I'm trying to setup the ssl certificate with Letsencrypt but when i run :
./letsencrypt-auto --apache -d industriemedia.tv
It looks like my domain name cannot be found:
[root#ip-172-31-21-7 letsencrypt]# ./letsencrypt-auto --apache -d industriemedia.tv
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for industriemedia.tv
We were unable to find a vhost with a ServerName or Address of industriemedia.tv.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
But i have added a virtualhost in /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.industriemedia.tv
ServerAlias industriemedia.tv *.industriemedia.tv
DocumentRoot /var/www/html/
</VirtualHost>
I had to open the port 443 which haven't been opened.
Also doing a ./letsencrypt-auto reset my ssl certificate and my domain was recognized.
Related
I have a similar problem as mentioned in Apache redirect to another port but the answer does not work for me.
I have Apache set up on an Debian VM, with an instance of Nextcloud.
I setup a vhost for cloud.mydomain.com on port 443 and it works fine.
Also, I installed Gitlab on the same VM, and the external url is https://debianvm.local:1234
How can I redirect https://gitlab.mydomain.com:443 to https://debianvm.local:1234 ??
I have tried
<VirtualHost *:443>
ServerName gitlab.mydomain.com
ServerAlias gitlab.mydomain.com
ProxyPass / https://debianvm:8508/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
I was hoping to later be able to call certbot -d gitlab.mydomain.com and change the certificate...
I also tried putting exactly the same file for *:80 (without SSLEngine lines) and then call certbot but without success.
I also tried directly putting https://gitlab.mydomain.com in the gitlab configuration, in vain.
Any ideas?
Thanks.
On the DNS side, I set up 2 DNS redirections type A: one for cloud.mydomain.com and one for gitlab.mydomain.com, but they are pointing to the same IP.
On the port forwarding side, the NAS with the host IP is forwarding 80 and 443 to 80 and 443 of the debianvm.local
I try to set ssl for my php/laravel application under Digital Ocean with Kubuntu 18
as in this articles
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04
But I got error trying to use certbot to obtain a free SSL certificate :
# sudo ufw status
Status: active
To Action From
-- ------ ----
Apache Full ALLOW Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
22/tcp ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
# sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk -d www.products-catalog.nilov-sergey-demo-apps.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for products-catalog.nilov-sergey-demo-apps.tk
http-01 challenge for www.products-catalog.nilov-sergey-demo-apps.tk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.products-catalog.nilov-sergey-demo-apps.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.products-catalog.nilov-sergey-demo-apps.tk
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.products-catalog.nilov-sergey-demo-apps.tk
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
products-catalog.nilov-sergey-demo-apps.tk - that is my domain I got on freenom.com and searching I found a hint that
I need to add A-record for www subdomain
I tried to add new record as https://imgur.com/a/ijFxlzN
But trying to suBmit this page I got:
• Error occured: Invalid value in dnsrecord
What is wrong ? Can new record be issue of my problem ? Or I need to move in other way ?
UPDATED # 2
Configuration in appache is :
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/lprods/public
ServerName products-catalog.nilov-sergey-demo-apps.tk
ServerAlias products-catalog.nilov-sergey-demo-apps.tk
<Directory /var/www/html/lprods/public>
AllowOverride All
Order Deny,Allow
Allow from all
Require all granted
</Directory>
Options FollowSymLinks
DirectoryIndex index.php
ErrorLog /var/www/html/lprods/storage/logs/error.log
CustomLog /var/www/html/lprods/storage/logs/access.log combined
</VirtualHost>
with line in /etc/hosts
138.68.107.5 products-catalog.nilov-sergey-demo-apps.tk
Can it be issue with my problem ?
UPDATED # 3
I made some more review and found next :
IP of my server is 138.68.107.4 and under ssh I enter the console of OS as
ssh root#138.68.107.4
But in my /etc/hosts file I had next lines pointing to some other hosts on this server:
# 127.0.0.1 localhost
127.0.0.1 localhost.localdomain localhost
138.68.107.4 box.example.com box
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
138.68.107.4 votes.nilov-sergey-demo-apps.tk
138.68.107.5 products-catalog.nilov-sergey-demo-apps.tk
138.68.107.6 csvp.nilov-sergey-demo-apps.tk
...
I modified 3 last lines as :
138.68.107.4 votes.nilov-sergey-demo-apps.tk
138.68.107.4 products-catalog.nilov-sergey-demo-apps.tk
138.68.107.4 csvp.nilov-sergey-demo-apps.tk
But I still not sure is that is valid value, as I have next error again:
# sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk -d www.products-catalog.nilov-sergey-demo-apps.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for products-catalog.nilov-sergey-demo-apps.tk
http-01 challenge for www.products-catalog.nilov-sergey-demo-apps.tk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.products-catalog.nilov-sergey-demo-apps.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up
A for www.products-catalog.nilov-sergey-demo-apps.tk
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.products-catalog.nilov-sergey-demo-apps.tk
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
can reason of this error be in wrong IP in /etc/hosts or some other issue ?
