From: Gary Aitken <freebsd@dreamchaser.org>
To: William Dudley, freebsd-questions
Subject: Re: my Let's Encrypt certs "broken" overnight!
Date: Tue, 3 Apr 2018 21:56:53 -0600

On 04/03/18 07:48, William Dudley wrote:
> I had letsencrypt certs for most of the sites I host, and they were
> working fine until a recent upgrade -- either apache 2.4 or openssl
> changed and now things are hosed.
>
> An example:
>
> I host www.njsbmwr.org. I have a "test" URL for development,
> njsbmwr.dudley.nu. Both share the same certificates, or at least,
> they used to.
>
> Now, if I uncomment the section for www.njsbmwr.org, apache throws an
> error and won't start. If I comment the section out, apache is happy
> but www.njsbmwr.org doesn't serve https pages.
>
> njsbmwr.dudley.nu has almost the identical section, and it works fine
> as https://njsbmwr.dudley.nu
>
> The apache error I get when I enable the section for www.njsbmwr.org is:
>
> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
> AH00016: Configuration Failed
>
> Here's the section that causes failure:
>
> <VirtualHost *:443>
>     ServerAdmin webmaster@dudley.nu
>     ServerName www.njsbmwr.org
>     DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>     Alias /.well-known/ /usr/local/www/.well-known/
>     ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>     SSLEngine on
>     SSLCertificateFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>     SSLCertificateKeyFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>     SSLCertificateChainFile \
>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>     SSLOptions +StdEnvVars
>     BrowserMatch "MSIE [2-5]" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>     Header set X-Frame-Options SAMEORIGIN
>     Header set X-XSS-Protection "1; mode=block"
>     Header set X-Content-Type-Options nosniff
>     ErrorDocument 404 /errormessages/oatmeal_404.html
>     ErrorDocument 500 /errormessages/oatmeal_500.html
>     ErrorDocument 503 /errormessages/oatmeal_503.html
>     ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>     CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>     <Directory "/usr/local/www/njsbmwr.dudley.nu">
>         Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>         AllowOverride All
>         Order allow,deny
>         Allow from all
>     </Directory>
> </VirtualHost>
>
> The ONLY difference between this section, that doesn't work, and the
> section that DOES work is the ServerName line:
>
> < ServerName njsbmwr.dudley.nu
> ---
> > ServerName www.njsbmwr.org

Not sure this will help, but it might be worth trying.

I had a somewhat similar but not exactly the same issue and resolved it by
being more explicit in the VirtualHost assignments. You might try doing
each separately and pointing to the same certs:

...

and repeat for njsbmwr.dudley.nu:443

Apache 2.4 (not sure about earlier releases) uses the first match it finds
for the <VirtualHost>. So *:443 will match both, and the server name won't
match for one of them.

Gary
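An added example, not part of either message in this thread: a small Python linter that checks an Apache config for the two conditions the thread is about, mod_ssl's AH02572 (a vhost with SSLEngine on but no certificate and key assigned, which stops httpd from starting) and several vhosts sharing one *:443 address without a distinct ServerName (which makes Apache pick the first match silently). The config it runs over is constructed inline; the host names and paths mirror the thread, and nothing is read from disk.

```python
import re

# Constructed sample config modelled on the thread (not the poster's real file):
# the first *:443 vhost has SSLEngine on but no certificate/key assigned.
BROKEN_CONF = """
<VirtualHost *:443>
    ServerName www.njsbmwr.org
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName njsbmwr.dudley.nu
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return [(address, {directive_lower: value})] for each <VirtualHost> block.
    Container tag lines such as <Directory> are skipped; their inner directives
    are read as plain lines, which is enough for the SSL directives checked here."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line[0] in "#<":
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
        vhosts.append((addr.strip(), directives))
    return vhosts


def lint_ssl_vhosts(conf):
    """Report what makes mod_ssl refuse to start (AH02572: SSLEngine on with no
    cert/key) and what makes name-based selection pick the wrong vhost
    (vhosts on one address with no ServerName, or the same ServerName twice)."""
    problems, names = [], {}
    for addr, d in parse_vhosts(conf):
        name = d.get("servername")
        if d.get("sslengine", "").lower() == "on":
            for key in ("sslcertificatefile", "sslcertificatekeyfile"):
                if key not in d:
                    problems.append(f"{name or addr}: SSLEngine on but no {key}")
        if name is None:
            problems.append(f"{addr}: no ServerName; first vhost wins for every name")
        names[(addr, name)] = names.get((addr, name), 0) + 1
    problems += [f"{a}: ServerName {n} appears {c} times"
                 for (a, n), c in names.items() if n and c > 1]
    return problems
```

Run `lint_ssl_vhosts` over the real httpd.conf (after `Include` expansion) before `apachectl restart`; an empty list means every SSL vhost has a cert and key assigned and each name on *:443 is declared once.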