Renewal fails with login

Only one seen.

8 Likes

Please show:
find /etc/apache2 -name .htaccess

7 Likes
# cat /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

What about a router port-forwarding mix-up?

It almost seems like we aren't reaching that http VirtualHost

8 Likes

There are none in the /etc tree; in the /var/www tree:

# cat /var/www/TheveninsKeep.com/html/.htaccess
AddHandler application/x-httpd-php .php .php5 .html .htm

1 Like

Let me know once that's done [and Apache has been restarted].

6 Likes

Completed, restarted, no errors on start.

That would definitely do this!
Let's have a look at the NAT table.

6 Likes

yahtzee

website	Port-Remap	80	80	TCP or UDP	eth0.v2102	192.168.1.21	443	
website-ssl	Port-Remap	443	443	TCP or UDP	eth0.v2102	192.168.1.21	443	

Rule changed

website-ssl	Port-Remap	443	443	TCP or UDP	eth0.v2102	192.168.1.21	443
website	Port-Remap	80	80	TCP or UDP	eth0.v2102	192.168.1.21	80

2 Likes

B I N G O !

Now we're getting somewhere:

curl http://theveninskeep.com/.well-known/acme-challenge/Test_File-1234
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at theveninskeep.com Port 80</address>
</body></html>

No more 400 - now 404!!!

8 Likes

Cert renew success, conf changed back.

I'd think twice about that.

8 Likes

It's back to the

<VirtualHost *:80>
#ServerAdmin admin@TheveninsKeep.com
ServerName TheveninsKeep.com
DocumentRoot /var/www/TheveninsKeep.com/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
        #<Directory "/var/www/TheveninsKeep.com/html">
        #       AuthType Basic
        #       AuthName "Restricted Content"
        #       AuthUserFile /var/www/TheveninsKeep.com/passwords
        #       Require valid-user
        #</Directory>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI}
</VirtualHost>

I did a dry-run again after renew just to check and it returned success.

That is a bad idea if you intend on securing that same directory via HTTPS and authenticated logins.

If you come through the front door - a key is required.
If you come through the back door - well, come on in!

7 Likes

That was my original thought. So just leave it as testfile?

I would make a completely separate path, dedicated to only the challenge requests.
But I'm the paranoid type. Who said that?

10 Likes
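One way to lay out the "separate path" suggested above, as an added example rather than any poster's configuration: the plain-HTTP vhost aliases the challenge path to its own empty directory and redirects everything else, so the directory protected by Basic auth on the HTTPS vhost is never reachable over port 80. The directory /var/www/acme-challenge and the certificate file paths are assumptions; adjust them to the host.

```apache
# Added example, not the thread's config. Assumed: /var/www/acme-challenge
# exists, is writable by certbot, and holds nothing but challenge tokens.

<VirtualHost *:80>
    ServerName TheveninsKeep.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Serve ACME tokens over HTTP from a dedicated directory, not from the
    # site's DocumentRoot, so no other content is exposed on this port.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
    <Directory "/var/www/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything except the challenge path is sent to HTTPS. The exclusion
    # lets the CA's validation request be answered here instead of redirected.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ [NC]
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName TheveninsKeep.com
    DocumentRoot /var/www/TheveninsKeep.com/html
    SSLEngine on
    # Certificate paths are assumed placeholders; use the ones certbot issued.
    SSLCertificateFile /etc/letsencrypt/live/EXAMPLE-DOMAIN/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/EXAMPLE-DOMAIN/privkey.pem

    # The protected content is only served behind TLS and a valid login;
    # no port-80 vhost points at this directory.
    <Directory "/var/www/TheveninsKeep.com/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /var/www/TheveninsKeep.com/passwords
        Require valid-user
    </Directory>
</VirtualHost>
```

With this layout, certbot's webroot authenticator is pointed at the dedicated directory (`certbot certonly --webroot -w /var/www/acme-challenge -d theveninskeep.com`) rather than at the site's DocumentRoot.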

Not it, but thanks for the pointer. The root is now pointed to a very pointed message.

1 Like

I believe this was my thought process when I made that router change, lol. Back door? What back door? Go around.

1 Like

Totally agree! But doesn't the Apache plug-in do that for them as part of the temp changes?

_az (a certbot dev) recently described the temp changes in the linked thread. I haven't set up a test myself to verify, but he should know.

OH. Super glad you found the culprit!

7 Likes
