Certbot installed two lets-encrypt SSL certificates but none working
On my AWS EC2 Ubuntu 18
Three files are as follows:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =sub1.domain.net [OR]
RewriteCond %{SERVER_NAME} =sub2.domain.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-available/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
SSLEngine on
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName sub1.domain.net
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias sub2.domain.net
SSLCertificateFile /etc/letsencrypt/live/sub1.domain.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub2.domain.net/privkey.pem
</VirtualHost>
</IfModule>
/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
/var/log/letsencrypt/letsencrypt.log
2018-12-21 04:51:46,545:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/000-default-le-ssl.conf
2018-12-21 04:51:46,744:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
netstat -ltnp | grep ':80\|:443'
tcp6 0 0 :::443 :::* LISTEN 1529/apache2
tcp6 0 0 :::80 :::* LISTEN 1529/apache2
I tried everything but the outside world doesn't find any certificate.
I didn't put any entry into this file: /etc/apache2/apache2.conf
subdomains were taken from free DNS dynu dot com
Related
I'm in the process of setting up a droplet at DigitalOcean. I would like to serve multiple sites from the same droplet and use LetsEncrypt SSL certs. When accessing a test site, I see an error in the logs "AH00566: request failed: malformed request line" and in the Chrome I see "ERR_SSL_PROTOCOL_ERROR".
It seems that I likely have a configuration error somewhere but am not sure where.
The conf for my site is:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /var/www/mydomain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydomain.com [OR]
RewriteCond %{SERVER_NAME} =mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
<Directory /var/www/mydomain.com>
AllowOverride All
</Directory>
ServerAdmin webmaster#localhost
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /var/www/mydomain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
I would like to set up a subdomain on my virtual server with Debian 9 and Apache 2 which points to a directory at /var/www/html/test.
SSL and Let's Encrypt is also enabled, so the subdomain should be reached with https too.
My 000-default.conf file looks like:
<VirtualHost _default_:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost _default_:443>
DocumentRoot /var/www/html
ServerName www.example.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine on
ServerAlias www.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
The file default-ssl.conf looks like:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I made a new copy of the 000-default.conf file, named it "test.example.com.conf" and enabled it by means of a2ensite. The file looks like:
<VirtualHost _default_:80>
ServerAdmin webmaster#test.example.com
DocumentRoot /var/www/html/test
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost _default_:443>
DocumentRoot /var/www/html/test
ServerName test.example.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine on
ServerAlias test.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
My hosts file includes the entry SERVER_IP_ADDRESS test.example.com.
The DNS server has an "A"-Entry with test.example.com pointing on SERVER_IP_ADDRESS.
Pinging test.example.com from another machine ends in "Host not found" and a ping on the virtual server results in an response from itself.
So why does the webbrowser only show "Server not found"?
Did I forget something? Is something in my config wrong?
After long testing and research I found the mistake!
There were 3:
The DNS A-entry took some time to complete
my .htaccess forwarding caused the URL always to be rewritten to www.example.com, no matter which subdomain was typed in
my test.example.com.conf file has a mistake in it which makes the subdomain only available via https: the ServerAlias instruction was missing inside <VirtualHost _default_:80>
So it works so far and needs some improvements...
I hope I will help someone else with my mistakes!
I have a single digitalocean droplet, with only a single IPV4 address possible. I would like to use SNI to apply TLS (SSL) encryption onto only a specific subdomain, and not any other parts of the domain.
Example being:
domain.com (No TLS)
sub.domain.com (TLS, certificate 1)
sub1.domain.com (TLS, certificate 2)
sub2.domain.com (no TLS)
I'm using LetsEncrypt for the certificates, so wildcard domains are not possible.
domain.com.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Two things you should be aware of:
You never know which protocols users are going to use. They will default to http if protocol not defined and some browser extensions will try https first and use that if it exists.
Apache will fallback to the first site defined for that port if there's not a better match. In which case you might end up serving the wrong site if, for example, you don't define a sub2.domain.com site on port 443.
So you should define all 4 domains on both port 80 and port 443 and basically have 8 vhosts defined.
This also means will need to buy (or get for free from LetsEncrypt) certificates to cover all domains and not just the two you want to serve over https.
Then you should use redirects appropriately:
domain.com (No TLS): Serve site on port 80. Config for port 443 should just redirect all traffic back to equivalent page on http://domain.com
sub.domain.com (TLS, certificate 1): Serve site on port 443. Config for port 80 should just redirect all traffic back to equivalent page on https://sub.domain.com
sub1.domain.com (TLS, certificate 2): Similar to sub.domain.com setup mentioned in point 2 above.
sub2.domain.com (no TLS): Similar to domain.com set up mentioned in point one above.
Example config:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-domain.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-domain.key
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}/%$1 [R,L]
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain.key
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain1.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain1.key
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain2.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain2.key
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}/%$1 [R,L]
</VirtualHost>
However if going to all this hassle then might want to rethink not serving everything over https.
I have setup 2 websites on my Ubuntu web server and am having some trouble with getting two SSL certificates to work correctly. I did get one working on it's own at first, however, now I can't restart Apache successfully.
Error when trying to restart Apache
* Restarting web server apache2
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 3 of /etc/apache2/sites-enabled/website1.conf:
ServerName takes one argument, The hostname and port of the server
Action 'configtest' failed.
Output of /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Output of website1.conf (first vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support#localhost
ServerName www.website1.com website1.com
DocumentRoot /var/www/html/website1.com/public
Redirect permanent /secure https://website1.com
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin support#localhost
ServerName website1.com
DocumentRoot /var/www/html/website1.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website1.com/private/website1.crt
SSLCertificateKeyFile /var/www/html/website1.com/private/website1_private.key
SSLCertificateChainFile /var/www/html/website1.com/private/DigiCertCA.crt
</VirtualHost>
Output of website1.conf (second vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support#localhost
ServerAlias www.website2.com website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#localhost
ServerName website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website2.com/private/website2.crt
SSLCertificateKeyFile /var/www/html/website2.com/private/website2_private.key
SSLCertificateChainFile /var/www/html/website2.com/private/DigiCertCA.crt
</VirtualHost>
Any help or verification of my config would be greatly appreciated. Thanks in advance.
I have a Server which is running Debian 8.1 with Apache 2.4.10 and OpenSSL 1.0.1k.
I have a domain example.com with a few subdomains like www.example.com, cloud.example.com and db.example.com all pointet to the Server (A-Records).
All these subdomains have their own VirtualHosts with their own SSL-Certificates. Also if you send a HTTPS-Request with another domain or with the IP you'll get a page with a self-signed certificate.
Everything was running perfect until I rebootet my server.
Now when I request example.com (without a subdomain-prefix) I get the self-signed crt. The subdomains are working perfectly fine. I have the following vHost-Configs:
(because I only want HTTPS I have a Rewrite-Rule for all HTTP-Connections)
000-default.conf
<VirtualHost *:80>
ServerAdmin admin#example.com
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
DocumentRoot /var/www
<Directory /var/www>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/default/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/default/ca.key
</VirtualHost>
</IfModule>
www.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
cloud.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName cloud.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
I really hope that somebody can help me!
The hostname was example (like the domain, but without .com) so I changed the hostname to some random typing and after a reboot everything worked fine again. When I changed my hostname back it kept working even after a reboot.
For me changing the order of VirtualHosts helped to solve the problem, by putting malfunctioning VirtualHost to the top in the conf file.