I’m at my wit’s end and have thoroughly messed up my letsencrypt/certbot setup, to the effect that neither my domain nor subdomain work anymore.
The scenario:
I have a domain (velko.men) which I self-host, with DNS services provided by the Norwegian webhost Domeneshop.
The main domain points to one local IP. The machine on this IP serves my Nextcloud, we can call it Box 1 for clarity. This is an Odroid ARM box, with Nextcloudpi installed on top of Armbian Buster. Box 1 has had a working Letsencrypt setup for some weeks.
I thought I’d like to self-host a web radio station on its own subdomain, so I installed regular Ubuntu Server on an old laptop (Box 2), installed Azuracast via Docker, changed my DNS setup to add a subdomain (hjarteleg.velko.men) and set up a reverse proxy on Box 1 pointing to Box 2. I did this by adding a “domain.conf” file in /etc/apache2/sites-available:
<VirtualHost *:80>
    ServerName hjarteleg.velko.men
    # Apache 2.2-style access control; on 2.4 it only works through mod_access_compat
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        ProxyPass http://LAN_IP_HERE/
        ProxyPassReverse http://LAN_IP_HERE/
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName hjarteleg.velko.men
    # No SSLEngine/SSLCertificateFile in this block: if it is the first (default)
    # *:443 vhost, Apache answers port 443 in plaintext instead of TLS.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        ProxyPass https://LAN_IP_HERE/
        ProxyPassReverse https://LAN_IP_HERE/
    </Location>
</VirtualHost>
I followed this by sudo apache2ctl -k graceful on Box 1 to make Apache load the new config.
I also ran sudo a2enmod proxy_http and sudo a2enmod proxy to make sure Apache would function as a reverse proxy.
Then, on Box 2, I ran the recommended certbot command inside Docker:
./docker.sh letsencrypt-create hjarteleg.velko.men
This seems to have been successful, but after this, none of my domains have worked. The Firefox error is SSL_ERROR_RX_RECORD_TOO_LONG.
To overcome the problem, I have tried
Uninstalling Azuracast on Box 2 (and, I hoped, also the certificate I obtained) and reinstalling. No change.
Trying to make a wildcard DNS record on Box 1, using my webhost’s certbot DNS plugin and the API keys they provided. The result seems to have been successful, but none of my domains work.
Checked which is the default domain on Box 1 with apache2ctl -S. The result indicated that my new subdomain, hjarteleg.velko.men, was the new default domain.
Tried to rename the files in /etc/apache2/sites-available on Box 1 to make the default domain appear first, because I read that Apache reads the files in alphabetical order(!), and restarted Apache. The result of apache2ctl -S now omits the subdomain altogether:
VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:4443 localhost (/etc/apache2/sites-enabled/ncp.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="www-data" id=33
Group: name="www-data" id=33
Needless to say, none of my domains work, and I am at a loss. Help is appreciated.
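A script to check for the two things that can go wrong in the post above, added here as an example and not part of the original thread: it lists files in sites-available that were never enabled, and flags enabled *:443 vhosts without SSLEngine on (when such a block is the default vhost on :443, Apache answers the port in plaintext, which is exactly what Firefox's SSL_ERROR_RX_RECORD_TOO_LONG means). The --demo mode builds a throwaway config tree that mirrors the post's situation; that fixture is constructed data, not the poster's real files, and 192.0.2.10 is a stand-in address.

```shell
#!/bin/sh
# Offline checks for an Apache config tree (default /etc/apache2). Added here as
# an example; it is not part of the thread. It reports:
#   1. sites-available/*.conf files with no entry in sites-enabled, i.e. written
#      but never enabled with a2ensite;
#   2. enabled <VirtualHost *:443> blocks that never set "SSLEngine on". If such a
#      block is the first (default) vhost on :443, Apache answers the port in
#      plaintext, which Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG.

# list_unenabled CFGROOT: print available site files that are not enabled
list_unenabled() {
  cfg=$1
  for f in "$cfg"/sites-available/*.conf; do
    [ -e "$f" ] || continue              # unmatched glob stays literal; skip it
    name=$(basename "$f")
    [ -e "$cfg/sites-enabled/$name" ] || echo "$name"
  done
}

# vhosts_443_without_ssl CFGROOT: print enabled files whose *:443 vhost has no SSLEngine on
vhosts_443_without_ssl() {
  cfg=$1
  for f in "$cfg"/sites-enabled/*.conf; do
    [ -e "$f" ] || continue
    awk -v file="$(basename "$f")" '
      /^[ \t]*<VirtualHost[^>]*:443>/            { in443 = 1; ssl = 0; next }
      in443 && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/  { ssl = 1 }
      in443 && /^[ \t]*<\/VirtualHost>/          { if (!ssl) print file; in443 = 0 }
    ' "$f"
  done
}

# make_fixture: build a throwaway tree mirroring the post (constructed data, not
# the poster's files): 000-default.conf and ncp.conf enabled, domain.conf and
# 001-nextcloud.conf only in sites-available. Prints the tree's path.
make_fixture() {
  tree=$(mktemp -d)
  mkdir -p "$tree/sites-available" "$tree/sites-enabled"
  cat > "$tree/sites-available/000-default.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
EOF
  cat > "$tree/sites-available/ncp.conf" <<'EOF'
Listen 4443
<VirtualHost _default_:4443>
    DocumentRoot /var/www/ncp-web
    SSLEngine on
</VirtualHost>
EOF
  cat > "$tree/sites-available/001-nextcloud.conf" <<'EOF'
<VirtualHost *:443>
    ServerName velko.men
    SSLEngine on
</VirtualHost>
EOF
  # the proxy vhost from the post, reduced: a *:443 block with no SSLEngine line
  cat > "$tree/sites-available/domain.conf" <<'EOF'
<VirtualHost *:80>
    ServerName hjarteleg.velko.men
    ProxyPass / http://192.0.2.10/
</VirtualHost>
<VirtualHost *:443>
    ServerName hjarteleg.velko.men
    ProxyPass / https://192.0.2.10/
</VirtualHost>
EOF
  ln -s "$tree/sites-available/000-default.conf" "$tree/sites-enabled/000-default.conf"
  ln -s "$tree/sites-available/ncp.conf" "$tree/sites-enabled/ncp.conf"
  echo "$tree"
}

# report CFGROOT: print both findings with the fix for each
report() {
  echo "== in sites-available but not enabled (fix: a2ensite <name>; systemctl reload apache2) =="
  list_unenabled "$1"
  echo "== enabled *:443 vhosts without 'SSLEngine on' (fix: add SSLEngine/certificate lines or run certbot --apache) =="
  vhosts_443_without_ssl "$1"
}

# Usage: sh check_sites.sh [/etc/apache2]   or   sh check_sites.sh --demo
case "${1:-}" in
  --demo) report "$(make_fixture)" ;;
  *)      report "${1:-/etc/apache2}" ;;
esac
```

Run it as root on Box 1 against the real /etc/apache2 to see which of the two problems applies; in the demo tree, domain.conf shows up in the first list only until it is linked into sites-enabled, at which point it moves to the second list because its *:443 block has no SSLEngine line.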
a2ensite <site> where '<site>' is the name of your site's Virtual Host configuration file, located in /etc/apache2/sites-available/, without the .conf extension.
do all TLS on Box 1 and go unencrypted from Box 1 to Box 2, using an HTTP proxy.
the first mode is a lot more complicated. I’d suggest generating a certificate for Box 2 on Box 1, and then going unencrypted on your local network. (edit: you can have both go encrypted if you find a way to make both machines validate; using --apache on Box 1 should be enough)
I think he tried to do all TLS on Box 1.
But may have forgotten to enable the newly added config file.
[placing a config file in the sites-available folder doesn’t always automatically enable it]
[placing a config file in the sites-enabled folder may have that effect…]
See: a2ensite
Listen 4443
<VirtualHost _default_:4443>
    DocumentRoot /var/www/ncp-web
    SSLEngine on
    # ssl-cert-snakeoil is the self-signed placeholder from Debian's ssl-cert package, not a Let's Encrypt certificate
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # 2 days, so very big backup requests do not time out
    TimeOut 172800
    <IfModule mod_authnz_external.c>
        DefineExternalAuth pwauth pipe /usr/sbin/pwauth
    </IfModule>
</VirtualHost>
<Directory /var/www/ncp-web/>
    AuthType Basic
    AuthName "ncp-web login"
    AuthBasicProvider external
    AuthExternal pwauth
    # every URI is marked noauth by default; the login pages below clear that mark
    SetEnvIf Request_URI "^" noauth
    SetEnvIf Request_URI "^index\.php$" !noauth
    SetEnvIf Request_URI "^/$" !noauth
    SetEnvIf Request_URI "^/wizard/index.php$" !noauth
    SetEnvIf Request_URI "^/wizard/$" !noauth
    <RequireAll>
        # first condition: client must come from loopback or a private/link-local range
        # (note that "Require ip 172" matches all of 172.0.0.0/8, wider than the private 172.16.0.0/12)
        <RequireAny>
            Require host localhost
            Require local
            Require ip 192.168
            Require ip 172
            Require ip 10
            Require ip fe80::/10
            Require ip fd00::/8
        </RequireAny>
        # second condition: either a noauth URI, or a valid login as user "ncp"
        <RequireAny>
            Require env noauth
            Require user ncp
        </RequireAny>
    </RequireAll>
</Directory>
This is the file that seems to give me velko.men:4443, which is the local administration page that is only reachable from the inside. From the outside, velko.men should point to the Nextcloud instance. I would think that /etc/apache2/sites-available/001-nextcloud.conf is the file for that:
Thanks a million! Will try once I’m (more) sure I don’t mess up things even more. The underscore in 000-default.conf is there by default, so I can’t tell what it is for.
Note that I am referring to files in /etc/apache2/sites-available, not in …/sites-enabled. I checked that 000-default.conf is the same in the sites-enabled folder.
do you want a certificate for both, or one certificate for each?
it’s fine to tell certbot to only make that, if you want one certificate for each.
otherwise you need to look in the apache config and understand why is certbot not recognizing your domain (probably the underscore) – or you can just type the domains instead of numbers.
PROBLEM SOLVED thanks to @9peppe’s competent and friendly help. Thank you very much! Steps to solve the problem:
$ sudo a2ensite 001-nextcloud
Enabling site 001-nextcloud.
To activate the new configuration, you need to run:
systemctl reload apache2
$ sudo systemctl reload apache2
$ sudo certbot --apache
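The approach recommended earlier in the thread (terminate TLS on Box 1, go unencrypted to Box 2 over the LAN) combined with the enable/reload/certbot --apache procedure from the solution above, as an added example that is not part of the original thread or of any of the posters' files. It is run on Box 1. The backend address 192.0.2.10 stands in for Box 2's LAN address, and ProxyPreserveHost plus the X-Forwarded-Proto header (mod_headers) are choices made here, not something the thread specifies.

```shell
#!/bin/sh
# The approach recommended in the replies, carried through on Box 1: terminate
# TLS here, reverse-proxy plain HTTP to Box 2 over the LAN, then let
# `certbot --apache` add the HTTPS vhost. Added example, not the thread's own
# files. 192.0.2.10 stands in for Box 2's LAN address; ProxyPreserveHost and the
# X-Forwarded-Proto header (mod_headers) are choices made here, not something
# the thread specifies.
set -eu

SITE=hjarteleg.velko.men
BACKEND=192.0.2.10     # assumed LAN address of Box 2; replace with the real one

# proxy_vhost NAME BACKEND: print the port-80 vhost. Only :80 is written by
# hand: certbot's Apache installer clones this block into NAME-le-ssl.conf with
# "SSLEngine on" and the certificate paths, so the proxy directives reach the
# HTTPS vhost without a second copy to keep in sync.
proxy_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    # Apache 2.4 access control (Order/Allow is the 2.2 syntax)
    <Proxy *>
        Require all granted
    </Proxy>
    # TLS ends on this box; the hop to the backend is plaintext HTTP on the LAN
    ProxyPreserveHost On
    ProxyPass        / http://$2/
    ProxyPassReverse / http://$2/
    # Let the backend see whether the client arrived over http or https
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
</VirtualHost>
EOF
}

# install_site NAME BACKEND: write, enable and syntax-check the vhost, reload
# Apache, then obtain the certificate. Needs root on Box 1; run once.
install_site() {
  proxy_vhost "$1" "$2" > "/etc/apache2/sites-available/$1.conf"
  a2enmod -q proxy proxy_http headers
  a2ensite -q "$1"            # without this, a file in sites-available is never loaded
  apache2ctl configtest       # never reload a config that does not parse
  systemctl reload apache2
  certbot --apache -d "$1"    # writes and enables $1-le-ssl.conf on :443
}

case "${1:-}" in
  --install) install_site "$SITE" "$BACKEND" ;;
  *)         proxy_vhost "$SITE" "$BACKEND" ;;     # dry run: print the vhost
esac
```

Without arguments the script only prints the vhost it would install; `--install` performs the steps. Box 2 then only needs to serve plain HTTP on its LAN address, and the certificate issued inside the AzuraCast Docker setup is no longer used for the public name. The trade-off, as the reply says, is that the Box 1 to Box 2 hop is unencrypted on the local network.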