert1.pem
SSLCertificateKeyFile /etc/letsencrypt/archive/xy.no-ip.biz/privkey1.pem
SSLCertificateChainFile /etc/letsencrypt/archive/xy.no-ip.biz/chain1.pem

You should not use that path /etc/letsencrypt/archive/xy.no-ip.biz/; you should use /etc/letsencrypt/live/xy.no-ip.biz/:

SSLCertificateFile /etc/letsencrypt/live/xy.no-ip.biz/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xy.no-ip.biz/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/xy.no-ip.biz/chain.pem

In the live dir there are symbolic links to the last issued cert, key, etc. If you keep using archive in your apache conf, the next time you renew your cert, the name in archive will change to cert2.pem, privkey2.pem and so on, so you will need to edit your apache conf again to correct the path to your cert, key, etc. If you use the live dir, next time you renew your certs you will only need to reload apache; you won’t need to edit your apache conf.

Cheers,
sahsanu
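
The two configuration mistakes worked through in this thread (post #13's SSLCACertificateFile pointing at the private key, and post #16's archive/ versus live/ paths) can be checked mechanically before restarting Apache. The script below is an added example, not code from any post; the function names, the example.test domain and the temporary fixture tree are constructed for illustration.

```shell
# Added example (not from the thread). Prints one finding per line for the
# certificate-path mistakes discussed above; returns 1 if anything is flagged.
lint_vhost_tls() {
    rc=0
    # Active (uncommented) SSL file directives as "<directive> <path>".
    dirs=$(awk '$1 ~ /^SSL(Certificate(Key|Chain)?|CACertificate)File$/ {print $1, $2}' "$1")
    while read -r name path; do
        [ -n "$name" ] || continue
        path=${path#\"}; path=${path%\"}    # drop optional quotes
        case $path in */letsencrypt/archive/*)
            echo "$name: versioned archive path, use live/ so renewals are picked up"; rc=1 ;;
        esac
        [ -r "$path" ] || { echo "$name: $path missing or unreadable"; rc=1; continue; }
        has_key=no; grep -q 'PRIVATE KEY-----' "$path" && has_key=yes
        case $name:$path in SSLCACertificateFile:*/letsencrypt/*)
            # This directive lists CAs for verifying client certificates.
            echo "$name: put the issuer chain in SSLCertificateChainFile"; rc=1 ;;
        esac
        case $name:$has_key in
        SSLCertificateKeyFile:no) echo "$name: no private key in file"; rc=1 ;;
        SSLCACertificateFile:yes|SSLCertificateChainFile:yes)
            echo "$name: points at a private key"; rc=1 ;;
        SSLCertificateFile:*)
            grep -q 'BEGIN CERTIFICATE' "$path" || { echo "$name: no certificate in file"; rc=1; } ;;
        esac
    done <<EOF
$dirs
EOF
    return "$rc"
}
# Constructed fixture: certbot-style tree with placeholder PEM headers, a vhost
# combining the mistakes from posts #13 and #15 (bad) and the #16 layout (good).
make_fixture() {
    d=$1/letsencrypt; n=example.test; l=$d/live/$n
    mkdir -p "$d/archive/$n" "$l"
    for f in cert chain privkey; do
        kind=CERTIFICATE; [ "$f" = privkey ] && kind='PRIVATE KEY'
        printf '%s\n' "-----BEGIN $kind-----" > "$d/archive/$n/${f}1.pem"
        ln -s "../../archive/$n/${f}1.pem" "$l/$f.pem"
    done
    printf 'SSL%sFile %s\n' Certificate "$d/archive/$n/cert1.pem" \
        CertificateKey "$l/privkey.pem" CACertificate "$l/privkey.pem" > "$1/bad.conf"
    printf 'SSL%sFile %s\n' Certificate "$l/cert.pem" \
        CertificateKey "$l/privkey.pem" CertificateChain "$l/chain.pem" > "$1/good.conf"
}
tmp=$(mktemp -d); make_fixture "$tmp"
lint_vhost_tls "$tmp/bad.conf"; lint_vhost_tls "$tmp/good.conf" && echo "good.conf: clean"
rm -rf "$tmp"
```

Run as root against a real vhost file, for example `lint_vhost_tls /etc/apache2/sites-enabled/000-default`, since the files under /etc/letsencrypt are normally readable by root only.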