Two Questions: (a) Renewal (b) Invalid Intermediate

For more information see https://httpd.apache.org/docs/current/mod/mod_ssl.html

1 Like

I'm sure that page would be helpful if I knew what I was looking for.

1 Like

"Intermediate" is probably a good keyword to search for.

1 Like

Thanks for nothing. I'll try and get some help elsewhere.

1 Like

Ah, I guess you want a simple cut and clear answer so you won't learn anything? I'm sorry if I refuse to give you a fish so you'd eat for one day. I'm trying to teach you how to fish, so you'll eat for the rest of your life.

I'm terribly sorry you don't see it that way.

Also, before I posted I obviously looked if "intermediate" is indeed a good keyword, which it is...

Furthermore, some light reading for the upcoming weekend: https://en.wikipedia.org/wiki/Autodidacticism

1 Like

That's typically what a help forum is for -- to help people. You're not helping anyone, you're just being jerkish. Knowing the solution saves a ton of time for me to be more productive helping other people, and I'd immediately know the solution for next time.

1 Like

Help can have many different forms. I choose to guide people, not just give answers.

That's your opinion. I've given you hints and tips where you can find the actual answer yourself.

That's also your opinion, which is allowed of course.

You realise that the solution is just like, 5 minutes away, right? Even less probably. Click on the link, press "Ctrl-F", type in the keyword I actually provided against my better judgement, press "Search" or "Next", read and judge the section the keyword is present in et voilà, you've found the solution. Or press "Next" again to go to the next section where you'll judge that section.

For this very specific issue, yes. But for a new issue, you might open a new thread on a Community such as this. If you learn to figure out an issue and the solution to that issue yourself, you might be able to find the solution for the next problem yourself instead of relying on other people. I would advise you to try and be more self-sufficient. I don't mean this jerkishly, but expecting other people to do all the work for you comes across a little lazy. That's one of the reasons I guide instead of just answer. Almost everyone on this Community is a volunteer. We do this by choice. And personally, I detest lazy people expecting answers. On the other hand, if someone is willing to learn, guiding them to an answer is rather rewarding.

1 Like

What will we do when all the people that actually know how die off?

2 Likes

Not everyone who rides a train wants (or needs) to be a train driver.

2 Likes

Not everyone who rides the train steps out of the passenger cabin and into the engine room.
In all fairness, you did cross that line and are no longer "just a passenger" [your clients/users still are].

2 Likes

Hmm, well, I'll decline to debate the relative merits of trains, passengers and engine rooms and the various responsibilities, etc, but if I absolutely know the answer to something, and someone wants to know it, then I simply provide it; I really don't mind if they don't want to learn to fish. Horses for courses; your approach is not one that I'd endorse in this particular situation, but whatever help I get I appreciate, especially as I know it's offered freely.

Still, if you'd like to be even more helpful, maybe you can answer a related question:

Is there anything special I'd need to do in order to get certbot to properly issue certs for a bunch of domains which share the same IP address?

Reason I ask is that when I tried to get a cert done for any single domain of the bunch (i.e. sudo /var/lib/snapd/snap/bin/certbot certonly --apache), it seems to be successful, and provides the cert files, etc, but then the domain fails to work with https (although other sites on the same machine, using the same Apache server, with a GoDaddy-issued cert do work), and whynopadlock.com says (even though it says a cert is current) that "Your SSL certificate appears to be self signed", and "Your SSL certificate does not match your domain name!".

Any helpful hints? Thx!

3 Likes

I can certainly understand the efficiency concerns between researching solutions versus asking questions. It vastly depends upon the circumstances of both sides of the asker-askee equation. Let's please keep it civil though people.

https://community.letsencrypt.org/guidelines

2 Likes

Now, in regards to your questions...

Nope. Just avoid the rate limits.

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers. Exceeding these limits is reported with the error message too many registrations for this IP or too many registrations for this IP range.


certbot performs two functions: acquisition and installation.

Acquiring a certificate is comparatively easy.

If you're seeing a warning about self-signed certificates, it means that your acquired certificates aren't installed (in memory). Try restarting your webserver.

1 Like

That won't actually install the cert(s).
It ONLY gets the cert(s).

So this is expected:

Start your troubleshooting with:
sudo apachectl -S

2 Likes

Thx for the info. I'm actually attempting this on a different server to the previous stuff I was doing, which I'd kinda used as a trial-run, where I eventually got it all working okay, so I figured it should be fairly straightforward, with the same version of CentOS and the same version of Apache, but guess I'm missing something.

Yeah, I was only trying to get the certs, rather than install them, and I manually added the code-block to the vhost in the same manner as before. Also restarted the server, after I tried a couple of different domains, each time, but same problemo. Curious. I'm just trying to do one domain at a time for now, but seems to make little difference.

1 Like

I bow to Rudy's (@rg305) excellent suggestion. Post the output of that command with three backticks on the lines above and below the output.

1 Like

Okay, well, please excuse the slight obfuscation of unrelated domains in the output, but the one I'm attempting this with is shopviews.com, the information of which I've kept as-is. Other than domain names everything is precisely as output.

Actually, I needed to do "httpd -S" on the CentOS server, as apachectl -S didn't produce anything:

$ sudo httpd -S
VirtualHost configuration:
10.0.0.5:*             xyz.com (/etc/httpd/conf/httpd.conf:396)
10.0.0.5:443           xyz.com (/etc/httpd/conf/httpd.conf:428)
51.141.109.36:443      shopviews.com (/etc/httpd/conf/httpd.conf:824)
*:443                  dgbvm.internal.cloudapp.net (/etc/httpd/conf.d/ssl.conf:56)
*:80                   is a NameVirtualHost
         default server xxx.net (/etc/httpd/conf/httpd.conf:464)
         port 80 namevhost xxx.net (/etc/httpd/conf/httpd.conf:464)
                 alias www.xxx.net
                 alias yyy.com
                 alias www.yyy.com
                 alias dpp.com
                 alias www.dpp.com
         port 80 namevhost sbs.co.uk (/etc/httpd/conf/httpd.conf:509)
                 alias www.sbs.co.uk
         port 80 namevhost www.aaa.co.uk (/etc/httpd/conf/httpd.conf:544)
                 alias aaa.co.uk
         port 80 namevhost www.bbb.us (/etc/httpd/conf/httpd.conf:574)
                 alias bbb.us
         port 80 namevhost www.shopviews.com (/etc/httpd/conf/httpd.conf:796)
                 alias shopviews.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="apache" id=48
Group: name="apache" id=48

I've tried using a vhost both as (a) and then as (b) below, but same result with each.

<VirtualHost 51.141.109.36:443>
ServerName shopviews.com
ServerAlias www.shopviews.com
...
</VirtualHost>


<VirtualHost *:443>
ServerName shopviews.com
ServerAlias www.shopviews.com
...
</VirtualHost>

FYI, note that the 10.0.0.5 IP address is mapped to a secondary public IP address, and is separate to all the others. That is, all the other domains listed share a completely different IP (as given). (And, as already noted, the domain with the GoDaddy cert, xyz.com, works fine.)

Thank you in advance for any help in the right direction.

2 Likes

How is this working?
10.0.0.5:* xyz.com (/etc/httpd/conf/httpd.conf:396)
Are you really trying to bind httpd to every single port on that IP?

This will only bind if this address is actually on the local system:
51.141.109.36:443 shopviews.com (/etc/httpd/conf/httpd.conf:824)
Please show:
sudo ifconfig | grep -Ei 'add|inet'

Please show the server block that contains: /etc/httpd/conf/httpd.conf:796

2 Likes
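The check Rudy is hinting at can be scripted. What follows is an added example, not code from this thread, from certbot or from Apache: it takes `httpd -S` output and `ip -4 -o addr` output (both embedded here as constructed samples shaped like the output posted above) and reports every address-specific vhost whose IP is not configured on the host, together with the `*:443` vhost that answers instead. Such a vhost never matches a request, so a TLS connection for that name is served by the default vhost from ssl.conf and its certificate, which is exactly what a "self signed" / "does not match your domain name" report looks like from outside. The sample addresses and the assumption that the public address is NATed rather than present on an interface are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: cross-check the IP-specific
# "<VirtualHost addr:port>" entries that `httpd -S` reports against the
# addresses configured on the host. A vhost bound to an address that is
# not local never matches a request; on port 443 the request then falls
# through to the "*:443" default vhost and the certificate it serves
# (on CentOS the one referenced in ssl.conf unless that file was edited).

# Constructed sample of `httpd -S` output, shaped like the thread's.
HTTPD_S_SAMPLE='VirtualHost configuration:
10.0.0.5:*             xyz.com (/etc/httpd/conf/httpd.conf:396)
10.0.0.5:443           xyz.com (/etc/httpd/conf/httpd.conf:428)
51.141.109.36:443      shopviews.com (/etc/httpd/conf/httpd.conf:824)
*:443                  dgbvm.internal.cloudapp.net (/etc/httpd/conf.d/ssl.conf:56)
*:80                   is a NameVirtualHost
         default server xxx.net (/etc/httpd/conf/httpd.conf:464)'

# Constructed sample of `ip -4 -o addr` output. Assumption for the example:
# the VM only has a private address; its public address is NATed by the
# cloud provider and therefore never appears on a local interface.
IP_ADDR_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0'

# local_addrs TEXT: print each local IPv4 address (one per line) found in
# `ip -o addr` style output.
local_addrs() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i == "inet") { split($(i + 1), a, "/"); print a[1] }
  }'
}

# unbound_vhosts HTTPD_S_TEXT IP_ADDR_TEXT: print "ADDR:PORT NAME (FILE:LINE)"
# for every IP-specific vhost whose address is not local. Wildcard ("*")
# vhosts always bind and are skipped.
unbound_vhosts() {
  locals="$(local_addrs "$2" | tr '\n' ' ')"
  printf '%s\n' "$1" | awk -v locals="$locals" '
    BEGIN { n = split(locals, l, " "); for (i = 1; i <= n; i++) have[l[i]] = 1 }
    /^[0-9*][^ ]*:[0-9*]+ / {
      split($1, ap, ":")
      if (ap[1] == "*") next          # wildcard vhost: always binds
      if (!(ap[1] in have)) print $1, $2, $3
    }'
}

# fallback_vhost HTTPD_S_TEXT PORT: name of the "*:PORT" vhost, i.e. the one
# that answers when no address-specific vhost matches on that port.
fallback_vhost() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == ("*:" p) { print $2; exit }'
}

# Stand-alone report on the constructed samples. On a real host replace the
# samples with "$(httpd -S 2>&1)" and "$(ip -4 -o addr)".
report() {
  unbound="$(unbound_vhosts "$HTTPD_S_SAMPLE" "$IP_ADDR_SAMPLE")"
  if [ -z "$unbound" ]; then
    echo "all address-specific vhosts bind to a local address"
    return 0
  fi
  echo "vhosts bound to a non-local address (they will never match):"
  printf '  %s\n' "$unbound"
  echo "requests on :443 will instead reach: $(fallback_vhost "$HTTPD_S_SAMPLE" 443)"
  return 1
}

report || true
```

On the sample data the script flags `51.141.109.36:443 shopviews.com` and names `dgbvm.internal.cloudapp.net` as the vhost that will actually answer on 443, which is the same conclusion as reading the `httpd -S` output and `ifconfig` side by side; the point of scripting it is that the comparison is easy to get wrong by eye once a host has a dozen vhosts and several aliases.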

Okay, got it working. Thx.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.