SSL Zen "Failed verification" missing cabundle.crt

Yep, you have no port 443 vHost, which I suspected.

4 Likes

What are the contents of these files?

/etc/apache2/sites-enabled/000-default.conf

What are the outputs of these commands?

```
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
```

Please put three backticks above and below each content and output, like this:

```
content/output
```

4 Likes

That result is expected.

Your "SSL Zen" doesn't work, so the port 443 vHost (or whatever that works with WordPress) wasn't created.

And it doesn't help to create that port manually.

  • Check if there is an SSL Zen update
  • Check if there is a better log
  • Then share that.

The port 443 vHost is always created by the ACME client.

1 Like
```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/
        # Above line changed from "/var/www/html"  Apr 2021

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
---
```
fred@Fred-DME:~$ sudo ls -lRa /etc/apache2/sites-available
[sudo] password for fred:
/etc/apache2/sites-available:
total 28
drwxr-xr-x 2 root root 4096 May 13 15:15 .
drwxr-xr-x 8 root root 4096 May 12 19:51 ..
-rw-r--r-- 1 root root 1388 Apr 28 11:49 000-default.conf
-rw-r--r-- 1 root root 6351 May 12 21:08 default-ssl.conf
-rw-r--r-- 1 root root 6338 May 12 18:06 ORIG_default-ssl.conf
fred@Fred-DME:~$

fred@Fred-DME:~$ sudo ls -lRa /etc/apache2/sites-enabled
/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 May 12 21:01 .
drwxr-xr-x 8 root root 4096 May 12 19:51 ..
lrwxrwxrwx 1 root root   35 Apr 26 17:40 000-default.conf -> ../sites-available/000-default.conf
fred@Fred-DME:~$
```
3 Likes

I need you to edit your last post and put 3 backticks ``` above and below the contents of the conf file. Without them, the file gets cut off. Notice that the VirtualHost closing tag is missing.

Where did you put your SSL directives?

4 Likes

```
fred@Fred-DME:/etc/apache2/sites-enabled$ sudo vi 000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/
    # Above line changed from "/var/www/html"  Apr 2021

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

"000-default.conf" 32 lines, 1388 characters
```

2 Likes

Dang, have I been putting my SSL entries to the wrong file? I've been putting them in /sites-available/default-ssl.conf

3 Likes

Nope. You shouldn't be using either file.

:grin:

Detailed instructions coming in a minute...

5 Likes

First, let's build the correct conf file.

Using a text editor (e.g. nano) put the following contents into a new file named /etc/apache2/sites-available/fredcolclough.com.conf being sure to use sudo with the editor so that root is the group:owner of the file. Also, in both port 443 VirtualHosts below, be sure to put the complete path to the fullchain certificate file we discussed before next to the SSLCertificateFile directive and put the complete path to the private key file we discussed before next to the SSLCertificateKeyFile directive.

```
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName fredcolclough.com
ServerAlias www.fredcolclough.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://fredcolclough.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.fredcolclough.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile 
SSLCertificateKeyFile 
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
Redirect permanent / https://fredcolclough.com/
</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName fredcolclough.com
DocumentRoot /var/www/html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile 
SSLCertificateKeyFile 
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
</VirtualHost>
</IfModule>
```

Second, let's disable/enable the configurations.

```
sudo a2dissite 000-default.conf
sudo a2ensite fredcolclough.com.conf
sudo apachectl -k graceful
```

Your https website (www.fredcolclough.com -> fredcolclough.com) should be working now with proper http to https redirects. :slightly_smiling_face:

You will want to create a new certificate that includes both fredcolclough.com and www.fredcolclough.com since both should be working now. With this configuration, the canonical name of your website is fredcolclough.com without the www.

When you replace the certificate and private key files, be sure to reload apache!

```
sudo apachectl -k graceful
```

6 Likes

Use the instructions in the link below to change the Site Address (URL) and WordPress Address (URL) settings in your WordPress to https://fredcolclough.com so that WordPress doesn't get confused about your address.

4 Likes

Just letting you know I'm working on that! Thx!

4 Likes

No problem. It's a lot. :blush:

4 Likes

To chew on while I'm improving my VI skills! :wink: I can't get another cert issued by LetsEncrypt since they've tagged my domain for excessive certs! (From when it kept failing, so I kept trying...). Apparently it's for a WEEK! Is there a way to test to know we'll be good? Or a work-around?

2 Likes

nano is much easier than vim :grin:

If you create a cert that covers both fredcolclough.com and www.fredcolclough.com, you should have no restrictions since it does not cover the exact same set of (sub)domains as your five duplicate certificates that cover only fredcolclough.com.

4 Likes

Agreed...nano in use now. :wink: When I copy & paste, nano says it's a DOS file. Is that ok?

2 Likes

That's probably the whole \r\n vs \n thing. Just be sure you actually get the newlines in there properly and you should be alright.

3 Likes

It looks fine in nano... but it's erroring out on restart: (I'm perusing the file very carefully for syntax)

```
fred@Fred-DME:/etc/apache2/sites-available$ sudo apachectl -k graceful
AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/fredcolclough.com.conf:
CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" or "expr=" clause (see docs)
Action '-k graceful' failed.
The Apache error log may have more information.
fred@Fred-DME:/etc/apache2/sites-available$
```

2 Likes

That's my bad. I forgot the " combined" at the end of the three CustomLog lines. I updated the text block above accordingly.

:man_facepalming:

4 Likes

You are editing the file in sites-available I hope. The file in sites-enabled should just be a symbolic link to the file in sites-available and not an actual file.

4 Likes
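A pre-reload check for the two things that went wrong in this thread: the CustomLog line that was missing its "combined" format (the AH00526 error above) and the SSLCertificateFile / SSLCertificateKeyFile lines that still have to be filled in, plus the sites-enabled symlink point just raised. This is an added example, not from the thread or from SSL Zen; the directory layout and the sample file it writes are constructed.

```shell
#!/bin/sh
# Added example: static checks on a sites-available vHost file before
# running `sudo apachectl -k graceful`. Only the directives that caused
# trouble in this thread are inspected; apachectl still does the real parse.

# check_vhost_conf FILE -> prints one line per problem, returns 0 if clean
check_vhost_conf() {
    conf="$1"; problems=0
    set -f                        # no globbing: "<VirtualHost *:443>" has a *
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line              # word-split the line; $1 is the directive
        [ "$#" -gt 0 ] || continue
        case "$1" in
            CustomLog)
                # needs a log target AND a format name or format string
                if [ "$#" -lt 3 ]; then
                    echo "CustomLog missing log format: $line"
                    problems=$((problems + 1))
                fi ;;
            SSLCertificateFile|SSLCertificateKeyFile)
                if [ "$#" -lt 2 ]; then
                    echo "$1 has no path (fill in the fullchain/privkey location)"
                    problems=$((problems + 1))
                elif [ ! -r "$2" ]; then
                    echo "$1 points at an unreadable file: $2"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$conf"
    set +f
    [ "$problems" -eq 0 ]
}

# check_enabled_link APACHE_DIR NAME -> 0 if sites-enabled/NAME is a live
# symlink (what a2ensite creates), 1 if it is a plain copy or dangling.
check_enabled_link() {
    link="$1/sites-enabled/$2"
    [ -L "$link" ] && [ -e "$link" ] && return 0
    echo "$link is not a symlink into sites-available (use a2ensite)"
    return 1
}

# Constructed demo file reproducing the thread's mistakes (not a real vHost).
demo=$(mktemp -d)
printf '<VirtualHost *:443>\n  CustomLog ${APACHE_LOG_DIR}/access.log\n  SSLCertificateFile \n</VirtualHost>\n' > "$demo/demo.conf"
check_vhost_conf "$demo/demo.conf" || echo "fix the lines above, then reload apache"
```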

Yes, I'm updating in sites-available, and the symbolic link is in sites-enabled. You changed the file above? (nifty...) Rather than cp/ps the whole thing, what changed?

2 Likes