When I try to renew the cert, I get 400 Bad Request!

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName orin.app
        ServerAlias www.orin.app *.orin.app

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks Multiviews
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/orin.app/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/orin.app/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.orin.app [OR]
RewriteCond %{SERVER_NAME} =orin.app
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Oops, there it is. That's the culprit.

1 Like

There may be more to that “culpriticity”…
Like where does it turn SSL on?
Globally?

1 Like

Any idea how can I fix it?

1 Like

Start by removing those 3 lines from the HTTP (*:80) section.

1 Like

Not particularly important, but the rewrite statement only covers two names (www.orin.app & orin.app),
while the block also includes the wildcard alias ("*.orin.app").
So, if you try to connect to this site via any other name, it will not redirect to HTTPS; it will actually serve such requests from the DocumentRoot ("/var/www/html/") folder.

To cover all possible names that have reached that site, don’t try to list them at all.
Just rewrite anything that isn’t HTTPS to HTTPS.
For that, you can change/replace:
RewriteCond %{SERVER_NAME} =www.orin.app [OR]
RewriteCond %{SERVER_NAME} =orin.app
to/with:
RewriteCond %{HTTPS} !=on

2 Likes
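As an added check that is not from the thread or from the Apache project, the following shell/awk lint flags the two problems discussed in the replies above in a vhost file: SSL directives (or the options-ssl-apache.conf include) sitting inside a plain-HTTP `*:80` VirtualHost, and HTTP-to-HTTPS `RewriteCond` lines that enumerate host names instead of testing `%{HTTPS}`. The function names, the file paths and the embedded sample vhost (a constructed copy of the broken `*:80` block from the first post) are assumptions.

```shell
#!/bin/sh
# lint_vhost FILE
#   Prints one finding per line (FILE:LINE: message) and returns 1 when
#   anything was found, 0 when the file is clean. Only *:80 vhosts are
#   inspected; SSL directives belong in the *:443 vhost, and a redirect
#   that tests %{HTTPS} covers every ServerName/ServerAlias at once.
lint_vhost() {
    awk '
    # Track which <VirtualHost ...> block we are currently inside.
    /^[ \t]*<VirtualHost/ {
        vh = $0
        sub(/^[ \t]*<VirtualHost[ \t]*/, "", vh); sub(/>.*$/, "", vh)
        in80 = (vh ~ /:80([ \t]|$)/)
        next
    }
    /^[ \t]*<\/VirtualHost>/ { in80 = 0; next }

    # Finding 1: certificate/SSL directives inside a port-80 vhost.
    in80 && /^[ \t]*SSL(Engine|CertificateFile|CertificateKeyFile|CertificateChainFile)[ \t]/ {
        printf "%s:%d: SSL directive inside *:80 vhost: %s\n", FILENAME, FNR, $1; found++
    }
    in80 && /^[ \t]*Include[ \t].*options-ssl-apache\.conf/ {
        printf "%s:%d: options-ssl-apache.conf included inside *:80 vhost\n", FILENAME, FNR; found++
    }

    # Finding 2: redirect conditions that list names; aliases not listed
    # (e.g. the *.orin.app wildcard) are served over plain HTTP.
    in80 && /^[ \t]*RewriteCond[ \t]+%[{]SERVER_NAME[}]/ {
        printf "%s:%d: redirect condition matches specific names; use \"RewriteCond %%{HTTPS} !=on\"\n", FILENAME, FNR; found++
    }
    END { exit (found > 0) ? 1 : 0 }
    ' "$1"
}

# write_sample_vhost FILE
#   Constructed sample: the *:80 vhost from the first post, for trying the lint.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
        ServerName orin.app
        ServerAlias www.orin.app *.orin.app
        DocumentRoot /var/www/html
        SSLCertificateFile /etc/letsencrypt/live/orin.app/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/orin.app/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.orin.app [OR]
RewriteCond %{SERVER_NAME} =orin.app
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

# Usage (assumed path):
#   lint_vhost /etc/apache2/sites-enabled/000-default.conf
```

Run it against the real file before restarting Apache; a clean run prints nothing and exits 0. On the sample above it reports the two certificate lines, the options-ssl include and both `RewriteCond %{SERVER_NAME}` lines, which is exactly the set of lines the replies say to remove or replace.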

After those (or any) changes, restart Apache.

Then we can have another look at the output of:
apachectl -S

1 Like

I made the changes, but now I get another error, which is:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. orin.app (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://orin.app/.well-known/acme-challenge/mu4H_90OhA8E-52G5-9vjsqr3H2y1WTzYdfNx8a9daU [209.97.178.67]: "<html class=\"no-js\" lang=\"EN\" class=\"entering\">\n    <head>\n        <meta charset=\"utf-8\">\n        <meta http-equiv=\"x-ua-compati"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: orin.app
   Type:   unauthorized
   Detail: Invalid response from
   https://orin.app/.well-known/acme-challenge/mu4H_90OhA8E-52G5-9vjsqr3H2y1WTzYdfNx8a9daU
   [209.97.178.67]: "<html class=\"no-js\" lang=\"EN\"
   class=\"entering\">\n    <head>\n        <meta charset=\"utf-8\">\n
   <meta http-equiv=\"x-ua-compati"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Also, this is what apachectl -S looks like now:

VirtualHost configuration:
*:443                  orin.app (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   orin.app (/etc/apache2/sites-enabled/000-default.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
1 Like

This:

Does NOT match this:

1 Like

sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
sudo cat /etc/apache2/sites-enabled/000-default.conf

1 Like

sudo vim /etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName orin.app
        ServerAlias www.orin.app
        ServerAlias *.orin.app

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/orin.app/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/orin.app/privkey.pem
</VirtualHost>
</IfModule>

sudo vim /etc/apache2/sites-enabled/000-default.conf

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName orin.app
        ServerAlias www.orin.app *.orin.app

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks Multiviews
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
1 Like

Something doesn’t add up.
The aliases are not being shown in the apachectl -S output.
[I’ve never seen that happen before]

1 Like

I would hope not. The first is from apachectl -S while the second is from /etc/apache2/sites-enabled/000-default.conf.

The first shows:

The second

shows:

1 Like

That looks like the same file to me - but NOT the same/expected output.

1 Like

@rg305

I'm not understanding the mismatch you're seeing. :thinking:

apachectl -S ->

/etc/apache2/sites-enabled/000-default.conf ->

Are you thinking that the aliases should appear too?

Don't they always?

1 Like

Honestly, I’m not sure. I’ll check into it.

I almost want to duplicate the sections
leaving them identical except one as:
ServerName orin.app
the other as:
ServerName www.orin.app
and a third if needed as:
ServerName *.orin.app
[but implementing that third one requires proper ordering, as the wildcard will match the other two, so it cannot come before them or they will never be used]

And then see what says?:
apachectl -S

1 Like
