Date:      Tue, 3 Apr 2018 21:56:53 -0600
From:      Gary Aitken <freebsd@dreamchaser.org>
To:        William Dudley <wfdudley@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: my Let's Encrypt certs "broken" overnight!
Message-ID:  <36f18609-b418-ff3e-8a02-7129b889c08c@dreamchaser.org>
In-Reply-To: <CAFsnNZL=J8=%2Bca1COD7Y_CbhV5aAK-kaN-HguYwLmuyXpU5PnA@mail.gmail.com>
References:  <CAFsnNZL=J8=%2Bca1COD7Y_CbhV5aAK-kaN-HguYwLmuyXpU5PnA@mail.gmail.com>

On 04/03/18 07:48, William Dudley wrote:

> I had letsencrypt certs for most of the sites I host, and they were
> working fine until a recent upgrade -- either apache 2.4 or openssl
> changed and now things are hosed.
> 
> An example:
> 
> I host www.njsbmwr.org.  I have a "test" URL for development, 
> njsbmwr.dudley.nu. Both share the same certificates, or at least,
> they used to.
> 
> Now, if I uncomment the <VirtualHost *:443> section for
> www.njsbmwr.org, apache throws an error and won't start.  If I
> comment the section out, apache is happy but www.njsbmwr.org doesn't
> serve https pages.
> 
> njsbmwr.dudley.nu has almost the identical <VirtualHost *:443>
> section, and it works fine as https://njsbmwr.dudley.nu
> 
> The apache error I get when I enable the <VirtualHost *:443> section
> for www.njsbmwr.org is:
> 
> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
> AH00016: Configuration Failed
> 
> Here's the <VirtualHost *:443> section that causes failure:
> 
> <VirtualHost *:443>
>     ServerAdmin webmaster@dudley.nu
>     ServerName www.njsbmwr.org
>     DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>     Alias /.well-known/ /usr/local/www/.well-known/
>     ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>     SSLEngine on
>     SSLCertificateFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>     SSLCertificateKeyFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>     SSLCertificateChainFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>     SSLOptions +StdEnvVars
>     BrowserMatch "MSIE [2-5]" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>     Header set X-Frame-Options SAMEORIGIN
>     Header set X-XSS-Protection "1; mode=block"
>     Header set X-Content-Type-Options nosniff
>     ErrorDocument 404 /errormessages/oatmeal_404.html
>     ErrorDocument 500 /errormessages/oatmeal_500.html
>     ErrorDocument 503 /errormessages/oatmeal_503.html
>     ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>     CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>     <Directory "/usr/local/www/njsbmwr.dudley.nu">
>         Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>         AllowOverride All
>     </Directory>
>     <Location />
>         Order allow,deny
>         Allow from all
>     </Location>
> </VirtualHost>
> 
> The ONLY difference between this section, that doesn't work, and the
> section that DOES work is the ServerName line:
> 
> <     ServerName njsbmwr.dudley.nu
> ---
> >     ServerName www.njsbmwr.org

Not sure this will help, but it might be worth trying.
I had a somewhat similar but not exactly the same issue and resolved
it by being more explicit in the VirtualHost assignments.  You might
try doing each separately and pointing to the same certs:
<VirtualHost www.njsbmwr.org:443>
...
</VirtualHost>
and repeat for njsbmwr.dudley.nu:443
Apache 2.4 (not sure about earlier releases) uses the first match it
finds for the <VirtualHost>.  So *:443 will match both, and the server
name won't match for one of them.

Gary
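The startup error quoted above (AH02572, SSL_CTX_check_private_key: no certificate assigned) is mod_ssl refusing a vhost that has SSLEngine on but no certificate and key it can use. As an added pre-flight check, not code from anyone in this thread, the following Python walks every <VirtualHost> in a config and reports SSL vhosts that lack SSLCertificateFile or SSLCertificateKeyFile. The sample config is constructed for the example, reusing only the letsencrypt paths and hostnames quoted above; `httpd -t` remains the authoritative test.

```python
import re

# Constructed sample modelled on the thread: the SSL vhost quoted above, plus a
# port-80 vhost with SSLEngine on but no certificate, the shape mod_ssl rejects
# at startup with AH02572 / "no certificate assigned".
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName www.njsbmwr.org
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
</VirtualHost>
<VirtualHost *:80>
    ServerName njsbmwr.org
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return [(address, {directive_lowercase: value})] for each <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line[0] in "#<":   # skip blanks, comments, nested container tags
                continue
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"')
        vhosts.append((m.group(1).strip(), directives))
    return vhosts

def check_ssl_vhosts(text):
    """Mirror mod_ssl's startup rule: an SSLEngine-on vhost must name a cert and a key.
    Returns [(vhost id, problem)]; an empty list means this check would pass."""
    problems = []
    for addr, d in parse_vhosts(text):
        ident = f"{d.get('servername', '<no ServerName>')} on {addr}"
        if d.get("sslengine", "off").lower() != "on":
            continue
        for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if needed.lower() not in d:
                problems.append((ident, f"SSLEngine on but no {needed}"))
    return problems
```

Run `check_ssl_vhosts(open("/usr/local/etc/apache24/httpd.conf").read())` (path assumed) against the real file; each reported vhost is one mod_ssl will refuse at startup.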
