Due to the fact that this is a sensitive client project, all uses of the domain name I'm talking about have been replaced with "example.com".
I am managing a public website whose Let's Encrypt certificate expired recently. So I followed the DigitalOcean tutorial here and used certbot-auto renew to renew the certificate (yes, I ran sudo service apache2 reload afterwards). It worked, but the problem is that the site now serves both the new certificate and the expired one, and it seems like a random selection happens. Sometimes the site is trusted by the browser because it receives the new one, other times the browser rejects the expired certificate. Even running the site through the SSL Labs analyzer gives an A grade sometimes and a failure other times.
What could possibly be causing both certificates to continue to be used when my configuration explicitly includes only the new one? I'm very confused.
Running certbot-auto renew right now gives this result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted
Apache's sites-enabled directory looks like this:
000-default.conf 000-default-le-ssl.conf
And the configuration for each are as follows:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
</VirtualHost>
</IfModule>
I was able to solve the issue by calling sudo service apache2 stop to stop apache, and then running ps aux | grep apache. I discovered that there were multiple instances of apache running. So I killed them and started apache up again, and everything is now working.
Related
I'm using certbot to set up an ssl certificate on a domain (mydigitalbalance.com). I am changing the domain from a previous staging domain that I was using in order to do testing. In order to make sure there were no conflicts, I followed certbot's apache2 instructions and completely deleted all previous certificates that were on the server as well as certbot itself.
I re-installed certbot following the instructions, added two certificates for the naked domain and for www, and re-started apache.
However as you can see if you go to the URL, it is still showing as an insecure website.
I wanted to take a closer look at the certificate so in chrome I clicked on "Not Secure" in the url bar, and clicked on Certificate.
It says on the first dropdown that the certificate is invalid:
However when you click into the certificate itself, it correctly says it's a valid cert and that it is not expired and was issued by Lets Encrypt:
What is happening here? how do I fix it?
I completely commented out all the default .conf information on my setup, and the only conf is for mydigitalbalance.com, here is my mydigitalbalance.conf:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydigitalbalance.com [OR]
RewriteCond %{SERVER_NAME} =mydigitalbalance.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
and here is the mydigitalbalance-le-ssl.conf that was automatically generated when i restarted apache:
GNU nano 4.8 mydigitalbalance-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mydigitalbalance.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydigitalbalance.com/privkey.pem
</VirtualHost>
</IfModule>
Is this a propagation issue?
I am facing a problem of certificate SSL.
I have a dedicated host, and I cannot get what I am missing to receive the error by navigator:
Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
Mozilla:
SSL_ERROR_BAD_CERT_DOMAIN
Messages in browser are quite similar:
Impossible to verify from server that it is truly domain: site2.com, because its certif of security come from *.sub.site1.com. It may come from a bad config or connection getting catch by pirate. (translated message)
So it seems that the certificate is not taken while it goes threw vitrual box:
<VirtualHost *:80>
ServerName www.site2.com
ServerAlias site2.com
Redirect permanent / https://site2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.site2.com
ServerAlias site2.com
DocumentRoot /var/www/site2
Protocols h2 http:/1.1
<If "%{HTTP_HOST} == 'www.site2.com'">
Redirect permanent / https://site2.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/site2-error.log
CustomLog ${APACHE_LOG_DIR}/site2-access.log combined
SSLEngine On
SSLCertificateFile /home/certifs/site2.crt
SSLCertificateKeyFile /home/certifs/site2.key
SSLCertificateChainFile /home/certifs/site2.pem
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/site2/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/site2/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
FInaly, if I choose to go anyway to the website it is arriving to a sign in gitlab page like:
site2.com/users/sign_in
For information server works with apache2 and debian, and we have gitlab install.
Thank you in advance for your help.
The problem was that in apache2, I was creating well the conf file into the site-available folder. But I was never adding it to site-enabling folder.
Executing the command "a2ensite site2.conf" Fix this problem.
To check if you a enable well your site, I advice you to execute this command: apachectl -S. Please check this subject to because it may change depending your server config: How to debug an apache virtual host configuration?
I face a really strange issue with Apache2 (v2.4.7).
Our sites have both domain.com and www.domain.com, with and without HTTPS
When I only enable one of them with SSL, it response take less than 0.01s.
When I enable both of them with SSL, it takes more than 1 minute to answer.
There's no issue with "classic" HTTP configuration file, only the one with SSL
I've tried both with independent configuration files, or with aliases. No matter, more or less the same big response time.
Here's the config file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com # Fast when commented, slow when enabled
ServerAdmin webmaster#localhost
DocumentRoot /var/www/site
ErrorLog ${APACHE_LOG_DIR}/site-error.log
CustomLog ${APACHE_LOG_DIR}/site-access.log combined
<Directory "/var/www/site/blog">
AllowOverride All
Options FollowSymLinks
allow from all
order allow,deny
</Directory>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/domain.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain.com-0001/chain.pem
</VirtualHost>
</IfModule>
Do you have any idea how to fix this or where does the issue comes from?
