Univention Corporate Server: no renewal possible

That's strange. Check how your CSR gets generated. What domains get included.

I assume there's some bug there. (And also in boulder, if it makes a request to some random path)

1 Like

I did add a few lines in my posting above, while you were writing your latest posting.

Because Letsencrypt killed the domain.csr (set "0" bytes) I did create it manually.

root@ucs:/etc/univention/letsencrypt# openssl req -text -noout -verify -in domain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Yes, I assume you are asking for a certificate with literally

ucs.kmvw-io.de/[https:/ucs.kmvw-io.de

as a domain name, and similar ones. How do these strings get in your CSR, I do not know.

Why doesn't boulder catch it as an invalid domain, I don't know either

Check "Subject Alternative Name" not just "Common Name"

1 Like

I get:

root@ucs:/etc/univention/letsencrypt# openssl x509 -text -noout -in chain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxx
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec  5 07:05:58 2021 GMT
            Not After : Mar  5 07:05:57 2022 GMT
        Subject: CN = ucs.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...

X509v3 Subject Alternative Name:
                DNS:autoconfig.kmvw-io.de, DNS:autodiscover.kmvw-io.de, DNS:kmvw-io.de, DNS:mail.kmvw-io.de, DNS:smtp.kmvw-io.de, DNS:ucs.kmvw-io.de, DNS:web.kmvw-io.de
...

That's for the valid, already issued certificate. You need to check the CSR.

1 Like

Sorry, I did not read your posting properly enough :wink:

root@ucs:/etc/univention/letsencrypt# openssl req -in domain.csr -text -noout
root@ucs:/etc/univention/letsencrypt# openssl req -text -noout -verify -in domain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de, CN = dav.kmvw-io.de, CN = mail.kmvw-io.de, CN = web.kmvw-io.de, CN = smtp.kmvw-io.de, CN = autoconfig.kmvw-io.de, CN = autodiscover.kmvw-io.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...

It does not seem to contain alternate names. - Maybe caused by the error, which is the reason of this thread.

I did recreate the CSR and executed the script again - now I get different error messages:

root@ucs:/etc/univention/letsencrypt# sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert
Sa 5. Feb 16:48:05 CET 2022
Refreshing certificate for following domains:
kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de dav.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de  smtp.kmvw-io.de mail.kmvw-io.de
Parsing account key...
Parsing CSR...
Found domains: ucs.kmvw-io.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying ucs.kmvw-io.de...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for ucs.kmvw-io.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA', u'hostname': u'ucs.kmvw-io.de', u'addressUsed': u'84.153.195.198', u'port': u'80', u'addressesResolved': [u'84.153.195.198']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/75514231160/jxZ8lQ', u'token': u'HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA [84.153.195.198]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>500 Internal Server Error</title>\\n</head><body>\\n<h1>Inter"'}, u'validated': u'2022-02-05T15:48:11Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'ucs.kmvw-io.de'}, u'expires': u'2022-02-12T15:48:09Z'}

Apache access_log:

18.159.196.172 - - [05/Feb/2022:16:48:11 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.116.86.117 - - [05/Feb/2022:16:48:12 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.221.255.206 - - [05/Feb/2022:16:48:12 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [05/Feb/2022:16:48:14 +0100] "GET /.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA HTTP/1.1" 500 817 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
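The CSR check discussed above, as an added example that is not part of the thread and not the code of acme_tiny.py: it reads `openssl req -text -noout` output, lists the names a client would request, and flags wanted names that are missing and names that are not valid hostnames. It assumes the client takes the first Subject CN plus the SAN DNS entries, which matches the "Found domains: ucs.kmvw-io.de" line in the log; `csr_names`, `audit_csr` and the sample strings are hypothetical names, and the samples are constructed from lines shown in the thread.

```python
import re

# Constructed sample: multi-CN Subject as in the thread's CSR dump, no SAN section.
CSR_MULTI_CN = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de, CN = dav.kmvw-io.de, CN = mail.kmvw-io.de
        Subject Public Key Info:
"""

# Constructed sample: the same names carried in a SAN extension instead.
CSR_WITH_SAN = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = ucs.kmvw-io.de
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ucs.kmvw-io.de, DNS:dav.kmvw-io.de, DNS:mail.kmvw-io.de
"""

# Constructed sample: the literal string quoted in the thread used as a CN.
CSR_BAD_NAME = "        Subject: CN = ucs.kmvw-io.de/[https:/ucs.kmvw-io.de\n"

WANTED = ["ucs.kmvw-io.de", "dav.kmvw-io.de", "mail.kmvw-io.de"]

# Plain DNS hostname syntax: dot-separated LDH labels, alphabetic TLD.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def csr_names(text):
    """Return the first Subject CN followed by any SAN DNS entries."""
    names = []
    cn = re.search(r"Subject:.*?CN\s*=\s*([^\s,]+)", text)
    if cn:
        names.append(cn.group(1))
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:") and entry[4:] not in names:
                names.append(entry[4:])
    return names


def audit_csr(text, wanted):
    """Compare the names in the CSR dump with the names that should be there."""
    found = csr_names(text)
    return {
        "found": found,
        "missing": [d for d in wanted if d not in found],
        "invalid": [d for d in found if not HOSTNAME.match(d)],
    }


if __name__ == "__main__":
    for label, csr in (("multi-CN", CSR_MULTI_CN), ("SAN", CSR_WITH_SAN),
                       ("bad name", CSR_BAD_NAME)):
        print(label, audit_csr(csr, WANTED))
```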

Making progress. Check your Apache config for why it responds with http error 500

You could test using this, which should result in a 404, to see why you get a 500 instead:

 curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/ForumTest_123

2 Likes

@MikeMcQ:
Thank you - that helped me a little bit:
If I call https

curl -I https://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2022 16:36:02 GMT
Server: Apache/2.4.25 (Univention)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Sat, 05 Feb 2022 15:48:10 GMT
ETag: "57-5d7474b58d5a4"
Accept-Ranges: bytes
Content-Length: 87

it works.

If I call http

curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 500 Internal Server Error
Date: Sat, 05 Feb 2022 16:34:41 GMT
Server: Apache/2.4.25 (Univention)
Connection: close
Content-Type: text/html; charset=iso-8859-1

I get the error 500.

Now I have to find out why verification over http does not work anymore. I guess that somewhere there is a hidden redirection to https.

Yes, Let's Encrypt always makes an HTTP request. You can redirect it to HTTPS if you want, but best would be to respond correctly to the HTTP request.

2 Likes

I know this, because I have been working with Letsencrypt on several servers for more than 2 years.

But since the trouble with the expired Letsencrypt root certificate and its "workarounds" to get the successor to work, a lot of problems have arisen.

Very strange: If I call e.g. web.kmvw-io.de with http, I get a reply. If I call it with the .well-known over http, I get an error 500, but everything still worked in December.

Something must have changed in your Apache setup since then. If you can't figure it out, show the results of this and maybe someone here will see the problem.

sudo apachectl -S

2 Likes

Seems to look good:

root@ucs:/etc/univention/letsencrypt# apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server ucs.kmvw-io.de (/etc/apache2/sites-enabled/000-default.conf:13)
         port 80 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/000-default.conf:13)
         port 80 namevhost ucs-sso.kmvw-io.de (/etc/apache2/sites-enabled/univention-saml.conf:63)
*:443                  is a NameVirtualHost
         default server ucs.kmvw-io.de (/etc/apache2/sites-enabled/default-ssl.conf:17)
         port 443 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/default-ssl.conf:17)
         port 443 namevhost dav.kmvw-io.de (/etc/apache2/sites-enabled/kdav.conf:2)
         port 443 namevhost kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:21)
         port 443 namevhost autodiscover.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:42)
         port 443 namevhost autoconfig.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:63)
         port 443 namevhost web.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:84)
         port 443 namevhost ucs.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:105)
         port 443 namevhost smtp.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:126)
         port 443 namevhost mail.kmvw-io.de (/etc/apache2/sites-enabled/univention-letsencrypt.conf:147)
         port 443 namevhost ucs-sso.kmvw-io.de (/etc/apache2/sites-enabled/univention-saml.conf:38)
         port 443 namevhost web.kmvw-io.de (/etc/apache2/sites-enabled/web.kmvw-io.de.conf:3)
                 alias web.kmvw-io.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

Would you show the contents of this:

UPDATE: And this too for comparison since it works better

2 Likes

000.default.conf:

<VirtualHost *:80>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
</VirtualHost>

univention-letsencrypt.conf:



alias /.well-known/acme-challenge/ /var/www/.well-known/acme-challenge/

<Directory /var/www/.well-known/acme-challenge/>
                   AllowOverride None
                   Options -Indexes
                   Require all granted
</Directory>

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName autodiscover.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName autoconfig.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName web.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName ucs.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName smtp.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ServerName mail.kmvw-io.de
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
</VirtualHost>

</IfModule>

default-ssl.conf

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud


    Redirect 301 /.well-known/carddav https://ucs.kmvw-io.de/nextcloud/remote.php/dav
    Redirect 301 /.well-known/caldav https://ucs.kmvw-io.de/nextcloud/remote.php/dav
    Redirect 301 /.well-known/webfinger https://ucs.kmvw-io.de/nextcloud/index.php/.well-known/webfinger
    Redirect 301 /.well-known/nodeinfo https://ucs.kmvw-io.de/nextcloud/index.php/.well-known/nodeinfo
</VirtualHost>
</IfModule>

Are there any files in that folder? Can you show them?

The post you made that showed result of apachectl -S is missing. Did you delete it?

2 Likes

No, it is there: Univention Corporate Server: no renewal possible - #17 by Mornsgrans

Edit: It became hidden by the forum spam filter and needed a review by admin.

The folder /etc/apache2/ucs-sites.conf.d contains three config files. All these files were auto-generated by UCS last summer.

1st:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/ucs-sites.conf
#...
RewriteEngine on
RewriteOptions Inherit
ProxyPreserveHost on
ProxyTimeout 600

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

DocumentRoot /var/www/
CustomLog /var/log/apache2/access.log combined
RedirectMatch ^/$ /univention/

2nd:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/collabora-code.conf

#######################################
# generated by code app join script, do not edit manually #
#######################################

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool

# Capabilities
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

3rd:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/univention-portal.conf
#...
ProxyPass /univention/portal/portal.json http://127.0.0.1:8095/ retry=0
ProxyPassReverse /univention/portal/portal.json http://127.0.0.1:8095/

<Directory /var/www/univention/portal/>
        <FilesMatch "(portal|apps)\.json|portal\.css">
                Header set Cache-Control "max-age=0, must-revalidate"
        </FilesMatch>
</Directory>
<Directory /var/www/univention/portal/icons>
        Header set Cache-Control "max-age=0, must-revalidate"
</Directory>

Maybe I could solve the http-problem:
after setting

ucr set apache2/force_https=yes

and restarting Apache I did the curl instructions mentioned above again:

root@ucs:/etc/univention/letsencrypt# curl -I http://web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:03 GMT
Server: Apache/2.4.25 (Univention)
Location: https://web.kmvw-io.de/%5bhttps:/web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

root@ucs:/etc/univention/letsencrypt# curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:30 GMT
Server: Apache/2.4.25 (Univention)
Location: https://ucs.kmvw-io.de/%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

Please notice the entry in the lines starting with "Location"

I think you should reverse what you just did with forcing redirects since it did not work. Ideally your port 80 http server would handle the challenge requests anyway.

Can you try copying these lines which do seem to work from your port 443 VirtualHost and add them to your 000.default.conf file? Don't forget to restart Apache after.

2 Likes

Getting the same:

root@ucs:/etc/univention/letsencrypt# curl -I http://autoconfig.kmvw-io.de/.well-known/acme-challenge/nh_11HrXJHoeCet5DDdh8E82V8vb1Vx5ucOhpsj5L8k
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 21:05:13 GMT
Server: Apache/2.4.25 (Univention)
Location: https://autoconfig.kmvw-io.de/%5bhttps:/autoconfig.kmvw-io.de/.well-known/acme-challenge/nh_11HrXJHoeCet5DDdh8E82V8vb1Vx5ucOhpsj5L8k
Content-Type: text/html; charset=iso-8859-1

with /%5b in the "Location" line. - Yes, I did restart Apache after changing 000-default.conf

The problem is that I do not know the changes in the configuration before the last successful renewal. - I think I will give up and try a new installation, if there are no new ideas. - Damn...

Thank you for your support.

2 Likes

I could solve the problem!!

The output of the curl instruction in my postings above

root@ucs:/etc/univention/letsencrypt# curl -I http://web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:03 GMT
Server: Apache/2.4.25 (Univention)
Location: https://web.kmvw-io.de/%5bhttps:/web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

showed a /%5b in the line starting with Location

This morning in the Univention knowledge-base I could find a guide, how to redirect http to https and configure Letsencrypt manually.

One step is:

Then create /var/www/.htaccess with the following content:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) [https://%{HTTP_HOST}%{REQUEST_URI}

The RewriteRule contains a "[". So I did check my .htaccess file and could find the RewriteRule in it. I did remove the RewriteRule line, restarted Apache and executed

root@ucs:/etc/univention/letsencrypt# sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert
So 6. Feb 09:04:35 CET 2022
Refreshing certificate for following domains:
kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de  smtp.kmvw-io.de mail.kmvw-io.de
Parsing account key...
Parsing CSR...
Found domains: web.kmvw-io.de, ucs.kmvw-io.de, mail.kmvw-io.de, autoconfig.kmvw-io.de, smtp.kmvw-io.de, autodiscover.kmvw-io.de, kmvw-io.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying autodiscover.kmvw-io.de...
autodiscover.kmvw-io.de verified!
Verifying kmvw-io.de...
kmvw-io.de verified!
Verifying mail.kmvw-io.de...
mail.kmvw-io.de verified!
Verifying smtp.kmvw-io.de...
smtp.kmvw-io.de verified!
Verifying ucs.kmvw-io.de...
ucs.kmvw-io.de verified!
Verifying web.kmvw-io.de...
web.kmvw-io.de verified!
Verifying autoconfig.kmvw-io.de...
autoconfig.kmvw-io.de verified!
Signing certificate...
Certificate signed!
Certificate refreshed at So 6. Feb 09:05:17 CET 2022

Yeah! - Success!!! :sunglasses:

Then I added the RewriteRule line in the .htaccess again and restarted Apache.

Now I will ask in the Univention forum, why the RewriteRule suddenly generates garbage.

4 Likes
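The symptom that led to the fix, as an added example that is not part of the thread: a pre-renewal check that takes the `curl -I` output for a challenge URL and reports whether the http-01 request would be answered cleanly, flagging a Location header like the `/%5bhttps:/...` one above. It assumes the intended redirect keeps the same host and path, as the .htaccess rule in the guide is meant to; the function names are hypothetical, `HEAD_BAD` is copied from the thread and `HEAD_GOOD` is constructed.

```python
from urllib.parse import urlsplit

URL = ("http://web.kmvw-io.de/.well-known/acme-challenge/"
       "HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA")

# Copied from the curl -I output in the thread (the failing case).
HEAD_BAD = """\
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:03 GMT
Server: Apache/2.4.25 (Univention)
Location: https://web.kmvw-io.de/%5bhttps:/web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1
"""

# Constructed: the same response with a clean http -> https redirect target.
HEAD_GOOD = HEAD_BAD.replace("/%5bhttps:/web.kmvw-io.de", "")


def parse_head(text):
    """Split curl -I output into (status code, lower-cased header dict)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_problems(request_url, location):
    """List the ways a redirect target differs from a same-host, same-path one."""
    req, loc = urlsplit(request_url), urlsplit(location)
    problems = []
    if loc.scheme not in ("http", "https"):
        problems.append("scheme is not http/https")
    if loc.hostname != req.hostname:
        problems.append("host changed")
    if loc.port not in (None, 80, 443):
        problems.append("port is not 80/443")
    if loc.path != req.path:
        problems.append("challenge path not preserved")
    if "%5b" in loc.path.lower() or ":/" in loc.path:
        problems.append("URL debris embedded in path")
    return problems


def preflight(request_url, head_text):
    """Classify one response: ok, redirect-ok, redirect-broken or fail."""
    status, headers = parse_head(head_text)
    if status == 200:
        return "ok", []
    if status in (301, 302, 307, 308):
        problems = redirect_problems(request_url, headers.get("location", ""))
        return ("redirect-broken" if problems else "redirect-ok"), problems
    return "fail", ["status %d" % status]


if __name__ == "__main__":
    print(preflight(URL, HEAD_BAD))
    print(preflight(URL, HEAD_GOOD))
```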
