From owner-freebsd-questions@freebsd.org Wed Apr 4 13:18:18 2018
From: William Dudley <wfdudley@gmail.com>
Date: Wed, 4 Apr 2018 09:18:16 -0400
Subject: Re: my Let's Encrypt certs "broken" overnight! - SOLVED
To: freebsd@dreamchaser.org, Olivier Nicole, joh.hendriks@gmail.com
Cc: freebsd-questions, Robert Vangel
List-Id: User questions (freebsd-questions@freebsd.org)

All,

The problem is "fixed", for now. Mr Vangel had the right answer: my cert is
for njsbmwr.dudley.nu and www.njsbmwr.org but NOT for just plain njsbmwr.org,
and when I included a stanza to redirect https://njsbmwr.org to
https://www.njsbmwr.org, Apache/mod_ssl had a hissy fit and threw all of its
toys out of the pram.

This was "working" before, so apparently mod_ssl has changed and now
disallows this (invalid) configuration.

I had to comment out this stanza to get things running again:

    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/

So I'll amend my cert to add njsbmwr.org and then I can re-enable that
stanza again.

Thank you all for your help.

Bill Dudley
hobby sysadmin

This email is free of malware because I run Linux.
On Tue, Apr 3, 2018 at 11:56 PM, Gary Aitken wrote:
> On 04/03/18 07:48, William Dudley wrote:
>> I had letsencrypt certs for most of the sites I host, and they were
>> working fine until a recent upgrade -- either apache 2.4 or openssl
>> changed and now things are hosed.
>>
>> An example:
>>
>> I host www.njsbmwr.org. I have a "test" URL for development,
>> njsbmwr.dudley.nu. Both share the same certificates, or at least,
>> they used to.
>>
>> Now, if I uncomment the section for www.njsbmwr.org, apache throws an
>> error and won't start. If I comment the section out, apache is happy
>> but www.njsbmwr.org doesn't serve https pages.
>>
>> njsbmwr.dudley.nu has almost the identical section, and it works fine
>> as https://njsbmwr.dudley.nu
>>
>> The apache error I get when I enable the section for www.njsbmwr.org is:
>>
>> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
>> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
>> AH00016: Configuration Failed
>>
>> Here's the section that causes failure:
>>
>> <VirtualHost *:443>
>>     ServerAdmin webmaster@dudley.nu
>>     ServerName www.njsbmwr.org
>>     DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>>     Alias /.well-known/ /usr/local/www/.well-known/
>>     ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>>     SSLEngine on
>>     SSLCertificateFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>>     SSLCertificateKeyFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>>     SSLCertificateChainFile \
>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>>     SSLOptions +StdEnvVars
>>     BrowserMatch "MSIE [2-5]" \
>>         nokeepalive ssl-unclean-shutdown \
>>         downgrade-1.0 force-response-1.0
>>     CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>     Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>>     Header set X-Frame-Options SAMEORIGIN
>>     Header set X-XSS-Protection "1; mode=block"
>>     Header set X-Content-Type-Options nosniff
>>     ErrorDocument 404 /errormessages/oatmeal_404.html
>>     ErrorDocument 500 /errormessages/oatmeal_500.html
>>     ErrorDocument 503 /errormessages/oatmeal_503.html
>>     ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>>     CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>>     <Directory "/usr/local/www/njsbmwr.dudley.nu">
>>         Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>>         AllowOverride All
>>         Order allow,deny
>>         Allow from all
>>     </Directory>
>> </VirtualHost>
>>
>> The ONLY difference between this section, that doesn't work, and the
>> section that DOES work is the ServerName line:
>>
>> < ServerName njsbmwr.dudley.nu
>> ---
>> > ServerName www.njsbmwr.org
>
> Not sure this will help, but it might be worth trying.
>
> I had a somewhat similar but not exactly the same issue and resolved
> it by being more explicit in the VirtualHost assignments. You might
> try doing each separately and pointing to the same certs:
>
> ...
>
> and repeat for njsbmwr.dudley.nu:443
>
> Apache 2.4 (not sure about earlier releases) uses the first match it
> finds for the . So *:443 will match both, and the server
> name won't match for one of them.
>
> Gary
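The two failure modes in this thread (a name-based TLS vhost whose certificate does not list that name, and a vhost with SSLEngine on but no certificate and key, which mod_ssl reports as AH02572 / "no certificate assigned") are both visible in the config before httpd is ever restarted. The following pre-flight check is an added example, not code from the thread, from Apache or from Let's Encrypt: it parses the <VirtualHost> blocks of an httpd config and compares each ServerName/ServerAlias against the certificate's subjectAltName list. The SAN text is assumed to come from the real command `openssl x509 -in cert.pem -noout -ext subjectAltName`; the example.org/example.net hosts and paths in the sample config are constructed placeholders, not the thread's hosts, and the script assumes Python 3.7+ for dataclasses.

```python
"""Pre-flight check for Apache mod_ssl vhosts (added example, not from the thread).
Finds (1) vhosts with "SSLEngine on" but no SSLCertificateFile/SSLCertificateKeyFile
(the AH02572 / "no certificate assigned" start-up failure) and (2) ServerName or
ServerAlias values the certificate's subjectAltName does not cover."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)


@dataclass
class VHost:
    addr: str                                        # e.g. "*:443"
    names: List[str] = field(default_factory=list)   # ServerName first, then aliases
    ssl_engine: bool = False
    cert: Optional[str] = None
    key: Optional[str] = None


def parse_vhosts(conf: str) -> List[VHost]:
    """Extract the directives this check cares about from each <VirtualHost>."""
    conf = re.sub(r"\\\n[ \t]*", " ", conf)  # join backslash line continuations
    hosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = VHost(addr=addr.strip())
        for name, value in DIRECTIVE_RE.findall(body):
            key, value = name.lower(), value.strip().strip('"')
            if key == "servername":
                vh.names.insert(0, value)
            elif key == "serveralias":
                vh.names.extend(value.split())
            elif key == "sslengine":
                vh.ssl_engine = value.lower() == "on"
            elif key == "sslcertificatefile":
                vh.cert = value
            elif key == "sslcertificatekeyfile":
                vh.key = value
        hosts.append(vh)
    return hosts


def parse_san(san_text: str) -> List[str]:
    """Collect the dNSName entries from openssl's subjectAltName output."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", san_text)]


def san_covers(san_names: List[str], host: str) -> bool:
    """True if a SAN equals host, or a wildcard entry matches exactly one leading label."""
    host = host.lower().rstrip(".")
    return any(e == host or (e.startswith("*.") and host.endswith(e[1:])
                             and host.count(".") == e.count("."))
               for e in san_names)


def check_ssl_vhosts(conf: str, san_text: str) -> List[str]:
    """One line per finding; an empty list means the SSL vhosts look consistent."""
    san_names, problems = parse_san(san_text), []
    for vh in (v for v in parse_vhosts(conf) if v.ssl_engine):
        label = f"{vh.names[0] if vh.names else '<no ServerName>'} on {vh.addr}"
        if not (vh.cert and vh.key):
            problems.append(f"{label}: SSLEngine on but no certificate/key pair (AH02572)")
            continue
        problems += [f"{label}: {n} is not in the certificate's SANs"
                     for n in vh.names if not san_covers(san_names, n)]
    return problems


# Constructed sample (placeholder names) mirroring the thread: a working TLS vhost,
# a redirect vhost for the bare domain the cert does not name, and one with no cert.
SAMPLE_CONF = r"""
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile \
        "/usr/local/etc/letsencrypt/live/test.example.net/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/test.example.net/privkey.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
    ServerAlias api.example.net
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/test.example.net/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/test.example.net/privkey.pem"
    Redirect permanent / https://www.example.org/
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.org
    SSLEngine on
    Redirect permanent / https://www.example.org/
</VirtualHost>
"""
SAMPLE_SAN = "DNS:test.example.net, DNS:www.example.org, DNS:*.example.net"

if __name__ == "__main__":
    for finding in check_ssl_vhosts(SAMPLE_CONF, SAMPLE_SAN):
        print(finding)
```

Run against the sample, the check reports the bare-domain redirect vhost (its ServerName is not a SAN, which is exactly the situation the thread resolves by reissuing the cert) and the vhost that enables SSL without a key pair; the www vhost and the wildcard-covered alias pass. Feeding it the real config and the real `openssl x509 -ext subjectAltName` output before `apachectl graceful` catches both mistakes without a restart that fails.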