logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: mod_md one domain
Author
sailor



Joined: 17 Apr 2015
Posts: 77
Location: US

PostPosted: Mon 07 Feb '22 23:08    Post subject: mod_md one domain Reply with quote

On v2.4.52. I'm trying to configure ssl for an additional domain (other sites have paid SSL cert). This host is first time configuring with mod_md / Let's Encrypt:

[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] AH02572: Failed to configure at least one certificate and key for www.myhost.com:443
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

Code:


Listen 172.30.59.122:80

<VirtualHost *:80>

ServerName www.myhost.com

Include conf/rewrites.conf

CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
ErrorLog  "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"

</VirtualHost>


#
#             myhost.com
#
MDomain www.myhost.com

LISTEN 11.22.33.44:443

<VirtualHost 11.22.33.44:443>
   ServerName www.myhost.com
   ServerAlias myhost.com

   SSLEngine on


   #SSLProtocol -all +TLSv1.2

   #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

   # from https://cipherli.st/
   #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

   #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   

   SSLHonorCipherOrder On

   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
   Header always set X-Frame-Options DENY
   Header always set X-Content-Type-Options nosniff

   # Requires Apache >= 2.4
   # prevent CRIME attack
   SSLCompression off

   # Requires Apache >= 2.4  (2.5?)
   #SSLUseStapling on
   #SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

   # Requires Apache >= 2.4.11, Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
   SSLSessionTickets Off
   
   Include conf/_rewrites.conf

   CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
   ErrorLog  "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"


</VirtualHost>
Back to top
sailor



Joined: 17 Apr 2015
Posts: 77
Location: US

PostPosted: Tue 08 Feb '22 15:06    Post subject: Re: mod_md one domain Reply with quote

changed host from ip:443 to *:443 and server at least starts...also created cert with certbot. Some other errrors now, will have to look later.
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 150
Location: Paris, France, EU

PostPosted: Thu 10 Feb '22 14:09    Post subject: Reply with quote

Hi,

What seems strange to me are the commented lines, therefore not active:
Code:
#SSLProtocol

#SSLCipherSuite
Back to top
sailor



Joined: 17 Apr 2015
Posts: 77
Location: US

PostPosted: Fri 11 Feb '22 16:45    Post subject: Reply with quote

Thanks, removed comments.

I've been re-reading the instructions and fixing issues as I go...
Back to top
sailor



Joined: 17 Apr 2015
Posts: 77
Location: US

PostPosted: Fri 11 Feb '22 21:35    Post subject: Reply with quote

I ended up commenting out mod_mod etc.. and focus on getting certbot working right with a dry-run.

80 didn't have both www and non-www.

Next, I finally got rewrites correct (was getting all sorts of denied and unattend / attended redirections:

RewriteCond %{REQUEST_URI} ^/\.well\-known(.*) [OR]
RewriteCond %{REQUEST_URI} ^/md-status [OR]
RewriteCond %{REQUEST_URI} ^/server-status
Rewriterule - - [L]
Rewriterule ^/(.*)$ https://myrealurl.com [R=301,L]

Have not tried mod_md.
Back to top
sailor



Joined: 17 Apr 2015
Posts: 77
Location: US

PostPosted: Thu 22 Sep '22 14:34    Post subject: Reply with quote

I don't quite understand, but somehow there was a typo (not visible to me due to maybe some encoding?) in the domain name.

In notepad++ I double click on domain portion in the "ServerAlias somehost.com" and it highlights through the config, but the domain "Servername www.somehost.com" was not turning green! When I retyped the domain in Servername www.somehost.com and then double clicked the somehost portion on ServerAlias, the Servername domain turned green!
Back to top


Reply to topic   Topic: mod_md one domain View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules