[solved] Letsencrypt configuration problem

 
bagu



Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Fri 01 Sep '17 13:28    Post subject: [solved] Letsencrypt configuration problem

Hello,

I am trying to get mod_md working on one of my domains.
Here is my config:

Code:

####################
# Serveur mch44.fr #
####################
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
ManagedDomain mch44.fr www.mch44.fr

<VirtualHost 0.0.0.0:80>
   ServerName www.mch44.fr
   DocumentRoot /www/mch44/html

   ServerAlias mch44.fr *.mch44.fr
   VirtualDocumentRoot /www/mch44/html/%1

   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
   RewriteRule ^(.*) http://www.mch44.fr$1 [R=301,L]

   <IfModule fcgid_module>
      <Files ~ "\.php$">
         AddHandler fcgid-script .php
         FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
      </Files>
   </IfModule>

   ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log

   <Directory /www/mch44/html/>
      Options +FollowSymLinks -Indexes -Includes -ExecCGI
      AllowOverride all
      Require all granted
   </Directory>
</VirtualHost>

<VirtualHost 0.0.0.0:443>
   ServerName mch44.fr
   DocumentRoot /www/mch44/html

   ServerAlias mch44.fr *.mch44.fr
   VirtualDocumentRoot /www/mch44/html/%1

   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
   RewriteRule ^(.*) https://www.mch44.fr$1 [R=301,L]

   <IfModule fcgid_module>
      <Files ~ "\.php$">
         AddHandler fcgid-script .php
         FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
      </Files>
   </IfModule>

   ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log

   <Directory /www/mch44/html/>
      Options +FollowSymLinks -Indexes -Includes -ExecCGI
      AllowOverride all
      Require all granted
   </Directory>
</VirtualHost>


But I get this error: [Fri Sep 01 13:17:33.014307 2017] [ssl:warn] [pid 5464:tid 544] AH: Init: (mch44.fr:443) disabling this host for now as certificate/key data for the Managed Domain is incomplete.

I have mod_ssl, mod_md and mod_watchdog active.
Can you help me make it work?

Thanks.
Steffen
Moderator

Joined: 15 Oct 2005
Posts: 2536
Location: Hilversum, NL, EU

Posted: Fri 01 Sep '17 14:18

Try:

<VirtualHost *:443>
ServerName www.mch44.fr
DocumentRoot /www/mch44/html

ServerAlias mch44.fr
...
..
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Fri 01 Sep '17 15:13

Done, without success... But there are no more errors in the error log.

In Firefox, I receive: SSL_ERROR_RX_RECORD_TOO_LONG
icing

Joined: 22 Sep 2015
Posts: 31
Location: Münster, Germany

Posted: Fri 01 Sep '17 15:57

In the :443 VirtualHost, turn on mod_ssl:

Code:

SSLEngine on


Ideally, mod_md would detect that for you. However that will require some more work by me.

Additionally, if you have no other https: running yet, you need to configure also - for now - globally:

Code:

MDCAChallenges http-01
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Fri 01 Sep '17 16:50

I put SSLEngine On in the :443 vhost, and MDCAChallenges http-01 in ssl.conf.

But no luck.

I get:
Code:
[Fri Sep 01 16:46:54.562564 2017] [ssl:error] [pid 7728:tid 5640] [client 192.168.1.30:57638] AH01962: Unable to create a new SSL connection from the SSL context
[Fri Sep 01 16:46:54.562564 2017] [ssl:error] [pid 7728:tid 5640] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx


And a blank page in Firefox with a connection error.
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Fri 01 Sep '17 19:56

OK, after many tests/tries...
It works, but I don't know why ^^
And if I reboot the web server, it doesn't work again.

Settings for mod_md are:
Code:
# Container for directives applied to the same managed domains
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

# This tells mod_md which challenge types it shall use in which order when proving domain ownership. The names are protocol specific. The current ACME protocol version that Let's Encrypt speaks defines two challenge types that are supported by mod_md. By default, it will try the one on port 443 when available
# Default:   MDCAChallenges tls-sni-01 http-01
MDCAChallenges http-01


Settings for the vhost are:
Code:
####################
# Serveur mch44.fr #
####################
ManagedDomain mch44.fr www.mch44.fr

<VirtualHost *:80>
   ServerName www.mch44.fr
   DocumentRoot /www/mch44/html

   ServerAlias mch44.fr *.mch44.fr
   VirtualDocumentRoot /www/mch44/html/%1

   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
   RewriteRule ^(.*) http://www.mch44.fr$1 [R=301,L]

   <IfModule fcgid_module>
      <Files ~ "\.php$">
         AddHandler fcgid-script .php
         FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
      </Files>
   </IfModule>

   ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log

   <Directory /www/mch44/html/>
      Options +FollowSymLinks -Indexes -Includes -ExecCGI
      AllowOverride all
      Require all granted
   </Directory>
</VirtualHost>

<VirtualHost *:443>
   ServerName www.mch44.fr
   DocumentRoot /www/mch44/html

   ServerAlias mch44.fr *.mch44.fr
   VirtualDocumentRoot /www/mch44/html/%1

   SSLEngine On

   RewriteEngine on
   # mod_rewrite has no HTTPS_HOST variable; the Host header is HTTP_HOST on both ports
   RewriteCond %{HTTP_HOST} ^mch44\.fr [NC]
   RewriteRule ^(.*) https://www.mch44.fr$1 [R=301,L]

   <IfModule fcgid_module>
      <Files ~ "\.php$">
         AddHandler fcgid-script .php
         FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
      </Files>
   </IfModule>

   ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log

   <Directory /www/mch44/html/>
      Options +FollowSymLinks -Indexes -Includes -ExecCGI
      AllowOverride all
      Require all granted
   </Directory>
</VirtualHost>
PipoDeClown

Joined: 20 Dec 2005
Posts: 75

Posted: Sat 02 Sep '17 20:33

The wildcard in
Quote:
ServerAlias mch44.fr *.mch44.fr

is not supposed to work, since Let's Encrypt does not support wildcards (yet).
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Sat 02 Sep '17 21:53

I have changed it to:

Code:
ServerAlias mch44.fr www.mch44.fr


Without success:

Code:
[Sat Sep 02 21:50:41.430725 2017] [ssl:warn] [pid 4796:tid 532] AH: Init: (www.mch44.fr:443) disabling this host for now as certificate/key data for the Managed Domain is incomplete.
[Sat Sep 02 21:50:58.349617 2017] [ssl:error] [pid 4796:tid 5656] [client 192.168.1.1:54675] AH01962: Unable to create a new SSL connection from the SSL context
[Sat Sep 02 21:50:58.350606 2017] [ssl:error] [pid 4796:tid 5656] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Mon 04 Sep '17 0:15

I have turned on trace logging, and there is some news:

Code:
[Mon Sep 04 00:12:03.734088 2017] [md:trace2] [pid 8824:tid 612] md_store_fs.c(424): (2)No such file or directory: loading type 3 from /apache/md/domains/mch44.fr/privkey.pem
[Mon Sep 04 00:12:03.734088 2017] [md:trace2] [pid 8824:tid 612] md_store_fs.c(424): (2)No such file or directory: loading type 4 from /apache/md/domains/mch44.fr/pubcert.pem
[Mon Sep 04 00:12:03.734088 2017] [md:debug] [pid 8824:tid 612] md_reg.c(166): md{mch44.fr}: incomplete, without private key


Have I missed something?
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Mon 04 Sep '17 16:47

Hello,

After many tests/changes... I have a nearly working configuration:

Code:
[Mon Sep 04 16:41:12.042909 2017] [md:debug] [pid 2980:tid 544] mod_md.c(850): AH10076: mch44.fr: manages server mch44.fr
[Mon Sep 04 16:41:12.042909 2017] [md:debug] [pid 2980:tid 544] mod_md.c(882): AH10077: mch44.fr: loading credentials for server mch44.fr


But I get a SEC_ERROR_UNKNOWN_ISSUER from Firefox because I had a Fake LE Root X1 certificate.

It seems that it's because I had:
Code:
MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory


Instead of
Code:
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory


So, is there a way to renew the certificate with the right parameter?

Another question:
I have two vhosts, so I have this config:
Code:
<ManagedDomain mch44.fr>
   MDMember www.mch44.fr
   # MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory # For test purpose only
   MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
</ManagedDomain>

<ManagedDomain hyze.fr>
   MDMember blog.hyze.fr
   MDMember forum.hyze.fr
   MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
</ManagedDomain>


But I get the mch44.fr certificate on hyze.fr... Do you know why?
Steffen
Moderator

Joined: 15 Oct 2005
Posts: 2536
Location: Hilversum, NL, EU

Posted: Mon 04 Sep '17 17:01

Remove the /md folder and start over again.

And remove the MDCertificateAuthority from your config. Since version 0.7.0 you get a real certificate by default.
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Tue 05 Sep '17 11:59

Hello,

So now https://www.mch44.fr works, but https://forum.hyze.fr gets SSL_ERROR_BAD_CERT_DOMAIN because it receives the mch44 certificate Oo

Do you know why?

Any idea is welcome.
Steffen
Moderator

Joined: 15 Oct 2005
Posts: 2536
Location: Hilversum, NL, EU

Posted: Tue 05 Sep '17 12:12

When no vhost is found, it goes to the first one.

So, do you have a VirtualHost www.hyze.fr with
ServerAlias hyze.fr
ServerAlias blog.hyze.fr
ServerAlias forum.hyze.fr
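Steffen's point is the usual cause of SSL_ERROR_BAD_CERT_DOMAIN with name-based TLS vhosts: when the SNI name a browser sends matches no ServerName/ServerAlias of any :443 VirtualHost, httpd answers with the first :443 vhost defined for that address, certificate included. The script below is an added example, not code from the thread or from mod_md. served_sans fetches the subjectAltName list a server presents for a given SNI name with openssl s_client (the -ext option needs OpenSSL 1.1.1 or later), and san_covers applies the browser matching rule to that list, including the one-label wildcard rule. The function names are mine; the SAN lists used for checks are constructed, only the host names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate a server presents
# for an SNI name actually cover that name, the way a browser decides before
# raising SSL_ERROR_BAD_CERT_DOMAIN?

# san_covers HOST SANLIST
# SANLIST is the comma-separated subjectAltName text OpenSSL prints, e.g.
# "DNS:hyze.fr, DNS:forum.hyze.fr" (constructed sample). Returns 0 when HOST
# is covered. Browser rule for wildcards: "*.hyze.fr" matches exactly one
# label, so it covers forum.hyze.fr but neither hyze.fr nor a.forum.hyze.fr.
san_covers() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  sans=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  old_ifs=$IFS
  IFS=','
  set -- $sans                        # one positional parameter per SAN entry
  IFS=$old_ifs
  for entry; do
    entry=${entry#"${entry%%[! ]*}"}  # strip blanks left after the comma
    entry=${entry#dns:}               # drop the DNS: type prefix
    case $entry in
      "$host") return 0 ;;
      \*.*)
        parent=${host#*.}             # host minus its first label
        [ "$parent" = "${entry#\*.}" ] && [ "$parent" != "$host" ] && return 0
        ;;
    esac
  done
  return 1
}

# served_sans HOST [PORT]
# Prints the SAN list of the certificate HOST presents for SNI name HOST.
# Needs OpenSSL 1.1.1 or later for "x509 -ext"; prints nothing when the
# server talks plain HTTP on the port (the SSLEngine-off case in this thread).
served_sans() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2s/^[[:space:]]*//p'
}

# check_host HOST [PORT]: prints OK or MISMATCH, returns non-zero on trouble.
# A MISMATCH listing another site's names means the SNI name hit no :443
# VirtualHost and httpd fell back to the first one.
check_host() {
  sans=$(served_sans "$1" "$2")
  if [ -z "$sans" ]; then
    echo "$1: no certificate received (is SSLEngine on in the :443 vhost?)"
    return 2
  fi
  if san_covers "$1" "$sans"; then
    echo "$1: OK ($sans)"
  else
    echo "$1: MISMATCH, server sent [$sans]"
    return 1
  fi
}

# Stand-alone use: ./check_cert.sh forum.hyze.fr [443]
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it against each name you expect a vhost to answer for; a MISMATCH that lists a different site's names points at a ServerName/ServerAlias that does not match the SNI name, and an empty answer points at a :443 vhost without SSLEngine on.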
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Tue 05 Sep '17 12:21

Yes, of course:

Code:
<VirtualHost *:443>
   ServerName hyze.fr
   DocumentRoot /www/hyze/html/

   SSLEngine On

   ServerAlias forum.hyze.fr blog.hyze.fr
   VirtualDocumentRoot /www/hyze/html/%1


   <IfModule fcgid_module>
      <Files ~ "\.php$">
         AddHandler fcgid-script .php
         FcgidWrapper "/php7/php-cgi.exe -d error_log=/logs/vhost_php_error/hyze.fr.php_error.log" .php
      </Files>
   </IfModule>

   ErrorLog /logs/vhost_apache_error/hyze.fr.apache.error.log

   <Directory /www/hyze/html/>
      Options +FollowSymLinks -Indexes -Includes -ExecCGI
      AllowOverride all
      Require all granted
   </Directory>
</VirtualHost>
Steffen
Moderator

Joined: 15 Oct 2005
Posts: 2536
Location: Hilversum, NL, EU

Posted: Tue 05 Sep '17 12:42

You have:

<ManagedDomain mch44.fr>
...
...
<ManagedDomain hyze.fr>
...
...

Remove that.

And try:

ManagedDomain mch44.fr www.mch44.fr hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr

When you have more ServerAliases you can add them.
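The mistakes this thread ran into one by one are all visible in the configuration itself: a :443 VirtualHost without SSLEngine on, a wildcard in the managed domain, a managed name that no VirtualHost answers for, and a managed domain pointed at the staging CA. As an added example, not part of the thread and not a mod_md tool, here is a small POSIX sh/awk linter that reports each of them with the line number. The function names are mine; both sample configs are constructed to mirror the first post's layout, not copied from it. Both directive spellings are accepted, ManagedDomain as used in this thread and MDomain, the name the directive carries in later mod_md releases.

```shell
#!/bin/sh
# md_lint: flag the mod_md / mod_ssl mistakes this thread hit, one finding per line.
# Added example, not a mod_md tool. POSIX sh + awk, no gawk extensions.
# Usage: md_lint < httpd.conf      (silent when nothing is found)

md_lint() {
  awk '
    # Normalise: drop comments and surrounding blanks; keep a lower-cased copy
    # because httpd directive names are case-insensitive.
    {
      line = $0
      sub(/#.*/, "", line)
      sub(/^[ \t]+/, "", line)
      sub(/[ \t]+$/, "", line)
      lower = tolower(line)
      if (line == "") next
    }

    # A :443 VirtualHost without "SSLEngine on" speaks plain HTTP on 443:
    # Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG, mod_ssl logs "null ssl ctx".
    lower ~ /^<virtualhost[ \t]/ {
      in_vh = 1; vh_tls = (lower ~ /:443>/); vh_ssl = 0; vh_start = NR
      next
    }
    lower ~ /^<\/virtualhost>/ {
      if (vh_tls && !vh_ssl)
        print "line " vh_start ": :443 VirtualHost has no \"SSLEngine on\""
      in_vh = 0
      next
    }
    in_vh && lower ~ /^sslengine[ \t]+on$/ { vh_ssl = 1 }

    # Every name a VirtualHost answers for. mod_md only hands a certificate to
    # a vhost whose ServerName/ServerAlias matches a managed name; any other
    # SNI name falls back to the first :443 vhost and its certificate.
    in_vh && lower ~ /^server(name|alias)[ \t]/ {
      n = split(line, f, /[ \t]+/)
      for (i = 2; i <= n; i++) vhost_names[tolower(f[i])] = 1
    }

    # ManagedDomain (this thread) or MDomain (later releases), as one line or
    # as a <...> block, plus MDMember lines inside a block.
    lower ~ /^<?(managed|m)domain[ \t]/ {
      gsub(/[<>]/, " ", line)
      n = split(line, f, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (f[i] == "" || tolower(f[i]) ~ /^(managed|m)domain$/) continue
        md_names[tolower(f[i])] = NR
        if (f[i] ~ /\*/)
          print "line " NR ": wildcard " f[i] " in a managed domain (http-01 cannot validate wildcards)"
      }
    }
    lower ~ /^mdmember[ \t]/ {
      n = split(line, f, /[ \t]+/)
      for (i = 2; i <= n; i++) md_names[tolower(f[i])] = NR
    }

    # The staging CA chains to "Fake LE Root X1": fine for testing, but every
    # browser raises SEC_ERROR_UNKNOWN_ISSUER. From mod_md 0.7.0 on, leaving the
    # directive out selects the production CA.
    lower ~ /^mdcertificateauthority[ \t]/ && lower ~ /acme-staging/ {
      print "line " NR ": MDCertificateAuthority points at the staging CA"
    }

    END {
      for (name in md_names)
        if (!(name in vhost_names))
          print "line " md_names[name] ": managed name " name " is not a ServerName/ServerAlias of any VirtualHost"
    }
  '
}

# Constructed sample mirroring the first post: :443 vhost without SSLEngine on,
# wildcard in the managed domain, CA pointed at staging.
sample_broken_config() {
  cat <<'EOF'
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
ManagedDomain mch44.fr www.mch44.fr *.mch44.fr
<VirtualHost *:80>
   ServerName www.mch44.fr
   ServerAlias mch44.fr
</VirtualHost>
<VirtualHost *:443>
   ServerName www.mch44.fr
   ServerAlias mch44.fr
   # SSLEngine on is missing here
</VirtualHost>
EOF
}

# Constructed sample of the corrected layout: one managed domain per
# certificate, every managed name answered by a :443 vhost with SSLEngine on.
sample_fixed_config() {
  cat <<'EOF'
MDCAChallenges http-01
ManagedDomain mch44.fr www.mch44.fr
ManagedDomain hyze.fr blog.hyze.fr forum.hyze.fr
<VirtualHost *:443>
   ServerName www.mch44.fr
   ServerAlias mch44.fr
   SSLEngine on
</VirtualHost>
<VirtualHost *:443>
   ServerName hyze.fr
   ServerAlias forum.hyze.fr blog.hyze.fr
   SSLEngine on
</VirtualHost>
EOF
}

# Stand-alone use: ./md_lint.sh httpd.conf
if [ $# -gt 0 ]; then md_lint < "$1"; fi
```

The check for managed names that no VirtualHost answers for is the one that catches the forum.hyze.fr case above: the managed domain listed the names, but no vhost carried them as ServerName or ServerAlias, so the first :443 vhost and its certificate were served instead.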
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Tue 05 Sep '17 16:56

OK, so it works fine now...

My very first problem was that I had more than one ManagedDomain line in my config.

Many thanks
bagu

Joined: 06 Jan 2011
Posts: 118
Location: France

Posted: Tue 05 Sep '17 18:15

Another question:

I have only one certificate for all the hosts I have...
May I have one certificate per vhost?
admin
Site Admin

Joined: 15 Oct 2005
Posts: 536

Posted: Thu 07 Sep '17 11:17

Two lines, for example:

ManagedDomain mch44.fr www.mch44.fr
ManagedDomain hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr