Unable to Renew Root Domain (Subdomains Renew Fine)

We'll find out once they quit stopping Apache before-hand :slight_smile:


:scream_cat:


Removing the pre- and post- hooks worked; root cert looks good now. Any advice on shrinking recipes? Also, thank you for all of your help so far!


Before starting recipes let's finish with the root domain. I forgot to include the deploy hook to reload Apache. Since Apache was not reloaded it is still using the older cert for jns.enterprises.

It's unfortunate you have an older Certbot as there are better options but this should work

```
sudo certbot renew --cert-name jns.enterprises --deploy-hook "service apache2 reload"
```

A reload simply updates the configs without disrupting active requests (unlike stop/start)


Done. From what I can tell it worked as expected.


Yes, that much worked. But, your Apache config is not correct for the certs. Would you please show the VirtualHost config for jns.enterprises? Just need to see ALL the lines with sslcertificate in them (I think you have 3).

@JNSEnterprises And, jumping ahead a bit. Show the result of this --dry-run

```
sudo certbot certonly --cert-name recipes.jns.enterprises --webroot -w /var/www/html -d recipes.jns.enterprises --dry-run --deploy-hook "service apache2 reload"
```

Should ask you to confirm removal of the other two domains and allow that update


These three?

```
SSLCertificateFile      /etc/letsencrypt/live/jns.enterprises/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/jns.enterprises/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/jns.enterprises/privkey.pem
```

Dry run on removing the domains appears to have worked. Any reason not to execute that piece now?

Should be fine to do without --dry-run now

Also, for this

Change these 3 lines to be just these 2. Follow this pattern for all of your VirtualHosts as they all have the same error

```
SSLCertificateFile      /etc/letsencrypt/live/jns.enterprises/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/jns.enterprises/privkey.pem
```

Currently your certs fail validation, although browsers might ignore the error. Still, best to have it right. Check them with an SSL Checker site like this one


I was able to shrink the cert and make the configuration changes you suggested, and in validating through the SSL Checker site have all green checkmarks. Looks like all is good?


Certainly much progress made and at least all are working reliably. To recap ...
jns.enterprises cert renewal now works and uses --webroot with a deploy-hook to gracefully reload Apache.

recipes.jns.enterprises switched from standalone to --webroot also with a graceful deploy-hook reload. And, shrunk to just its own domain name.

And, all 4 domain names now use the proper Apache sslcertificate lines

But,

football.jns.enterprises still uses --standalone which requires Apache to be stopped to renew that cert. This would be fairly easy to switch to --webroot like with recipes

webmail.jns.enterprises also uses --standalone but would need fix of a faulty redirect before converting to --webroot.

So, it's up to you how to proceed. football and webmail should renew fine; they just require downtime to Apache while the cert is renewed. If you don't care I don't care :slight_smile:

There is also the issue of you using an older Certbot, but I am just not sure how easy it is to use the snap install for Certbot on Raspbian 11.


Could we take a look at the faulty redirect? I don't really know what that means, but it doesn't sound good.

Sure, we'll need to see the VirtualHost definitions (port 80 and 443) for that domain. Please use 3 backticks before and after, otherwise we will lose some Apache tags. Like:
```
VirtualHost info
```
Symptoms are:

This request redirects okay
```
curl -IL http://webmail.jns.enterprises
HTTP/1.1 302 Found
Location: https://webmail.jns.enterprises
```

(not sure why I get 500 but that's a different problem)
```
HTTP/1.0 500 Internal Server Error
Date: Tue, 12 Sep 2023 16:55:40 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
```

This does not redirect correctly.
Probably not affecting routine use but affects Let's Encrypt HTTP Challenge
Note a slash is missing before Test ...
```
curl -IL http://webmail.jns.enterprises/Test
HTTP/1.1 302 Found
Server: Apache
Location: https://webmail.jns.enterprisesTest
```

... so when following the redirect this happens
```
curl: (6) Could not resolve host: webmail.jns.enterprisesTest
```

Hopefully this works:

```
Alias /roundcubeemail /var/www/html/roundcubeemail/public_html

# users will prefer a simple URL like http://webmail.example.com
<VirtualHost *:80>
  DocumentRoot /var/www/html/roundcubeemail/public_html
  ServerName webmail.jns.enterprises
  Redirect / https://webmail.jns.enterprises

<Directory /var/www/html/roundcubeemail>
  Options -Indexes
  AllowOverride All
</Directory>

<Directory /var/www/html/roundcubeemail/config>
  Order Deny,Allow
  Deny from All
</Directory>

<Directory /var/www/html/roundcubeemail/temp>
  Order Deny,Allow
  Deny from All
</Directory>

<Directory /var/www/html/roundcubeemail/logs>
  Order Deny,Allow
  Deny from All
</Directory>
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /var/www/html/roundcubeemail/public_html
  ServerName webmail.jns.enterprises

<Directory /var/www/html/roundcubeemail>
  Options -Indexes
  AllowOverride All
</Directory>

<Directory /var/www/html/roundcubeemail/config>
  Order Deny,Allow
  Deny from All
</Directory>

<Directory /var/www/html/roundcubeemail/temp>
  Order Deny,Allow
  Deny from All
</Directory>

<Directory /var/www/html/roundcubeemail/logs>
  Order Deny,Allow
  Deny from All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

SSLEngine on
SSLCertificateFile      /etc/letsencrypt/live/webmail.jns.enterprises/fullchain>
SSLCertificateKeyFile   /etc/letsencrypt/live/webmail.jns.enterprises/privkey.p>

</VirtualHost>
</IfModule>
```

Hmm. I don't see anything to cause that failing redirect. Check the base apache config and any .htaccess you might have.

Also check that this is the actual config files handling that domain with

```
sudo apache2ctl -t -D DUMP_VHOSTS
```

(you might need httpd or apachectl instead of apache2ctl - I don't recall RaspPi)

You can use Let's Debug to test your changes


Okay, looks like I've fixed it. Issue was 6th line from the top. Needed a / on the end:

```
Redirect / https://webmail.jns.enterprises/
```

Good eye.

If you want to get football and webmail on webroot method just follow this pattern. Make sure the dry-run works first. Just swap out both instances of NAME for the other domain name. I think with your Alias the webroot path (-w folder) is the same but not certain.


Dry and live runs both worked - any other issues you've seen with the certs/server workings? If not, thank you so much for your help! As you can probably tell, back when I set things up I was just trying to get the pages to load (using various Google'd resources); it's nice to have everything working properly now!

I take that back, webmail didn't work - too early in the morning and I was thinking recipes. Here's the webmail error:

Command:

```
sudo certbot certonly --cert-name webmail.jns.enterprises --webroot -w /var/www/html -d webmail.jns.enterprises --dry-run --deploy-hook "service apache2 reload"
```

Output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for webmail.jns.enterprises
Performing the following challenges:
http-01 challenge for webmail.jns.enterprises
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain webmail.jns.enterprises
http-01 challenge for webmail.jns.enterprises
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webmail.jns.enterprises
   Type:   unauthorized
   Detail: 136.32.171.191: Invalid response from
   https://webmail.jns.enterprises/.well-known/acme-challenge/iutrJ46IfA_TwcctCWXpZM0c5nRi2D-71yCvxPVQb2M:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

The 404 Error means it could not find the challenge token. Probably because the webroot path is different for your webmail. Can you show the virtual host config for that?

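The three problems worked through in this thread (the 3-line SSLCertificate* pattern, the `Redirect` target missing its trailing slash, and the `-w` webroot not matching the vhost's DocumentRoot) can all be caught by reading the VirtualHost config before running certbot. The checker below is an added example, not code from the thread, from Certbot or from Apache; the vhost text it audits is constructed from the configuration the poster shared, and `TOKEN` stands in for a real challenge token. The `apache_redirect` function models the documented mod_alias behaviour (the remainder of the request path is appended verbatim to the target URL), which is exactly why the missing slash turns `/Test` into `https://webmail.jns.enterprisesTest`. The DocumentRoot check assumes there is no separate Alias for `/.well-known`.

```python
"""Audit an Apache VirtualHost snippet for the three Let's Encrypt renewal
problems discussed in this thread.  Added example, not code from the thread,
Certbot or Apache; the config below is constructed from the posted vhost."""
from urllib.parse import urlsplit

# Path Let's Encrypt requests during the http-01 challenge (TOKEN is a placeholder).
ACME_PATH = "/.well-known/acme-challenge/TOKEN"

# Constructed "before" config: Redirect without trailing slash and the
# 3-line SSLCertificate* pattern the helper asked to replace.
BROKEN_VHOST = """\
<VirtualHost *:80>
  DocumentRoot /var/www/html/roundcubeemail/public_html
  ServerName webmail.jns.enterprises
  Redirect / https://webmail.jns.enterprises
</VirtualHost>
<VirtualHost *:443>
  DocumentRoot /var/www/html/roundcubeemail/public_html
  ServerName webmail.jns.enterprises
  SSLEngine on
  SSLCertificateFile      /etc/letsencrypt/live/webmail.jns.enterprises/cert.pem
  SSLCertificateChainFile /etc/letsencrypt/live/webmail.jns.enterprises/fullchain.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/webmail.jns.enterprises/privkey.pem
</VirtualHost>
"""

# Constructed "after" config with both fixes from the thread applied.
FIXED_VHOST = BROKEN_VHOST.replace(
    "Redirect / https://webmail.jns.enterprises\n",
    "Redirect / https://webmail.jns.enterprises/\n",
).replace(
    "  SSLCertificateFile      /etc/letsencrypt/live/webmail.jns.enterprises/cert.pem\n"
    "  SSLCertificateChainFile /etc/letsencrypt/live/webmail.jns.enterprises/fullchain.pem\n",
    "  SSLCertificateFile      /etc/letsencrypt/live/webmail.jns.enterprises/fullchain.pem\n",
)


def parse_directives(config):
    """Return (name, args) pairs for every directive line, skipping
    comments, blank lines and <Section> open/close tags."""
    directives = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def apache_redirect(url_path, target, request_path):
    """Model mod_alias Redirect: whatever follows the matched URL-path
    prefix is appended verbatim to the target URL.  Apache inserts no
    slash, so a target without one glues the path onto the hostname."""
    if not request_path.startswith(url_path):
        return None
    return target + request_path[len(url_path):]


def check_redirects(directives):
    """Flag Redirects that send the ACME challenge to the wrong host or path."""
    findings = []
    for name, args in directives:
        if name.lower() != "redirect" or len(args) < 2:
            continue
        url_path, target = args[-2], args[-1]  # an optional status code comes first
        landed = apache_redirect(url_path, target, ACME_PATH)
        if landed is None:
            continue
        if (urlsplit(landed).hostname != urlsplit(target).hostname
                or urlsplit(landed).path != ACME_PATH):
            findings.append(f"Redirect {url_path} {target}: challenge would be requested at {landed}")
    return findings


def check_ssl_directives(directives):
    """Flag the leaf-only cert.pem + SSLCertificateChainFile pattern."""
    findings = []
    for name, args in directives:
        key = name.lower()
        if key == "sslcertificatechainfile":
            # Obsolete since Apache 2.4.8: SSLCertificateFile reads the
            # intermediates from fullchain.pem itself.
            findings.append(f"{name} present ({args[0]}); remove it")
        elif key == "sslcertificatefile" and args and args[0].endswith("/cert.pem"):
            findings.append(f"{name} points at leaf-only {args[0]}; use fullchain.pem")
    return findings


def check_webroot(directives, webroot):
    """Flag a DocumentRoot that differs from the -w path given to certbot:
    the token is then written where Apache never serves it (HTTP 404).
    Assumes no separate Alias covers /.well-known."""
    roots = sorted({args[0] for name, args in directives
                    if name.lower() == "documentroot" and args})
    return [f"certbot -w {webroot} but DocumentRoot is {r}" for r in roots if r != webroot]


def audit(config, webroot):
    """Run all three checks and return the list of findings (empty = clean)."""
    d = parse_directives(config)
    return check_redirects(d) + check_ssl_directives(d) + check_webroot(d, webroot)


if __name__ == "__main__":
    print("before:", audit(BROKEN_VHOST, "/var/www/html") or ["OK"])
    print("after: ", audit(FIXED_VHOST, "/var/www/html/roundcubeemail/public_html") or ["OK"])
```

Run against the constructed "before" config with the thread's original `-w /var/www/html`, the audit reports four findings; with the slash added, the SSL lines reduced to fullchain.pem and privkey.pem, and `-w` pointed at the vhost's DocumentRoot, it reports none. A `--dry-run` is still the final word, but this catches the config mistakes before Apache has to be touched.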

Yep that did it. Thank you again!

