There is no LE cert that can cover that redirection.
A step in the wrong direction...
You need to fix your Apache TLS configuration.
Start with the output of:
apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:444 dav.bcae.us (/etc/apache2/sites-enabled/baikal-ssl.conf:1)
*:443 mail.bcae.us (/etc/apache2/sites-enabled/rainloop-ssl.conf:1)
What do you mean by that? Does that mean I can't redirect in the way I'm doing and need to set up my DNS better?
Redirection to HTTPS requires a certificate to cover the new/redirected name.
You redirected to an IP address.
So, you would need a cert that covers that IP address.
[not the name that resolves to that IP address; where the cert contains the actual IP address]
LE doesn't provide certs with IP addresses in the SAN/name.
So...
You would have to redirect HTTPS to a name [not an IP address].
OR
All clients will be warned about the certificate name mismatch.
Is that the entire output? Just those two lines?
In any case, we should review the file:
/etc/apache2/sites-enabled/rainloop-ssl.conf
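An added example (not from the thread) that shows the name-mismatch rule above in code: it performs the same subjectAltName check a TLS client does, on a constructed SAN list shaped like Python's `ssl.SSLSocket.getpeercert()['subjectAltName']`, and shows why a wildcard cert for bcae.us covers mail.bcae.us but can never cover a redirect to an IP literal. The helper names are hypothetical.

```python
import ipaddress

# Hypothetical helpers (not from the thread). `san` uses the same shape as
# ssl.SSLSocket.getpeercert()['subjectAltName'], e.g.
# (("DNS", "bcae.us"), ("DNS", "*.bcae.us"), ("IP Address", "203.0.113.7")).

def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, needs at least two more
    # labels, and never spans a dot (so *.bcae.us does not cover a.b.bcae.us).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(san, target: str) -> bool:
    """True if the SAN list covers `target` (a DNS name or an IP literal)."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # accept [v6] literals too
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # A URL with an IP literal is only covered by an IP SAN, never by a
            # DNS SAN, even if that DNS name resolves to the same address.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_matches(value, target):
            return True
    return False

def explain(san, url_host: str) -> str:
    """One-line verdict a browser effectively reaches for this URL host."""
    return "OK" if cert_covers(san, url_host) else f"NAME MISMATCH: no SAN covers {url_host}"

# Constructed SAN set mirroring the wildcard cert for bcae.us used in the thread.
WILDCARD_SAN = (("DNS", "bcae.us"), ("DNS", "*.bcae.us"))

if __name__ == "__main__":
    for host in ("mail.bcae.us", "47.181.175.21", "a.b.bcae.us"):
        print(host, "->", explain(WILDCARD_SAN, host))
```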
Yes, that is all for that output besides the line right above that, which is a title that mentions...
VirtualHost configuration:
In any case, we should review the file:
/etc/apache2/sites-enabled/rainloop-ssl.conf
<VirtualHost *:443>
    ServerName mail.bcae.us
    DocumentRoot "/var/www/rainloop/"

    # SSL Configuration
    SSLEngine On
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/bcae.us/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bcae.us/privkey.pem

    # Log Files
    ErrorLog "/var/log/apache2/rainloop_error_log"
    TransferLog "/var/log/apache2/rainloop_access_log"

    # Note: this block applies to the filesystem root, not only the DocumentRoot,
    # and mixes Apache 2.2-style (Order/Allow) with 2.4-style (Require) access control.
    <Directory />
        Options +Indexes +FollowSymLinks +ExecCGI
        AllowOverride All
        Order deny,allow
        Allow from all
        Require all granted
    </Directory>

    <Directory /var/www/rainloop/data>
        Options -Indexes
        Deny from all
    </Directory>
</VirtualHost>
OK, I think I just realized what is going on here!
mail.bcae.us
resolves to IP addresses:
Name: mail.bcae.us
Address: 74.208.236.56
Address: 2607:f1c0:100f:f000::200
And the "redirection" is to IP address:
https://47.181.175.21:443
So...
You're probably trying to secure "https://mail.bcae.us/" at IP 47.181.175.21.
Let me know if I'm getting warm...
Well, if so, that is not how that is done.
You're probably trying to secure "https://mail.bcae.us/" at IP 47.181.175.21.
Let me know if I'm getting warm...
That is correct.
Can you update the DNS entry for that name?
OR
Can you create a new name/DNS entry...?
Like: webmail.bcae.us
Yes I can. I'm fairly techy however I'm a bit green on how to properly setup DNS entries. If you lay out a game plan I can follow it.
Basically, I wanted www.bcae.us to be like a short-hand domain (SHD) that points to our long-hand domain name (LHD). That LHD is on a 3rd party hosting provider.
Then I have 2 web apps at the moment that I plan on having that SHD subdomain point to. The one we've been discussing is mail.bcae.us, I have it hit my personal server via https://IP:PORT.
That's the goal.
Here is what I am presently seeing (i.e. information to potentially assist in debugging).
$ curl -I https://mail.bcae.us/
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
$ curl https://mail.bcae.us/
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
$ curl -I http://mail.bcae.us/
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 336
Connection: keep-alive
Keep-Alive: timeout=15
Date: Fri, 16 Dec 2022 16:43:32 GMT
Server: Apache
Last-Modified: Mon, 10 Oct 2022 04:23:55 GMT
ETag: "150-5eaa68715dec7"
Accept-Ranges: bytes
$ nslookup
> mail.bcae.us
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: mail.bcae.us
Address: 74.208.236.56
Name: mail.bcae.us
Address: 2607:f1c0:100f:f000::200
> set q=soa
> mail.bcae.us
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*** Can't find mail.bcae.us: No answer
Authoritative answers can be found from:
bcae.us
origin = ns1077.ui-dns.biz
mail addr = hostmaster.1und1.com
serial = 2017060132
refresh = 28800
retry = 7200
expire = 604800
minimum = 600
> server ns1077.ui-dns.biz.
Default server: ns1077.ui-dns.biz.
Address: 217.160.81.77#53
Default server: ns1077.ui-dns.biz.
Address: 2001:8d8:fe:53:0:d9a0:514d:100#53
> mail.bcae.us
Server: ns1077.ui-dns.biz.
Address: 217.160.81.77#53
*** Can't find mail.bcae.us: No answer
> set q=cname
> mail.bcae.us
Server: ns1077.ui-dns.biz.
Address: 217.160.81.77#53
*** Can't find mail.bcae.us: No answer
> set q=aaaa
> mail.bcae.us
Server: ns1077.ui-dns.biz.
Address: 217.160.81.77#53
Name: mail.bcae.us
Address: 2607:f1c0:100f:f000::200
> set q=a
> mail.bcae.us
Server: ns1077.ui-dns.biz.
Address: 217.160.81.77#53
Name: mail.bcae.us
Address: 74.208.236.56
>
Using this online tool https://dnsspy.io/ one can see, towards the bottom:
Here are the results for the domain bcae.us: DNS Spy report for bcae.us
Btw, that is correct. So how would it be done?
how would it be done?
You would either:
take full control of the FQDN [ mail.bcae.us ] and point it to your IP
or
[ somethingELSE.bcae.us ] and point it to your IP
Then you could handle all things related to your IP at your IP.
take full control of the FQDN [ mail.bcae.us ] and point it to your IP
Not sure how to do that. Is that as simple as pointing the main www.bcae.us to the IP, then creating virtual hosts for the subdomains there?
Is that as simple as pointing the main www.bcae.us to IP
If "www" is already being used for something else somewhere else, then that would break their use.
You can make your own name for your own use.
Ok right now I have the mail.bcae.us showing up with the wildcard cert. So the www.bcae.us is routing to my personal server IP, same IP as the mail app.
Now there is an intermittent "timed out" happening. It looks good several times with near instant response. Then other times it just times out.
I'm concerned that something is off with the DNS or IP routing maybe? Thoughts...?
DNS lookup failure gets a different error, so I guess it's time to check your ISP?
DNS lookup failure gets a different error
I'm not sure I understand completely. But enlighten me a bit. Are you using a tool to verify there is a problem with my domain, and if so what tool please? Thank you