bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
Posted: Fri 01 Sep '17 13:28 Post subject: [solved] Letsencrypt configuration problem
Hello,
I am trying to get mod_md working on one of my domains.
Here is my config:
Code:
    ###################
    # Server mch44.fr #
    ###################
    MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
    ManagedDomain mch44.fr www.mch44.fr
    <VirtualHost 0.0.0.0:80>
        ServerName www.mch44.fr
        DocumentRoot /www/mch44/html
        ServerAlias mch44.fr *.mch44.fr
        VirtualDocumentRoot /www/mch44/html/%1
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
        RewriteRule ^(.*) http://www.mch44.fr$1 [R=301,L]
        <IfModule fcgid_module>
            <Files ~ "\.php$">
                AddHandler fcgid-script .php
                FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
            </Files>
        </IfModule>
        ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log
        <Directory /www/mch44/html/>
            Options +FollowSymLinks -Indexes -Includes -ExecCGI
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>
    <VirtualHost 0.0.0.0:443>
        ServerName mch44.fr
        DocumentRoot /www/mch44/html
        ServerAlias mch44.fr *.mch44.fr
        VirtualDocumentRoot /www/mch44/html/%1
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
        RewriteRule ^(.*) https://www.mch44.fr$1 [R=301,L]
        <IfModule fcgid_module>
            <Files ~ "\.php$">
                AddHandler fcgid-script .php
                FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
            </Files>
        </IfModule>
        ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log
        <Directory /www/mch44/html/>
            Options +FollowSymLinks -Indexes -Includes -ExecCGI
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>
But I get this error:
Code:
    [Fri Sep 01 13:17:33.014307 2017] [ssl:warn] [pid 5464:tid 544] AH: Init: (mch44.fr:443) disabling this host for now as certificate/key data for the Managed Domain is incomplete.
I have mod_ssl, mod_md and mod_watchdog active.
Can you help me make it work?
Thanks.
Steffen (Moderator)
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Fri 01 Sep '17 14:18
Try:
Code:
    <VirtualHost *:443>
        ServerName www.mch44.fr
        DocumentRoot /www/mch44/html
        ServerAlias mch44.fr
        ...
bagu
Posted: Fri 01 Sep '17 15:13
Done, without success... But there is no more error in the error log.
In Firefox, I receive: SSL_ERROR_RX_RECORD_TOO_LONG
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
Posted: Fri 01 Sep '17 15:57
In the :443 VirtualHost, turn on mod_ssl:
Ideally, mod_md would detect that for you. However, that will require some more work by me.
Additionally, if you have no other https: running yet, you also need to configure this, for now globally:
Code:
    MDCAChallenges http-01
bagu
Posted: Fri 01 Sep '17 16:50
I put SSLEngine On in the :443 vhost, and MDCAChallenges http-01 in ssl.conf.
But no luck.
I get:
Code:
    [Fri Sep 01 16:46:54.562564 2017] [ssl:error] [pid 7728:tid 5640] [client 192.168.1.30:57638] AH01962: Unable to create a new SSL connection from the SSL context
    [Fri Sep 01 16:46:54.562564 2017] [ssl:error] [pid 7728:tid 5640] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
And a blank page in Firefox with a connection error.
bagu
Posted: Fri 01 Sep '17 19:56
OK, after MAAAAANYYYY tests/tries...
It works, but I don't know why ^^
And if I reboot the web server, it doesn't work again.
Settings for mod_md are:
Code:
    # Container for directives applied to the same managed domains
    MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
    # This tells mod_md which challenge types it shall use in which order when proving domain ownership.
    # The names are protocol specific. The current ACME protocol version that Let's Encrypt speaks
    # defines two challenge types that are supported by mod_md. By default, it will try the one on
    # port 443 when available.
    # Default: MDCAChallenges tls-sni-01 http-01
    MDCAChallenges http-01
Settings for the vhost are:
Code:
    ###################
    # Server mch44.fr #
    ###################
    ManagedDomain mch44.fr www.mch44.fr
    <VirtualHost *:80>
        ServerName www.mch44.fr
        DocumentRoot /www/mch44/html
        ServerAlias mch44.fr *.mch44.fr
        VirtualDocumentRoot /www/mch44/html/%1
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
        RewriteRule ^(.*) http://www.mch44.fr$1 [R=301,L]
        <IfModule fcgid_module>
            <Files ~ "\.php$">
                AddHandler fcgid-script .php
                # The posted line read "error_log=d/logs/..."; the "d" was a typo for the /logs/ path used everywhere else.
                FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
            </Files>
        </IfModule>
        ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log
        <Directory /www/mch44/html/>
            Options +FollowSymLinks -Indexes -Includes -ExecCGI
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>
    <VirtualHost *:443>
        ServerName www.mch44.fr
        DocumentRoot /www/mch44/html
        ServerAlias mch44.fr *.mch44.fr
        VirtualDocumentRoot /www/mch44/html/%1
        SSLEngine On
        RewriteEngine on
        # mod_rewrite has no HTTPS_HOST variable, so the posted "%{HTTPS_HOST}" could never match;
        # the Host header is HTTP_HOST on both the :80 and the :443 vhost.
        RewriteCond %{HTTP_HOST} ^mch44.fr [NC]
        RewriteRule ^(.*) https://www.mch44.fr$1 [R=301,L]
        <IfModule fcgid_module>
            <Files ~ "\.php$">
                AddHandler fcgid-script .php
                FcgidWrapper "/php/php-cgi.exe -d error_log=/logs/vhost_php_error/mch44.fr.php_error.log" .php
            </Files>
        </IfModule>
        ErrorLog /logs/vhost_apache_error/mch44.fr.apache.error.log
        <Directory /www/mch44/html/>
            Options +FollowSymLinks -Indexes -Includes -ExecCGI
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>
PipoDeClown
Joined: 20 Dec 2005 Posts: 77
Posted: Sat 02 Sep '17 20:33
The wildcard in
Quote:
    ServerAlias mch44.fr *.mch44.fr
is not supposed to work, since Let's Encrypt does not support wildcards (yet).
bagu
Posted: Sat 02 Sep '17 21:53
I have changed it to:
Without success:
Code:
    [Sat Sep 02 21:50:41.430725 2017] [ssl:warn] [pid 4796:tid 532] AH: Init: (www.mch44.fr:443) disabling this host for now as certificate/key data for the Managed Domain is incomplete.
    [Sat Sep 02 21:50:58.349617 2017] [ssl:error] [pid 4796:tid 5656] [client 192.168.1.1:54675] AH01962: Unable to create a new SSL connection from the SSL context
    [Sat Sep 02 21:50:58.350606 2017] [ssl:error] [pid 4796:tid 5656] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
bagu
Posted: Mon 04 Sep '17 0:15
I have turned on trace info, and there is some news:
Code:
    [Mon Sep 04 00:12:03.734088 2017] [md:trace2] [pid 8824:tid 612] md_store_fs.c(424): (2)No such file or directory: loading type 3 from /apache/md/domains/mch44.fr/privkey.pem
    [Mon Sep 04 00:12:03.734088 2017] [md:trace2] [pid 8824:tid 612] md_store_fs.c(424): (2)No such file or directory: loading type 4 from /apache/md/domains/mch44.fr/pubcert.pem
    [Mon Sep 04 00:12:03.734088 2017] [md:debug] [pid 8824:tid 612] md_reg.c(166): md{mch44.fr}: incomplete, without private key
Have I missed something?
bagu
Posted: Mon 04 Sep '17 16:47
Hello,
After maaaaaany tests/changes... I have a nearly working configuration:
Code:
    [Mon Sep 04 16:41:12.042909 2017] [md:debug] [pid 2980:tid 544] mod_md.c(850): AH10076: mch44.fr: manages server mch44.fr
    [Mon Sep 04 16:41:12.042909 2017] [md:debug] [pid 2980:tid 544] mod_md.c(882): AH10077: mch44.fr: loading credentials for server mch44.fr
But I get a SEC_ERROR_UNKNOWN_ISSUER from Firefox because I had a Fake LE Root X1 certificate.
It seems that it's because I had:
Code:
    MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory
instead of
Code:
    MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
So, is there a way to renew the certificate with the right parameter?
Another question:
I have two vhosts, so I have this config:
Code:
    <ManagedDomain mch44.fr>
        MDMember www.mch44.fr
        # MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory # For test purpose only
        MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
    </ManagedDomain>
    <ManagedDomain hyze.fr>
        MDMember blog.hyze.fr
        MDMember forum.hyze.fr
        MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
    </ManagedDomain>
But I get the mch44.fr certificate on hyze.fr... Do you know why?
Steffen (Moderator)
Posted: Mon 04 Sep '17 17:01
Remove the /md folder and start over again.
And remove the MDCertificateAuthority from your config. Since version 0.7.0 you get a real certificate by default.
bagu
Posted: Tue 05 Sep '17 11:59
Hello,
So, now, https://www.mch44.fr works, but https://forum.hyze.fr gets SSL_ERROR_BAD_CERT_DOMAIN because it receives the mch44 certificate Oo
Do you know why?
Any idea is welcome.
Steffen (Moderator)
Posted: Tue 05 Sep '17 12:12
When no vhost is found, it goes to the first one.
So, do you have a VirtualHost www.hyze.fr with
Code:
    ServerAlias hyze.fr
    ServerAlias blog.hyze.fr
    ServerAlias forum.hyze.fr
bagu
Posted: Tue 05 Sep '17 12:21
Yes, of course:
Code:
    <VirtualHost *:443>
        ServerName hyze.fr
        DocumentRoot /www/hyze/html/
        SSLEngine On
        ServerAlias forum.hyze.fr blog.hyze.fr
        VirtualDocumentRoot /www/hyze/html/%1
        <IfModule fcgid_module>
            <Files ~ "\.php$">
                AddHandler fcgid-script .php
                FcgidWrapper "/php7/php-cgi.exe -d error_log=/logs/vhost_php_error/hyze.fr.php_error.log" .php
            </Files>
        </IfModule>
        ErrorLog /logs/vhost_apache_error/hyze.fr.apache.error.log
        <Directory /www/hyze/html/>
            Options +FollowSymLinks -Indexes -Includes -ExecCGI
            AllowOverride all
            Require all granted
        </Directory>
    </VirtualHost>
Steffen (Moderator)
Posted: Tue 05 Sep '17 12:42
You have:
Code:
    <ManagedDomain mch44.fr>
    ...
    ...
    <ManagedDomain hyze.fr>
    ...
    ...
Remove that.
And try:
Code:
    ManagedDomain mch44.fr www.mch44.fr hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr
When you have more ServerAlias entries, you can add them.
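A configuration check for the kind of mismatch discussed in this thread, as an added example and not code from the thread or from mod_md. It reads ManagedDomain definitions in both spellings seen above (the one-line form and the <ManagedDomain> block with MDMember lines) together with the :443 VirtualHosts, and reports: host names that no managed domain covers, host names listed in two managed domains, a vhost whose names are split across two managed domains, :443 vhosts without SSLEngine On, wildcard aliases (which the http-01 challenge cannot validate), and which vhost comes first, since that is the one mod_ssl answers with when nothing matches the SNI name. The embedded configuration is constructed for the example and deliberately leaves SSLEngine On out of the hyze.fr vhost; the scanner is a small line parser, not a full Apache configuration parser.

```python
import re
from collections import defaultdict

# Constructed sample, reduced to the directives that matter for coverage.
# The hyze.fr vhost deliberately lacks SSLEngine On.
SAMPLE_CONFIG = """
ManagedDomain mch44.fr www.mch44.fr
ManagedDomain hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr
<VirtualHost *:443>
    ServerName www.mch44.fr
    ServerAlias mch44.fr *.mch44.fr
    SSLEngine On
</VirtualHost>
<VirtualHost *:443>
    ServerName hyze.fr
    ServerAlias forum.hyze.fr blog.hyze.fr
</VirtualHost>
"""


def _lines(text):
    """Non-empty configuration lines with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_managed_domains(text):
    """{md_name: [members]} for both the one-line ManagedDomain form and the
    <ManagedDomain> block form; in both, the leading name is itself a member."""
    mds, current = {}, None
    for line in _lines(text):
        if m := re.match(r"<ManagedDomain\s+(\S+)\s*>$", line, re.I):
            current = m.group(1).lower()
            mds.setdefault(current, [current])
        elif re.match(r"</ManagedDomain>$", line, re.I):
            current = None
        elif (m := re.match(r"MDMember\s+(\S+)", line, re.I)) and current:
            mds[current].append(m.group(1).lower())
        elif m := re.match(r"ManagedDomain\s+(.+)$", line, re.I):
            names = [n.lower() for n in m.group(1).split()]
            mds[names[0]] = names
    return mds


def parse_ssl_vhosts(text):
    """The :443 VirtualHosts in configuration order, each as a dict with
    'name', 'aliases' and 'ssl' (True when SSLEngine On is present)."""
    vhosts, cur = [], None
    for line in _lines(text):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            cur = {"addr": m.group(1).strip(), "name": None, "aliases": [], "ssl": False}
        elif cur is None:
            continue
        elif re.match(r"</VirtualHost>", line, re.I):
            if cur["addr"].endswith(":443"):
                vhosts.append(cur)
            cur = None
        elif m := re.match(r"ServerName\s+(\S+)", line, re.I):
            cur["name"] = m.group(1).lower()
        elif m := re.match(r"ServerAlias\s+(.+)$", line, re.I):
            cur["aliases"] += [a.lower() for a in m.group(1).split()]
        elif re.match(r"SSLEngine\s+on$", line, re.I):
            cur["ssl"] = True
    return vhosts


def check_coverage(text):
    """Cross-check the managed domains against the :443 vhosts."""
    mds = parse_managed_domains(text)
    vhosts = parse_ssl_vhosts(text)
    owner = defaultdict(list)  # host name -> managed domains that list it
    for md, members in mds.items():
        for name in members:
            owner[name].append(md)
    findings = {
        "duplicate_members": {n: o for n, o in owner.items() if len(o) > 1},
        "uncovered": [],      # vhost names no managed domain will certify
        "wildcards": [],      # http-01 cannot validate wildcard names
        "no_sslengine": [],   # :443 vhosts that will not speak TLS at all
        "split_vhosts": [],   # one vhost carrying names from two managed domains
        # mod_ssl answers with the first :443 vhost when nothing matches the
        # SNI name, so a vhost mod_md has disabled shows this one's certificate.
        "default_vhost": vhosts[0]["name"] if vhosts else None,
    }
    for vh in vhosts:
        names = ([vh["name"]] if vh["name"] else []) + vh["aliases"]
        if not vh["ssl"]:
            findings["no_sslengine"].append(vh["name"])
        used = set()
        for name in names:
            if name.startswith("*."):
                findings["wildcards"].append(name)
            elif name not in owner:
                findings["uncovered"].append(name)
            else:
                used.update(owner[name])
        if len(used) > 1:
            findings["split_vhosts"].append((vh["name"], sorted(used)))
    return findings
```

Run `check_coverage(open("httpd.conf").read())` against the real configuration (or the pieces of it that carry the MD and :443 directives) and treat any non-empty list as something to fix before restarting Apache: an "uncovered" name is the www.hyze.fr case above, "duplicate_members" is the two-ManagedDomain case, and "wildcards" is the *.mch44.fr alias PipoDeClown pointed out.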
bagu
Posted: Tue 05 Sep '17 16:56
OK, so it works fine now...
My very first problem was that I had more than one ManagedDomain line in my config.
Many thanks
bagu
Posted: Tue 05 Sep '17 18:15
Another question:
I have only one certificate for all the hosts I have...
May I have one certificate per vhost?
admin (Site Admin)
Joined: 15 Oct 2005 Posts: 692
Posted: Thu 07 Sep '17 11:17
Two lines, for example:
Code:
    ManagedDomain mch44.fr www.mch44.fr
    ManagedDomain hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr
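The layout the thread settled on, gathered into one place as an added example; it is not a configuration anyone posted in the thread. It keeps the directives the posts converged on (global MDCertificateAgreement and MDCAChallenges http-01, one ManagedDomain line per certificate, SSLEngine On in every :443 vhost) and drops the *.mch44.fr wildcard alias, since http-01 cannot validate a wildcard name. The hyze.fr :80 vhost, the DocumentRoot values and the omission of the PHP, rewrite and logging directives are assumptions made to keep the example short.

```apache
# Global mod_md settings. MDCAChallenges http-01 is needed because, as icing
# noted, no https: site exists yet when the first certificate is requested,
# so the tls-sni-01 default has nothing to answer on.
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
MDCAChallenges http-01

# One ManagedDomain line per certificate. Every ServerName and ServerAlias a
# :443 vhost answers for should appear in exactly one of these lines: a name
# missing here is simply not in any certificate, and a vhost whose names are
# spread over two lines cannot be served with a single certificate.
ManagedDomain mch44.fr www.mch44.fr
ManagedDomain hyze.fr www.hyze.fr blog.hyze.fr forum.hyze.fr

# Port 80 must stay reachable from the internet: the http-01 challenge is
# answered there. (hyze.fr :80 vhost assumed; the thread only shows mch44.fr.)
<VirtualHost *:80>
    ServerName www.mch44.fr
    ServerAlias mch44.fr
    DocumentRoot /www/mch44/html
</VirtualHost>

<VirtualHost *:80>
    ServerName hyze.fr
    ServerAlias www.hyze.fr blog.hyze.fr forum.hyze.fr
    DocumentRoot /www/hyze/html
</VirtualHost>

# The first :443 vhost is what mod_ssl answers with when the SNI name matches
# nothing usable, which is how forum.hyze.fr ended up showing the mch44.fr
# certificate while its own vhost was still disabled. SSLEngine On is still
# required in each vhost: mod_md supplies the certificate and key, it does
# not switch TLS on.
<VirtualHost *:443>
    ServerName www.mch44.fr
    ServerAlias mch44.fr
    SSLEngine On
    DocumentRoot /www/mch44/html
</VirtualHost>

<VirtualHost *:443>
    ServerName hyze.fr
    ServerAlias www.hyze.fr blog.hyze.fr forum.hyze.fr
    SSLEngine On
    DocumentRoot /www/hyze/html
</VirtualHost>
```

After a restart, check each name separately rather than trusting the browser on one of them, for example with `openssl s_client -servername forum.hyze.fr -connect <host>:443` and reading the Subject Alternative Name list of the certificate returned; a name that is answered with the other site's certificate is either missing from its ManagedDomain line or still disabled because that managed domain has no certificate yet.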