Thanks!
The domain www.products-catalog.nilov-sergey-demo-apps.tk does not resolve:
https://www.whatsmydns.net/#A/www.products-catalog.nilov-sergey-demo-apps.tk
So it's not a server configuration issue, you simply have to add the www.products-catalog subdomain record in you DNS manager,
or remove this: -d www.products-catalog.nilov-sergey-demo-apps.tk from the certbot command
certbot complains about:
DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
a) the local /etc/hosts file is not the public DNS zone file ...just add the domain name; because virtual host is being told apart by HTTP host headers: 138.68.107.4 nilov-sergey-demo-apps.tk
when using a DNS zone file, one does not have to add them into there, alike on the localhost.
b) then either use the certbot command without the non-existent www virtual host:
sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk
or fix DNS and virtual host, in order to serve the www virtual host; then they should work for both. an A "address" record is being expected; but a CNAME "common name" record is being provided. to fix this you just have to change the type from CNAME to A and wait until it had been distributed.
see for yourself: non-www and www. HTTPS also does not respond, at all.
c) and to fix the virtual host configuration, you have to add the proper ServerAlias:
ServerName products-catalog.nilov-sergey-demo-apps.tk
ServerAlias www.products-catalog.nilov-sergey-demo-apps.tk
If you run certbot with --manual certonly then run with --apache option it will "reinstall" the cert to your Apache server.
Run :
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory
-d *.domain.com --manual --preferred-challenges dns-01 certonly
You then add DNS TXT record and click Continue on the certbot instruction.
Once complete you can run a simple --apache install like this.
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory
-d *.domain.com --apache
This will ask to reinstall cert and you can just select that.
I have limited experience setting up SSL certs, so far i've been able to get single SSL certs working on different servers, now I'm stuck trying to get a wildcard SSL cert setup alongside an existing organisational SSL for same domain, it keeps pointing at the organisational cert even though I specify the wildcard cert in the the virtual host.
I'll try explain the best I can using sample data:
organisational certificate site.example.com
wildcard certificate *.example.com
apache version 2.2.3
I will leave out the port 80 stuff as there is no issues there
Example configuration:
NameVirtualHost *:443
NameVirtualHost 192.0.2.201:443
NameVirtualHost 192.0.2.202:443
<VirtualHost 192.0.2.202:443>
ServerName site.example.com
DocumentRoot /var/www/html/site
SSLEngine On
SSLCertificateFile /locationof/organisational.crt
SSLCertificateChainFile /locationof/organisational.intermediate.pem
SSLCertificateKeyFile /locationof/organisational.key
</VirtualHost>
<VirtualHost 192.0.2.202:443>
ServerName mytestsite.example.com
DocumentRoot /var/www/html/mytestsite
SSLEngine On
SSLCertificateFile /locationof/wildcard.crt
SSLCertificateChainFile /locationof/wildcard.intermediate.pem
SSLCertificateKeyFile /locationof/wildcard.key
</VirtualHost>
There are no issues with either certificate.
When I restart Apache and go to https://mytestsite.example.com in Firefox it tells me 'Your connection is not sercure' when expanding the Advanced button I can see from the message 'The certificate is only valid for the following names: site.example.com, www.site.example.com' So I guess it's picking up the organisational virtual host each time and isn't getting to the wildcard virtual host, I've tried switching them about as I've read that Apache can be affected by the order of the virtual hosts but it made no difference to me.
I'm sure it's something simple I'm doing wrong but I've searched various sites and Google but just can't pinpoint the issue :(
EDIT - additional info from running httpd -S
192.0.2..201:443 is a NameVirtualHost
default server www.anothersite.net (/etc/httpd/conf/httpd.conf:aaaa)
port 443 namevhost www.anothersite.net (/etc/httpd/conf/httpd.conf:aaaa)
192.0.2.202:443 is a NameVirtualHost
default server site.example.com (/etc/httpd/conf/httpd.conf:xxxx)
port 443 namevhost site.example.com (/etc/httpd/conf/httpd.conf:xxxx)
port 443 namevhost mytestsite.example.com (/etc/httpd/conf/httpd.conf:yyyy)
wild alias *.*
*:443 is a NameVirtualHost
default server someoldsite.com (/etc/httpd/conf.d/ssl.conf:xx)
port 443 namevhost someoldsite.com (/etc/httpd/conf.d/ssl.conf:xx)
// there is no virtual host for this old site, it seems it is the name of the server inside /etc/hosts file
I checked the *:443 path in case there was a redirect or something like that but there is not. I've added in the additional NameVirtualHost settings to example configuration. From the info above I'm still not sure what's going wrong! The wildcard SSL certificate is set up on 2 other servers and works fine but it is the only SSL certificates on those servers as opposed to this server which has 2 others and 1 sharing the same domain
EDIT 2
there is a ssl.conf file being include with the following <VirtualHost _default_:443> but don't think that is causing any harm?
this server has been working fine using both certs on .201 and .202 and the wildcard cert works fine on two other servers, I just can't get the wildcard ssl cert to work along with the .202 organisational cert :(
My question is related to the wrong redirection of multi-domain server.
