Topic: mod_md one domain

sailor
Joined: 17 Apr 2015 Posts: 58 Location: US
Posted: Mon 07 Feb '22 23:08 Post subject: mod_md one domain
On v2.4.52. I'm trying to configure SSL for an additional domain (the other sites have a paid SSL cert). This is the first time this host is being configured with mod_md / Let's Encrypt:
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] AH02572: Failed to configure at least one certificate and key for www.myhost.com:443
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
Code:
Listen 172.30.59.122:80
<VirtualHost *:80>
ServerName www.myhost.com
Include conf/rewrites.conf
CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
ErrorLog "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"
</VirtualHost>
#
# myhost.com
#
MDomain www.myhost.com
LISTEN 11.22.33.44:443
<VirtualHost 11.22.33.44:443>
ServerName www.myhost.com
ServerAlias myhost.com
SSLEngine on
#SSLProtocol -all +TLSv1.2
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
# from https://cipherli.st/
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
# prevent CRIME attack
SSLCompression off
# Requires Apache >= 2.4 (2.5?)
#SSLUseStapling on
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11, Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
SSLSessionTickets Off
Include conf/_rewrites.conf
CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
ErrorLog "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"
</VirtualHost>
Back to top
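The errors quoted in the opening post are mod_ssl reporting that it could find no usable certificate and key for the vhost: a referenced PEM file without a "-----BEGIN" line, or no file and no managed domain covering the names. The following is an added example, not code from this thread or from httpd: a small Python pre-flight linter that reads a minimal httpd config and, for each vhost with SSLEngine on, checks that the SSLCertificateFile / SSLCertificateKeyFile exist and carry the expected PEM label, or, when no files are set, that an MDomain lists every ServerName and ServerAlias the vhost answers to. The config and the PEM bodies it runs on are constructed for the demo (the base64 is filler, not real key material).

```python
"""Pre-flight check of the TLS material an httpd config points at.

Added example, not code from the Apache Lounge thread or from httpd. For every
<VirtualHost> with "SSLEngine on" it checks that the SSLCertificateFile /
SSLCertificateKeyFile it names exist and carry the right PEM label (the
condition behind "PEM routines:get_name:no start line"), or, when none are
set, that an MDomain lists every name the vhost answers to. Data is constructed.
"""
import os
import re
import tempfile

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)  # '#' lines never match
PEM_BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def directives(block):
    """(name, value) pairs of a config fragment, directive names lower-cased."""
    return [(name.lower(), value) for name, value in DIRECTIVE_RE.findall(block)]


def values(pairs, key):
    """All values of one directive, in the order they appear."""
    return [value for name, value in pairs if name == key]


def hostname(value):
    """Strip an optional scheme and port from a ServerName-style value."""
    return value.split("//")[-1].split(":")[0].lower()


def check_pem(path, wanted, base_dir):
    """Problem string for a cert/key file, or None if it looks like the right PEM."""
    full = path if os.path.isabs(path) else os.path.join(base_dir, path)
    try:
        with open(full, encoding="utf-8", errors="replace") as fh:
            labels = set(PEM_BEGIN_RE.findall(fh.read()))
    except OSError as exc:
        return f"{path}: cannot read ({exc.strerror})"
    if not labels:
        return f"{path}: no '-----BEGIN ...-----' line (empty, DER, or the wrong file)"
    if not labels & wanted:
        return f"{path}: PEM label {sorted(labels)} but expected one of {sorted(wanted)}"
    return None


def lint(config_text, base_dir):
    """Return a list of problems; an empty list means nothing obvious is wrong."""
    md_names = set()
    for value in values(directives(VHOST_RE.sub("", config_text)), "mdomain"):
        md_names.update(hostname(v) for v in value.split())
    problems = []
    for addr, body in VHOST_RE.findall(config_text):
        pairs = directives(body)
        if not any(v.lower() == "on" for v in values(pairs, "sslengine")):
            continue
        names = [hostname(n) for v in values(pairs, "servername") + values(pairs, "serveralias")
                 for n in v.split()]
        where = f"<VirtualHost {addr}> {names[0] if names else '(no ServerName)'}"
        certs = values(pairs, "sslcertificatefile")
        keys = values(pairs, "sslcertificatekeyfile")
        if certs or keys:
            # Static files: both directives are needed and each must be the right kind of PEM.
            if not certs or not keys:
                problems.append(f"{where}: SSLCertificateFile and SSLCertificateKeyFile must both be set")
            for path, wanted in [(c, CERT_LABELS) for c in certs] + [(k, KEY_LABELS) for k in keys]:
                problem = check_pem(path, wanted, base_dir)
                if problem:
                    problems.append(f"{where}: {problem}")
        else:
            # No static files: every name must be in an MDomain, otherwise mod_ssl has nothing
            # to serve and a certificate mod_md obtains would not cover the missing names.
            missing = [n for n in names if n not in md_names]
            if missing:
                problems.append(f"{where}: no certificate files and no MDomain lists {missing}")
    return problems


# Constructed PEM bodies: the base64 is filler, not real key material.
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIU\n-----END CERTIFICATE-----\n"
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49\n-----END PRIVATE KEY-----\n"
NOT_PEM = "not PEM at all: an empty placeholder or a DER blob would look like this\n"
CONFIG = """MDomain www.myhost.com
<VirtualHost *:443>
ServerName www.myhost.com
ServerAlias myhost.com
SSLEngine on
</VirtualHost>
<VirtualHost *:443>
ServerName shop.example.test
SSLEngine on
SSLCertificateFile bad.pem
SSLCertificateKeyFile key.pem
</VirtualHost>
<VirtualHost *:443>
ServerName ok.example.test
SSLEngine on
SSLCertificateFile cert.pem
SSLCertificateKeyFile key.pem
</VirtualHost>
"""


def demo():
    """Write the constructed files to a temp dir and lint the sample config."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, text in (("cert.pem", GOOD_CERT), ("key.pem", GOOD_KEY), ("bad.pem", NOT_PEM)):
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write(text)
        return lint(CONFIG, tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against a real config it reports the first vhost (ServerAlias myhost.com is not in any MDomain) and the second (bad.pem has no PEM header); the third is clean. It only looks at files and names, not at whether the key matches the certificate, so a clean result means the files are at least the kind of thing mod_ssl expects to read.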
sailor
Joined: 17 Apr 2015 Posts: 58 Location: US
Posted: Tue 08 Feb '22 15:06 Post subject: Re: mod_md one domain
Changed host from ip:443 to *:443 and the server at least starts... also created cert with certbot. Some other errors now, will have to look later.
Back to top
Otomatic

Joined: 01 Sep 2011 Posts: 81 Location: Paris, France, EU
Posted: Thu 10 Feb '22 14:09
Hi,
What seems strange to me are the commented lines, therefore not active:
Code:
#SSLProtocol
#SSLCipherSuite
Back to top
sailor
Joined: 17 Apr 2015 Posts: 58 Location: US
Posted: Fri 11 Feb '22 16:45
Thanks, removed comments.
I've been re-reading the instructions and fixing issues as I go...
Back to top
sailor
Joined: 17 Apr 2015 Posts: 58 Location: US
Posted: Fri 11 Feb '22 21:35
I ended up commenting out mod_md etc. and focused on getting certbot working right with a dry-run.
80 didn't have both www and non-www.
Next, I finally got rewrites correct (was getting all sorts of denied and unattended / attended redirections):
Code:
# Let the ACME challenge path and the status handlers through untouched
RewriteCond %{REQUEST_URI} ^/\.well\-known(.*) [OR]
RewriteCond %{REQUEST_URI} ^/md-status [OR]
RewriteCond %{REQUEST_URI} ^/server-status
RewriteRule ^ - [L]
# Everything else goes to HTTPS
RewriteRule ^/(.*)$ https://myrealurl.com [R=301,L]
Have not tried mod_md.
Back to top
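The rule set in the last post is the usual shape for a port-80 vhost that has to keep serving the HTTP-01 challenge path while redirecting everything else to HTTPS. What makes it work is mod_rewrite's evaluation order: the RewriteRule pattern is tested first, the RewriteConds above it only if the pattern matched, consecutive [OR] conditions form one group, a substitution of "-" leaves the URL alone, and [L] stops processing. Below is an added example, not code from this thread or from httpd: a deliberately small Python model of exactly that order, used to run the posted chain over a few constructed request paths offline. The pass-through rule's pattern is written as `^` so that it matches every path and the decision rests on the conditions alone. Only `%{REQUEST_URI}` conditions and the OR, NC, L and R flags are modelled; it is a test aid for reasoning about a chain, not a replacement for mod_rewrite. Note also that, as posted, the redirect target carries no `%{REQUEST_URI}` or `$1`, so every redirected request lands on the site root; the model shows that too.

```python
"""Offline check of a RewriteCond/RewriteRule chain.

Added example, not from the Apache Lounge post: a small model of mod_rewrite's
evaluation order (RewriteRule pattern first, its RewriteConds only if the pattern
matched, [OR] groups conditions, '-' keeps the URL, [L] stops). Only %{REQUEST_URI}
conditions and the OR, NC, L and R flags are modelled. Rules and request paths
below are constructed for the demo.
"""
import re

# The chain from the thread, pass-through pattern written as `^` (matches every path).
RULES = r"""
RewriteCond %{REQUEST_URI} ^/\.well\-known(.*) [OR]
RewriteCond %{REQUEST_URI} ^/md-status [OR]
RewriteCond %{REQUEST_URI} ^/server-status
RewriteRule ^ - [L]
RewriteRule ^/(.*)$ https://myrealurl.com [R=301,L]
"""


def parse_flags(token):
    """'[R=301,L]' -> {'R': '301', 'L': None}; '' -> {}."""
    flags = {}
    for flag in token.strip("[]").split(",") if token else []:
        name, _, value = flag.partition("=")
        flags[name.strip().upper()] = value or None
    return flags


def parse_rules(text):
    """Group each RewriteRule with the RewriteConds that precede it."""
    groups, pending = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        flags = parse_flags(parts[3] if len(parts) > 3 else "")
        if parts[0].lower() == "rewritecond":
            pending.append((parts[1], parts[2], flags))
        elif parts[0].lower() == "rewriterule":
            groups.append((pending, parts[1], parts[2], flags))
            pending = []
    return groups


def cond_chain_holds(conds, uri):
    """Evaluate RewriteConds in order; consecutive [OR] conds form one group."""
    i = 0
    while i < len(conds):
        group_true = False
        while i < len(conds):
            test_string, pattern, flags = conds[i]
            i += 1
            if test_string != "%{REQUEST_URI}":
                raise ValueError(f"unsupported test string {test_string}")
            negate = pattern.startswith("!")
            hit = re.search(pattern.lstrip("!"), uri, re.I if "NC" in flags else 0) is not None
            group_true = group_true or (hit != negate)
            if "OR" not in flags:          # end of this OR group
                break
        if not group_true:
            return False
    return True


def rewrite(uri, groups):
    """Return ('pass', uri) or ('redirect', code, target) for a request path."""
    for conds, pattern, subst, flags in groups:
        re_flags = re.I if "NC" in flags else 0
        if re.search(pattern, uri, re_flags) is None:
            continue                       # pattern first; the conds are not even looked at
        if not cond_chain_holds(conds, uri):
            continue
        if subst == "-":
            if "L" in flags:
                return ("pass", uri)
            continue
        if "R" in flags:
            return ("redirect", int(flags["R"] or 302), subst)
        # Internal rewrite: translate mod_rewrite's $N back-references to Python's \N.
        uri = re.sub(pattern, re.sub(r"\$(\d)", r"\\\1", subst), uri, count=1, flags=re_flags)
        if "L" in flags:
            break
    return ("pass", uri)


def demo():
    """Run the chain over constructed request paths; the ACME token must stay on port 80."""
    groups = parse_rules(RULES)
    paths = ("/.well-known/acme-challenge/abc123", "/md-status", "/server-status",
             "/index.html", "/well-known-not-really")
    return {path: rewrite(path, groups) for path in paths}


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:40} -> {outcome}")
```

The three exempt paths come back as "pass"; everything else, including a path that merely resembles the challenge prefix, is a 301 to the HTTPS root. The same function can be pointed at a different rule set to check, before a restart, that an HTTPS redirect will not swallow the challenge path.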