Thank you for help ;)
That's strange. Are you sure if you have mod_alias enabled and loaded? You can find that out by issuing this command on a ssh console:
httpd -t -D DUMP_MODULES | grep alias
What you can try though it this: Get your server's ip (no matter if it's private or public) from your main ethernet card and use it in your apache configuration.
Replace:
<VirtualHost *:443> with <VirtualHost server-ip:443> for all your vhosts
Restart apache and try again
I have a php web app running on a AWS EC2 instance with ubuntu. It's domain name comes however from 1&1 and is pointing to the AWS EC2 public IP.
I have a SSL certificate from 1&1 on this same domain name.
When running the web page on my browser in http everything works fine. But as soon as I run it with https it's there is constant load and the page never renders.
I guess the issue is caused by my apache configuration, but I don't know what needs to be changed to make the https working fine.
Here is my mydomain.com.conf :
<VirtualHost *:80>
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot "/var/www/html/mydomain/"
ErrorLog ${APACHE_LOG_DIR}/error_mydomain.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
By looking on internet, I found out that a ssl key has to be added into the conf file, but since I'm using an ssl certificate from 1&1 I have no key or whatsoever.
Is there anyone who knows more about it ?
Thanks
Ok, so I know not many people will run into this same issue, but we never know...
It is impossible to do this without the /ssl/cert files indeed.
Unfortunately, the 1 SSL Certificate offered by 1&1 on the ultimate packs are only made for websites hosted on 1&1. I called them, and they don't want to give me the cert files because my webpage is hosted at AWS.
Thus, there is no other option then getting an other SSL certificate. I'll probably use letsencrypt for that.
You must have been provided with a cert and cert bundle from your CA vendor, and I am hoping you have kept the private key intact when creating the CSR for the bundle, your vhost should look something like this:
<VirtualHost *:80>
ServerName <mywebsite>
ServerAlias www.<mywebsite>
DocumentRoot /var/www/html/<mywebsitedocroot>
DirectoryIndex index.php index.html
<Directory /var/www/html/<mywebsitedocroot>>
#Options Indexes FollowSymLinks MultiViews
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/<mywebsitedocroot>
DirectoryIndex index.php index.html
ServerName <mywebsite>
ServerAlias www.<mywebsite>
SSLEngine On
#SSLCertificateFile /etc/ssl/certs/<mycert>.crt
#SSLCertificateKeyFile /etc/ssl/certs/<mycert>.key
SSLCertificateFile /etc/ssl/certs/<mycert>_com.crt
SSLCertificateKeyFile /etc/ssl/certs/<mycert>_com.key
SSLCertificateChainFile /etc/ssl/certs/<mycert>_com.ca-bundle
<Directory /var/www/html/<mywebsitedocroot>>
#Options Indexes FollowSymLinks MultiViews
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
What is essential to understand is HTTPS listens on port 443, not 80 (it is for HTTP) and the most important section (considering your situation) is:
SSLCertificateFile /etc/ssl/certs/<mycert>_com.crt
SSLCertificateKeyFile /etc/ssl/certs/<mycert>_com.key
SSLCertificateChainFile /etc/ssl/certs/<mycert>_com.ca-bundle
You can ignore all the Options I have set or set it as per your need. I just grabbed the info from my website conf. Hope this helps
I'm running Apache 2.4 on Ubuntu 14.04 server. It's purpose is a mail server so it has postfix, dovecot and roundcube on it (amongst other things). I'm trying, and failing, to configure Apache to serve the pages that I want.
I have an SSL certificate installed and working correctly. I want to force all access over HTTPS so I have:
<VirtualHost *:80>
Redirect / https://mailserver.hni.ae/
</VirtualHost>
Both sets of files to be served are under /var/www/html, the first being /var/www/html/A and the other /var/www/html/B (let's say). I have configured my /etc/apache2/sites-available/000-default.conf (which has a symlink to ./sites-enabled) to be:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/private/mycert.crt
SSLCertificateKeyFile /etc/ssl/private/mycert.key
ServerAdmin webmaster#mydomain.com
ServerName www.mydomain.com
DocumentRoot /var/www/html/
DirectoryIndex index.php
<Directory /var/www/html/A>
Options FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
<Directory /var/www/html/B>
Options FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from All
Allow from 192.168.1.1
</Directory>
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
And that works. I can go to www.mydomain.com/B and it serves the login page for those pages (only when I access from the specified IP address), and www.mydomain.com/A and login to the pages from app A.
My problem: I want to be able to go to www.mydomain.com/C and just plain www.mydomain.com and be redirected to www.mydomain.com/A but when I use Redirect ... the server gets into a loop and tries to serve www.mydomain.com/AAAAAAA.... I suspect I should use the RedirectMatch temp ^/$... directive but can't get that to work either. Maybe something to do with the Redirect for :80 to :443 clashing? There is no .htaccess involved as I'm using AllowOverride None.
I've read the Apache 2.4 documentation thoroughly but just can't figure it out. Any suggestions?
You can use a RewriteRule. Add this to your VirtualHost:
RewriteEngine On
RewriteRule ^/(C/?|)$ /A [R,L]
Make sure mod_rewrite is enabled too.
Explanation:
Regex ^/(C/?|)$ will match /C optionally followed by a /, or just / i.e. the root of www.mydomain.com