Author |
|
sailor
Joined: 17 Apr 2015 Posts: 82 Location: US
|
Posted: Mon 07 Feb '22 23:08 Post subject: mod_md one domain |
|
|
On v2.4.52. I'm trying to configure ssl for an additional domain (other sites have paid SSL cert). This host is first time configuring with mod_md / Let's Encrypt:
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] AH02572: Failed to configure at least one certificate and key for www.myhost.com:443
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Feb 07 15:43:18.061405 2022] [ssl:emerg] [pid 2644:tid 696] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
Code: |
Listen 172.30.59.122:80
<VirtualHost *:80>
ServerName www.myhost.com
Include conf/rewrites.conf
CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
ErrorLog "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"
</VirtualHost>
#
# myhost.com
#
MDomain www.myhost.com
LISTEN 11.22.33.44:443
<VirtualHost 11.22.33.44:443>
ServerName www.myhost.com
ServerAlias myhost.com
SSLEngine on
#SSLProtocol -all +TLSv1.2
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
# from https://cipherli.st/
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
# prevent CRIME attack
SSLCompression off
# Requires Apache >= 2.4 (2.5?)
#SSLUseStapling on
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11, Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
SSLSessionTickets Off
Include conf/_rewrites.conf
CustomLog "|D:/Apache_files/cronolog.exe D:/logs/access_%Y-%m-%d.log" combined
ErrorLog "|D:/Apache_Files/cronolog.exe D:/logs/error_%Y-%m-%d.log"
</VirtualHost>
|
|
|
Back to top |
|
sailor
Joined: 17 Apr 2015 Posts: 82 Location: US
|
Posted: Tue 08 Feb '22 15:06 Post subject: Re: mod_md one domain |
|
|
changed host from ip:443 to *:443 and server at least starts...also created cert with certbot. Some other errrors now, will have to look later. |
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
Posted: Thu 10 Feb '22 14:09 Post subject: |
|
|
Hi,
What seems strange to me are the commented lines, therefore not active:
Code: | #SSLProtocol
#SSLCipherSuite
|
|
|
Back to top |
|
sailor
Joined: 17 Apr 2015 Posts: 82 Location: US
|
Posted: Fri 11 Feb '22 16:45 Post subject: |
|
|
Thanks, removed comments.
I've been re-reading the instructions and fixing issues as I go... |
|
Back to top |
|
sailor
Joined: 17 Apr 2015 Posts: 82 Location: US
|
Posted: Fri 11 Feb '22 21:35 Post subject: |
|
|
I ended up commenting out mod_mod etc.. and focus on getting certbot working right with a dry-run.
80 didn't have both www and non-www.
Next, I finally got rewrites correct (was getting all sorts of denied and unattend / attended redirections:
RewriteCond %{REQUEST_URI} ^/\.well\-known(.*) [OR]
RewriteCond %{REQUEST_URI} ^/md-status [OR]
RewriteCond %{REQUEST_URI} ^/server-status
Rewriterule - - [L]
Rewriterule ^/(.*)$ https://myrealurl.com [R=301,L]
Have not tried mod_md. |
|
Back to top |
|
sailor
Joined: 17 Apr 2015 Posts: 82 Location: US
|
Posted: Thu 22 Sep '22 14:34 Post subject: |
|
|
I don't quite understand, but somehow there was a typo (not visible to me due to maybe some encoding?) in the domain name.
In notepad++ I double click on domain portion in the "ServerAlias somehost.com" and it highlights through the config, but the domain "Servername www.somehost.com" was not turning green! When I retyped the domain in Servername www.somehost.com and then double clicked the somehost portion on ServerAlias, the Servername domain turned green! |
|
Back to top |
|