From: krad <kraduk@gmail.com>
Date: Fri, 6 Apr 2018 12:58:09 +0100
Subject: Re: my Let's Encrypt certs "broken" overnight!
To: freebsd@dreamchaser.org
Cc: William Dudley, freebsd-questions

When you say "share the same certificate", do you mean that the cert has multiple sites defined in it? Could you supply the output of the following?

certbot certificates

The <VirtualHost> directive defines where that particular vhost binds logically on the host's network stack, whereas the ServerName defines the host that the vhost responds to at the application level. Therefore having *:443 defined is fine.

Is there any chance of any .htaccess file lurking under the docroot that may be polluting the Apache config?

Also it's worth noting Let's Encrypt do wildcard certs now!!

On 4 April 2018 at 04:56, Gary Aitken wrote:

> On 04/03/18 07:48, William Dudley wrote:
>
>> I had letsencrypt certs for most of the sites I host, and they were
>> working fine until a recent upgrade -- either apache 2.4 or openssl
>> changed and now things are hosed.
>>
>> An example:
>>
>> I host www.njsbmwr.org. I have a "test" URL for development,
>> njsbmwr.dudley.nu. Both share the same certificates, or at least,
>> they used to.
>>
>> Now, if I uncomment the <VirtualHost> section for www.njsbmwr.org,
>> apache throws an error and won't start. If I comment the section out,
>> apache is happy but www.njsbmwr.org doesn't serve https pages.
>>
>> njsbmwr.dudley.nu has almost the identical <VirtualHost> section, and
>> it works fine as https://njsbmwr.dudley.nu
>>
>> The apache error I get when I enable the <VirtualHost> section for
>> www.njsbmwr.org is:
>>
>> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572:
>> Failed to configure at least one certificate and key for njsbmwr.org:80
>> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library
>> Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no
>> certificate assigned
>> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312:
>> Fatal error initialising mod_ssl, exiting.
>> AH00016: Configuration Failed
>>
>> Here's the section that causes failure:
>>
>> <VirtualHost *:443>
>> ServerAdmin webmaster@dudley.nu
>> ServerName www.njsbmwr.org
>> DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>> Alias /.well-known/ /usr/local/www/.well-known/
>> ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>> SSLEngine on
>> SSLCertificateFile \
>>   "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>> SSLCertificateKeyFile \
>>   "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>> SSLCertificateChainFile \
>>   "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>> SSLOptions +StdEnvVars
>> BrowserMatch "MSIE [2-5]" \
>>   nokeepalive ssl-unclean-shutdown \
>>   downgrade-1.0 force-response-1.0
>> CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>> Header set X-Frame-Options SAMEORIGIN
>> Header set X-XSS-Protection "1; mode=block"
>> Header set X-Content-Type-Options nosniff
>> ErrorDocument 404 /errormessages/oatmeal_404.html
>> ErrorDocument 500 /errormessages/oatmeal_500.html
>> ErrorDocument 503 /errormessages/oatmeal_503.html
>> ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>> CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>> <Directory "/usr/local/www/njsbmwr.dudley.nu">
>>   Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>>   AllowOverride All
>>   Order allow,deny
>>   Allow from all
>> </Directory>
>> </VirtualHost>
>>
>> The ONLY difference between this section, that doesn't work, and the
>> section that DOES work is the ServerName line:
>>
>> < ServerName njsbmwr.dudley.nu
>> ---
>> > ServerName www.njsbmwr.org
>>
> Not sure this will help, but it might be worth trying.
> I had a somewhat similar but not exactly the same issue and resolved
> it by being more explicit in the VirtualHost assignments. You might
> try doing each separately and pointing to the same certs:
>
> <VirtualHost www.njsbmwr.org:443>
> ...
> </VirtualHost>
>
> and repeat for njsbmwr.dudley.nu:443
> Apache 2.4 (not sure about earlier releases) uses the first match it
> finds for the <VirtualHost>. So *:443 will match both, and the server
> name won't match for one of them.
>
> Gary
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
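Two points in the thread are worth seeing side by side: krad's distinction between the `<VirtualHost>` address (where the vhost binds on the network stack) and `ServerName` (which request name it answers to), and Gary's observation that Apache 2.4 falls back to the first `<VirtualHost>` listed for a matching address when no ServerName matches. The following is an added example, not code from the thread and not Apache's own code: a small Python model of Apache 2.4's name-based vhost selection, plus the startup condition behind the AH02572 error (every vhost with `SSLEngine on` must carry its own certificate and key, whichever ServerName it has). The configuration is constructed for the example in the shape of the two sites discussed; it is not the poster's real config, and the host/IP values are illustrative.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's two sites (not the poster's real config).
# Both share *:443; the second vhost has SSLEngine on but no certificate directives,
# which is the condition mod_ssl reports as AH02572 and refuses to start on.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName njsbmwr.dudley.nu
    DocumentRoot "/usr/local/www/njsbmwr.dudley.nu"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
    <Directory "/usr/local/www/njsbmwr.dudley.nu">
        AllowOverride All
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.njsbmwr.org
    ServerAlias njsbmwr.org
    DocumentRoot "/usr/local/www/njsbmwr.dudley.nu"
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName www.njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/
</VirtualHost>
"""

@dataclass
class VHost:
    address: str  # the <VirtualHost ...> argument, e.g. "*:443"
    directives: dict = field(default_factory=dict)  # lower-cased name -> list of argument lists

    def get(self, name, default=None):
        """First argument of the first occurrence of a directive, or default."""
        args = self.directives.get(name.lower())
        return args[0][0] if args and args[0] else default

    @property
    def names(self):
        """ServerName followed by every ServerAlias, lower-cased."""
        names = [self.get("ServerName", "")]
        for args in self.directives.get("serveralias", []):
            names.extend(args)
        return [n.lower() for n in names if n]

def parse_config(text):
    """Collect top-level <VirtualHost> blocks; nested sections such as <Directory>
    are skipped, since only vhost-level directives matter here."""
    vhosts, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current, depth = VHost(line[len("<VirtualHost"):].rstrip(">").strip()), 0
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
        elif current is None:
            continue
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            parts = shlex.split(line)
            current.directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return vhosts

def lint_ssl(vhosts):
    """The startup condition behind AH02572: every vhost with SSLEngine on needs
    its own certificate and key, whatever ServerName it carries."""
    findings = []
    for v in vhosts:
        if v.get("SSLEngine", "off").lower() != "on":
            continue
        missing = [d for d in ("SSLCertificateFile", "SSLCertificateKeyFile") if v.get(d) is None]
        if missing:
            findings.append(f"{v.get('ServerName', '?')} ({v.address}): SSLEngine on but no {', '.join(missing)}")
    return findings

def select_vhost(vhosts, ip, port, host_header):
    """Apache 2.4 selection: keep vhosts whose address matches the connection (an exact
    IP beats a wildcard), prefer the one whose ServerName/ServerAlias matches the Host
    (or TLS SNI) name, else fall back to the FIRST vhost listed for that address."""
    def addr_ok(v):
        host, _, vport = v.address.rpartition(":")
        return host in ("*", "_default_", ip) and vport in ("*", str(port))
    candidates = [v for v in vhosts if addr_ok(v)]
    exact = [v for v in candidates if v.address.rpartition(":")[0] == ip]
    candidates = exact or candidates
    name = host_header.lower().split(":")[0]
    for v in candidates:
        if name in v.names:
            return v
    return candidates[0] if candidates else None
```

Run against the sample, `lint_ssl` flags the second `*:443` vhost as the one that would stop httpd, and `select_vhost` shows the ordering effect Gary describes: a request for `www.njsbmwr.org` or its alias lands on the second vhost by name, while an unknown name on port 443 falls through to the first vhost listed, `njsbmwr.dudley.nu`. On a real server, `apachectl -S` prints the vhost table as Apache parsed it, in the order it will consult it, which is the quickest way to confirm which block a given name and port resolve to.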