I have a VPS server on ovh.com with 2 domains names:
site1.com
site2.com
On OVH admin panel, I have set up the DNS zone so that each site return to the IP adress of the server with a type A. Each www.siteX.com have for targetsiteX.com with a type CNAME.
On the server side, I'm using Apache2 and I have created for all a conf file in /etc/apache2/site-available/:
site1.conf
site2.conf
with the same structure:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName siteX.com
ServerAlias www.siteX.com
DocumentRoot /var/www/siteX
</VirtualHost>
Then I have used the command a2ensite subX.conf or a2ensite siteX.conf and sudo service apache2 restart
The problem I have is that www.site2.com is redirected to site1.com while site2.com is correct and return site2.
The interesting aspect is that www.site2.com? is correctly loading the content of site2 while keeping the www.site2.com/? in the url.
Again, similar to Sub-domain not working, the solution was to disable the default virtualserver:
sudo a2dissite 000-default
Can someone explain the reason ? How to avoid that ?
I've been banging my head against the wall trying to figure out how to setup multiple SSL certificates on an amazon VPC instance (I'm using amazon's standard linux AMI)
Here's what I did:
I setup a VPC instance
Added a secondary private IP address
Added 2 elastic IP addresses & "linked" them to the private ones
Went to my domain registrar & pointed two test domains to the elastic IP addresses
Waited until new IP addresses were propagated
I uploaded the SSL certificates to the VPC instance
Then I tried editing ssl.conf, see line 74 to 93 & httpd.conf, see line 1046 to 1086:
ssl.conf
<VirtualHost domain1.com:443>
ServerName www.domain1.com:443
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/ssl/domain1_com.crt
SSLCertificateKeyFile /etc/ssl/domain1_com.key
SSLCertificateChainFile /etc/ssl/domain1_com.ca-bundle
</VirtualHost>
<VirtualHost _default_:443>
...Default SSL certificate (domain1.com) here...
</VirtualHost>
httpd.conf
<VirtualHost *:80>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain1.com
</VirtualHost>
<VirtualHost *:80>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain2.com
</VirtualHost>
I also tried <VirtualHost *:443> and <VirtualHost IP.ADDRESS:443>, didn't work either.
The result is basically this:
domain1.com (which is the default SSL certificate) works just fine (resolve fine, green bar)
domain2.com: doesn't even resolve to anything, even though when I do ping www.domain2.com, I get the correct elastic IP
My question is: Any idea how to make domain2.com resolve & use the correct SSL certificate?
EDIT / Additional Info:
I also tried this:
Temporarily stopped firewall as suggested, ie. sudo service iptables stop
From outside of EC2, curl --connect-timeout 10 https://domain2.com gave me this curl: (28) connect() timed out!
wget https://www.domain2.com/ gave me this: --2013-10-03 15:57:22-- domain2.com Resolving www.domain2.com... 54.229.111.22 Connecting to www.domain2.com|54.229.111.22|:443... failed: Connection timed out. Retrying.
EDIT (2):
I noticed 2 things:
If I use 2 network interfaces (each NIC with one private IP) sudo ifconfig doesn't show the 2nd NIC (ie. eth1), and wether I use one or two NICs, sudo ifconfig always return the 1st private IP (10.0.0.10), never the 2nd one (10.0.0.183)
Unsurprisingly, the unreachable website domain2.com corresponds to the 2nd IP (which is missing): 10.0.0.183
This command curl --interface 10.0.0.10 ifconfig.me correctly retuns the elastic IP address associated to domain1.com while
This command curl --interface 10.0.0.183 ifconfig.me retuns:
curl: (45) bind failed with errno 99: Cannot assign requested address
I followed this guid, I can see eth1, but domain2.com is still unreachable
And curl --interface 10.0.0.183 ifconfig.me now returns this:
curl: (7) Failed connect to ifconfig.me:80; Connection timed out
You will need to use ip based virtual hosting for SSL. The IP address you are going to listen will be the private, not public IP.
Your sites on port 80 can use name based virtual hosting. But you need to make sure you are using this directive: NameVirtualHost *:80
This tutorial fixed it for me
One small (but important) note:
Instead of typing this command (step #5):
echo "1 admin" >> /etc/iproute2/rt_tables
You should do this instead:
sudo vi /etc/iproute2/rt_tables
then add 1 admin at the end of the file
I think you need to follow a troubleshooting methodology for this.
Start by simplifying your configuration and verifying the basic components, then gradually build it up to the complete solution. For example:
Map the elastic IP for domain2 to a new EC2 server.
On the new server, start by making domain2.com available over HTTP
Once it is working over HTTP, set it up to work over HTTPS
Once it is working over HTTPS map the elastic IP back to the original server and make it work on the original server using HTTP
Once it is working over HTTP take the final step of getting it to work over HTTPS on the original server.
The aim here is to validate each step and isolate exactly where it is going wrong. This will then enable you to best direct your energies for solving the root cause.