Date: Wed, 4 Apr 2018 09:18:16 -0400
From: William Dudley <wfdudley@gmail.com>
To: freebsd@dreamchaser.org, Olivier Nicole <olivier2553@gmail.com>, joh.hendriks@gmail.com
Cc: freebsd-questions <freebsd-questions@freebsd.org>, Robert Vangel <rob.v@cwsau.com>
Subject: Re: my Let's Encrypt certs "broken" overnight! - SOLVED
Message-ID: <CAFsnNZ+0GxcdKRYyBzjpnx4XNuxjErWrTwKU5d5L+cVU5N6auw@mail.gmail.com>
All,

The problem is "fixed", for now. Mr Vangel had the right answer: my cert is
for njsbmwr.dudley.nu and www.njsbmwr.org but NOT for just plain njsbmwr.org,
and when I included a stanza to redirect https://njsbmwr.org to
https://www.njsbmwr.org, Apache/mod_ssl had a hissy fit and threw all of its
toys out of the pram. This was "working" before, so apparently mod_ssl has
changed and now disallows this (invalid) configuration.

I had to comment out this stanza to get things running again:

<VirtualHost *:443>
    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/
</VirtualHost>

So I'll amend my cert to add njsbmwr.org and then I can re-enable that stanza
again.

Thank you all for your help.

Bill Dudley
hobby sysadmin

This email is free of malware because I run Linux.

On Tue, Apr 3, 2018 at 11:56 PM, Gary Aitken <freebsd@dreamchaser.org> wrote:
> On 04/03/18 07:48, William Dudley wrote:
>> I had letsencrypt certs for most of the sites I host, and they were
>> working fine until a recent upgrade -- either apache 2.4 or openssl
>> changed and now things are hosed.
>>
>> An example:
>>
>> I host www.njsbmwr.org. I have a "test" URL for development,
>> njsbmwr.dudley.nu. Both share the same certificates, or at least,
>> they used to.
>>
>> Now, if I uncomment the <VirtualHost *:443> section for
>> www.njsbmwr.org, apache throws an error and won't start. If I
>> comment the section out, apache is happy but www.njsbmwr.org doesn't
>> serve https pages.
>>
>> njsbmwr.dudley.nu has almost the identical <VirtualHost *:443>
>> section, and it works fine as https://njsbmwr.dudley.nu
>>
>> The apache error I get when I enable the <VirtualHost *:443> section
>> for www.njsbmwr.org is:
>>
>> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
>> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
>> AH00016: Configuration Failed
>>
>> Here's the <VirtualHost *:443> section that causes failure:
>>
>> <VirtualHost *:443>
>>     ServerAdmin webmaster@dudley.nu
>>     ServerName www.njsbmwr.org
>>     DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>>     Alias /.well-known/ /usr/local/www/.well-known/
>>     ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>>     SSLEngine on
>>     SSLCertificateFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>>     SSLCertificateKeyFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>>     SSLCertificateChainFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>>     SSLOptions +StdEnvVars
>>     BrowserMatch "MSIE [2-5]" \
>>         nokeepalive ssl-unclean-shutdown \
>>         downgrade-1.0 force-response-1.0
>>     CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>     Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>>     Header set X-Frame-Options SAMEORIGIN
>>     Header set X-XSS-Protection "1; mode=block"
>>     Header set X-Content-Type-Options nosniff
>>     ErrorDocument 404 /errormessages/oatmeal_404.html
>>     ErrorDocument 500 /errormessages/oatmeal_500.html
>>     ErrorDocument 503 /errormessages/oatmeal_503.html
>>     ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>>     CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>>     <Directory "/usr/local/www/njsbmwr.dudley.nu">
>>         Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>>         AllowOverride All
>>     </Directory>
>>     <Location />
>>         Order allow,deny
>>         Allow from all
>>     </Location>
>> </VirtualHost>
>>
>> The ONLY difference between this section, that doesn't work, and the
>> section that DOES work is the ServerName line:
>>
>> < ServerName njsbmwr.dudley.nu
>> ---
>> > ServerName www.njsbmwr.org
>>
>
> Not sure this will help, but it might be worth trying.
> I had a somewhat similar but not exactly the same issue and resolved
> it by being more explicit in the VirtualHost assignments. You might
> try doing each separately and pointing to the same certs:
> <VirtualHost www.njsbmwr.org:443>
> ...
> </VirtualHost>
> and repeat for njsbmwr.dudley.nu:443
> Apache 2.4 (not sure about earlier releases) uses the first match it
> finds for the <VirtualHost>. So *:443 will match both, and the server
> name won't match for one of them.
>
> Gary
>
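As an added check for the situation described in this thread (example code, not from the e-mail, from Apache or from certbot): a small Python script that parses the `*:443` VirtualHost stanzas of an httpd config, flags any TLS-bound vhost that carries no `SSLCertificateFile` (the shape of the redirect stanza that stopped mod_ssl from starting here), and compares every `ServerName`/`ServerAlias` against the DNS SANs of the certificate. The config text and SAN lists are constructed to mirror the thread; the `sans_from_pem` helper assumes the `openssl` CLI is installed and is not exercised by the sample run.

```python
"""Audit Apache mod_ssl VirtualHosts against the DNS SANs of the certificate they serve.
Added example, not part of the original e-mail; config text and SAN lists are constructed."""
import re
import subprocess

# Constructed: the failing layout. The second *:443 vhost carries no certificate
# directives; that is the stanza the thread had to comment out.
BROKEN_CONF = """
<VirtualHost *:443>
    ServerName njsbmwr.dudley.nu
    ServerAlias www.njsbmwr.org
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/
</VirtualHost>
<VirtualHost *:80>
    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/
</VirtualHost>
"""
# Constructed: what the certificate covers now, and what it should cover once
# it is reissued with the bare domain added.
SANS_BEFORE = ["njsbmwr.dudley.nu", "www.njsbmwr.org"]
SANS_AFTER = SANS_BEFORE + ["njsbmwr.org"]

# Constructed end state: the redirect vhost (first "Redirect" in the text) gets
# SSLEngine on and a certificate, so it is a complete TLS vhost like the first one.
FIXED_CONF = BROKEN_CONF.replace(
    "    Redirect permanent /",
    '    SSLEngine on\n    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"\n'
    "    Redirect permanent /", 1)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*([A-Za-z]\w*)[ \t]+(.*?)[ \t]*$", re.M)


def parse_vhosts(conf):
    """Return one dict per <VirtualHost>: bind address, host names, and TLS settings."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        vh = {"addr": m.group(1).strip(), "names": [], "cert": None, "ssl": False}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            key, val = d.group(1).lower(), d.group(2).strip('"')
            if key == "servername":
                vh["names"].insert(0, val.split(":")[0])   # ServerName first, drop any :port
            elif key == "serveralias":
                vh["names"].extend(val.split())
            elif key == "sslcertificatefile":
                vh["cert"] = val
            elif key == "sslengine":
                vh["ssl"] = val.lower() == "on"
        vhosts.append(vh)
    return vhosts


def is_covered(name, sans):
    """Host-name match the way a client does it: exact, or one leftmost wildcard label."""
    name = name.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def audit(conf, sans):
    """List (servername, problem, detail) for every TLS vhost that would misbehave."""
    findings = []
    for vh in parse_vhosts(conf):
        if not (vh["addr"].endswith(":443") or vh["ssl"]):
            continue                                    # plain-HTTP vhost, nothing to check
        label = vh["names"][0] if vh["names"] else vh["addr"]
        if vh["cert"] is None:
            # TLS-bound vhost with no certificate: mod_ssl has nothing to hand the client.
            findings.append((label, "missing_cert", vh["addr"]))
        for name in vh["names"]:
            if not is_covered(name, sans):
                findings.append((label, "uncovered_name", name))
    return findings


def sans_from_pem(path):
    """Read the DNS SANs of a PEM certificate via the openssl CLI (assumed installed)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return re.findall(r"DNS:([^,\s]+)", out)


if __name__ == "__main__":
    for label, problem, detail in audit(BROKEN_CONF, SANS_BEFORE):
        print(f"{label}: {problem} ({detail})")
    print("after fix:", audit(FIXED_CONF, SANS_AFTER) or "clean")
```

On a real host, replace the constructed constants with the file contents of the httpd config and `sans_from_pem("/usr/local/etc/letsencrypt/live/<name>/cert.pem")`; run it before `apachectl restart` whenever a vhost or certificate changes, and the two classes of finding correspond to the two things that had to change here: a 443 stanza without a certificate, and a name the certificate does not cover.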