Update certificate with certbot to add subdomain - ssl

I have a domain with a LetsEncrypt certificate installed and an apache conf set up to forward www to non-www and non-ssl to ssl. Everything was working great until I decided to add a subdomain and tried to generate a new certificate to cover both.
Now I get the following output when I run certbot:
root@arthas:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: playground.domain.com
3: www.playground.domain.com
4: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)
It contains these names: domain.com, www.domain.com
You requested these names for the new certificate: domain.com,
playground.domain.com, www.playground.domain.com, www.domain.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for playground.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.playground.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-19.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
To non-interactively renew *all* of your certificates, run "certbot renew"
- Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-enabled/000-default-le-ssl.conf because they have the potential to create redirection loops.
Also, I've copied in the contents of my 000-default.conf file below:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName playground.domain.com
ServerAlias www.playground.domain.com
DocumentRoot /var/www/html/playground
<Directory /var/www/html/playground>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.playground.domain.com [OR]
RewriteCond %{SERVER_NAME} =playground.domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Same error message for me when trying to install certificates for multiple domains in one go. If you have all VirtualHosts in the same configuration file and don't want to separate them, try installing the certificates for the domains separately.
Example:
When you need to install certificates for the following domains
domain01.com
www.domain01.com
domain02.com
www.domain02.com
At the step
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
enter 1, 2 instead of 1,2,3,4, then repeat to install for 3, 4

When you run this command, make sure you have the order correct as well. For example, example.org should come before mail.example.org in the request. Otherwise, especially when using the Route 53 option, you get strange zone error messages.

It looks like you have several .conf files that may be causing a conflict.
Method 1: place all <VirtualHost *:80> and <VirtualHost *:443> rules in the same configuration file.
Method 2: keep them separate and add Include /path/to/httpd-le-ssl.conf to the end of 000-default.conf.
Run $ sudo certbot renew --dry-run to check whether your revised config succeeds or fails.
Using --dry-run won't impact your limits as you troubleshoot and fix the configuration. Once it completes successfully, you could run certbot in various ways and expect things to work.

I have faced the same problem. The steps below solved my problem.
Remove all your existing certbot files if you already tried to set up SSL.
Follow this link for how to remove existing Certbot files from your system:
https://askubuntu.com/a/1195603/871518
Separate each individual domain out of the single vhost.conf file.
Example :
domain1.conf
domain2.conf
Enable the vhosts in your two new files by typing:
a2ensite domain1.conf
a2ensite domain2.conf
Run the certbot command:
sudo certbot --apache
You will probably see a list of 4 domains if "ServerAlias" is present in your vhosts:
1. domain1.com
2. domain2.com
3. www.domain1.com
4. www.domain2.com
Select only 1 and 3 on the first pass.
Now domain1.com has SSL support; follow the same steps again for SSL support on domain2.com:
sudo certbot --apache
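As an added example (not code from the question or from any of the answers), here is a small POSIX shell script that does the preparation step the two answers above describe: it reads a combined Apache config such as the poster's 000-default.conf, lists the names each port-80 VirtualHost serves, and prints one certbot --apache -d ... command per vhost so the certificates can be requested one site at a time. The config embedded in it is constructed for the demo, and the commands are only printed, never executed.

```sh
#!/bin/sh
# Added example, not taken from the question or any answer: given a combined
# Apache config, list the hostnames each port-80 VirtualHost serves and print
# one certbot invocation per vhost, so certificates are requested per site
# rather than for every name in one run. SAMPLE_CONF is constructed for the demo.

SAMPLE_CONF='<VirtualHost *:80>
    ServerName domain01.com
    ServerAlias www.domain01.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName domain02.com
    ServerAlias www.domain02.com *.domain02.com
    DocumentRoot /var/www/html/domain02
</VirtualHost>
<VirtualHost *:443>
    ServerName domain01.com
    SSLEngine on
</VirtualHost>'

# vhost_domains [CONF_FILE]
# Prints one line per <VirtualHost *:80> block: ServerName first, then each
# ServerAlias. ServerName is kept first because certbot names the certificate
# lineage after the first -d name. Wildcard aliases are skipped: the apache
# authenticator only performs http-01 validation, which cannot issue wildcard
# certificates (those need dns-01). Reads stdin when no file is given.
vhost_domains() {
    awk '
        /<VirtualHost[^>]*:80>/        { inblock = 1; sn = ""; aliases = ""; next }
        inblock && $1 == "ServerName"  { sn = $2; next }
        inblock && $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) if ($i !~ /\*/) aliases = aliases " " $i
            next
        }
        inblock && /<\/VirtualHost>/   { if (sn != "") print sn aliases; inblock = 0 }
    ' "${1:--}"
}

# certbot_commands [CONF_FILE]
# Turns each vhost line into a certbot invocation. Only printed, never run:
# review the list, then run one command at a time and answer its prompts.
certbot_commands() {
    vhost_domains "$1" | while read -r names; do
        cmd="certbot --apache"
        for n in $names; do cmd="$cmd -d $n"; done
        echo "$cmd"
    done
}

# Demo on the constructed config: prints two commands, one per port-80 vhost.
printf '%s\n' "$SAMPLE_CONF" | certbot_commands
```

To use it on a real server, pass the config path instead of the sample (`certbot_commands /etc/apache2/sites-enabled/000-default.conf`) and run the printed commands one at a time; each run then touches only one vhost, which is what the answers above recommend.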

Related

redirect enhancement + redirect vhost with apache2 and certbot

I am trying to install a valid HTTPS certificate but I get a vhost error.
# sudo certbot --apache -d mysite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mysite.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl-le-ssl.conf
Successfully deployed certificate for mysite.com to /etc/apache2/sites-enabled/000-default-le-ssl-le-ssl.conf
Failed redirect for mysite.com
Unable to set the redirect enhancement for mysite.com.
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
certbot install --cert-name mysite.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I have this in /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerName mysite.com
ServerAlias www.mysite.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} = foo.mysite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
How can this be fixed? It was working well.

Docker Reverse Proxy

I have a collection of web applications, with each running inside its own Docker Containers. I can access them locally via http://localhost:9001, for example. I want to access them remotely via https://site.example.com, instead. I have a wildcard Let's Encrypt certificate for example.com.
I understand I need Apache to do direct traffic from FQDN to Port. So I have setup a VirtualHost (below). Normal web activity seems to work fine. I can navigate the website normally.
However, when I try to login using OAuth (e.g. BitBucket), I get a URI redirect mismatch error. This does not happen when I run this outside of a container. I think there is something wrong with my Proxy setup. Is anyone able to advise how to rectify?
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName site.example.com
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
AllowEncodedSlashes NoDecode
</VirtualHost>
For such a use case, Traefik is a very suitable tool. Coupled with docker-compose, you can set up multiple docker containers on the same host, each one having its own endpoint. To access them remotely, you then just have to bind the remote host's IP address to all your endpoints (or use a public DNS that does it for you).
Here is a docker-compose.yml example using Traefik.
version: "3"
services:
  traefik:
    image: traefik:latest
    command: --api --docker --logLevel=DEBUG
    ports:
      - "80:80"
      - "443:443"
      - "8082:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=false"
  your_first_container:
    image: <YOUR_IMAGE>
    labels:
      - "traefik.frontend.rule=Host:site.example.com"
      - "traefik.port=9001"

https is not working with my installed ssl (apache 2.4.25 & letsencrypt)

I am trying to install ssl on my web site for the first time and cannot get it running.
I installed certbot on my host and installed letsencrypt certificates for the web sites
5: site3.ru
6: dav.site3.ru
7: www.site3.ru
And now site3.ru is completely not working, on both http and https.
dav.site3.ru is working, but only with http.
apachectl -v
Server version: Apache/2.4.25 (Debian)
# uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
# cat /etc/debian_version
9.5
root@debian:/home/schel4ok# apt-get install python-certbot-apache -t stretch-backports
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
python-certbot-apache
1 upgraded, 0 newly installed, 0 to remove and 97 not upgraded.
Need to get 3,810 B of archives.
After this operation, 3,072 B of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch-backports/main amd64 python-certbot-apache all 0.28.0-1~bpo9+1 [3,810 B]
Fetched 3,810 B in 0s (22.0 kB/s)
Reading changelogs... Done
(Reading database ... 67111 files and directories currently installed.)
Preparing to unpack .../python-certbot-apache_0.28.0-1~bpo9+1_all.deb ...
Unpacking python-certbot-apache (0.28.0-1~bpo9+1) over (0.25.0-2~bpo9+1) ...
Setting up python-certbot-apache (0.28.0-1~bpo9+1) ...
root@debian:/home/schel4ok# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: site1.lan
2: www.site1.lan
3: site2.ru
4: www.site2.ru
5: site3.ru
6: dav.site3.ru
7: www.site3.ru
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5 6 7
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/dav.site3.ru.conf)
It contains these names: dav.site3.ru
You requested these names for the new certificate: site3.ru,
dav.site3.ru, www.site3.ru.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for site3.ru
tls-sni-01 challenge for dav.site3.ru
http-01 challenge for www.site3.ru
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dav.site3.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: dav.site3.ru
Type: connection
Detail: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@debian:/home/schel4ok# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: site1.lan
2: www.site1.lan
3: site2.ru
4: www.site2.ru
5: site3.ru
6: dav.site3.ru
7: www.site3.ru
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 7
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.site3.ru
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/site3-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/site3-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/site3-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/site3.conf to ssl vhost in /etc/apache2/sites-available/site3-le-ssl.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.site3.ru
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.site3.ru
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.site3.ru/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.site3.ru/privkey.pem
Your cert will expire on 2019-03-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@debian:/home/schel4ok# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dav.site3.ru.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dav.site3.ru
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/dav.site3.ru/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.site3.ru.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.site3.ru
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.site3.ru/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dav.site3.ru/fullchain.pem (success)
/etc/letsencrypt/live/www.site3.ru/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
root@debian:/home/schel4ok#
At this point I checked that https was not working, and I noticed that my conf files, which were created by certbot, don't contain the string 'SSLEngine on'.
Then I added this line, but https is still not working.
Here is how my conf looks.
/etc/apache2/sites-enabled/site3.conf
<VirtualHost *:80>
ServerName site3.ru
ServerAlias www.site3.ru
ServerAdmin admin@site3.ru
DocumentRoot /var/www/site3
DirectoryIndex index.html index.htm index.php
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.site3.ru [OR]
RewriteCond %{SERVER_NAME} =site3.ru
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-enabled/site3-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName site3.ru
ServerAlias www.site3.ru
ServerAdmin admin@site3.ru
DocumentRoot /var/www/site3
DirectoryIndex index.html index.htm index.php
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.site3.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.site3.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
/etc/apache2/sites-enabled/dav.conf
<VirtualHost *:80>
ServerName dav.site3.ru
ServerAlias dav.site3.ru
DocumentRoot /var/www/dav/html
DirectoryIndex index.html index.htm index.php
<Directory "/var/www/dav/html">
Options None
Options +FollowSymlinks
AllowOverride All
# Configuration for apache-2.4:
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/sites-enabled/dav-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName dav.site3.ru
ServerAlias dav.site3.ru
DocumentRoot /var/www/dav/html
DirectoryIndex index.html index.htm index.php
<Directory "/var/www/dav/html">
Options None
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dav.site3.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dav.site3.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
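A check added here as an example (not code from either question or from any answer on this page) that serves both the original question, where a certificate is expanded to cover a subdomain, and the site3 question just above: it reads the DNS names from a certificate's subjectAltName and reports which of a vhost's names are missing. In the transcript above, the second certbot run requested only www.site3.ru, while site3-le-ssl.conf serves site3.ru with that certificate; this is the quick way to confirm whether the apex name is actually covered before looking further. On the real host the call would be cert_covers /etc/letsencrypt/live/www.site3.ru/fullchain.pem site3.ru www.site3.ru (that path is the one from the config above). The self-signed certificate the script generates is a constructed stand-in so it runs offline; it is not a Let's Encrypt certificate.

```sh
#!/bin/sh
# Added example (not part of the question or answers): verify that a certificate
# file lists every hostname a vhost serves. Browsers match on subjectAltName,
# not on the CN, so the SAN list is what matters.

# cert_sans CERT_FILE
# Prints the DNS names from the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers CERT_FILE NAME...
# Returns 0 when every NAME appears in the certificate's SANs; otherwise prints
# each missing name and returns 1.
cert_covers() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx -- "$name"; then
            echo "missing from $cert: $name"
            rc=1
        fi
    done
    return $rc
}

# make_demo_cert OUT_DIR NAME...
# Constructed test fixture: a throwaway self-signed certificate whose SANs are
# the given names, written as cert.pem / privkey.pem in OUT_DIR. The config-file
# route is used so it works on OpenSSL versions without -addext.
make_demo_cert() {
    dir=$1; shift
    sans=""
    for name in "$@"; do sans="${sans:+$sans,}DNS:$name"; done
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" -config "$dir/san.cnf" 2>/dev/null
}

# Demo: a certificate issued for the apex and www names only, then the same
# check with a subdomain added, which is the situation the expand prompt handles.
DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR" domain.com www.domain.com
cert_covers "$DEMO_DIR/cert.pem" domain.com www.domain.com && echo "certificate covers the apex names"
cert_covers "$DEMO_DIR/cert.pem" domain.com www.domain.com playground.domain.com || echo "certificate must be expanded"
```

Running the check after every certbot run, against the file the SSLCertificateFile directive actually points at, catches the case where a new lineage was created under a different name (here www.site3.ru instead of site3.ru) and the vhost is still serving a certificate that lacks one of its names.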

Kemal behind apache2 with mod_proxy not serving static files

I have a kemalcr based application server listening on
http://127.0.0.1:3000, behind apache2.
When running the kemalcr app locally everything is fine, and static files, e.g. /assets/stylesheets/styles.css, are delivered perfectly.
But when deploying on a production host behind apache2, requests for styles.css result in a 404.
My apache config for the virtual host looks like this:
<VirtualHost *:80>
ServerName mydom.com
ServerAdmin hostmaster@mydom.com
ErrorLog ${APACHE_LOG_DIR}/mydom_error.log
CustomLog ${APACHE_LOG_DIR}/mydom_access.log combined
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
When browsing mydom.com, Kemal behind apache2 responds fine, except for the static files.
My directory structure looks like:
app/
- src/
- spec/
- public/
  - assets/
    - stylesheets/
      - styles.css
But a request for http://mydom.com/assets/stylesheets/styles.css results in 404.
Any ideas?
The Kemal app sets its app root to where it is started from,
so a Capistrano deployment uses the home directory of the deployment user, which results in
/home/deployment_user
Kemal by default uses a relative path for public_folder, './public'.
This results in the public folder being resolved to
/home/deployment_user/public
which, of course, does not exist.
I can define the kemal-public_folder via config:
Kemal.config.public_folder = "/var/www/mydomain/current/public"
or define it according to Kemal.env e.g. 'production' or 'development'

VirtualHost Same ServerName Different Directories (mirror codes)

There is currently a problem as follows (I have read this similar question, but I don't use a proxy).
The official code uses SVN version control under the root directory of the Apache document root, and connects to the official database.
I need to build a mirror (in another directory) which completely copies the SVN code, but connects to the test database for testing.
But the two directory sites use the same VirtualHost ServerName,
set up as follows:
<VirtualHost *:80>
DocumentRoot "E:/website-PHP/online"
ServerName website
</VirtualHost>
The current situation is:
When connecting to http://website and browsing sub-pages, everything is normal, such as
http://website/test, but when I connect to http://website/mirror
and browse the sub-pages, because the paths in the code were written absolutely, the page http://website/mirror/test is replaced automatically
by http://website/test and the connection fails.
※ I have tried using the rewrite engine
RewriteCond %{SERVER_NAME} localhost [OR]
RewriteCond %{SERVER_NAME} website
RewriteCond %{REQUEST_URI} !mirror
RewriteRule ^(.*)$ https://%{SERVER_NAME}/mirror%{REQUEST_URI} [R=301,L]
But then the situation becomes: http://website redirects to the test area http://website/mirror/
※ I tried using two sets of VirtualHost:
<VirtualHost *:80>
DocumentRoot "E:/website-PHP/online"
ServerName website
</VirtualHost>
<VirtualHost *:8080>
DocumentRoot "E:/website-PHP/online/mirror"
ServerName website
</VirtualHost>
Apache can start up, but I can't connect to http://website:8080/,
and there is no error log.
Any solution without editing the source code?
Thanks!
※ My Apache version is 2.2.25