Using certbot to authenticate domain - apache

My domain is advice.com. I'm running the Apache web server on Ubuntu 20.04 LTS. I've configured the domain name as per this link:
Within my internet, I can access the domain name www.advice.com, which is mapped to 192.168.0.xxx.
As per this tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04, a self-signed certificate was generated for the domain. However, it shows a "not secure" warning. I want to fetch certificates using certbot. When I ran this command: `sudo certbot --apache`
it produced the following output:
http-01 challenge for www.advice.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.advice.com
Type: unauthorized
Detail: Invalid response from http://www.advice.com/.well-known/acme-challenge/_fasLpkG_oxH7gK3K78GEG1L6x9TFRlGpm__5QiIWr4 [3.33.152.147]: 404
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Looking into the solutions for this error, I also added the acme-challenge directory to the configuration file. I can access this file: http://advice.com/.well-known/acme-challenge/test-file-1234
Here is the configuration of the server:
<VirtualHost *:443>
ServerName advice.com
ServerAlias www.advice.com
DocumentRoot /var/www/advice.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName advice.com
ServerAlias www.advice.com
DocumentRoot /var/www/advice.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect / https://advice.com/
DocumentRoot /var/www/advice.com/.well-known/acme-challenge
<Location "/.well-known/acme-challenge/">
#do nothing special for challenges / ignore bad requests
RedirectMatch 403 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Location>
<Location "/">
#redirect all other requests to HTTPS
Redirect permanent "/" https://%{HOST}/$1
</Location>
</VirtualHost>
Is it something related to the configuration file? I just want to assign a domain name to the Ubuntu server and make it secure for further work.

Please make sure that you correctly added the A record pointing to your host's IP address, and if the error still exists, delete the AAAA record and keep just the A record.
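The certbot output shows where the CA actually went looking for the challenge file: the bracketed 3.33.152.147 is the address it resolved for www.advice.com, while the server itself sits at 192.168.0.xxx. Before touching the Apache config, it is worth confirming that the published A/AAAA records lead to this Apache instance at all. The following is an added example for that check; it is not part of the question or the answer above and not certbot's code. The sample addresses are constructed, and the `forwarded` parameter is an assumption modelling a router that forwards ports 80/443 to a LAN host.

```python
"""Check whether the addresses DNS publishes for a hostname are ones an
Internet client (Let's Encrypt's validation servers included) can reach on
this server.  Added example for the certbot question above; not part of the
original post and not certbot's code.  Sample addresses are constructed.
"""
import ipaddress
import socket


def resolve(hostname):
    """Live lookup of every A and AAAA address for hostname (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def dns_findings(published, listening, forwarded=()):
    """Compare the addresses DNS returns for a name with the addresses that
    actually lead to this web server.

    published: addresses from the name's A/AAAA records
    listening: addresses Apache is bound to on this host
    forwarded: public addresses whose ports 80/443 a router forwards here
               (assumed parameter; empty when the host has its own public address)

    Returns one finding per unreachable address; [] means the CA's HTTP-01
    request for /.well-known/acme-challenge/... can at least reach Apache.
    """
    reachable = {ipaddress.ip_address(a) for a in (*listening, *forwarded)}
    findings = []
    if not published:
        findings.append("no A or AAAA record published")
    for text in published:
        addr = ipaddress.ip_address(text)
        record = "AAAA" if addr.version == 6 else "A"
        if not addr.is_global:
            # 192.168.0.x, 10.x, fd00::/8 ...: a CA on the Internet cannot connect here
            findings.append(f"{record} record {addr} is not publicly routable")
        elif addr not in reachable:
            findings.append(f"{record} record {addr} does not lead to this host; "
                            f"fix the record or, for AAAA, remove it or add an IPv6 listener")
    return findings


if __name__ == "__main__":
    # Constructed scenario modelled on the question: the LAN host is 192.168.0.20
    # and the CA resolved the name to a public address that is not forwarded here.
    for finding in dns_findings(["3.33.152.147", "fd00::1"], ["192.168.0.20"]):
        print(finding)
```

With a real deployment, feed `resolve("www.advice.com")` into `published` and the output of `ss -ltn` (or the `Listen`/`<VirtualHost>` addresses) into `listening`; an empty result means the 404 is a web server problem rather than a DNS one.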

Restricting direct access to ip address giving error

I'm trying to restrict direct access to my website through the IP address. I want to only let people see my website through the domain.
When I did some research I found one solution.
I added a new VirtualHost in apache2 sites-available with my domain name and it worked for http://IP-ADDRESS, but when someone tries https://IP-ADDRESS it is still accessible.
So I added another VirtualHost with port 443 to restrict https access too, but it gives an error.
My VirtualHost:
<VirtualHost *:80>
ServerName 157.245.247.15
ServerAlias localhost
ServerAdmin admin@localhost
DocumentRoot /var/www/my-site.com
<Location />
Order Allow,Deny
Deny from All
</Location>
ErrorLog ${APACHE_LOG_DIR}/157.245.247.15-error.log
CustomLog ${APACHE_LOG_DIR}/157.245.247.15-access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName 157.245.247.15
ServerAlias localhost
ServerAdmin admin@localhost
DocumentRoot /var/www/my-site.com
<Location />
Order Allow,Deny
Deny from All
</Location>
ErrorLog ${APACHE_LOG_DIR}/157.245.247.15-error.log
CustomLog ${APACHE_LOG_DIR}/157.245.247.15-access.log combined
</VirtualHost>
Error:
This site can't provide a secure connection
157.245.247.15 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Now I cannot access my website by either IP or domain due to the SSL protocol error. How can it be solved?
My main goal is to block direct access to the IP address over http or https.
My OS: Ubuntu
Web server: Apache
Thanks
First of all, you shouldn't use an IP address as ServerName or ServerAlias. You should use an FQDN (resolved by DNS or by an entry in your hosts file).
Second: I can't see any configuration for HTTPS. Where are the key, certificate and chain configured?
Third: your configuration is denying access to everything
<Location />
Order Allow,Deny
Deny from All
</Location>
and not giving access to anything else.

Debian 8 - SSL Certificate is not working

I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA bundle, key and certificate) from 123-reg and I followed Linode's instructions to set up the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https, the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost that is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on port 80 while having SSLEngine On.
In order to get https working, you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would no longer have a configuration that handles http connections (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well:
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two configs: the https one (which is basically your example from above; remember to replace 80 with 443) and one for http, for which I gave you two examples.
You can put them into separate files; remember to activate them in that case.

Apache Redirect & HTTPS

I guess I am trying to do three things at once, but I am trying to:
direct example.com to example.com.au
direct example.com.au to www.example.com.au
direct HTTP to HTTPS
That is, four variations all directed to the HTTPS version.
Here are the sections in the configuration file:
<VirtualHost *:80>
ServerName example.com.au
ServerAlias www.example.com.au example.com www.example.com
ServerAdmin …
Redirect permanent / https://www.example.com.au/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com.au:443
ServerAlias example.com.au www.example.com example.com
ServerAdmin …
VirtualDocumentRoot /whatever/example.com/www
CustomLog logs/example.log combined env=!dontlog
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com.au/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com.au/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com.au/chain.pem
</VirtualHost>
The problem is that although the redirection appears to be working, the certificate doesn’t seem to apply. When I attempt to open the following in my browser (without the www):
https://example.com.au/
I get the following message:
The certificate is only valid for www.example.com.au
Now I thought that the redirect should tell the browser that it’s really going to https://www.example.com.au, but:
the address bar stays the same
the certificate is invalid, presumably because the address bar stays the same
The question is: How do I configure the virtual host to redirect these variations to SSL using the one certificate?
My DNS server is properly set up (all names resolve correctly) and the LetsEncrypt is correct and current. Only the domain has been changed to protect the innocent.
The reason for the warning is: your browser, when trying to reach https://example.com.au/, can't trust that the 301 redirect response really came from example.com.au, since there is no such hostname in the certificate.
Since you are already using Let's Encrypt certs, all you need is to split your :443 VirtualHost into 4 separate vhosts, each with its own cert, and then configure 3 of them to redirect to https://www.example.com.au/ (or, if possible, get a cert that matches all the needed hostnames).
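The ordering the answer relies on is worth making concrete: the certificate is checked during the TLS handshake, before the browser can read the 301, so every hostname the :443 vhost answers for has to be covered by the certificate that vhost presents. The following added example (not the poster's or Apache's code) takes the ServerName/ServerAlias lines from the question and reports which names a given set of certificate DNS SANs leaves uncovered, using the matching rule browsers apply (exact match, or a leftmost-label wildcard covering exactly one label). The SAN lists are constructed.

```python
"""Certificate hostname coverage for a redirect-only vhost.

A browser validates the certificate during the TLS handshake, before it can
read any HTTP response, so the 301 from https://example.com.au/ is never seen
unless the certificate presented on that connection covers example.com.au.
Added example, not the poster's or Apache's code: the vhost lines are taken
from the question above; the SAN lists are constructed.
"""
import re

VHOST_443 = """\
ServerName www.example.com.au:443
ServerAlias example.com.au www.example.com example.com
"""


def hostname_matches(san, hostname):
    """True if a dNSName SAN entry covers hostname (RFC 6125 style matching)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                                # "*.example.com.au" -> ".example.com.au"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(label) and "." not in label         # wildcard = exactly one non-empty label


def vhost_names(vhost_text):
    """ServerName and ServerAlias values from a vhost block, minus any :port."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", vhost_text, re.MULTILINE):
        names.extend(token.split(":")[0] for token in m.group(1).split())
    return names


def uncovered_names(san_dns_names, names):
    """Hostnames in names that no SAN entry covers.  Each of these needs its
    own vhost and certificate, or the certificate needs a SAN for it."""
    return [n for n in names if not any(hostname_matches(s, n) for s in san_dns_names)]


if __name__ == "__main__":
    names = vhost_names(VHOST_443)
    print("cert for www only:", uncovered_names(["www.example.com.au"], names))
    print("cert covering all:", uncovered_names(
        ["www.example.com.au", "example.com.au", "www.example.com", "example.com"], names))
```

An empty `uncovered_names` result is the condition under which a single redirecting :443 vhost works; otherwise each uncovered name needs the separate vhost and certificate the answer describes.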

Incorrect site redirection using Apache/RSA WebAgent

We are using CentOS-based Apache 2.4.20 along with RSA WebAgent version 7.1. We have two internal (for now) sites we are protecting with RSA WebAgent, which have vhost entries that look like this:
<VirtualHost *:80>
ServerAdmin webmaster@ourcompany.com
ServerName server1.ourcompany.lan
ServerAlias server1
ServerAlias server1.ourcompany.lan
SetOutputFilter DEFLATE
ProxyRequests Off
ProxyPass / http://10.40.50.60:8080/
ProxyPassReverse / http://10.40.50.60:8080/
ErrorLog "|/usr/sbin/cronolog -S /var/log/httpd/app1-error.log /var/log/httpd/app1/error-%Y-%m-%d.log"
LogLevel warn
CustomLog "|/usr/sbin/cronolog -S /var/log/httpd/app1-access.log /var/log/httpd/app1/access-%Y-%m-%d.log" combined
ServerSignature Off
</VirtualHost>
and...
<VirtualHost *:80>
ServerAdmin webmaster@ourcompany.com
ServerName app2.ourcompany.lan
ServerAlias app2
ServerAlias app2.ourcompany.lan
SetOutputFilter DEFLATE
ProxyRequests Off
ProxyPass / http://10.40.50.61:8080/
ProxyPassReverse / http://10.40.50.61:8080/
ErrorLog "|/usr/sbin/cronolog -S /var/log/httpd/app2-error.log /var/log/httpd/app2/error-%Y-%m-%d.log"
LogLevel warn
CustomLog "|/usr/sbin/cronolog -S /var/log/httpd/app2-access.log /var/log/httpd/app2/access-%Y-%m-%d.log" combined
ServerSignature Off
</VirtualHost>
Both of these sites can be logged onto successfully via RSA WebAgent, so we know they work. The problem we have is when the user logs onto one site (say app1.ourcompany.lan) and then subsequently attempts to log on to the second site (app2.ourcompany.lan) using the same browser instance (different tab). In this case, once the RSA authentication has succeeded the user is not redirected to the correct site (app2) but is instead redirected to the first site (app1). This issue also occurs in the reverse order (once logged on to app2, the subsequent logon attempt for app1 will redirect the user to app2).
At this point we are not sure if this is an RSA WA config issue or an Apache issue. Any help or insights are appreciated.
Well, we know the cause of the problem now, but not the why. The cause was identical cookie names being used for each of the two sites. The fix was simply to rename one of the cookies to something different. Restart Apache and presto, now it all works. Why this is happening is the mystery. From all we've read, cookie names should be cross-usable on separate sites. It could be that each site is really just a different subdomain and not a different domain. Regardless, the solution is fine for our needs.
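The fix works because of how a browser keys cookies: by (domain, path, name). If both agents set the same name with a Domain attribute covering ourcompany.lan, the second login overwrites the first and both hosts then receive whichever value was set last, which is exactly the redirect-to-the-other-site symptom; host-only cookies (no Domain attribute) or distinct names never collide. The added example below (not the posters' code and not RSA WebAgent's) uses Python's http.cookiejar as a stand-in for the browser with the two hostnames from the question; the cookie names, values and Domain attribute are constructed assumptions.

```python
"""Simulate the cookie collision described above, with Python's cookie jar
standing in for the browser.  Added example, not RSA WebAgent's or the
poster's code; hostnames are the ones in the question, cookie names, values
and the Domain attribute are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message appends repeated headers

    def info(self):
        return self._headers


def login(jar, host, name, value, domain=None):
    """The agent on host sets its session cookie in the browser's jar."""
    set_cookie = f"{name}={value}; Path=/"
    if domain:
        set_cookie += f"; Domain={domain}"        # shared across *.ourcompany.lan
    jar.extract_cookies(_Response([set_cookie]), urllib.request.Request(f"http://{host}/"))


def cookie_header(jar, host):
    """The Cookie header the browser would send on its next request to host."""
    request = urllib.request.Request(f"http://{host}/")
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


APP1, APP2 = "app1.ourcompany.lan", "app2.ourcompany.lan"


def simulate_logins(app1_cookie, app2_cookie, domain=None):
    """Log in to app1, then app2, and report what each host gets back."""
    jar = http.cookiejar.CookieJar()
    login(jar, APP1, app1_cookie, "app1-session", domain)
    login(jar, APP2, app2_cookie, "app2-session", domain)
    return {host: cookie_header(jar, host) for host in (APP1, APP2)}


if __name__ == "__main__":
    # same name + Domain=ourcompany.lan: app1 now receives app2's session value
    print("same name, domain cookie:", simulate_logins("webagent", "webagent", "ourcompany.lan"))
    # same name, host-only: each host keeps its own value
    print("same name, host-only:    ", simulate_logins("webagent", "webagent"))
    # the fix from the answer: distinct names, so both cookies coexist
    print("distinct names, domain:  ", simulate_logins("agent1", "agent2", "ourcompany.lan"))
```

The first case is the failure mode in the question: after the second login, app1's agent validates a session token that belongs to app2 and redirects accordingly. Renaming one cookie (third case) lets both coexist in the jar, which is the fix the poster applied.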

SSL Certificates and Apache Virtual Hosts

I am encountering a very curious problem with my Ubuntu server setup. I am running a few websites using a LAMP stack.
One of the websites has a dedicated IP and a Comodo SSL certificate. The other websites are on a shared IP and use Let's Encrypt SSL certificates.
Here's the virtual host config for the website on the dedicated ip:
# domain: example.com
# public: /home/myhomefolder/public/example.com/
<VirtualHost actual_dedicated_ip:80>
# Admin email, Server Name (domain name), and any aliases
ServerAdmin admin@example.com
ServerName www.example.com
ServerAlias example.com
Redirect permanent / https://www.example.com/
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /home/myhomefolder/public/example.com/public
# Log file locations
LogLevel warn
ErrorLog /home/myhomefolder/public/example.com/log/error.log
CustomLog /home/myhomefolder/public/example.com/log/access.log combined
</VirtualHost>
<VirtualHost actual_dedicated_ip:443>
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/apache2/ssl/www.example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
SSLCertificateChainFile /etc/apache2/ssl/www.example.com.ca-bundle
<Directory /home/myhomefolder/public/example.com/public>
Require all granted
AllowOverride ALL
</Directory>
ServerAdmin admin@example.com
ServerName example.com
DocumentRoot /home/myhomefolder/public/example.com/public
ErrorLog /home/myhomefolder/public/example.com/log/https_error.log
CustomLog /home/myhomefolder/public/example.com/log/https_access.log combined
</VirtualHost>
Everything works fine except on specific networks (so far I can only reproduce this on my iPhone when connected to Verizon LTE, but not when connected to Wi-Fi): I get either an error saying "Safari cannot open the page because too many redirects occurred" or a prompt with "cannot verify server identity", and the certificate details are for another website on the same host but a different IP.
Any ideas of what may be causing this?
So I finally got to the bottom of this. It looks like Verizon is using IPv6 and my vhost had only an IPv4 configuration. As soon as I added my IPv6 address to my vhost, the problem went away.
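Several of the problems on this page are visible in the vhost text alone, before Apache is even restarted: SSLEngine On in a vhost that only listens on port 80 ("Debian 8 - SSL Certificate is not working"), a :443 vhost with no SSLEngine, certificate or key, an IP literal as ServerName and a <Location /> that denies everyone ("Restricting direct access to ip address"), and a vhost bound to a single IPv4 address with no IPv6 counterpart for the same name and port, which is the failure just described. The following added linter checks for all of them; it is not Apache's code or any poster's, its parser handles only the small subset of Apache syntax these configs use, and the sample configs in the usage are constructed from the questions (the IPv4 and IPv6 literals stand in for the questioner's `actual_dedicated_ip`).

```python
"""Lint <VirtualHost> blocks for mistakes discussed in three questions above:
SSLEngine On in a vhost not listening on 443; a :443 vhost without SSLEngine,
certificate and key; an IP literal as ServerName; a <Location /> that denies
everyone; a vhost bound to one IPv4 address with no IPv6 (or *) vhost for the
same name and port.  Added example: the parser is a small subset of Apache's
syntax, not Apache's own code or any poster's."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Directive:
    name: str      # lower-cased directive name
    args: str      # arguments exactly as written
    section: str   # enclosing <Location>/<Directory> inside the vhost, "" at top level


@dataclass
class VirtualHost:
    addresses: list                                  # [(address, port or None), ...]
    directives: list = field(default_factory=list)

    def top(self, name):                             # vhost-level directives called `name`
        return [d for d in self.directives if d.name == name and d.section == ""]

    def names(self):                                 # ServerName values without scheme/port
        return {_hostname(d.args) for d in self.top("servername")}


_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")


def _address(token):                                 # "[::1]:443" -> ("[::1]", 443)
    host, sep, port = token.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (token, None)


def _hostname(value):
    host = re.sub(r"^\w+://", "", value.strip().lower())
    return host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]


def _ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def parse_vhosts(text):
    vhosts, stack, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            if m.group(1).lower() == "virtualhost":
                current = VirtualHost([_address(t) for t in m.group(2).split()])
            elif current is not None:
                stack.append(f"<{m.group(1)} {m.group(2).strip()}>")
        elif m := _CLOSE.match(line):
            if m.group(1).lower() == "virtualhost" and current is not None:
                vhosts.append(current)
                current, stack = None, []
            elif stack:
                stack.pop()
        elif current is not None:
            name, args = (line.split(None, 1) + [""])[:2]
            current.directives.append(Directive(name.lower(), args, " ".join(stack)))
    return vhosts


def lint_vhosts(text):
    vhosts, findings = parse_vhosts(text), []
    for vh in vhosts:
        tag = "<VirtualHost " + " ".join(a if p is None else f"{a}:{p}" for a, p in vh.addresses) + ">"
        ports = {p for _, p in vh.addresses}
        ssl_on = any(d.args.lower() == "on" for d in vh.top("sslengine"))
        keypair = bool(vh.top("sslcertificatefile") and vh.top("sslcertificatekeyfile"))
        if ssl_on and 443 not in ports:
            findings.append(f"{tag}: SSLEngine On but the vhost does not listen on 443")
        if 443 in ports and not (ssl_on and keypair):
            findings.append(f"{tag}: listens on 443 without SSLEngine On plus certificate and key")
        for name in vh.names():
            if _ip(name) is not None:
                findings.append(f"{tag}: ServerName {name} is an IP literal; use a hostname")
        root = [d for d in vh.directives if re.fullmatch(r'<location "?/"?>', d.section, re.I)]
        if any(d.name == "deny" and d.args.lower() == "from all" for d in root) and not any(
                d.name == "allow" or (d.name == "require" and "denied" not in d.args.lower()) for d in root):
            findings.append(f"{tag}: <Location /> denies all clients and grants nothing back (every request is a 403)")
        # A vhost bound only to an IPv4 address never sees IPv6 clients; they land on
        # whichever vhost owns the server's IPv6 address and get that vhost's certificate.
        for addr, port in vh.addresses:
            if (ip := _ip(addr)) is not None and ip.version == 4:
                for name in vh.names():
                    if not any(name in o.names() and any(p == port and (a == "*" or a.startswith("["))
                               for a, p in o.addresses) for o in vhosts):
                        findings.append(f"{tag}: {name} has no IPv6 or wildcard vhost on port {port}")
    return findings
```

Run it over the concatenated contents of sites-enabled (for example `lint_vhosts(open(path).read())` per file, or `apachectl -S` output is the complementary Apache-side view); a vhost bound as `198.51.100.10:443` with no `[2001:db8::10]:443` twin for the same ServerName is exactly the shape that produced the Verizon-only certificate mismatch above.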