Small problems around my certificates

My domain is: democrasite.com

It produced this output:

My web server is (include version): Debian 10 / IspConfig 3.2

The operating system my web server runs on is (include version): Buster (Debian 10)

My hosting provider, if applicable, is: Scaleway / Ovh for domains

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ispConfig 3.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0

////////////////////////////////////////

Good evening or good morning to all of you depending on where you are in the world :slight_smile:

It's been a long time since I've had to come around. My little Certbot worked fine, and still works fine. Thanks for that!

I upgraded my debian (9 >> 10) and my ispConfig (3 > 3.2) + Certbot Apache >> snap Certbot Apache.

I just did a "certbot renew --dry-run -v" and some small problems appear + a strange old error that seems to be still there and that I don't understand:

    1. For the old error: my main domain (the first one installed) is "democrasite.com", with which I configured my machine under ispConfig. However, it is another domain (that I host), "ianpatrickimages.com", that comes up in all the certificates as a reference. So my question is: but why oO?

      --------------- point 2-----------------------------------

    2. The little problems:

      # tail letsencrypt.log -v
      ==> letsencrypt.log <==
        File "/snap/certbot/2133/lib/python3.8/site-packages/certbot/main.py", line 19, in main
          return internal_main.main(cli_args)
        File "/snap/certbot/2133/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
          return config.func(config, plugins)
        File "/snap/certbot/2133/lib/python3.8/site-packages/certbot/_internal/main.py", line 1630, in renew
          renewal.handle_renewal_request(config)
        File "/snap/certbot/2133/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
          raise errors.Error(
      certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
      2022-06-24 21:40:00,701:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
      ------------------- End ------------------------

certbot renew --dry-run…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/democrasite.com.conf


Simulating renewal of an existing certificate for www.ianpatrickimages.com and 13 more domains


Processing /etc/letsencrypt/renewal/kameleon.fr.conf


Simulating renewal of an existing certificate for kameleon.fr and www.kameleon.fr
Failed to renew certificate kameleon.fr with error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Unable to update challenge :: authorization must be pending


Processing /etc/letsencrypt/renewal/lucifart.com.conf


Simulating renewal of an existing certificate for lucifart.com and www.lucifart.com


Processing /etc/letsencrypt/renewal/srv-b.democrasite.com.conf


Simulating renewal of an existing certificate for srv-b.democrasite.com


Processing /etc/letsencrypt/renewal/www.democrasite.com.conf


Simulating renewal of an existing certificate for sandybeearts.com and 5 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: sandybeearts.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for sandybeearts.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for sandybeearts.com - check that a DNS record exists for this domain

Domain: www.sandybeearts.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.sandybeearts.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.sandybeearts.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.democrasite.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/www.kameleon.fr.conf


Simulating renewal of an existing certificate for www.kameleon.fr


The following simulated renewals succeeded:
/etc/letsencrypt/live/democrasite.com/fullchain.pem (success)
/etc/letsencrypt/live/lucifart.com/fullchain.pem (success)
/etc/letsencrypt/live/srv-b.democrasite.com/fullchain.pem (success)
/etc/letsencrypt/live/www.kameleon.fr/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/kameleon.fr/fullchain.pem (failure)
/etc/letsencrypt/live/www.democrasite.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

                      • End - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

For sandybeearts.com it's ok… problem from the client renew hoster domain :wink:

Thanks for your help and bravo ! ^^

This is a rather weird error, we'd probably need to see the entire log to try to figure out why this happened.

This error is more simple: it's currently not resolvable. See e.g. sandybeearts.com | DNSViz and do a whois sandybeearts.com. While that latter whois would get results from OVH, it would also tell you the domain is currently in the "clientHold" status. And the ICANN link explaining that status says:

| EPP Status Code | RDAP Status Mapping | What does it mean? | Should you do something? |
|---|---|---|---|
| clientHold | client hold | This status code tells your domain's registry to not activate your domain in the DNS and as a consequence, it will not resolve. It is an uncommon status that is usually enacted during legal disputes, non-payment, or when your domain is subject to deletion. | Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code. |

Hi Osiris, thanks :slight_smile: what logs do you need please ?

Preferably the entire letsencrypt.log from a renewal run including that certificate.

/var/log/letsencrypt# tail letsencrypt.log
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/democrasite.com/fullchain.pem expires on 2022-09-17 (skipped)
  /etc/letsencrypt/live/kameleon.fr/fullchain.pem expires on 2022-09-22 (skipped)
  /etc/letsencrypt/live/lucifart.com/fullchain.pem expires on 2022-08-11 (skipped)
  /etc/letsencrypt/live/srv-b.democrasite.com/fullchain.pem expires on 2022-09-19 (skipped)
  /etc/letsencrypt/live/www.democrasite.com/fullchain.pem expires on 2022-08-29 (skipped)
  /etc/letsencrypt/live/www.kameleon.fr/fullchain.pem expires on 2022-09-22 (skipped)
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-06-24 22:58:37,666:DEBUG:certbot._internal.renewal:no renewal failures

Sorry, but where can I find that cert ?

Don't use tail, please show the entire log file contents.

Osiris, I'm just a padawan… could U please show me ? Thanks.

Sorry , it's late …

2022-06-24 22:58:00,881:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-06-24 22:58:02,052:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-06-24 22:58:02,053:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2133/bin/certbot
2022-06-24 22:58:02,053:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2022-06-24 22:58:02,053:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,P$
2022-06-24 22:58:02,105:DEBUG:certbot._internal.log:Root logging level set at 40
2022-06-24 22:58:02,107:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/democrasite.com.conf
2022-06-24 22:58:02,166:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f1b4514ba00> and installer <certbot._i$
2022-06-24 22:58:02,227:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:06,327:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:06,330:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/democrasite.com/cert3.pem is signed by the certificate's issuer.
2022-06-24 22:58:06,331:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/democrasite.com/cert3.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:06,337:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:06,338:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-06-24 22:58:06,338:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/kameleon.fr.conf
2022-06-24 22:58:06,390:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:12,546:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:12,549:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/kameleon.fr/cert12.pem is signed by the certificate's issuer.
2022-06-24 22:58:12,553:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/kameleon.fr/cert12.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:12,556:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:12,558:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-06-24 22:58:12,559:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/lucifart.com.conf
2022-06-24 22:58:12,616:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:18,776:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:18,779:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/lucifart.com/cert11.pem is signed by the certificate's issuer.
2022-06-24 22:58:18,780:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/lucifart.com/cert11.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:18,783:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:18,785:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-06-24 22:58:18,785:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/srv-b.democrasite.com.conf
2022-06-24 22:58:18,825:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:25,126:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:25,127:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/srv-b.democrasite.com/cert1.pem is signed by the certificate's issuer.
2022-06-24 22:58:25,129:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/srv-b.democrasite.com/cert1.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:25,130:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:25,131:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-06-24 22:58:25,131:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/www.democrasite.com.conf
2022-06-24 22:58:25,185:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:31,325:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:31,327:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/www.democrasite.com/cert13.pem is signed by the certificate's issuer.
2022-06-24 22:58:31,328:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/www.democrasite.com/cert13.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:31,330:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:31,332:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-06-24 22:58:31,332:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/www.kameleon.fr.conf
2022-06-24 22:58:31,372:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-24 22:58:37,654:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-24 22:58:37,655:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/www.kameleon.fr/cert1.pem is signed by the certificate's issuer.
2022-06-24 22:58:37,657:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/www.kameleon.fr/cert1.pem is: OCSPCertStatus.GOOD
2022-06-24 22:58:37,658:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-06-24 22:58:37,659:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2022-06-24 22:58:37,665:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f1b45040130>
2022-06-24 22:58:37,665:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/democrasite.com/fullchain.pem expires on 2022-09-17 (skipped)
  /etc/letsencrypt/live/kameleon.fr/fullchain.pem expires on 2022-09-22 (skipped)
  /etc/letsencrypt/live/lucifart.com/fullchain.pem expires on 2022-08-11 (skipped)
  /etc/letsencrypt/live/srv-b.democrasite.com/fullchain.pem expires on 2022-09-19 (skipped)
  /etc/letsencrypt/live/www.democrasite.com/fullchain.pem expires on 2022-08-29 (skipped)
  /etc/letsencrypt/live/www.kameleon.fr/fullchain.pem expires on 2022-09-22 (skipped)
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-06-24 22:58:37,666:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-06-24 22:58:37,666:DEBUG:certbot._internal.renewal:no renewal failures

I think it's ok :slight_smile:
but is this form of domain normal ? :

*:8080 srv-b.democrasite.com.democrasite.com.democrasite.com

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: democrasite.com
    Serial Number: 40b558e91ab907db84851b917fb67b0d66d
    Key Type: RSA
    Domains: www.ianpatrickimages.com alainroussel.com alleray.fr auberjazzday.fr cobaltateliers.com democrasite.com ianpatrickimages.com vmxparis.com www.alainroussel.com www.alleray.fr www.auberjazzday.fr www.cobaltateliers.com www.democrasite.com www.vmxparis.com
    Expiry Date: 2022-09-17 18:08:28+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/democrasite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/democrasite.com/privkey.pem
  Certificate Name: kameleon.fr
    Serial Number: 48a16c23158ba959c37a6cd611597c23e97
    Key Type: RSA
    Domains: kameleon.fr www.kameleon.fr
    Expiry Date: 2022-09-22 19:48:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kameleon.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kameleon.fr/privkey.pem
  Certificate Name: lucifart.com
    Serial Number: 47e0a9a054a7a5c1424bca7363d059b539a
    Key Type: RSA
    Domains: lucifart.com www.lucifart.com
    Expiry Date: 2022-08-11 02:01:01+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/lucifart.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lucifart.com/privkey.pem
  Certificate Name: srv-b.democrasite.com
    Serial Number: 38c6b6005d1169a69a5e2f388686efabf3a
    Key Type: RSA
    Domains: srv-b.democrasite.com
    Expiry Date: 2022-09-19 22:00:15+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/srv-b.democrasite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/srv-b.democrasite.com/privkey.pem
  Certificate Name: www.democrasite.com
    Serial Number: 48698c55635aa582d20661cc68ac9ee75d4
    Key Type: RSA
    Domains: sandybeearts.com democrasite.com opaz-ateliers.com www.democrasite.com www.opaz-ateliers.com www.sandybeearts.com
    Expiry Date: 2022-08-29 02:07:49+00:00 (VALID: 64 days)
    Certificate Path: /etc/letsencrypt/live/www.democrasite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.democrasite.com/privkey.pem
  Certificate Name: www.kameleon.fr
    Serial Number: 4c795b0e2d62743620f2c9cdb614a540471
    Key Type: RSA
    Domains: www.kameleon.fr
    Expiry Date: 2022-09-22 19:33:50+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.kameleon.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.kameleon.fr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
VirtualHost configuration:
[2001:bc8:47b0:170a::1]:80 democrasite.com (/etc/apache2/sites-enabled/100-democrasite.com.vhost:305)
[2001:bc8:47b0:170a::1]:443 democrasite.com (/etc/apache2/sites-enabled/100-democrasite.com.vhost:443)
*:8081 srv-b.democrasite.com.democrasite.com.democrasite.com (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080 srv-b.democrasite.com.democrasite.com.democrasite.com (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:443 is a NameVirtualHost
default server democrasite.com (/etc/apache2/sites-enabled/100-democrasite.com.vhost:145)
port 443 namevhost democrasite.com (/etc/apache2/sites-enabled/100-democrasite.com.vhost:145)
alias www.democrasite.com
alias www.opaz-ateliers.com
alias opaz-ateliers.com
alias www.vmxparis.com
alias vmxparis.com
alias www.sandybeearts.com
alias sandybeearts.com
alias www.ianpatrickimages.com
alias ianpatrickimages.com
alias www.alainroussel.com
alias alainroussel.com
alias www.alleray.fr
alias alleray.fr
alias www.auberjazzday.fr
alias auberjazzday.fr
alias www.cobaltateliers.com
alias cobaltateliers.com
port 443 namevhost kameleon.fr (/etc/apache2/sites-enabled/100-kameleon.fr.vhost:126)
alias www.kameleon.fr
port 443 namevhost lucifart.com (/etc/apache2/sites-enabled/100-lucifart.com.vhost:126)
alias www.lucifart.com
*:80 is a NameVirtualHost
default server srv-b.democrasite.com.democrasite.com.democrasite.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost srv-b.democrasite.com.democrasite.com.democrasite.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost democrasite.com (/etc/apache2/sites-enabled/100-democrasite.com.vhost:7)
alias www.democrasite.com
alias www.opaz-ateliers.com
alias opaz-ateliers.com
alias www.vmxparis.com
alias vmxparis.com
alias www.sandybeearts.com
alias sandybeearts.com
alias www.ianpatrickimages.com
alias ianpatrickimages.com
alias www.alainroussel.com
alias alainroussel.com
alias www.alleray.fr
alias alleray.fr
alias www.auberjazzday.fr
alias auberjazzday.fr
alias www.cobaltateliers.com
alias cobaltateliers.com
port 80 namevhost kameleon.fr (/etc/apache2/sites-enabled/100-kameleon.fr.vhost:7)
alias www.kameleon.fr
port 80 namevhost lucifart.com (/etc/apache2/sites-enabled/100-lucifart.com.vhost:7)
alias www.lucifart.com
port 80 namevhost master.kameleon.fr (/etc/apache2/sites-enabled/100-master.kameleon.fr.vhost:7)
alias www.master.kameleon.fr
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

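
Added example (not part of the thread and not Certbot's own code): a parser for the `certbot certificates` listing above. It shows that the renewal message matches the first entry of each lineage's Domains list (which is why `www.ianpatrickimages.com` appears for the lineage named `democrasite.com`), which domains sit in more than one lineage, and which names are left without a renewable certificate when a lineage contains domains that no longer resolve. The function names and the abridged `SAMPLE` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Abridged from the `certbot certificates` listing in the thread:
# only the name, domain list and expiry of each lineage are kept.
SAMPLE = """\
Found the following certs:
  Certificate Name: democrasite.com
    Domains: www.ianpatrickimages.com alainroussel.com alleray.fr auberjazzday.fr cobaltateliers.com democrasite.com ianpatrickimages.com vmxparis.com www.alainroussel.com www.alleray.fr www.auberjazzday.fr www.cobaltateliers.com www.democrasite.com www.vmxparis.com
    Expiry Date: 2022-09-17 18:08:28+00:00 (VALID: 84 days)
  Certificate Name: kameleon.fr
    Domains: kameleon.fr www.kameleon.fr
    Expiry Date: 2022-09-22 19:48:52+00:00 (VALID: 89 days)
  Certificate Name: lucifart.com
    Domains: lucifart.com www.lucifart.com
    Expiry Date: 2022-08-11 02:01:01+00:00 (VALID: 46 days)
  Certificate Name: srv-b.democrasite.com
    Domains: srv-b.democrasite.com
    Expiry Date: 2022-09-19 22:00:15+00:00 (VALID: 86 days)
  Certificate Name: www.democrasite.com
    Domains: sandybeearts.com democrasite.com opaz-ateliers.com www.democrasite.com www.opaz-ateliers.com www.sandybeearts.com
    Expiry Date: 2022-08-29 02:07:49+00:00 (VALID: 64 days)
  Certificate Name: www.kameleon.fr
    Domains: www.kameleon.fr
    Expiry Date: 2022-09-22 19:33:50+00:00 (VALID: 89 days)
"""

# Names the CA reported as NXDOMAIN in the thread's dry run.
UNRESOLVABLE = {"sandybeearts.com", "www.sandybeearts.com"}


def parse_lineages(text):
    """Return {certificate name: {"domains": [...], "valid_days": int or None}}."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = {"domains": [], "valid_days": None}
        elif current and line.startswith("Domains:"):
            lineages[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            m = re.search(r"\(VALID: (\d+) days?\)", line)
            if m:
                lineages[current]["valid_days"] = int(m.group(1))
    return lineages


def renewal_label(domains):
    """Reproduce the wording of the 'Simulating renewal ... for' lines in the thread."""
    if len(domains) <= 2:
        return " and ".join(domains)
    return f"{domains[0]} and {len(domains) - 1} more domains"


def shared_domains(lineages):
    """Map each domain that appears in more than one lineage to those lineages."""
    seen = defaultdict(list)
    for name, info in lineages.items():
        for domain in info["domains"]:
            seen[domain].append(name)
    return {d: sorted(names) for d, names in seen.items() if len(names) > 1}


def blocked_lineages(lineages, unresolvable):
    """For every lineage holding a dead name, split the rest by remaining coverage.

    A certificate is only issued when every name in it validates, so one
    unresolvable domain stops renewal for all names in that lineage.
    """
    dead_in = {n: [d for d in i["domains"] if d in unresolvable]
               for n, i in lineages.items()}
    healthy = [n for n, dead in dead_in.items() if not dead]
    report = {}
    for name, dead in dead_in.items():
        if not dead:
            continue
        alive = [d for d in lineages[name]["domains"] if d not in unresolvable]
        covered = [d for d in alive
                   if any(d in lineages[h]["domains"] for h in healthy)]
        report[name] = {
            "dead": dead,
            "covered_elsewhere": covered,
            "only_here": [d for d in alive if d not in covered],
            "valid_days": lineages[name]["valid_days"],
        }
    return report


if __name__ == "__main__":
    certs = parse_lineages(SAMPLE)
    for name, info in certs.items():
        print(f"{name}: shown as '{renewal_label(info['domains'])}'")
    for domain, names in shared_domains(certs).items():
        print(f"{domain} is in {len(names)} lineages: {', '.join(names)}")
    for name, r in blocked_lineages(certs, UNRESOLVABLE).items():
        print(f"{name} cannot renew ({r['valid_days']} days left); "
              f"no other certificate covers: {', '.join(r['only_here'])}")
```

To run it against a live host, feed it the text printed by `certbot certificates` instead of `SAMPLE`.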

Looking at your apachectl output it's from ISPConfig. I don't have experience with that so I dunno if it's normal or not.

The challenge request would come in on port 80 - all those other ports are not relevant to pass/fail HTTP authentication requests.

To that end, the first thing we need to look at is the file:

@rg305 , Hi, thanks

<Directory /var/www/master.kameleon.fr>
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>

    DocumentRoot /var/www/master.kameleon.fr/web

    ServerName master.kameleon.fr
    ServerAlias www.master.kameleon.fr
    ServerAdmin webmaster@master.kameleon.fr

    ErrorLog /var/log/ispconfig/httpd/master.kameleon.fr/error.log

    Alias /error/ "/var/www/master.kameleon.fr/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <Directory /var/www/master.kameleon.fr/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client0/web6/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web6 client0
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        FcgidIdleTimeout 300
        FcgidProcessLifeTime 3600
        # FcgidMaxProcesses 1000
        FcgidMaxRequestsPerProcess 5000
        FcgidMinProcessesPerClass 0
        FcgidMaxProcessesPerClass 10
        FcgidConnectTimeout 3
        FcgidIOTimeout 600
        FcgidBusyTimeout 3600
        FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/master.kameleon.fr/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client0/web6/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web6/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web6 client0
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client0/web6/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client0/web6/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>

    <IfModule mpm_itk_module>
        AssignUserId web6 client0
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client0/web6/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client0/web6/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>

</VirtualHost>

I just compared it with another vhost on my machine, this one is strange ; incomplete. All this part is missing minimum… :

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM$
        SSLHonorCipherOrder     on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile /var/www/clients/client0/web1/ssl/kameleon.fr-le.crt
        SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/kameleon.fr-le.key
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </IfModule>

    <Directory /var/www/kameleon.fr/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client0/web1/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
