Univention Corporate Server: no renewal possible

Since last fall I have permanently had issues with the certificates, which I could resolve. But now I have no idea what the reason for the problem below is.

I can call my server from internet with http and https. The recent Apache settings worked in the past while renewing the certificates.


My domain is: dav.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de smtp.kmvw-io.de mail.kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de

I ran this command: sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert

It produced this output:
Sa 5. Feb 12:37:50 CET 2022
Refreshing certificate for following domains:
dav.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de smtp.kmvw-io.de mail.kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de
Parsing account key...
Parsing CSR...
Found domains: ucs.kmvw-io.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying ucs.kmvw-io.de...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for ucs.kmvw-io.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg', u'hostname': u'ucs.kmvw-io.de', u'addressUsed': u'84.153.195.198', u'port': u'80', u'addressesResolved': [u'84.153.195.198']}, {u'url': u'https://ucs.kmvw-io.de/[https:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg', u'hostname': u'ucs.kmvw-io.de', u'addressUsed': u'84.153.195.198', u'port': u'443', u'addressesResolved': [u'84.153.195.198']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/75460827640/cEDLYQ', u'token': u'3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://ucs.kmvw-io.de/[https:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg [84.153.195.198]: "\n\n404 Not Found\n\nNot Found\n<p"'}, u'validated': u'2022-02-05T11:37:56Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'ucs.kmvw-io.de'}, u'expires': u'2022-02-12T11:37:54Z'}

My web server is (include version): Apache 2.4.25-3+deb9u12A~4.4.8.202202021239

The operating system my web server runs on is (include version): Univention Corporate Server 4.4.8 based on Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): PuTTY with root permissions, web-interface

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Univention Letsencrypt Version 1.2.2-20, contains acme.py but no "certbot"

It looks like there's a mismatch between what apache serves under .well-known/acme-challenge and where your acme client is writing the challenge files.

Does your acme client know the correct path for your apache's webroot?

I can call in my browser
https://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg

/usr/share/univention-letsencrypt/refresh-cert contains the line:

# get new signed certificate
/usr/share/univention-letsencrypt/acme_tiny.py --disable-check ${useStaging} --account-key "$DIR_LE/account.key" --csr "$DIR_LE/domain.csr" --acme-dir "/var/www/.well-known/acme-challenge/" > "$TMPFN"

and the folder /var/www/.well-known/acme-challenge/ is the right one.

In the error message above, the entry containing this URL appears two times:

 https://ucs.kmvw-io.de/[https:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg

It looks strange, like a merge of two URLs, and a square bracket seems to be missing at the end.

I think you're right. At most, you missed an html as in /var/www/html/.well-known/acme-challenge/ but that depends on your config and your config only. (acme_tiny.py is strange, options mean different things)

Yes it looks strange but I don't know if that's an actual problem; can you check the apache access or error logs to see what's the actual address tried?

1 Like

In my configuration (default) the folder html only contains the Debian Apache default index.html file. The acme_challenge folder really is in /var/www/.well-known and the apache config file "says" the same.

Here you get the access_log from same time as the letsencrypt output above:

18.192.36.99 - - [05/Feb/2022:12:37:56 +0100] "GET /.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 301 732 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.192.36.99 - - [05/Feb/2022:12:37:56 +0100] "GET /%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 404 4320 "http://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.39.4.59 - - [05/Feb/2022:12:37:57 +0100] "GET /.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 301 732 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.116.86.117 - - [05/Feb/2022:12:37:57 +0100] "GET /.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 301 732 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [05/Feb/2022:12:37:57 +0100] "GET /.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 301 732 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.39.4.59 - - [05/Feb/2022:12:37:58 +0100] "GET /%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 404 4320 "http://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.116.86.117 - - [05/Feb/2022:12:37:58 +0100] "GET /%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 404 4320 "http://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [05/Feb/2022:12:37:58 +0100] "GET /%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg HTTP/1.1" 404 4320 "http://ucs.kmvw-io.de/.well-known/acme-challenge/3HzF75dkdjH8al9MN6QuquqK-XKT76YhgOngrkFsYlg" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

The last three lines contain the 404 error, but what is the reason?
Very strange is the /%5b at the beginning of the URI, which stands for [

That's strange. Check how your CSR gets generated. What domains get included.

I assume there's some bug there. (And also in boulder, if it makes a request to some random path)

1 Like

I did add a few lines in my posting above, while you were writing your latest posting.

Because Letsencrypt killed the domain.csr (set "0" bytes) I did create it manually.

root@ucs:/etc/univention/letsencrypt# openssl req -text -noout -verify -in domain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Yes, I assume you are asking for a certificate with literally

ucs.kmvw-io.de/[https:/ucs.kmvw-io.de

as a domain name, and similar ones. How do these strings get in your CSR, I do not know.

Why doesn't boulder catch it as an invalid domain, I don't know either

Check "Subject Alternative Name" not just "Common Name"

1 Like

I get:

root@ucs:/etc/univention/letsencrypt# openssl x509 -text -noout -in chain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxx
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec  5 07:05:58 2021 GMT
            Not After : Mar  5 07:05:57 2022 GMT
        Subject: CN = ucs.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...

X509v3 Subject Alternative Name:
                DNS:autoconfig.kmvw-io.de, DNS:autodiscover.kmvw-io.de, DNS:kmvw-io.de, DNS:mail.kmvw-io.de, DNS:smtp.kmvw-io.de, DNS:ucs.kmvw-io.de, DNS:web.kmvw-io.de
...

That's for the valid, already issued certificate. You need to check the CSR.

1 Like
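
Checking the CSR, as an added example that is not part of this thread or of the Univention scripts: a POSIX shell script that builds a CSR carrying every hostname in the X509v3 Subject Alternative Name extension (via an OpenSSL config file, which also works with the OpenSSL shipped in Debian 9) and then lists the names an ACME client such as acme_tiny would find in it. The output directory and the hostnames are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread or from univention-letsencrypt.
# Builds a CSR that carries every hostname in the X509v3 Subject Alternative
# Name extension (the OpenSSL config-file route, which also works with the
# OpenSSL 1.1.0 shipped in Debian 9) and lists what an ACME client will find.
set -eu

# make_san_csr OUTDIR CN_HOST [MORE_HOSTS...]
# The first hostname becomes the CN; all of them go into subjectAltName.
make_san_csr() {
    outdir=$1; shift
    cn=$1
    san=""
    for host in "$@"; do
        san="${san:+$san,}DNS:$host"
    done
    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    # 2048-bit key to keep the demo quick; the thread's key is 4096 bit.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/domain.key" -out "$outdir/domain.csr" \
        -config "$outdir/csr.cnf" 2>/dev/null
}

# csr_domains CSRFILE: print "CN  name" for each Subject CN and "SAN name" for
# each DNS entry. acme_tiny takes the first CN plus every SAN entry, so a CSR
# whose Subject only repeats CN= for each host (as in this thread) yields a
# single domain.
csr_domains() {
    openssl req -in "$1" -noout -text \
        | grep -oE '(CN ?= ?|DNS:)[A-Za-z0-9.*-]+' \
        | sed -E 's/^CN ?= ?/CN  /; s/^DNS:/SAN /'
}

# Usage: sh san-csr.sh OUTDIR HOST [HOST...]
if [ "$#" -ge 2 ]; then
    make_san_csr "$@"
    echo "Domains an ACME client will find in $1/domain.csr:"
    csr_domains "$1/domain.csr"
fi
```

Run it against an existing domain.csr with just `csr_domains` to see whether the hostnames are listed as SAN entries or only as repeated CN values.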

Sorry, I did not read your posting properly enough :wink:

root@ucs:/etc/univention/letsencrypt# openssl req -in domain.csr -text -noout
root@ucs:/etc/univention/letsencrypt# openssl req -text -noout -verify -in domain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de, CN = dav.kmvw-io.de, CN = mail.kmvw-io.de, CN = web.kmvw-io.de, CN = smtp.kmvw-io.de, CN = autoconfig.kmvw-io.de, CN = autodiscover.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...

It does not seem to contain alternate names - maybe caused by the error which is the reason for this thread.

I did recreate the CSR and executed the script again - now I get different error messages:

root@ucs:/etc/univention/letsencrypt# sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert
Sa 5. Feb 16:48:05 CET 2022
Refreshing certificate for following domains:
kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de dav.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de  smtp.kmvw-io.de mail.kmvw-io.de
Parsing account key...
Parsing CSR...
Found domains: ucs.kmvw-io.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying ucs.kmvw-io.de...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for ucs.kmvw-io.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA', u'hostname': u'ucs.kmvw-io.de', u'addressUsed': u'84.153.195.198', u'port': u'80', u'addressesResolved': [u'84.153.195.198']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/75514231160/jxZ8lQ', u'token': u'HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA [84.153.195.198]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>500 Internal Server Error</title>\\n</head><body>\\n<h1>Inter"'}, u'validated': u'2022-02-05T15:48:11Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'ucs.kmvw-io.de'}, u'expires': u'2022-02-12T15:48:09Z'}

Apache access_log:

18.159.196.172 - - [05/Feb/2022:16:48:11 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.116.86.117 - - [05/Feb/2022:16:48:12 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.221.255.206 - - [05/Feb/2022:16:48:12 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [05/Feb/2022:16:48:14 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
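
As an added example (not code from the thread or from univention-letsencrypt), a small Python script that picks the validator's requests out of an Apache access log like the two excerpts above, URL-decodes the paths (so /%5b shows up as the literal [) and gives a first verdict per hit. The log lines it contains are constructed in the style of the ones above, with documentation IP addresses and an assumed hostname.

```python
"""Added example (not from the thread or from univention-letsencrypt): triage the
Let's Encrypt validator's http-01 requests in an Apache access log.

For each hit by the validation server it reports the URL-decoded path (so
/%5b... shows up as the literal '['), the status code and a first verdict.
SAMPLE_LOG is constructed in the style of the thread's excerpts, with
documentation IPs and an assumed hostname."""
import re
from urllib.parse import unquote

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
VALIDATOR_UA = "Let's Encrypt validation server"

SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2022:12:37:56 +0100] "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1" 301 732 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [05/Feb/2022:12:37:56 +0100] "GET /%5bhttps:/ucs.example.org/.well-known/acme-challenge/TOKEN1 HTTP/1.1" 404 4320 "http://ucs.example.org/.well-known/acme-challenge/TOKEN1" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [05/Feb/2022:16:40:01 +0100] "GET /.well-known/acme-challenge/TOKEN2 HTTP/1.1" 200 87 "-" "curl/7.52.1"
203.0.113.11 - - [05/Feb/2022:16:48:11 +0100] "GET /.well-known/acme-challenge/TOKEN2 HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
""".splitlines()


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # "/%5bhttps:/..." -> "/[https:/..."
    return rec


def validator_hits(lines):
    """Keep only requests made by the Let's Encrypt validation server."""
    return [r for r in map(parse_line, lines) if r and VALIDATOR_UA in r["ua"]]


def verdict(rec):
    path, status, referer = rec["path"], rec["status"], rec["referer"]
    on_challenge_path = path.startswith(CHALLENGE_PREFIX)
    if status == 200 and on_challenge_path:
        return "ok: token served over plain HTTP"
    if status in (301, 302, 307, 308):
        return "redirect: the validator follows it, so the target must also work"
    if status == 404 and not on_challenge_path and CHALLENGE_PREFIX in referer:
        return ("404 after a redirect from %s: the Location the plain-HTTP vhost "
                "sent is malformed, it points at %s" % (referer, path))
    if status == 404:
        return "404: no token file under the aliased acme-challenge directory"
    if status >= 500:
        return "%d: Apache itself failed on the plain-HTTP vhost, check error.log" % status
    return "%d: unexpected status" % status


def diagnose(lines):
    """Return (ip, decoded_path, status, verdict) for every validator hit."""
    return [(r["ip"], r["path"], r["status"], verdict(r)) for r in validator_hits(lines)]


if __name__ == "__main__":
    for ip, path, status, why in diagnose(SAMPLE_LOG):
        print("%-14s %3d %s\n    %s" % (ip, status, path, why))
```

Feed it the real access.log (`diagnose(open("/var/log/apache2/access.log"))`) right after a failed refresh-cert run to see which of the three situations from this thread applies.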

Making progress. Check your Apache config for why it responds with http error 500

You could test using this, which should result in a 404, to see why you get a 500 instead

 curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/ForumTest_123
2 Likes

@MikeMcQ:
Thank you - that helped me a little bit:
If I call https

curl -I https://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2022 16:36:02 GMT
Server: Apache/2.4.25 (Univention)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Sat, 05 Feb 2022 15:48:10 GMT
ETag: "57-5d7474b58d5a4"
Accept-Ranges: bytes
Content-Length: 87

it works.

If I call http

curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 500 Internal Server Error
Date: Sat, 05 Feb 2022 16:34:41 GMT
Server: Apache/2.4.25 (Univention)
Connection: close
Content-Type: text/html; charset=iso-8859-1

I get the error 500.

Now I have to find out why verification over http does not work anymore. I guess that somewhere a redirection to https is hidden.

Yes, Let's Encrypt always makes an HTTP request. You can redirect it to HTTPS if you want but best would be to respond correct to HTTP request.

2 Likes

I know this, because I have been working with Letsencrypt on several servers for more than 2 years.

But since the trouble with the expired Letsencrypt root certificate and its "workarounds" to get the successor to work, a lot of problems have arisen.

Very strange: If I call f.ex. web.kmvw-io.de with http, I get a reply. If I call it with the .well-known over http, I get an error 500, but everything still worked in December.

Something must have changed in your Apache setup since then. If you can't figure it out, show the results of this and maybe someone here will see the problem.

sudo apachectl -S
2 Likes

Seems to look good:

root@ucs:/etc/univention/letsencrypt# apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server ucs.kmvw-io.de (/etc/apache2/sites-enabled/000-default.conf:13)
         port 80 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/000-default.conf:13)
         port 80 namevhost ucs-sso.kmvw-io.de (/etc/apache2/sites-enabled/univention-saml.conf:63)
*:443                  is a NameVirtualHost
         default server ucs.kmvw-io.de (/etc/apache2/sites-enabled/default-ssl.conf:17)
         port 443 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/default-ssl.conf:17)
         port 443 namevhost dav.kmvw-io.de (/etc/apache2/sites-enabled/kdav.conf:2)
         port 443 namevhost kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:21)
         port 443 namevhost autodiscover.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:42)
         port 443 namevhost autoconfig.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:63)
         port 443 namevhost web.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:84)
         port 443 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:105)
         port 443 namevhost smtp.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:126)
         port 443 namevhost mail.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:147)
         port 443 namevhost ucs-sso.kmvw-io.de (/etc/apache2/sites-enabled/univention-saml.conf:38)
         port 443 namevhost web.kmvw-io.de (/etc/apache2/sites-enabled/web.kmvw-io.de.conf:3)
                 alias web.kmvw-io.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

Would you show the contents of this:

UPDATE: And this too for comparison since it works better

2 Likes

000-default.conf:

<VirtualHost *:80>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
</VirtualHost>

univention-letsencrypt.conf:



alias /.well-known/acme-challenge/ /var/www/.well-known/acme-challenge/

<Directory /var/www/.well-known/acme-challenge/>
                   AllowOverride None
                   Options -Indexes
                   Require all granted
</Directory>

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName autodiscover.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName autoconfig.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName web.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName ucs.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName smtp.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName mail.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

</IfModule>

default-ssl.conf

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud


    Redirect 301 /.well-known/carddav https://ucs.kmvw-io.de/nextcloud/remote.php/dav
    Redirect 301 /.well-known/caldav https://ucs.kmvw-io.de/nextcloud/remote.php/dav
    Redirect 301 /.well-known/webfinger https://ucs.kmvw-io.de/nextcloud/index.php/.well-known/webfinger
    Redirect 301 /.well-known/nodeinfo https://ucs.kmvw-io.de/nextcloud/index.php/.well-known/nodeinfo
</VirtualHost>
</IfModule>

Are there any files in that folder? Can you show them?

The post you made that showed result of apachectl -S is missing. Did you delete it?

2 Likes