Apache plugin not working for Let's Encrypt - apache

I'm trying to secure my CentOS 7 VPS with Let's Encrypt. I've followed the guidelines in https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7. I've set up virtual hosts, installed the server dependencies and the Let's Encrypt client. But when I try to set up the SSL certificate with:
./letsencrypt-auto --apache -d example.com -d mail.example.com
I get the error:
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
The Apache Plugin for Let's Encrypt is not working, but how do I make it work?

Same error on CentOS 7 and Apache 2.4. I checked through my configuration and had a couple of IfModule lines that were not closed with /IfModule. Apache is OK with them, but apparently certbot's parser isn't. Hope this helps others.

Apparently there is a bug in the letsencrypt-auto script; you can use this command to do the job.
sudo certbot --authenticator standalone --installer apache -d <yourdomain> --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

This answer is not working. In my case I checked the Apache config file and found the following line at the end of it: <IfModule mod_ssl.c>. It did not make sense. On removing it, the renewal went on without a problem.
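An added check, written for this page and not taken from either answer above or from certbot itself: the script walks an Apache config and reports container directives (<IfModule>, <VirtualHost>, <Directory>, ...) that are never closed or are closed by the wrong tag, which is what both answers found behind NoInstallationError. It needs only POSIX sh and awk. The two configs it writes are constructed samples; on a real host point check_containers at /etc/httpd/conf/httpd.conf or at the files under /etc/apache2/sites-enabled/ instead.

```shell
#!/bin/sh
# Added example: find unbalanced container directives in an Apache config.
# Directive names are compared case-insensitively, as Apache does, and
# comments are stripped before matching.

# Usage: check_containers FILE
# Prints one diagnostic per problem; returns 1 if any was found, 0 if balanced.
check_containers() {
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }

        # closing tag: </Name>
        line ~ /^<\/[A-Za-z]+>/ {
            tag = line; sub(/^<\//, "", tag); sub(/>.*/, "", tag)
            j = depth
            while (j > 0 && tolower(stack[j]) != tolower(tag)) j--
            if (j == 0) {
                printf "line %d: </%s> has no matching open container\n", NR, tag
                bad = 1; next
            }
            # everything opened after the match is implicitly (and wrongly) closed
            for (i = depth; i > j; i--) {
                printf "line %d: <%s> never closed (swallowed by </%s> at line %d)\n", where[i], stack[i], tag, NR
                bad = 1
            }
            depth = j - 1
            next
        }

        # opening tag: <Name args>  (also <IfModule !mod_ssl.c> and bare <Else>)
        line ~ /^<[A-Za-z]+[ \t>]/ {
            tag = line; sub(/^</, "", tag); sub(/[ \t>].*/, "", tag)
            depth++; stack[depth] = tag; where[depth] = NR
        }

        END {
            for (i = depth; i >= 1; i--) {
                printf "line %d: <%s> never closed (end of file)\n", where[i], stack[i]
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# --- constructed samples (not real configs from the page) ---
BROKEN_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$GOOD_CONF"' EXIT

# an <IfModule> closed by the wrong tag, plus a stray one at end of file
cat >"$BROKEN_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html   # comments are ignored
    <IfModule mod_rewrite.c>
        RewriteEngine On
</VirtualHost>
<IfModule mod_ssl.c>
EOF

# the same vhost, properly nested
cat >"$GOOD_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
    </IfModule>
</VirtualHost>
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
EOF

check_containers "$BROKEN_CONF" || echo "broken: a strict parser would reject this file"
check_containers "$GOOD_CONF" && echo "good: all containers balanced"
```

On the broken sample it reports line 4 (the <IfModule> swallowed by </VirtualHost>) and line 7 (the stray <IfModule> at end of file); fixing both is exactly what the two answers did by hand.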

Related

How to proxy web requests to Lucee/Tomcat under Apache?

I'm having trouble setting up Lucee to run on Apache on a CentOS 9 machine.
The steps I've followed are below:
Installed .run file from https://downloads.lucee.org
Left the default for apachectl, httpd conf and http modules (I've already checked and it seems they're correct, I can provide the values if you need)
Set Tomcat to run on port 8888, the default value (Tomcat is in fact running because I can access it externally)
Accepted to install Apache connector
Accepted to install mod_cfml
Then, when Lucee is being installed, I get a post-install step error mentioning that the installation may not complete correctly:
Error running /opt/lucee/sys/install_mod_proxy.sh -m install -t 8888 -f
/etc/httpd/conf/httpd.conf -c /usr/sbin/apachectl: apachectl: The "-M" option is
not supported.
apachectl: The "-M" option is not supported.
But the installation process ends and everything seems to be fine.
Tomcat is running (I can access through domain.com:8888)
Proxy is added to httpd.conf file with the following rules
<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
# optional mappings
#ProxyPassMatch ^/flex2gateway/(.*)$ http://127.0.0.1:8888/flex2gateway/$1
#ProxyPassMatch ^/messagebroker/(.*)$ http://127.0.0.1:8888/messagebroker/$1
#ProxyPassMatch ^/flashservices/gateway(.*)$ http://127.0.0.1:8888/flashservices/gateway$1
#ProxyPassMatch ^/openamf/gateway/(.*)$ http://127.0.0.1:8888/openamf/gateway/$1
#ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
mod_cfml is loaded in httpd.conf file
LoadModule modcfml_module modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "{{ shared_key_here }}"
LogHeaders false
LogHandlers false
LogAliases false
VDirHeader false
In the end I restarted the Lucee and Apache services and created an index.cfm file in /var/www/html, but when I try to access it I get a 503 error.
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
The catalina.out logs from Tomcat and the error_log from Apache don't give me any hints on what's happening.
Can anyone point me in any direction to solve this?
If you need any additional info in order to help me, feel free to ask.
Thanks.
So I found that my machine had SELinux (Security-Enhanced Linux) enabled, and there was a setting that prevented the request from being correctly proxied to Tomcat, which is httpd_can_network_connect.
I had to run /usr/sbin/setsebool httpd_can_network_connect true in order to make it work; after this and restarting the httpd service, everything was OK!
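As an added example (mine, not part of the answer above): rather than flipping the boolean blind, read the SELinux audit log and let the denials say which httpd boolean is in the way. The audit records inside the script are constructed samples in audit.log format; on a real CentOS/RHEL host pass /var/log/audit/audit.log (or the output of ausearch -m avc -c httpd) instead. The mapping from port label to boolean assumes the default targeted policy. Note the -P flag in the suggested command, which the answer's command omits: without it the change is lost at the next reboot.

```shell
#!/bin/sh
# Added example: work out from AVC denials which httpd_* boolean blocks a
# proxied request.  Assumes audit.log-format input and the targeted policy.

# Lines where a process running as httpd_t was refused an outbound TCP
# connection (name_connect).  That is the denial httpd_can_network_connect=off
# produces when mod_proxy tries to reach Tomcat on 127.0.0.1:8888.
httpd_connect_denials() {
    grep -E 'avc: +denied +[{] name_connect [}]' "$1" | grep 'scontext=[^ ]*:httpd_t:' || :
}

count_httpd_connect_denials() {
    httpd_connect_denials "$1" | wc -l | tr -d ' '
}

# Distinct destination ports that were refused.
denied_ports() {
    httpd_connect_denials "$1" | sed -n 's/.* dest=\([0-9]*\) .*/\1/p' | sort -un
}

# Narrowest boolean for the target port's label (assumption: default targeted
# policy, where database ports fall under httpd_can_network_connect_db and
# http ports under httpd_can_network_relay; anything else needs the broad one).
boolean_for_port_type() {
    case "$1" in
        mysqld_port_t|postgresql_port_t) echo httpd_can_network_connect_db ;;
        http_port_t|http_cache_port_t)   echo httpd_can_network_relay ;;
        *)                               echo httpd_can_network_connect ;;
    esac
}

# One `setsebool -P <boolean> on` line per boolean the denials call for.
suggest_fix() {
    httpd_connect_denials "$1" \
      | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
      | while read -r ptype; do
            echo "setsebool -P $(boolean_for_port_type "$ptype") on"
        done \
      | LC_ALL=C sort -u
}

# --- constructed sample audit records (not from a real host) ---
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat >"$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=4242 comm="httpd" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=4243 comm="httpd" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.cfm" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_connect } for  pid=5151 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF

echo "httpd_t name_connect denials: $(count_httpd_connect_denials "$SAMPLE_AUDIT")"
echo "ports refused: $(denied_ports "$SAMPLE_AUDIT" | xargs)"
suggest_fix "$SAMPLE_AUDIT"
```

The file-read denial on index.cfm is deliberately ignored: it is a labelling problem (restorecon territory), not a boolean, and a 503 from mod_proxy comes only from the name_connect lines.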

Certbot / letsencrypt Error with [non-www] domain after generating [www] certificate

I set up two sites (links below) using certbot and entered the "www." portion of the domain when generating the HTTPS certificate, resulting in the non-www URLs for both sites causing an error.
There are many similar questions on StackOverflow but none have fixed my issue so far.
Related Links
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
https://letsencrypt.org/
Working Domains
https://www.fastsitephp.com/en/
https://www.dataformsjs.com/#/en/
Invalid Domains (because of the missing 'www.')
https://fastsitephp.com/en/
https://dataformsjs.com/#/en/
Attempted Fix Commands
sudo certbot certonly --standalone -d fastsitephp.com -d www.fastsitephp.com
sudo certbot delete --cert-name www.fastsitephp.com
Chrome will re-direct to the 'www' site using the above links however the error is clear from Firefox and Mobile Safari
Server
Ubuntu 18.04 LTS with Apache
HELP! What can I do to fix this without having to set up a new server and change the URL? Ideally the servers would support both www and non-www; however, if it can't be fixed, an Apache URL rewrite would also be acceptable.
Thank you in advance!
I ended up solving it myself. The primary issue is that Certbot still leaves the HTTP->HTTPS redirect it created and some other Apache config settings even after running delete (this assumes you selected redirect from HTTP to HTTPS on the original setup).
In case someone else has this issue and needs to fully delete a certificate generated by Certbot here are the commands that I used:
sudo certbot delete
cd /etc/apache2/sites-enabled
ls
sudo nano 000-default.conf
# Remove the redirect
sudo rm 000-default-le-ssl.conf
# Also any other SSL files such as [000-default-le-ssl.conf.sav]
sudo certbot --apache
# enter both Domains "example.com www.example.com"
sudo service apache2 restart

Forcing HTTP redirect to HTTPS is ignoring subdomains

I have set up an Apache server with the 3 virtual hosts tomrouse.me, dev.tomrouse.me and server.tomrouse.me. All of the virtual hosts worked fine. When I went to each one, it would take me to the index for that site.
But when I added SSL and forced HTTP to redirect to HTTPS, it is now always going to the tomrouse.me virtual host no matter what subdomain I request.
Files I have in available sites in Apache:
SSL configuration for Apache:
I don't think it is an issue with the virtual hosts, as all were working fine until I added SSL with redirects using the python-letsencrypt-apache program.
All fixed. I went wrong by trying to install the SSL in all subdomains at once; I did a full reinstall, then did each one at a time, and it works fine!
For example:
This is what it tells you to do (this will not work):
sudo letsencrypt --apache -d tomrouse.me -d dev.tomrouse.me -d server.tomrouse.me
I reinstalled the server the same but did this part like this:
sudo letsencrypt --apache -d tomrouse.me
sudo letsencrypt --apache -d dev.tomrouse.me
sudo letsencrypt --apache -d server.tomrouse.me
and selected the force-HTTPS option like I did before for each. This is a fix if you have the same issue; however, if you already did it the first way, you have to restart as far as I know. I tried doing this after the first way and it didn't work.
Correct format of apache config files:
All of the SSL config files should be created by the Let's Encrypt program: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Apache 2 - AH02311: Fatal error initialising mod_ssl

I'm trying to set up a GoDaddy SSL certificate on a DigitalOcean droplet running Ubuntu with Apache 2. I've configured the certificates correctly (to the best I can see, and according to the following articles):
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04#step-2-configure-apache-to-use-ssl
https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But I cannot run Apache, and I'm getting the following error:
AH02311: Fatal error initialising mod_ssl
I've also seen this error:
SSL Library Error: error:0B080074:x509 certificate routine
both of these are in the error.log file.
Looks like the private key is not matching the certificate; check on that (not sure, as I do not see full console logs). I hope the cert order is correct; it should be:
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
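Added example, not from this answer: two checks that rule out the usual causes behind AH02311 before touching the config. The first confirms the key really belongs to the certificate; OpenSSL error 0B080074 is X509_check_private_key reporting "key values mismatch", which is mod_ssl failing this same comparison at startup. The second confirms the certificate's Subject Alternative Names cover every hostname the vhost serves, the www/non-www trap from the certbot question earlier on this page. It assumes the openssl CLI (1.0.0 or later, for openssl pkey); the certificate and keys it generates are throwaway test material created on the spot, not anyone's real site keys.

```shell
#!/bin/sh
# Added example: sanity-check an Apache cert/key pair before pointing
# SSLCertificateFile / SSLCertificateKeyFile at it.  Assumes the openssl CLI.

# Which kind of PEM object is in the file?  Catches swapped cert/key paths.
pem_kind() {  # prints: certificate | private-key | unknown
    case "$(sed -n '/^-----BEGIN/{p;q;}' "$1")" in
        *CERTIFICATE*)   echo certificate ;;
        *"PRIVATE KEY"*) echo private-key ;;
        *)               echo unknown ;;
    esac
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in the certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same digest, derived from the private key (works for RSA and EC).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 when the certificate was issued for this key, 1 otherwise.  Failing this
# at httpd startup is what surfaces as 0B080074 / AH02311.
cert_matches_key() {  # cert_matches_key CERT KEY
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# DNS names from the certificate's Subject Alternative Name extension.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# 0 when NAME is listed in the SAN (exact match; wildcards are not expanded).
cert_covers_name() {  # cert_covers_name CERT NAME
    cert_san_names "$1" | grep -qx "$2"
}

# --- throwaway material for the demo (generated here, not real site keys) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
[dn]
[v3]
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
# pair #1: self-signed certificate plus the key it was made with
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.com \
    -config "$WORK/san.cnf" -keyout "$WORK/private.key" -out "$WORK/certificate.crt" 2>/dev/null
# key #2: unrelated, to simulate a key file mixed up during installation
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

for f in certificate.crt private.key; do echo "$f: $(pem_kind "$WORK/$f")"; done
cert_matches_key "$WORK/certificate.crt" "$WORK/private.key" && echo "private.key matches certificate.crt"
cert_matches_key "$WORK/certificate.crt" "$WORK/other.key" || echo "other.key does NOT match (expect AH02311 / 0B080074)"
for n in example.com www.example.com mail.example.com; do
    cert_covers_name "$WORK/certificate.crt" "$n" && echo "SAN covers $n" || echo "SAN does not cover $n"
done
```

Comparing public-key digests rather than RSA moduli keeps the check algorithm-agnostic, so the same function works for the ECDSA certificates Let's Encrypt also issues.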
Usually this is an apache.conf configuration error or an error in some other configuration file. Do this:
Uninstall/purge Apache
reload modules
reboot the server
run apachectl configtest
sudo systemctl restart apache2.service
sudo systemctl status apache2.service
That should fix the problem.
I was able to reproduce this exact error condition by simply enabling SSL under Apache (by uncommenting the lines in httpd.conf that load mod_ssl and mod_socache_shmcb.so). The default httpd-ssl.conf file contains example lines of configuration with dummy values. Specifically, there is a virtual host block at the bottom of this file that is provided as a template. It contains uncommented lines with dummy values. Apache won't accept these values as they are.
To test this, uncomment the above modules in httpd.conf, open a console window, go to the apache\bin folder (the apache folder will have the appropriate version appended, like apache2.37)
and type
httpd -t
And Apache will validate your .conf files and report fatal errors. The first one you will see will report that it is unable to find server.crt. If you fill in the entire section with the values for the website that you are trying to secure, Apache should stop throwing these errors.
for more detail when troubleshooting use
httpd -e warn
or
httpd -e debug
To set up a secure virtual host for a site example.com you need two blocks.
One insecure block and one secure block. The insecure block uses port 80, or whatever port you choose if 80 is in use elsewhere. This is usually set up in the httpd-vhosts.conf file. The secure block is a copy of the insecure block with the added commands for configuring SSL, and uses port 443. This block is usually placed in httpd-ssl.conf. httpd-ssl.conf is automatically included in httpd.conf, which is the master configuration file. It contains a conditional clause which detects the mod_ssl module and loads httpd-ssl.conf if the module is loaded. This is why the error occurs as soon as mod_ssl is enabled.
I was also having the same problem.
While checking, I found it was due to a wrong passphrase in the pass.out file.
It was solved after correcting that, so I suggest you check that as well.

LetsEncrypt using cloudflare server ssl error

Recently I discovered Let's Encrypt, which is an awesome project; it basically allows you to get an SSL certificate for free.
I managed to set up my server and domain with their certificate; everything worked great and my site showed the https in green, which was great.
Then I connected this domain to Cloudflare, which is another great solution for many web problems.
Once my name servers were changed to Cloudflare name servers, the https stopped working.
:(
I am not really sure what the root of that issue is, but I managed to fix it with a little bit of luck, so I decided to write here the problem and the solution that worked for me, in case others encounter this issue in the future.
On Cloudflare
https://www.cloudflare.com/a/crypto/yourdomain
the default setting for SSL is Full; once I changed it to
Strict, https started working again like a charm.
Two days later I had the same issue; I changed it back to Full from Strict and then it worked again, so I am confused and not sure if my answer here is good.
You need to use certbot when you're already using Cloudflare.
Check this link.
So before you run the certbot command, try this first: export LC_ALL="C"
Then, if you're on Apache, change the command to this:
./certbot-auto certonly --webroot --webroot-path /var/www/html/ --renew-by-default --email email#host.tld --text --agree-tos -d example.tld -d www.example.tld
/var/www/html/ = where the webroot path for the domain is located.
I hope this helps.
I've faced the same issue, where Cloudflare reported a 526 error.
I could solve it by adding
SSLCertificateChainFile "/etc/letsencrypt/live/DOMAIN/chain.pem"
to the Apache hosts config, since Apache < 2.4.8 needs the chain (see http://letsencrypt.readthedocs.org/en/latest/using.html)