Did you actually type DUMP-VHOSTS rather than DUMP_VHOSTS?
Ok, I think we've got this licked!
apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 www.safeandtacticalfirearmstraining.com (/etc/apache2/vhosts.d/STFT-vhost.conf:17)
*:443 www.safeandtacticalfirearmstraining.com (/etc/apache2/vhosts.d/STFT-vhost.conf:58)
Maybe. It really should show the ServerAlias too like it was earlier in this thread.
Can you post current contents of:
/etc/apache2/vhosts.d/STFT-vhost.conf
Yes, you are correct. I used DUMP-VHOSTS instead of DUMP_VHOSTS.
Still need to see this
cat vhosts.d/STFT-vhost.conf
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
<VirtualHost _default_:80>
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
ServerAdmin geno11x11@gmail.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine off
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
SSLUseStapling off
# You can use per vhost certificates if SNI is supported.
# SSLCertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# SSLCertificateFile /etc/apache2/ssl.crt/certificate.crt
# SSLCertificateKeyFile /etc/apache2/ssl.key/private.key
# SSLCertificateChainFile /etc/apache2/ssl.crt/ca-bundle.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
<IfDefine SSL>
<IfDefine !NOSSL>
##
## SSL Virtual Host Context
##
#Listen 80
#Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
ServerAdmin geno11x11@gmail.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
SSLUseStapling on
# You can use per vhost certificates if SNI is supported.
# SSLCertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
SSLCertificateFile /etc/apache2/ssl.crt/certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/private.key
# SSLCertificateChainFile /etc/apache2/ssl.crt/ca-bundle.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>
Okay. Well, the VirtualHost for port 80 has some peculiar and useless lines but it won't hurt. We can tidy that later.
Sometimes the ServerAlias does not appear in DUMP_VHOSTS but it was earlier so that is odd. Let's proceed with getting a fresh cert now.
Can you show the output of these? Just want to reset our info as we proceed. Hopefully not many more steps.
sudo certbot --version
sudo certbot certificates
certbot --version
certbot 1.22.0
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.
Alright, first, comment out this line in your port 443 VirtualHost. It adds too many complications at this stage. It is important to have it off before proceeding.
SSLUseStapling on
Then restart Apache and try this. Just show the result. Please do not proceed beyond that (note the two -d options). This isn't the actual command we will use; it is only a test.
sudo certbot certonly --dry-run --apache -d www.safeandtacticalfirearmstraining.com -d safeandtacticalfirearmstraining.com
sudo certbot certonly --dry-run --apache -d www.safeandtacticalfirearmstraining.com -d safeandtacticalfirearmstraining.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Simulating a certificate request for www.safeandtacticalfirearmstraining.com and safeandtacticalfirearmstraining.com
The dry run was successful.
That's promising. Let's now do this
sudo certbot --apache -d www.safeandtacticalfirearmstraining.com -d safeandtacticalfirearmstraining.com
If successful, you will have a cert and your port 80 VirtualHost will be updated to redirect HTTP to HTTPS. And, your HTTPS VirtualHost will have new lines for the location of the new cert files.
If it is not successful, show the error. If it is, show the STFT config file again so I can manually review that all got changed properly.
sudo certbot --apache -d www.safeandtacticalfirearmstraining.com -d safeandtacticalfirearmstraining.com
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Requesting a certificate for www.safeandtacticalfirearmstraining.com and safeandtacticalfirearmstraining.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/privkey.pem
This certificate expires on 2024-06-22.
These files will be updated when the certificate renews.
Deploying certificate
Successfully deployed certificate for www.safeandtacticalfirearmstraining.com to /etc/apache2/vhosts.d/STFT-vhost.conf
Successfully deployed certificate for safeandtacticalfirearmstraining.com to /etc/apache2/vhosts.d/STFT-vhost.conf
Congratulations! You have successfully enabled HTTPS on https://www.safeandtacticalfirearmstraining.com and https://safeandtacticalfirearmstraining.com
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Excellent. Looks good. Seems to be behaving well with the new cert, but please show the STFT-vhost.conf file so I can look for any issues going forward.
The next steps are to ensure your auto-renew will work and is set up. It normally is, but on OpenSuse I am not sure.
cat vhosts.d/STFT-vhost.conf
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
<VirtualHost _default_:80>
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
ServerAdmin geno11x11@gmail.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine off
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
SSLUseStapling off
# You can use per vhost certificates if SNI is supported.
# SSLCertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# SSLCertificateFile /etc/apache2/ssl.crt/certificate.crt
# SSLCertificateKeyFile /etc/apache2/ssl.key/private.key
# SSLCertificateChainFile /etc/apache2/ssl.crt/ca-bundle.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =safeandtacticalfirearmstraining.com [OR]
RewriteCond %{SERVER_NAME} =www.safeandtacticalfirearmstraining.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfDefine SSL>
<IfDefine !NOSSL>
##
## SSL Virtual Host Context
##
#Listen 80
#Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
ServerAdmin geno11x11@gmail.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
# SSLUseStapling on
# You can use per vhost certificates if SNI is supported.
# SSLCertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# SSLCertificateChainFile /etc/apache2/ssl.crt/ca-bundle.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/privkey.pem
</VirtualHost>
</IfDefine>
</IfDefine>
Good. No problems there. You could remove all the "ssl" related lines from your port 80 VirtualHost. They have no meaning there.
Check that the renew command works
sudo certbot renew --dry-run
And you need to check if you have the renew scheduled. It's done with a cronjob or systemd timer. Here is a topic to check if it is set up on your OpenSuse:
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals
Lastly, ideally you would switch to the "snap" install of Certbot. The version you have is fairly old and dependent on what OpenSuse includes with it. But installing snap on that is complicated. I am not suggesting any changes now, just informing you about a possible future issue. The install options are below but the "messy" part is in the snap install linked to in these steps:
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.safeandtacticalfirearmstraining.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Simulating renewal of an existing certificate for www.safeandtacticalfirearmstraining.com and safeandtacticalfirearmstraining.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Good. You just need to check whether the renew command is automatically scheduled per the link I provided in my prior post.
I deleted the SSL lines in STFT-vhosts.conf
If it's complicated and messy I'll stick with what is working now. I enjoy learning but I'm probably a low intermediate level linux user.
I'll work on cron - what happens if the renewal is late?
If the renewal does not run, your certificate will expire after 90 days. You should be able to follow the instructions in the link I provided about scheduling the renew.
Great. Looks like I'm in business. Thank you for all your valuable time and patience. I intend to go over the steps you and rg305 went through to diagnose the problems. I might have a few more questions.
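An added example, not part of the thread and not certbot or Apache code: the manual review of STFT-vhost.conf after `certbot --apache`, written as a small script. `parse_vhosts` and `audit` are hypothetical helpers, the sample config is a constructed, trimmed copy of the file posted above, and `<IfDefine>` wrappers are ignored.

```python
import re
# Constructed sample: trimmed from the post-certbot STFT-vhost.conf shown in the thread.
SAMPLE_CONF = """\
<VirtualHost _default_:80>
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
SSLEngine off
SSLUseStapling off
# SSLCertificateFile /etc/apache2/ssl.crt/certificate.crt
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost _default_:443>
ServerName www.safeandtacticalfirearmstraining.com
ServerAlias safeandtacticalfirearmstraining.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/privkey.pem
</VirtualHost>
"""

def parse_vhosts(text):
    """Return (port, [(directive, value), ...]) per VirtualHost, skipping comments."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)>", line, re.I)
        if opened:
            cur = (int(opened.group(1)), [])
        elif line.lower().startswith("</virtualhost") and cur:
            vhosts.append(cur)
            cur = None
        elif cur and line and line[0] not in "#<":
            name, _, value = line.partition(" ")
            cur[1].append((name.lower(), value.strip()))
    return vhosts

def audit(text, expected_names):  # hypothetical helper: findings a manual review would raise
    findings = []
    for port, directives in parse_vhosts(text):
        get = lambda key: [v for n, v in directives if n == key]
        if get("sslengine") != ["on"]:  # plain-HTTP vhost: SSL* lines are leftovers
            findings += [f"port {port}: {n} is redundant without SSLEngine on" for n, _ in directives if n.startswith("ssl")]
            if not any(v.startswith("^ https://") for v in get("rewriterule")):
                findings.append(f"port {port}: no HTTP to HTTPS redirect")
            continue
        names = set(" ".join(get("servername") + get("serveralias")).split())
        findings += [f"port {port}: {m} not served" for m in sorted(set(expected_names) - names)]
        dirs = {v.rsplit("/", 1)[0] for v in get("sslcertificatefile") + get("sslcertificatekeyfile")}
        if len(dirs) != 1:
            findings.append(f"port {port}: certificate and key are not from one lineage directory")
    return findings
```

On the sample, `audit` reports only the two leftover SSL lines in the port 80 VirtualHost, which matches the review given in the thread.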