VPS and domain hosting vs DNS

Hi, I got a VPS with an IPv4 address; IPv6 is disabled on the server, and on Apache also.
But I also got hosting with email at OVH. The hosting was bought to get one email account.
And its DNS IPv6 for my domain works, even though I do not use it.

And I think that is the reason why I can not get a cert.
What can I do now?
Domain name: muzeumndm.pl


Your domain doesn’t have an AAAA record, so IPv6 is unlikely to be causing your problems.

Please fill out the error template, including the full output of Certbot, if you’d like assistance with a specific issue:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @bktpl

It produced this output: "Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Auth ..." (Pastebin.com link)

There you see the problem:

Domain: kborowy.pl
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
"LPovItJb1NzUiB1IWzB93KiAY2RFIO_UNqS5QTYzsPk.mLtqr4q5hoPZsZnIA-RX9KklhSRlEdg_nSBHT75H_Oo"
!=
"LPovItJb1NzUiB1IWzB93KiAY2RFIO_UNqS5QTYzsPk.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"

You have two different account keys.

One is managed via Webmin, the other via Certbot.

Webmin blocks / handles /.well-known/acme-challenge.

-->> Don't mix integrated solutions with Certbot.

-->> use the integrated solution to create a certificate.


OK, I uninstalled Webmin, and what now?
IMPORTANT NOTES:

Then your configuration is buggy. Additional definitions, multiple vHosts with the same combination of port and domain name.

Check

apachectl -S

[KBKS@s1c ~]$ apachectl -S
VirtualHost configuration:
*:443                  s1c.kborowy.pl (/etc/httpd/conf.d/ssl.conf:56)
*:80                   is a NameVirtualHost
         default server kborowy.pl (/etc/httpd/vhost/kborowy.pl.conf:1)
         port 80 namevhost kborowy.pl (/etc/httpd/vhost/kborowy.pl.conf:1)
                 alias www.kborowy.pl
                 wild alias *.kborowy.pl
         port 80 namevhost muzeumndm.pl (/etc/httpd/vhost/muzeumndm.pl.conf:1)
                 alias muzeumndm.pl
                 alias mndm.pl
                 wild alias *.muzeumndm.pl
         port 80 namevhost ksiegowoscuslugi.pl (/etc/httpd/vhost/ksiegowoscuslugi.pl.conf:1)
                 alias ksiegowoscuslugi.pl
                 wild alias *.ksiegowoscuslugi.pl
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used

As I see at https://httpd.apache.org/docs/2.4/vhosts/name-based.html, I can use other domains on the same port. So what may be the problem?

You have a lot of domain names in one command -> one certificate.

But there is no matching port 80 vHost.

  • Use webroot (but that’s terrible, if your domains have different webroots),
  • create different certificates: One vHost with two domain names -> create one certificate with the same two domain names

I know it's one cert, it's OK for me. What do you mean by "there is no matching port 80 vHost"? Can you explain please?

One vHost with the same set of domain names.


Oh OK, I understand what you mean now. So when I have one vhost file per domain and use Include to add it in httpd.conf, certbot will not work?

I have another VPS and did not get errors in this configuration.

It's still not working. Can you help me with a fix please?

The problem was in spaces and some configuration in the vhost files. You were right, but not in the details :)
Please delete this topic.


Can you help me with one more thing:

E http://kborowy.pl/ 80.241.221.175 301 https://www.kborowy.pl/ Wrong redirect one domain http to other domain https. First redirect to https without new dns query, so the server can send the HSTS header. That’s fundamental using HSTS (Http Strict Transport Security). First step: Add correct redirects http ⇒ https. Perhaps in your port 80 vHost something like “RewriteEngine on” + “RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]” (two rows, without the "). Don’t add this in your port 443 vHost, that would create a loop. Then recheck your domain, should be Grade C. There is the rule to select one https version as preferred version.
I https://www.kborowy.pl/ 80.241.221.175 200 Content problems or problems with resources included - http links, files doesn’t exist, different Content-Type definitions

How to fix it?
How to redirect from http to https://www with HSTS on and one redirection? Is it possible?

In vhost 80:
RewriteCond %{SERVER_NAME} =www.kborowy.pl [OR]
RewriteCond %{SERVER_NAME} =*.kborowy.pl [OR]
RewriteCond %{SERVER_NAME} =kborowy.pl
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

In vhost 443:
RewriteCond %{HTTP_HOST} ^kborowy.pl$ [NC]
RewriteRule (.*) https://www.kborowy.pl$1 [R=301,L]

Tried also:
#RewriteCond %{HTTP_HOST} !^www. [OR]
#RewriteCond %{HTTPS} off
#RewriteCond %{HTTP_HOST} ^(?:www.)?(.+)$ [NC]
#RewriteRule ^ https://www.%1%{REQUEST_URI} [NE,L,R=301]

But not all examples work:
http://domain.com -> https://www.domain.com
http://www.domain.com -> https://www.domain.com
https://domain.com -> https://www.domain.com

Hello @bktpl. Just to get things straight: you have some domains running on Let's Encrypt and some on self-signed certs, right? Is this just for testing some settings, or because it was not working correctly yet?

Should all domains present the very same content (either by redirect or statically)?

To help you best, some more information is needed, thus I ask.


Thank you for asking.
Currently I'm starting with all 3 domains. Started from kborowy.pl. I got almost all I wanted now, but:

  1. Not sure if I should redirect http to https www (with HSTS testing and then run) in one or two steps. So can/should it be http -> https -> https www, as I got it working now, or maybe http -> https www directly? If the second option is OK for HSTS later, how can I achieve it with my rules? Currently got:
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent] in vh80 and
    this:
    RewriteCond %{HTTP_HOST} ^example.com$ [NC]
    RewriteRule (.*) https://www.example.com$1 [R=301,L] in vhost443.

I'll do the same conf for the other 2 domains after finishing with this one.

  2. All 3 domains should be on Let's Encrypt, why do you say I got something on a self-signed cert? It's my second question. When I test the page on SSL Labs I see one cert for s1c.kborowy.pl, but I'm using it with sshd, so I think it must look like this?

  3. Do you have any ideas how to add HTTP2 on CentOS 7?

There is a new check of your domain - kborowy.pl - Make your website better - DNS, redirects, mixed content, certificates

So you have fixed your wrong Grade E, now you have Grade B. So your redirects are correct.

Read the output of your Grade-E-check. One step http + non-www -> https + www is wrong, that's the reason why that is Grade E.

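The two-step redirect Juergen describes, written out as an added example for kborowy.pl (this is not configuration from the thread); the DocumentRoot, the certbot live paths and mod_headers/mod_rewrite being loaded are assumptions:

```apache
# Added example, not from the thread. Step 1 (port 80): redirect to HTTPS on
# the SAME host name, so the browser first reaches an HTTPS origin that can
# send the HSTS header for exactly the host it typed.
<VirtualHost *:80>
    ServerName kborowy.pl
    ServerAlias www.kborowy.pl
    DocumentRoot /var/www/kborowy.pl          # assumed path

    RewriteEngine on
    # Leave the ACME HTTP-01 path on plain HTTP so the webroot plugin
    # still validates; everything else goes to https://<same host>/.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Step 2 (port 443): canonicalise the bare domain to www, already over HTTPS.
# The certificate must cover both kborowy.pl and www.kborowy.pl.
<VirtualHost *:443>
    ServerName www.kborowy.pl
    ServerAlias kborowy.pl
    DocumentRoot /var/www/kborowy.pl          # assumed path

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/kborowy.pl/fullchain.pem   # assumed
    SSLCertificateKeyFile /etc/letsencrypt/live/kborowy.pl/privkey.pem     # assumed

    # HSTS is sent for both host names, so the bare domain is pinned to HTTPS
    # before it is redirected. "includeSubDomains" is deliberately left out:
    # s1c.kborowy.pl has its own port 443 vhost with a different certificate.
    Header always set Strict-Transport-Security "max-age=31536000"

    RewriteEngine on
    # No redirect here for www (would loop); only the bare domain moves.
    RewriteCond %{HTTP_HOST} ^kborowy\.pl(:443)?$ [NC]
    RewriteRule ^ https://www.kborowy.pl%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Run apachectl -S after adding it to confirm that kborowy.pl and www.kborowy.pl appear in exactly one port 80 and one port 443 vhost each.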

OK, I think Juergen's answer brought some insight to you. This should answer the first question.

Regarding the second question: I was referring to e.g. https://www.mndm.pl/. This one uses a self-signed certificate at the moment.
What do you mean by the SSH part? SSH does not use SSL certificates as far as I know.

I do not know much of CentOS. But I assume there is a mod_http2 module to be installed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.