From: William Dudley
Date: Fri, 6 Apr 2018 09:33:06 -0400
Subject: Re: my Let's Encrypt certs "broken" overnight! SOLVED
To: krad
Cc: freebsd@dreamchaser.org, freebsd-questions

Krad,

This has been solved.

Problem domain is FreeBSD 10.3, apache24-2.4.33.

I had multiple problems, and an *upgrade* caused *mod_ssl* to start barfing
when it saw the problems.

The problems:

I had njsbmwr.dudley.nu, www.njsbmwr.org, but NOT njsbmwr.org defined in
the cert.

I was doing a redirect for https://njsbmwr.org but didn't list the cert in
the stanza, like this:

    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/

That's wrong; one also needs the lines

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"

or mod_ssl (and hence apache 2.4) refuses to run.

And yes, wild card certs would have been a good thing, but I started down
this road 6 months ago.

Bill Dudley

This email is free of malware because I run Linux.
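A pre-flight check for the two problems in this thread (a TLS vhost that names no SSLCertificateFile/SSLCertificateKeyFile, and a ServerName that the certificate's SANs do not cover), added here as an example and not code from the thread or from Apache. It parses a constructed config snippet and a constructed `openssl x509 -noout -ext subjectAltName` listing, and its wildcard matching goes one step beyond the thread by covering the wildcard certs krad mentions.

```python
import re
# Constructed sample config: a *:443 vhost that only redirects and names no
# certificate (the failing shape in the thread), beside a correct one.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName njsbmwr.org
    Redirect permanent / https://www.njsbmwr.org/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.njsbmwr.org
    ServerAlias njsbmwr.dudley.nu
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
</VirtualHost>
"""
# Constructed sample of `openssl x509 -noout -ext subjectAltName -in cert.pem` output.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:njsbmwr.dudley.nu, DNS:www.njsbmwr.org
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_sans(openssl_text):
    # Collect the DNS entries from openssl's subjectAltName listing.
    return {m.group(1).lower() for m in re.finditer(r"DNS:([^\s,]+)", openssl_text)}

def name_covered(name, sans):
    # Exact SAN match, or a wildcard SAN that covers exactly one label to the left.
    labels = name.lower().split(".")
    return name.lower() in sans or (len(labels) > 2 and "*." + ".".join(labels[1:]) in sans)

def check_vhosts(conf, sans):
    # One finding per TLS vhost that lacks cert/key, or serves a name the cert does not list.
    findings = []
    for m in VHOST_RE.finditer(conf):
        addr, body, directives = m.group(1).strip(), m.group(2), {}
        for parts in (line.split(None, 1) for line in body.splitlines()):
            if len(parts) == 2:
                directives.setdefault(parts[0], []).append(parts[1].strip().strip('"'))
        if not (addr.endswith(":443") or directives.get("SSLEngine", [""])[0].lower() == "on"):
            continue
        server = directives.get("ServerName", ["(no ServerName)"])[0]
        findings += [f"{server} {addr}: missing {d}" for d in
                     ("SSLCertificateFile", "SSLCertificateKeyFile") if d not in directives]
        names = [server] + [n for a in directives.get("ServerAlias", []) for n in a.split()]
        findings += [f"{server} {addr}: {n} is not in the certificate SANs"
                     for n in names if not name_covered(n, sans)]
    return findings
```

On a live host, feed check_vhosts() the vhost config and parse_sans() the output of `openssl x509 -noout -ext subjectAltName -in .../cert.pem`; apachectl configtest still has the last word.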
On Fri, Apr 6, 2018 at 7:58 AM, krad wrote:
> When you say share the same certificate, do you mean that the cert has
> multiple sites defined in it?
> Could you supply the output of the following?
>
> certbot certificates
>
> The <VirtualHost> directive defines where that particular vhost binds
> logically on the host's network stack, whereas the ServerName defines the
> host that the vhost responds at the application level. Therefore having
> *:443 defined is fine.
>
> Is there any chance of any .htaccess file lurking under the docroot that
> may be polluting the apache config?
>
> Also it's worth noting letsencrypt do wild card certs now!!
>
> On 4 April 2018 at 04:56, Gary Aitken wrote:
>
>> On 04/03/18 07:48, William Dudley wrote:
>>
>>> I had letsencrypt certs for most of the sites I host, and they were
>>> working fine until a recent upgrade -- either apache 2.4 or openssl
>>> changed and now things are hosed.
>>>
>>> An example:
>>>
>>> I host www.njsbmwr.org. I have a "test" URL for development,
>>> njsbmwr.dudley.nu. Both share the same certificates, or at least,
>>> they used to.
>>>
>>> Now, if I uncomment the section for www.njsbmwr.org, apache throws an
>>> error and won't start. If I comment the section out, apache is happy
>>> but www.njsbmwr.org doesn't serve https pages.
>>>
>>> njsbmwr.dudley.nu has almost the identical section, and it works fine
>>> as https://njsbmwr.dudley.nu
>>>
>>> The apache error I get when I enable the section for www.njsbmwr.org is:
>>>
>>> [Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
>>> [Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>>> [Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
>>> AH00016: Configuration Failed
>>>
>>> Here's the section that causes failure:
>>>
>>> <VirtualHost *:443>
>>>     ServerAdmin webmaster@dudley.nu
>>>     ServerName www.njsbmwr.org
>>>     DocumentRoot /usr/local/www/njsbmwr.dudley.nu
>>>     Alias /.well-known/ /usr/local/www/.well-known/
>>>     ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
>>>     SSLEngine on
>>>     SSLCertificateFile \
>>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
>>>     SSLCertificateKeyFile \
>>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
>>>     SSLCertificateChainFile \
>>>         "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
>>>     SSLOptions +StdEnvVars
>>>     BrowserMatch "MSIE [2-5]" \
>>>         nokeepalive ssl-unclean-shutdown \
>>>         downgrade-1.0 force-response-1.0
>>>     CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
>>>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>     Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
>>>     Header set X-Frame-Options SAMEORIGIN
>>>     Header set X-XSS-Protection "1; mode=block"
>>>     Header set X-Content-Type-Options nosniff
>>>     ErrorDocument 404 /errormessages/oatmeal_404.html
>>>     ErrorDocument 500 /errormessages/oatmeal_500.html
>>>     ErrorDocument 503 /errormessages/oatmeal_503.html
>>>     ErrorLog /var/log/njsbmwr.dudley.nu-error_log
>>>     CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
>>>     <Directory "/usr/local/www/njsbmwr.dudley.nu">
>>>         Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
>>>         AllowOverride All
>>>         Order allow,deny
>>>         Allow from all
>>>     </Directory>
>>> </VirtualHost>
>>>
>>> The ONLY difference between this section, that doesn't work, and the
>>> section that DOES work is the ServerName line:
>>>
>>> < ServerName njsbmwr.dudley.nu
>>> ---
>>> > ServerName www.njsbmwr.org
>>>
>> Not sure this will help, but it might be worth trying.
>> I had a somewhat similar but not exactly the same issue and resolved
>> it by being more explicit in the VirtualHost assignments. You might
>> try doing each separately and pointing to the same certs:
>>
>> ...
>>
>> and repeat for njsbmwr.dudley.nu:443
>> Apache 2.4 (not sure about earlier releases) uses the first match it
>> finds for the <VirtualHost>. So *:443 will match both, and the server
>> name won't match for one of them.
>>
>> Gary
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"