ports.conf changed by certbot - apache

I have two http servers running:
nginx (80/443)
apache2 (8080/8081)
My ports.conf (apache2) looks like this:
Listen 8080
<IfModule ssl_module>
Listen 8081
</IfModule>
<IfModule mod_gnutls.c>
Listen 8081
</IfModule>
Usually both (nginx & apache) run in parallel which is no problem.
Periodically certbot from Let's Encrypt runs (I don't know why; it's not listed in crontab) and appends the following lines to the above-mentioned file:
#vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Apache2 then tries to restart, but fails, because port 443 is already in use by nginx.
I tried to delete or comment out the new lines, but they get overwritten each time certbot runs. Changing the port from 443 to 8081 also led to the same result.
I have written a wrapper script that stops nginx, resets apache ports to defaults, updates the certificates and changes them back.
Is it possible to prevent certbot from running automatically?
Instead I would like to add my wrapper script to the crontab.

I had this problem as well. I realized that I had installed the certificate configured to use apache, which was then being proxied by nginx. To solve, I simply created a new certificate for that domain using nginx as the server instead.
It no longer tries to configure the port number during its attempt to renew.

Related

Apache HTTPD: How to setup Virtual Host correctly

I've installed Apache httpd on my Mac and "It works".
Now I need to configure a Virtual Host in order to expose my application (Java Spring) with httpd as reverse proxy in front of it.
This is what I have in the /usr/local/etc/httpd/extra/httpd-vhosts.conf file:
<VirtualHost *:443>
ServerName my.domain.it:443
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/cert.key
ProxyPreserveHost On
# Trailing slashes must match on both sides: with "/" -> ".../myapp" (no slash)
# a request for /foo would be forwarded to /myappfoo.
ProxyPass / http://localhost:8080/myapp/
ProxyPassReverse / http://localhost:8080/myapp/
</VirtualHost>
In /etc/hosts I've mapped the server address like this:
127.0.0.1 my.domain.it
And The Tomcat Connector configuration is:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https"/>
If I run the application from Eclipse it responds correctly at http://localhost:8080/myapp/, but if I try to call https://my.domain.it/myapp/ it doesn't work and Google Chrome tells me: "This site can't be reached".
What's wrong with my configuration?
P.S.
The httpd Apache instance is configured to Listen on port 80
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Thanks.
EDIT: SOLVED
Unfortunately I was not able to solve it with Apache httpd, but now with Nginx it works. Thanks for your answers.
In mod_ssl.conf (file name might be different) you should have the following line
Listen 443
It tells Apache to listen on port 443 (it's included in the configuration file when you install mod_ssl so that you can expose your site over HTTPS).
The same configuration file should include all the shared TLS configuration.
If Apache is running, you can check whether port 443 is listening using netstat:
netstat -an | grep -i list
The output should include ports 80 and 443 (and some others, depending on the services running on the server, such as ssh).
If the port is shown in the list, next step is to check apache logs for errors.

How to set Caddy as a reverse proxy for apache

Caddy 2 is a powerful, open source web server with automatic HTTPS, written in Go. I have a web app where users can point their custom domains at it, so Caddy can easily generate SSL certificates with on-demand TLS. https://caddyserver.com/docs/automatic-https
I want to set Caddy as a reverse proxy for Apache, so I edited my ports.conf file and set it to:
Listen 8080
<IfModule ssl_module>
Listen 8443
</IfModule>
<IfModule mod_gnutls.c>
Listen 8443
</IfModule>
And my caddy file is set to:
mydomain:80 {
reverse_proxy localhost:8080
}
mydomain:443 {
reverse_proxy localhost:8443
}
HTTP works fine with it, but HTTPS doesn't work at all. I even checked whether port 8443 is free, and changed it to 44301, but it doesn't work.
My questions:
1) How to properly configure caddy as reverse proxy for apache?
2) Should I also change the ports in the VirtualHost file? (I tried changing to 8080, but Apache won't start.)
3) Is there anything I am missing setting it up as a reverse proxy with apache?
Appreciate your help!!

Apache SSL error - Unable to configure server certificate for stapling

I'm trying to configure SSL on apache2 with a GeoTrust SSL certificate. I have the private key file, the certificate and the bundle certificate.
This is the virtualhost config:
http://pastebin.com/38ygh8W1
Apache gives me the error:
AH02235: Unable to configure server certificate for stapling
HTTPS times out on port 443.
I have read a lot of information on this topic but I'm not sure what to do anymore.
Any suggestions?
This seems to be a bug whose fix still hasn't made its way into the latest environments. I have the same problem. Here's my environment:
Server version: Apache/2.4.41
OS: Ubuntu 18.04
As a workaround, you can edit ports.conf so that the last listen directive is for a non-SSL port, i.e. Listen 80. Here's the whole file:
<IfModule ssl_module>
Listen 443 https
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Listen 80
And the problem is gone.

Self signed certificate on Ubuntu 12.04 and Apache 2.4.9

I am trying to install a self-signed certificate on an Apache server. First, I did
sudo a2enmod ssl
and got the following output:
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
Then, I restarted apache2 and got the following error:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs
In ports.conf, I have the following:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
If I comment out the line Listen 443 inside <IfModule ssl_module>, I get no errors. However, it seems that then I won't be able to listen for requests on 443.
What can I do to keep Listen 443 and get no errors?

"make_sock: could not bind to address [::]:443" when restarting apache (installing trac and mod_wsgi)

I'm trying to install trac and mod_wsgi over SSL. I tried to manually install it, but that didn't work out so well so I started to follow this: trac-on-ubuntu
I skipped the svn part because I'd like to use git instead. After the first edit of httpd.conf:
WSGIScriptAlias /trac /var/trac/apache/trac.wsgi
<Directory /var/trac/apache>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
I restarted apache only to get this error:
* Restarting web server apache2
(98)Address already in use: make_sock: could not bind to address [::]:443
[ OK ]
Doing these showed nothing.
netstat -anp | grep 443
fuser 443/tcp
Doing this didn't yield anything except the grep command that I ran:
ps -aux | grep httpd
Why is it saying that something else is using the port when there's nothing showing up?
EDIT: You guys are going to laugh at this. I had an extra Listen 443 in ports.conf that shouldn't have been there. Removing that solved this.
You guys are going to laugh at this. I had an extra Listen 443 in ports.conf that shouldn't have been there. Removing that solved this.
Thank you for your answers. On Apache 2.4.x, if you have installed ssl_module using yum, you don't want to add port 443 in the httpd.conf (main) file.
To find port 443 in the configuration files:
# grep '443' /etc/httpd/conf.d/*
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
# grep '443' /etc/httpd/conf/httpd.conf
Listen 443
Just remove or comment out the line (Listen 443) in the httpd.conf file.
I'm adding another answer to this as I had the same problem and solved it the same way:
I had installed SSL on apache2 using a2enmod ssl, which seems to have added an extra configuration in /etc/apache2/ports.conf:
NameVirtualHost *:80
Listen 80
NameVirtualHost *:443
Listen 443
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
I had to comment out the first Listen 443 after the NameVirtualHost *:443 directive:
NameVirtualHost *:443
#Listen 443
But I'm thinking I could just as well leave it and comment out the others.
Anyway, thank you for the solution :)
For everyone else who has no duplicate Listen directives and no running processes on the port: check that you don't accidentally include ports.conf twice in apache2.conf (as I did due to a bad merge).
I use Apache version 2.4.27 and also had this problem. I solved it by modifying conf/extra/httpd-ssl.conf and commenting out line 18 (Listen 443 https); it works fine.
I am using Ubuntu. I just disabled the SSL module of apache2 and it worked for me.
a2dismod ssl
and then restarted apache2.
service apache2 restart
I made the mistake of incorrectly naming a backup file in the /etc/httpd/conf.d directory. In the README it states that it alphabetically goes through all .conf files.
I had created ssl-<date>.conf (meant to be a backup) and it was loading before ssl.conf. It was binding the :443 port based on the ssl-<date>.conf and failing on the ssl.conf.
Once I renamed the backup file to ssl.conf.<date>, the service started without issue.
As a note, the server I'm on is running RHEL 6
I second Matthieu's answer.
I commented out Listen 443 in the httpd-ssl file and Apache can be started,
because the file already has VirtualHost _default_:443.
Let me add one more reason for the error. In httpd.conf I included explicitly
Include etc/apache24/extra/httpd-ssl.conf
while I did not notice the previous wildcard
Include etc/apache24/extra/*.conf
Grepping for 443 will not find this.
I had the same issue; it was due to multiple copies of ssl.conf in /etc/httpd/conf.d. There should only be one.
I have checked and fixed the following and got it resolved -
httpd.conf file at /etc/httpd/conf/
Checked the listening IP and port e.g. 10.12.13.4:80
Removed extra listening port(s)
Restarted the httpd service to take
I met this problem on Windows 7 with PHPEclipse when starting XAMPP.
My solution is:
1. Comment out line 171 of \xampp\apache\conf\httpd.conf: #LoadModule ssl_module modules/mod_ssl.so
2. Comment out line 539: #Include conf/extra/httpd-ssl.conf
Or you can change the 443 port to another one.
In httpd.conf, instead of:
Listen *:443
you need to write Listen 127.0.0.1:443
It works for me.
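Nearly every answer above comes down to the same thing: the port is named in more than one Listen directive that Apache actually evaluates, often in a file pulled in through an Include (a wildcard include, a mis-named backup copy, ports.conf included twice), so a grep of one file shows nothing and netstat shows no other process. Below is an added example, not code from any of the posts, that walks the configuration from a root file, follows Include/IncludeOptional globs, records the <IfModule> context of every Listen, and reports the ports that will fail at bind time with AH00072 make_sock. Assumptions: Apache's convention that <IfModule mod_ssl.c> and <IfModule ssl_module> name the same module, the stock Debian layout in which ssl_module and mod_gnutls.c are mutually exclusive (so the same port under both is not a conflict), no tracking of nested <IfModule> blocks, and a constructed demo tree that is written to a temporary directory when no arguments are given (no real /etc/apache2 is read unless you pass one).

```bash
#!/usr/bin/env bash
# Added example: audit Listen directives across an Apache configuration tree.
#
# listen_occurrences SERVERROOT FILE
#   Follows Include/IncludeOptional (glob patterns, resolved relative to
#   SERVERROOT) and prints one line per Listen directive:
#       port <TAB> context <TAB> file
#   context is the enclosing <IfModule ...> name, or "-" when unconditional.
#   "mod_ssl.c" and "ssl_module" refer to the same module, so "mod_X.c" is
#   normalised to "X_module" (assumption: Apache's naming convention).
#   Limitation (assumption): nested <IfModule> blocks are not tracked.
listen_occurrences() {
  local root=$1 file=$2 depth=${3:-0}
  local line ctx="-" kw addr pat path rest
  [ "$depth" -gt 20 ] && return 0            # guard against Include loops
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                         # strip comments
    line=${line#"${line%%[![:space:]]*}"}    # strip leading whitespace
    case $line in
      '<IfModule '*)
        ctx=${line#"<IfModule "}; ctx=${ctx%%>*}
        case $ctx in mod_*.c) ctx=${ctx#mod_}; ctx=${ctx%.c}_module ;; esac ;;
      '</IfModule>'*)
        ctx="-" ;;
      Listen[[:space:]]*)
        read -r kw addr rest <<<"$line"      # addr: "80", "*:443", "[::]:443"
        printf '%s\t%s\t%s\n' "${addr##*:}" "$ctx" "$file" ;;
      Include[[:space:]]*|IncludeOptional[[:space:]]*)
        read -r kw pat rest <<<"$line"
        case $pat in /*) ;; *) pat=$root/$pat ;; esac
        for path in $pat; do                 # unquoted on purpose: expand the glob
          [ -f "$path" ] && listen_occurrences "$root" "$path" $((depth + 1))
        done ;;
    esac
  done < "$file"
  return 0
}

# listen_conflicts SERVERROOT FILE
#   Ports that will fail with "make_sock: could not bind": listed twice in
#   the same context, or listed unconditionally and again inside an
#   <IfModule>.  The same port under ssl_module and under gnutls_module is
#   not reported, since only one of those modules is loaded at a time.
listen_conflicts() {
  listen_occurrences "$1" "$2" | awk -F'\t' '
    {
      total[$1]++
      percontext[$1 SUBSEP $2]++
      if ($2 == "-") uncond[$1]++
      where[$1] = where[$1] " " $3
    }
    END {
      for (k in percontext) {
        split(k, p, SUBSEP); port = p[1]
        if (percontext[k] > 1 || (uncond[port] > 0 && total[port] > uncond[port]))
          bad[port] = 1
      }
      for (port in bad) print port ":" where[port]
    }' | sort
}

# build_demo_tree DIR
#   Constructed input: a Debian-style tree with the duplicate-Listen layout
#   quoted in the thread (bare "Listen 443" plus the <IfModule> copies) and a
#   second file where 8443 is split across mutually exclusive modules.
build_demo_tree() {
  local dir=$1
  mkdir -p "$dir/conf-enabled"
  printf '%s\n' 'Include ports.conf' 'IncludeOptional conf-enabled/*.conf' > "$dir/apache2.conf"
  printf '%s\n' 'NameVirtualHost *:80' 'Listen 80' 'NameVirtualHost *:443' 'Listen 443' \
    '<IfModule mod_ssl.c>' '    Listen 443' '</IfModule>' \
    '<IfModule mod_gnutls.c>' '    Listen 443' '</IfModule>' > "$dir/ports.conf"
  printf '%s\n' '<IfModule ssl_module>' '    Listen 8443 https' '</IfModule>' \
    '<IfModule mod_gnutls.c>' '    Listen 8443' '</IfModule>' > "$dir/conf-enabled/alt-ports.conf"
}

if [ "$#" -ge 2 ]; then
  listen_conflicts "$1" "$2"                 # e.g. /etc/apache2 /etc/apache2/apache2.conf
else
  demo=$(mktemp -d)
  build_demo_tree "$demo"
  listen_conflicts "$demo" "$demo/apache2.conf"   # reports 443 only, never 80 or 8443
  rm -rf "$demo"
fi
```

Run it as `./listen_audit.sh /etc/apache2 /etc/apache2/apache2.conf` on Debian/Ubuntu or `./listen_audit.sh /etc/httpd /etc/httpd/conf/httpd.conf` on RHEL-style layouts; each reported port is followed by every file that declares it, which is the file list you need to edit. If it reports nothing and the bind error persists, the port really is held by another process (the nginx case at the top of this page), and `ss -ltnp 'sport = :443'` names the owning process.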