Let's Encrypt certificate renewal fails with well-hardened Nextcloud 15.04 server

letsencrypt
nc15
#11

Thanks for all your support, MichaIng!

Let me answer in parts. This is “Part 1”

The files you mentioned: all correct, plus some more. Here is the full listing:

Recursive listing of /etc/httpd
[root@wind /etc/httpd]# ls -laFR 
.:
total 28
drwxr-xr-x.   5 root root  4096 10. Feb 10:56 ./
drwxr-xr-x. 167 root root 12288 10. Feb 10:54 ../
drwxr-xr-x.   2 root root  4096 10. Feb 17:53 conf/
drwxr-xr-x.   2 root root  4096 10. Feb 17:52 conf.d/
drwxr-xr-x.   2 root root  4096 26. Jan 10:50 conf.modules.d/
lrwxrwxrwx.   1 root root    19 23. Jan 13:40 logs -> ../../var/log/httpd/
lrwxrwxrwx.   1 root root    29 23. Jan 13:40 modules -> ../../usr/lib64/httpd/modules/
lrwxrwxrwx.   1 root root    10 23. Jan 13:40 run -> /run/httpd/
lrwxrwxrwx.   1 root root    19 23. Jan 13:40 state -> ../../var/lib/httpd/

./conf:
total 36
drwxr-xr-x. 2 root root  4096 10. Feb 17:53 ./
drwxr-xr-x. 5 root root  4096 10. Feb 10:56 ../
-rw-r--r--. 1 root root 11983  9. Feb 18:30 httpd.conf
-rw-r--r--. 1 root root 13077 23. Jan 13:40 magic

./conf.d:
total 64
drwxr-xr-x. 2 root root 4096 10. Feb 17:52 ./
drwxr-xr-x. 5 root root 4096 10. Feb 10:56 ../
-rw-r--r--. 1 root root 2893 23. Jan 13:40 autoindex.conf
-rw-r--r--. 1 root root 1537 10. Feb 10:51 http_my.conf
-rw-r--r--. 1 root root  344 23. Jan 13:37 manual.conf
-rw-r--r--. 1 root root  211 10. Feb 15:04 nextcloud.conf
-rw-r--r--. 1 root root 1752 29. Aug 13:36 perl.conf
-rw-r--r--. 1 root root 1618  8. Jan 15:24 php.conf
-rw-r--r--. 1 root root  400 23. Jan 13:40 README
-rw-r--r--. 1 root root  298 11. Dec 11:35 squid.conf
-rw-r--r--. 1 root root 9807 21. Mar 2018  ssl.conf
-rw-r--r--. 1 root root 1252 23. Jan 13:37 userdir.conf
-rw-r--r--. 1 root root  302 15. Jul 2018  webalizer.conf
-rw-r--r--. 1 root root  516 23. Jan 13:37 welcome.conf

./conf.modules.d:
total 64
drwxr-xr-x. 2 root root 4096 26. Jan 10:50 ./
drwxr-xr-x. 5 root root 4096 10. Feb 10:56 ../
-rw-r--r--. 1 root root 3311 23. Jan 13:37 00-base.conf
-rw-r--r--. 1 root root  139 23. Jan 13:37 00-dav.conf
-rw-r--r--. 1 root root   41 23. Jan 13:37 00-lua.conf
-rw-r--r--. 1 root root  951 23. Jan 13:37 00-mpm.conf
-rw-r--r--. 1 root root  787 23. Jan 13:37 00-optional.conf
-rw-r--r--. 1 root root 1073 23. Jan 13:37 00-proxy.conf
-rw-r--r--. 1 root root   41 23. Jan 13:37 00-ssl.conf
-rw-r--r--. 1 root root   88 23. Jan 13:37 00-systemd.conf
-rw-r--r--. 1 root root  451 23. Jan 13:37 01-cgi.conf
-rw-r--r--. 1 root root  448 29. Aug 13:36 02-perl.conf
-rw-r--r--. 1 root root   45  9. Oct 14:31 10-h2.conf
-rw-r--r--. 1 root root   57  9. Oct 14:31 10-proxy_h2.conf
-rw-r--r--. 1 root root  480  8. Jan 15:24 15-php.conf
-rw-r--r--. 1 root root  496 23. Jan 13:40 README

No, it seems not. I cannot find phpenmod on Fedora, but

php -m | grep -i rewrite

gives zero results. The other modules are:

php-Modules

# php -m
[PHP Modules]
apcu
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
imagick
imap
intl
json
ldap
libsmbclient
libxml
mbstring
mcrypt
memcached
msgpack
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
redis
Reflection
session
shmop
SimpleXML
smbclient
sockets
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

Trying the method used to install a couple of other php modules fails here. I just guessed the package name, but obviously it is wrong:

dnf install php-rewrite
No match for argument: php-rewrite

Maybe it is part of another package?

But it seems to be loaded anyhow according to

httpd -M | grep rewrite
rewrite_module (shared)

So the rewrite Module should be fine.

Yes, the server is for Nextcloud only.
(In the future I plan to run Collabora online server on this machine as well, but for now just forget it.)

So, now I am going to continue with your cleanup suggestions. I will be back.


#12

Whoopsie, rewrite is not a PHP module but an Apache module, of course. I mixed that up. So it should be:
a2enmod rewrite (Debian-specific)
I will fix that above as well… If the command above does not work, check the README on how to enable/disable modules.
Since ./conf.modules.d does not contain any XX-rewrite.conf, it could indeed be missing; on the other hand, Nextcloud should then face major errors, and other obviously active modules also lack an explicit entry. Perhaps those are contained in 00-base.conf or 00-optional.conf. Definitely different from the Debian layout I am used to :wink:.

I see the dav module seems active. The nextcloud.conf disables it anyway, but you can disable it server-wide: a2dismod dav (Debian-specific)

Okay, so on Fedora vhosts, config snippets and even module-specific configs are merged into ./conf.d. That makes it harder to get an overview, but it matches the way Apache includes those settings: all exactly the same way, via the Include directive. However, these seem to be default snippets that should not interfere with any Nextcloud setup or Certbot challenge. 15-php.conf indicates that PHP is implemented as an Apache module, as expected.


Generally for understanding:

  • I am pretty sure that ./conf.modules.d contains files with only the LoadModule directive, loading the modules with their set of features and additional directives.
  • ./conf.d has as well module specific configs, but those apply special settings to them, e.g. ssl.conf containing special SSL/HTTPS settings and perl.conf doing the same for the perl module etc.

Ah yep, a2en/dismod, a2en/dissite, a2en/disconf and phpen/dismod are Debian-specific. Good to know: https://serverfault.com/questions/251475/how-to-check-enable-mod-rewrite-on-apache-linux


#13

I just found that the rewrite_module is loaded and updated my post above. So this should be fine.


#14

As far as I recall, a2enmod and a2dismod are also commands from the Debian / Ubuntu world. Some years ago I was using them, but I'm still confusing them once in a while as well.

a2dismod dav
bash: a2dismod: command not found
a2enmod rewrite
bash: a2enmod: command not found

#15

Okay, so either /etc/httpd/conf.modules.d/README gives a hint, or you manually remove /etc/httpd/conf.modules.d/00-dav.conf, which should be a symlink to /etc/httpd/modules/*:
ls -l /etc/httpd/conf.modules.d/00-dav.conf

Or simply leave it as is, since nextcloud.conf anyway disables it :wink:.


#16
cat /etc/httpd/conf.modules.d/00-dav.conf
00-dav.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
cat /etc/httpd/conf.modules.d/README 
README
This directory holds configuration files for the Apache HTTP Server;
any files in this directory which have the ".conf" extension will be
processed as httpd configuration files.  This directory contains
configuration fragments necessary only to load modules.
Administrators should use the directory "/etc/httpd/conf.d" to modify
the configuration of httpd, or any modules.

Files are processed in sorted order and should have a two digit
numeric prefix.  See httpd.conf(5) for more information.

I suggest leaving this unchanged, as it follows the Nextcloud instructions and the README. Obviously, removing it completely would be the most robust solution.


#17

You were perfectly right, the rewrite module is loaded with 00-base.conf:

grep rewrite *.conf
00-base.conf:LoadModule rewrite_module modules/mod_rewrite.so

#18

Cool now, the server settings seem to be cleaned up!
I rebooted the server and now it is up and running again.
Do you need the updated files (*.conf, …)?
Thanks a lot for guiding me through.

Now getting back to the original problem(s):
a) The certbot error still occurs
b) A new ssllabs test unfortunately also still states: Too many Redirection

Could you please advise on how to proceed next?


#19

Okay, there seems to be a redirect loop or something that I can't find yet. Although not really a loop, since accessing via HTTPS (Nextcloud) works well, right?


Let's check whether access to the ACME challenge dir works over HTTPS:

mkdir -p /var/www/nextcloud/.well-known/acme-challenge
echo 'No redirection/rewrite is done, great!' > /var/www/nextcloud/.well-known/acme-challenge/test

Then try to access via browser: https://my.domain.tld/.well-known/acme-challenge/test

If you can see the file content, everything is fine so far, otherwise some rewrite/blocking/redirection is done that should not be done. Please paste any error message or URL you land on.


To identify the HTTP redirects:

  • You have no Cloudflare or any redirects active at your dynamic DNS/domain provider, have you? I found one case where the provider side redirected 443 to 80 and the local server redirected 80 back to 443, causing a loop. Of course this is not your case, but at least a hint where additional redirects could come from.
  • Let's check the remaining config file contents: cat /etc/httpd/conf.d/*.conf

I just see the logs directory now. Perhaps /etc/httpd/logs/http_error_log or /etc/httpd/logs/http_access_log show something interesting?


Instead of doing Redirect permanent / https://my.domain.tld/ you could try doing this with a rewrite rule as well:

<VirtualHost *:80>
RewriteEngine On
RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
  • No more content required in http_my.conf when redirecting everything anyway.
  • The R still does a redirect (forces browser to send a new request) instead of a “silent” rewrite only (which is not reflected in browser URL). So the error might be still the same.
  • For debugging at least you could try to remove the R, so having only [L] at the end of the line.
  • The L btw. means that no further rewrite should be done in this context.
  • If interested, read for further details about mod_rewrite: https://httpd.apache.org/docs/current/mod/mod_rewrite.html

But for simple HTTP => HTTPS redirection this is actually not the recommended way. So at best, even if somehow the above works, we find the reason why it doesn't with Redirect permanent.

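The two checks suggested in the post above (does the challenge path survive the redirect to HTTPS, and is there a loop somewhere) can be automated the way the HTTP-01 validator itself walks the chain. The following is an added example, not code from this thread or from Certbot: it follows redirects one hop at a time, stops at the validator's limit of 10 hops and only accepts http/https targets on ports 80 and 443 (both limits as documented by Let's Encrypt), and reports a failure to connect ("unreachable") separately from a redirect loop. The host name, the token and the three scenario tables are constructed; `fake_fetch` stands in for the network so the scenarios run offline, while `http_fetch` performs a real probe against a live host.

```python
"""Trace the redirect chain an HTTP-01 validator walks for an ACME challenge
URL and tell a connection failure apart from a redirect loop.
Added example, not code from the thread or from certbot."""
import http.client
import ssl
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_REDIRECTS = 10                  # Let's Encrypt follows at most 10 redirects
ALLOWED_SCHEMES = ("http", "https")
ALLOWED_PORTS = {80, 443}           # and only to ports 80 and 443


@dataclass
class Hop:
    url: str
    status: Optional[int]           # None: no TCP/TLS connection could be made
    location: Optional[str] = None
    error: Optional[str] = None


def default_port(u: urllib.parse.SplitResult) -> int:
    return u.port or (443 if u.scheme == "https" else 80)


def http_fetch(url: str, timeout: float = 5.0) -> Hop:
    """One GET without following redirects. Certificates are deliberately not
    verified: the validator does not check them on an HTTPS redirect either,
    which is what lets an already expired certificate be renewed."""
    u = urllib.parse.urlsplit(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    try:
        if u.scheme == "https":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(u.hostname, default_port(u),
                                               timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(u.hostname, default_port(u),
                                              timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "acme-probe/0"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return Hop(url, resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException) as exc:  # refused, timeout, reset
        return Hop(url, None, error=f"{type(exc).__name__}: {exc}")


def trace(url: str, fetch: Callable[[str], Hop] = http_fetch,
          max_redirects: int = MAX_REDIRECTS) -> Tuple[str, List[Hop]]:
    """Follow redirects the way the validator does. Verdicts: "ok", "unreachable",
    "redirect-loop", "too-many-redirects", "bad-redirect-target", "http-<status>"."""
    hops: List[Hop] = []
    seen = set()
    current = url
    for _ in range(max_redirects + 1):
        seen.add(current)
        hop = fetch(current)
        hops.append(hop)
        if hop.status is None:
            return "unreachable", hops
        if 300 <= hop.status < 400 and hop.location:
            target = urllib.parse.urljoin(current, hop.location)
            t = urllib.parse.urlsplit(target)
            if t.scheme not in ALLOWED_SCHEMES or default_port(t) not in ALLOWED_PORTS:
                return "bad-redirect-target", hops
            if target in seen:
                return "redirect-loop", hops
            current = target
            continue
        if hop.status == 200:
            return "ok", hops
        return f"http-{hop.status}", hops
    return "too-many-redirects", hops


def fake_fetch(table: Dict[str, Tuple[int, Optional[str]]]) -> Callable[[str], Hop]:
    """Offline stand-in for http_fetch: a URL missing from the table behaves
    like a firewalled port (connection refused)."""
    def fetch(url: str) -> Hop:
        if url not in table:
            return Hop(url, None, error="ConnectionRefusedError")
        status, location = table[url]
        return Hop(url, status, location)
    return fetch


# Constructed host, token and responses; not taken from the thread.
CHALLENGE = "/.well-known/acme-challenge/token"
HTTP_URL = "http://my.domain.tld" + CHALLENGE
HTTPS_URL = "https://my.domain.tld" + CHALLENGE
SCENARIOS = {
    # port 80 redirects to HTTPS, which serves the token: fine for HTTP-01
    "redirect-to-https": {HTTP_URL: (301, HTTPS_URL), HTTPS_URL: (200, None)},
    # port 80 filtered: the validator never gets an HTTP response at all
    "port-80-closed": {HTTPS_URL: (200, None)},
    # 80 -> 443 -> 80, e.g. a provider-side redirect fighting the local one
    "redirect-loop": {HTTP_URL: (301, HTTPS_URL), HTTPS_URL: (302, HTTP_URL)},
}


def run_scenarios() -> Dict[str, str]:
    return {name: trace(HTTP_URL, fake_fetch(table))[0]
            for name, table in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")   # live: trace("http://my.domain.tld" + CHALLENGE)
```

A validator error of type `connection` ("The server could not connect to the client") corresponds to the `unreachable` verdict: no HTTP response was received on port 80 at all, so no amount of redirect tuning in the vhost changes the outcome until port 80 actually reaches httpd. Only a `redirect-loop`, `too-many-redirects` or `http-4xx` verdict points at the Apache configuration.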

#20

This works with
http://my.domain.tld/.well-known/acme-challenge/test, which immediately changes to
https://my.domain.tld/.well-known/acme-challenge/test
and it shows what is intended:
[screenshot: 2019_02_10_acme_challenge_test]

It also works with my current public IP address over https
https://87.181.xx.xx/.well-known/acme-challenge/test after accepting the certificate.

But it fails for http with IP:
http://87.181.xx.xx/.well-known/acme-challenge/test
which automatically changes to (I guess this is just another way Firefox displays it):
87.181.xx.xx/.well-known/acme-challenge/test

[screenshot: 2019_02_10_acme_challenge_test_http_IP]

As it is quite late now, I will check your “rewrite rule” proposal tomorrow evening, if it is still a path you suggest following.

I just had a look into /etc/letsencrypt/
There is that

SSLOptions +StrictRequire

Now Let's Encrypt states that they need port 80 open, see the link at the very top of this thread.
Might this be a problem?
As far as I recall I opted to have strict SSL only when setting up letsencrypt.
The complete file is here:

/etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Here is the listing of all *.conf files, unfortunately without the file names, and with comment lines stripped, because otherwise it exceeds the allowed post length.

This is some manual work for me for tomorrow, unless you have a nice bash command…

cat /etc/httpd/*/*.conf > ./cat_of_all_dot_conf.txt

IndexOptions FancyIndexing HTMLTable VersionSort

Alias /icons/ "/usr/share/httpd/icons/"

<Directory "/usr/share/httpd/icons">
Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core.

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

<VirtualHost *:80>
ServerAdmin email@address.de
Redirect permanent / https://my.domain.tld/
ErrorLog logs/http_error_log
CustomLog logs/http_access_log combined

Alias /manual /usr/share/httpd/manual

<Directory "/usr/share/httpd/manual">
Options Indexes
AllowOverride None
Require all granted

RedirectMatch 301 ^/manual/(?:da|de|en|es|fr|ja|ko|pt-br|ru|tr|zh-cn)(/.*)$ "/manual$1"
Options +FollowSymlinks
AllowOverride All
Dav off
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud

<Files ".user.ini">
Require all denied

AddType text/html .php

DirectoryIndex index.php

<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch \.(php|phar)$>
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
SetHandler application/x-httpd-php
php_value session.save_handler "files"
php_value session.save_path    "/var/lib/php/session"
php_value soap.wsdl_cache_dir  "/var/lib/php/wsdlcache"

ScriptAlias /Squid/cgi-bin/cachemgr.cgi /usr/lib64/squid/cachemgr.cgi

<Location /Squid/cgi-bin/cachemgr.cgi>
Require local

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

DocumentRoot "/var/www/nextcloud"

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars

<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

UserDir disabled

<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS

Alias /usage /var/www/usage

<Location /usage>
Require local

<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html

<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted

Alias /.noindex.html /usr/share/httpd/noindex/index.html

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin email@address.de

ServerName my.domain.tld

AllowOverride none
Require all denied

<Directory "/var/www">
AllowOverride None
Require all granted

<Directory "/var/www/html">
Options Indexes FollowSymLinks

AllowOverride None

Require all granted
DirectoryIndex index.html

AccessFileName .htaccess
<Files ".ht*">
Require all denied

ErrorLog “logs/error_log”

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>


CustomLog "logs/access_log" combined
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted

TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz



AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddDefaultCharset UTF-8

MIMEMagicFile conf/magic

EnableSendfile on

IncludeOptional conf.d/*.conf

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule brotli_module modules/mod_brotli.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule macro_module modules/mod_macro.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule watchdog_module modules/mod_watchdog.so

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule lua_module modules/mod_lua.so

LoadModule mpm_event_module modules/mod_mpm_event.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule systemd_module modules/mod_systemd.so

LoadModule cgid_module modules/mod_cgid.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule cgi_module modules/mod_cgi.so

LoadModule perl_module modules/mod_perl.so
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so

<IfModule !mod_php5.c>

LoadModule php7_module modules/libphp7.so

<IfModule !mod_php5.c>
<IfModule !prefork.c>

So, that is late enough for now. More tomorrow.
As the cert expiration date is on Wednesday, maybe we switch to opening a plain port 80 temporarily,
make sure I keep a valid certificate with that, and then try to close it again…

Thanks again for great support!


#21

I just deleted all log files, then ran

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/my.domain.tld.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my.domain.tld
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (my.domain.tld) from /etc/letsencrypt/renewal/my.domain.tld.conf produced an unexpected error: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/kv-j88f23JWiAM07N_I1-7ExM8lOVrmvkU7A9_hCe9s: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: my.domain.tld
    Type: connection
    Detail: Fetching
    http://my.domain.tld/.well-known/acme-challenge/kv-j88f23JWiAM07N_I1-7ExM8lOVrmvkU7A9_hCe9s:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

with the following result in the error log

/etc/httpd/logs/error_log
[Wed Feb 13 21:49:45.796310 2019] [lbmethod_heartbeat:notice] [pid 19057:tid 140031319456000] AH02282: No slotmem from mod_heartmonitor
[Wed Feb 13 21:49:45.800174 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00489: Apache/2.4.38 (Fedora) OpenSSL/1.1.1a mod_perl/2.0.10 Perl/v5.28.1 configured -- resuming normal operations
[Wed Feb 13 21:49:45.800199 2019] [core:notice] [pid 19057:tid 140031319456000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Feb 13 21:49:52.307881 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00493: SIGUSR1 received.  Doing graceful restart
[Wed Feb 13 21:49:52.392284 2019] [lbmethod_heartbeat:notice] [pid 19057:tid 140031319456000] AH02282: No slotmem from mod_heartmonitor
[Wed Feb 13 21:49:52.396561 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00489: Apache/2.4.38 (Fedora) OpenSSL/1.1.1a mod_perl/2.0.10 Perl/v5.28.1 configured -- resuming normal operations
[Wed Feb 13 21:49:52.396583 2019] [core:notice] [pid 19057:tid 140031319456000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

and the following results in

/var/log/letsencrypt/letsencrypt.log
[root@wind letsencrypt]# cat letsencrypt.log
2019-02-13 22:01:36,177:DEBUG:certbot.main:certbot version: 0.30.2
2019-02-13 22:01:36,177:DEBUG:certbot.main:Arguments: ['--dry-run']
2019-02-13 22:01:36,177:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-13 22:01:36,202:DEBUG:certbot.log:Root logging level set at 20
2019-02-13 22:01:36,202:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-13 22:01:36,256:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fb95533bf28> and installer <certbot.cli._Default object at 0x7fb95533bf28>
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-02-13 22:01:36,257:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2019-02-13 22:01:36,257:DEBUG:certbot.cli:Var account={'server'} (set by user).
2019-02-13 22:01:36,292:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-17 00:10:33 UTC.
2019-02-13 22:01:36,293:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-02-13 22:01:36,293:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-13 22:01:36,445:DEBUG:certbot_apache.configurator:Apache version is 2.4.38
2019-02-13 22:01:36,826:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
Prep: True
2019-02-13 22:01:36,827:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
Prep: True
2019-02-13 22:01:36,827:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
2019-02-13 22:01:36,827:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2019-02-13 22:01:36,874:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fb9553ab390>)>), contact=(), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/5781483', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), a1b301d8e0e8670600499f3098dbef10, Meta(creation_dt=datetime.datetime(2018, 3, 21, 17, 33, 22, tzinfo=<UTC>), creation_host='wind'))>
2019-02-13 22:01:36,875:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2019-02-13 22:01:36,877:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2019-02-13 22:01:37,099:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2019-02-13 22:01:37,100:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "LcT-HT3DNPQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-02-13 22:01:37,100:INFO:certbot.main:Renewing an existing certificate
2019-02-13 22:01:37,169:DEBUG:acme.client:Requesting fresh nonce
2019-02-13 22:01:37,169:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2019-02-13 22:01:37,342:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-02-13 22:01:37,343:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Replay-Nonce: SizR-C-h3V6Z34QwI8PnpWH_mkw0KB3DgJLJ6t4Q4-Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive


2019-02-13 22:01:37,344:DEBUG:acme.client:Storing nonce: SizR-C-h3V6Z34QwI8PnpWH_mkw0KB3DgJLJ6t4Q4-Y
2019-02-13 22:01:37,344:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "my.domain.tld"\n    }\n  ]\n}'
2019-02-13 22:01:37,346:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIlNpelItQy1oM1Y2WjM0UXdJOFBucFdIX21rdzBLQjNEZ0pMSjZ0NFE0LVkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "IQrHL6xohNHfrb0daRSxWWaeyGmbfZF8JN1e-_38QGfu7vkGFLKAxY0ReLToPsFVKseammI0zbn4jdDF8rhhntvJ2rrl49JL7Nf860I10INpfJGAoXGhdIrP6xLQD4Z7DwOLhOskCzE9_B_lId0zqV4chtoDoHlHhk1SczuZ93H0aAm6khRHBWo68DSjIgtIldzOv0NHm_tR5VhmSWTePnkl9uyE1MJwJbEcK0jwys8jmz7QwWqB2NSr_bZAs69hgkOgMNSQvSl4VwP6FTMNUV96hJE48HM7c7l2gwjcp_OKnP_Vk-5KUvh6O8ZonK8VyH911EEschmYNf1qsMxjIQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1haWVyLmR5bi5jYyIKICAgIH0KICBdCn0"
}
2019-02-13 22:01:37,550:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 383
2019-02-13 22:01:37,552:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 383
Boulder-Requester: 5781483
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/5781483/23407653
Replay-Nonce: vQOBS_cgG2ZQ8ESeRtnaXPx_eMJCy835uWkWHZmfJaI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-02-20T21:01:37.4354776Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "my.domain.tld"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/5781483/23407653"
}
2019-02-13 22:01:37,552:DEBUG:acme.client:Storing nonce: vQOBS_cgG2ZQ8ESeRtnaXPx_eMJCy835uWkWHZmfJaI
2019-02-13 22:01:37,553:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:37,559:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogInZRT0JTX2NnRzJaUThFU2VSdG5hWFB4X2VNSkN5ODM1dVdrV0habWZKYUkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "Bb4qaSZ-aNl4q9kairT5hg6DxvZ1oNDhuaff5aplszCruhM6TVMtJR3FdP5GerVQrMQtz3qFYGPpEq-DfGcDSil74Hc4QT4QQrqv_9Liv_-MEEnsVCJyVbLt7CM5Dj3cnI60uy5wwzC3ENuZo0Cdjm44ZW-zWP0Lef8zxxQvW9i1KakryHvZNj5e4pLn3XYKyrl4ZL0QsHiqtlTShGjNq5ADNIaaIzksXfqR_iMmvwNeQc0U2_DVu8MfTaZzsBRCZlovOpwchk8eDRswDf83M4pC0YlO9PE6mkaGlAdnaZGj5B5cWcaVdUIzQwEwMJhvdo64bkZld0m6vixE4BPYZg",
  "payload": ""
}
2019-02-13 22:01:37,748:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 925
2019-02-13 22:01:37,748:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 925
Boulder-Requester: 5781483
Replay-Nonce: Rz4Qxlh6VtSIgSGLIzNeFek4_w2n4-iBv9fDbj04dos
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "pending",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
    }
  ]
}
2019-02-13 22:01:37,749:DEBUG:acme.client:Storing nonce: Rz4Qxlh6VtSIgSGLIzNeFek4_w2n4-iBv9fDbj04dos
2019-02-13 22:01:37,749:INFO:certbot.auth_handler:Performing the following challenges:
2019-02-13 22:01:37,749:INFO:certbot.auth_handler:http-01 challenge for my.domain.tld
2019-02-13 22:01:37,795:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: None in: /etc/httpd/conf.d/http_my.conf
2019-02-13 22:01:37,796:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2019-02-13 22:01:37,796:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2019-02-13 22:01:37,806:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf.d/http_my.conf
2019-02-13 22:01:40,995:INFO:certbot.auth_handler:Waiting for verification...
2019-02-13 22:01:40,996:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0.zrqieU9qr0gYnCMun8hMyKi4jlGEBdb6XML5Pj8Cy4E",\n  "type": "http-01"\n}'
2019-02-13 22:01:40,998:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIlJ6NFF4bGg2VnRTSWdTR0xJek5lRmVrNF93Mm40LWlCdjlmRGJqMDRkb3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL3FpVmRvRmZ0ZzZYd3d5VF9pWVBIZ2xYcGZpV1VMbzNOMzI0dTJIRWdGY2cvMjQ1NTQzNDczIn0",
  "signature": "QJlBA3hFYOb0aatmCywW-w2D-8Mg13KGjCkKwav7NK18_gzuOnUbHV_h_EqkO9gUS2JdzouM4JnqxKpXY2rFGBZ8z4a6Jld_pdJL7LwmSzR-UZSuhKyuUp7x1sB-626dm_lqIN00My4r3DjRf7hl9n83zUHzdI8dsZvYbUHvzzRqfJ0PN8lE-kFzkaFAHtG1G1Lbe8xhE2ja3Nc5Sw_NfEAbUo0LNwpnA_ye9T-WNwnI4PgTD2fiAnk1ENNH97eXiZyyU3l2Fkv7w1r0PUg7befhWxuie4ucItxAAAXlK9Mu2ZHrw1zAFdMHpbzfKVcqfnoqgW4_HIgtbAtKLB3UBg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogInZjNlFNVVRfb0h5d3pKNHJLbFNKYjNjZlAwMHlXandVc3dCa3NhOWZzcDAuenJxaWVVOXFyMGdZbkNNdW44aE15S2k0amxHRUJkYjZYTUw1UGo4Q3k0RSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ"
}
2019-02-13 22:01:41,189:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473 HTTP/1.1" 200 230
2019-02-13 22:01:41,190:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 5781483
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473
Replay-Nonce: CNM-Bf1gWE3y53fWUMfkAM5H5rKYHf2rm_1t_TZEe3c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:41 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
  "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
}
2019-02-13 22:01:41,190:DEBUG:acme.client:Storing nonce: CNM-Bf1gWE3y53fWUMfkAM5H5rKYHf2rm_1t_TZEe3c
2019-02-13 22:01:44,194:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:44,196:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIkNOTS1CZjFnV0UzeTUzZldVTWZrQU01SDVyS1lIZjJybV8xdF9UWkVlM2MiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "IiuwYEyXmt7IQ_QSnbxXGF125hXtbAQz4UGOsnvjomZA9Q4v113bLzs4oBt-9fSNbvBi1JkJ0gw_eEKtqfGtiFmOmgLyZ46Czl8uFfUUWLorMli6Px5_KuxTu7I6tszK3o6jQmiz_Pm9UkOvHdfDcEltAhqtetEuunnUABk5m83gb0njKjDJj6nUzwJQvil-npllZ_bg3JMmImXQPhAxfRsT376Lvuci70VS_hIXBWBWLMfJiqRkSJ18QcxirSUjxi-wCaK_XCzWXSLkOdIHSaNlFGxN303wJ-P0Goa6WoTyr_9OP_6vwTpcuWKFS6Ay6yUi64TdoM2m_scBwmQZiw",
  "payload": ""
}
2019-02-13 22:01:44,391:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 925
2019-02-13 22:01:44,392:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 925
Boulder-Requester: 5781483
Replay-Nonce: F9hfj2hnqJyVOqV2z4xjh7_w4w0A7noQML_sQ8-nx94
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:44 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "pending",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
    }
  ]
}
2019-02-13 22:01:44,392:DEBUG:acme.client:Storing nonce: F9hfj2hnqJyVOqV2z4xjh7_w4w0A7noQML_sQ8-nx94
2019-02-13 22:01:47,395:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:47,396:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIkY5aGZqMmhucUp5Vk9xVjJ6NHhqaDdfdzR3MEE3bm9RTUxfc1E4LW54OTQiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "GrMTwoVl9x2euCAzec3jtdI8rpaNL7naB2VzWWi1i7k7CnKeh5r47KAO2seBMEjMPJJCdZnDGXTcwWnXRzmVGbOo7qEOJ8eV2pL0__Si68QXMsVKJGmMXa8qoHQc3ENTRw7h0CVhBZ_Hdj5tB8n0hMzziwY3MCL_hvNC6CSaUbbDHJ7-u3xiYJ2TfrhS23nMkJ0eiQQyBCSlydIXIHGA_xFdh54pmXCx2AAM_If4Qxet5-wANmXg4cllR0hPQ2DF4mKfZgw3EhlwMWxBP8lXGOjJw3wwTiPuE0CHLbZZq3qhETvew0UkPOSK32oNVUSV-8rhHtAP8bMO9a6smK5C5w",
  "payload": ""
}
2019-02-13 22:01:47,593:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 1527
2019-02-13 22:01:47,594:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1527
Boulder-Requester: 5781483
Replay-Nonce: _iA3lzqcpVmd2fpBYl7Fo3nowmf4jQQivNwlYI_-C_k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "invalid",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0",
      "validationRecord": [
        {
          "url": "http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0",
          "hostname": "my.domain.tld",
          "port": "80",
          "addressesResolved": [
            "87.181.165.82"
          ],
          "addressUsed": "87.181.165.82"
        }
      ]
    }
  ]
}
2019-02-13 22:01:47,594:DEBUG:acme.client:Storing nonce: _iA3lzqcpVmd2fpBYl7Fo3nowmf4jQQivNwlYI_-C_k
2019-02-13 22:01:47,595:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: my.domain.tld
Type:   connection
Detail: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-02-13 22:01:47,596:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

2019-02-13 22:01:47,596:DEBUG:certbot.error_handler:Calling registered functions
2019-02-13 22:01:47,596:INFO:certbot.auth_handler:Cleaning up challenges
2019-02-13 22:01:47,925:WARNING:certbot.renewal:Attempting to renew cert (my.domain.tld) from /etc/letsencrypt/renewal/my.domain.tld.conf produced an unexpected error: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data. Skipping.
2019-02-13 22:01:47,926:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1192, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

2019-02-13 22:01:47,927:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-02-13 22:01:47,927:ERROR:certbot.renewal:  /etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)
2019-02-13 22:01:47,927:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1271, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
[root@wind letsencrypt]# 
0 Likes
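What the CA is actually checking when the log above reports "Error getting validation data": the body served at /.well-known/acme-challenge/<token> must be exactly token.thumbprint, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the account's public JWK (the keyAuthorization value in the JWS payload above). This is an added Python example, not code from the thread or from Certbot; the JWK values are constructed placeholders, not a real key, and the token is the one from the log.

```python
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

# Token taken from the log above (validation URL of the failed http-01 challenge).
CHALLENGE_URL = (
    "http://my.domain.tld/.well-known/acme-challenge/"
    "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
)

# Constructed sample JWK. The strings are placeholders, not a real RSA key;
# the thumbprint depends only on these strings, so the example runs offline.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",                     # optional member, must NOT enter the thumbprint
    "e": "AQAB",
    "n": "constructed-sample-modulus-not-a-real-key",
}

# ACME tokens are base64url without padding (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_from_challenge_url(url: str) -> str:
    """Extract and sanity-check the token from a validation URL like the one in the log."""
    path = urlparse(url).path
    if not path.startswith(CHALLENGE_PREFIX):
        raise ValueError("not an http-01 challenge URL")
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    return token


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with keys sorted lexicographically and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported kty: {kty!r}")
    canonical = {k: jwk[k] for k in required[kty]}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects to fetch over plain HTTP on port 80."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_challenge_body(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """Compare a fetched body the way the validator does: trailing whitespace is
    tolerated, anything else (a login page, an error document, a truncated
    file) fails the challenge."""
    expected = key_authorization(token, account_jwk)
    return served_body.decode("utf-8", errors="replace").rstrip() == expected


if __name__ == "__main__":
    token = token_from_challenge_url(CHALLENGE_URL)
    ka = key_authorization(token, SAMPLE_JWK)
    print("expected body:", ka)
    # A redirect to the Nextcloud login page (ErrorDocument 404 /) yields HTML, not the token.
    print("login page accepted?", check_challenge_body(b"<html>login</html>", token, SAMPLE_JWK))
```

Serving the expected body for a test token and fetching it with curl over http:// (no redirect to HTTPS, no ErrorDocument) reproduces the CA's check locally.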

#22

I just tried this as well.
It seems that http://my.domain.tld now opens slightly faster in Firefox than before, but otherwise unfortunately no difference: certbot renewal still fails.

Any idea how to proceed now would be appreciated very much.

0 Likes

#23

Without [R] this is expected, since the client (browser) is not forced to send a new request. However, I believe no real HTTPS connection is established then, since the rewrite is done only server-internally. So that was only for testing purposes.


At least that gave me the chance to check as well that http://my.domain.tld/ to that dir indeed works well, as long as the file exists. Without the file existing, /var/www/nextcloud/.htaccess will redirect back to the webroot (login page) via

ErrorDocument 403 /
ErrorDocument 404 /

You might want to try removing those lines, or commenting them out temporarily, but that should not actually cause an issue.


Also try to give the webserver user full R/W access to that dir:
chown -R apache:apache /var/www/nextcloud/.well-known

And I found this one: https://stackoverflow.com/questions/12849703/reset-htacces-for-sub-folders
Test, to disable all parent rewrite rules:
echo -e 'RewriteEngine Off\nRewriteEngine On' > /var/www/nextcloud/.well-known/.htaccess
Or even just the first line should work.

0 Likes

#24

They are comments now:

#ErrorDocument 403 /
#ErrorDocument 404 /

This I did immediately when I created the test file. It is unchanged since, see:

ll -R /var/www/nextcloud/.well-known
ll -R  /var/www/nextcloud/.well-known
/var/www/nextcloud/.well-known:
insgesamt 12
drwxr-xr-x.  3 apache apache 4096 11. Feb 22:28 ./
drwxr-x---. 15 apache apache 4096 11. Feb 22:27 ../
drwxr-xr-x.  2 apache apache 4096 11. Feb 22:28 acme-challenge/

/var/www/nextcloud/.well-known/acme-challenge:
insgesamt 12
drwxr-xr-x. 2 apache apache 4096 11. Feb 22:28 ./
drwxr-xr-x. 3 apache apache 4096 11. Feb 22:28 ../
-rw-r--r--. 1 apache apache   39 11. Feb 22:28 test

Now there is /var/www/nextcloud/.well-known/.htaccess with content:

RewriteEngine Off
RewriteEngine On

Not that it would confuse me, because I can undo the steps above, which were just for testing, but meanwhile we stopped a bit too much of the redirection, I feel. Logging in as admin into Nextcloud I get the following:

There are some warnings regarding your system configuration.

One trivial question:
Is checking with

certbot renew --dry-run

which still fails, the right thing to do for testing?
According to Letsencrypt my certificate should have been expired yesterday, but I did not add any exception manually and it still works. I’m confused.

Any more ideas?
Let me know how to spend some “credits” for you. Haven’t been posting much ever, so I’m not familiar with that.

0 Likes

#25

Ah yeah, makes sense. /var/www/nextcloud/.well-known/acme-challenge/.htaccess would be better to not break the Cal/CardDAV redirection. But Certbot removes the whole dir as a cleanup step after applying the cert, so this would need to be recreated before every renewal.

But it does not work anyway :thinking:, so simply remove the file again. So we are sure now that no rewrite rule is the reason…


Jep that works fine for testing usually:

2019-02-15 01:34:55 root@micha:/tmp# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my.domain.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my.domain.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/my.domain.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/my.domain.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Okay I am out of ideas for now. Also checked some guide about Fedora + Apache + Certbot but no special requirement mentioned there: https://chewett.co.uk/blog/490/setting-ssl-certbot-apache-fedora/

You ran certbot reasonably with the --apache option. -a webroot -w /var/www/nextcloud is an alternative which could be tried. But most likely this is no solution as well. The main issue is still:

HTTP status code: Request failed (Too many Redirection)

But even with all rewrite rules disabled and no affecting redirect rule, besides the usual HTTP => HTTPS that works (or should) well.

I am still thinking if something from your ISP or dyn DNS provider outside of your server might be the reason.


However, until nothing else is found, I would go with temporarily removing the HTTPS redirection to renew the certificate, if this even works?


Disabling all Apache modules and configs and testing from bare empty Apache would be the hammer method to find the affecting thing :laughing:.

0 Likes

#26

I had tried that I think 3 days ago, simply replacing the entire /etc/httpd with one from a fresh install of Fedora with Apache and removing redirects that I knew of. But it kept ending up in https (due to HSTS??) or I did not catch all redirects - my feeling is there are quite a few - explicit and implicit via defaults…
But we might give it a second try.

a) How does this affect my “production” NC15 install? In general it is used by me and family only, but with quite a few clients. I don’t care for some offline time. But it should be sure to bring back the working state.
b) I guess I would need quite a few instructions. So how much time would it cost roughly? and would you be willing to support?

Or how about switching to acme.sh, which at least postulates to be able to live with port 443?
Would work around the redirection problem, not solving it, right?
And interfere with certbot?
It has the acme-tiny package available in Fedora 29:

Links to acme.sh

https://github.com/Neilpang/acme.sh/blob/master/README.md
with some details here
https://gist.github.com/ammgws/381b4d9104c4e2b43b9210f33f03a15a

acme-tiny
usage: acme-tiny [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir ACME_DIR
             [--quiet] [--disable-check] [--directory-url DIRECTORY_URL]
             [--ca CA] [--contact [CONTACT [CONTACT ...]]]
acme-tiny: error: the following arguments are required: --account-key, --csr, --acme-dir
0 Likes

#27

Sorry for the late reply:

Jep the browser will still end up with HTTPS due to HSTS, however this should not affect Certbot.

a) Of course at first this will break Nextcloud. It would be only the way to debug the “too many redirects” error that most likely breaks Certbot as well. If everything is disabled, so Apache plain HTTP/port 80 is active only, and Certbot still fails then (and “too many redirects” error, if this can be even tested on ssllabs then), then you can be sure that it must be either a local network or ISP/dyn DNS provider issue. If it succeeds, you can then step by step re-enable the required/desired modules/configs to check which one causes the fail.

b) Moving out all conf.d and conf.modules.d to a backup location (which also disables .htaccess files according to httpd.conf defaults) and trying to run Certbot should be quick. I am quite sure now (after reviewing all the configs) that it is indeed not a local server config, but a network/ISP/dyn DNS provider related issue, so if the test then fails, you don’t need to mess with the Apache configs anyway. Instead it would then be an idea to test the connection via external IP (instead of domain). The browser will complain about a non-matching certificate, but it should be possible to ignore this. Ah, but ssllabs and such only accept domain names… Not sure how to check for the “too many redirects” error then :thinking:. https://www.wormly.com/test_ssl allows to test IPs, but not sure if it shows HTTP connection issues as well.
Here is a list of SSL checkers: https://geekflare.com/ssl-test-certificate/

I will go on assisting you (perhaps with some delay) as soon as you have some results.

Jep acme.sh is actually a nice alternative to Certbot. At least worth giving a try. However take care that it just renews the cert given from Certbot (inside /etc/letsencrypt/live/my.domain.org/, at least on Debian :wink:). Should be possible to configure this. If it succeeds then you can even have it create a systemd unit or automated renewal similar to Certbot. Then uninstall Certbot, keeping its config files, at least: /etc/letsencrypt/options-ssl-apache.conf which enables some reasonable SSL config defaults.

0 Likes

#28

Back again after setting up 2 more Fedora machines and exchanging my Nextcloud 500GB drive by a 2TB SSD :slight_smile:

Tried this yesterday, but it does not work. The conf.d content is inserted via an “Include”, not an “IncludeOptional”, in httpd.conf, so I had to bring that back, which again loads all Apache modules. Commenting, i.e. deactivating, them partly did not work, because httpd would not restart, complaining about a missing “User”, and I did not know which of the 30+ modules is responsible for that.

ssl.conf was removed, then certbot complained about a missing VirtualHost for *:80. Having that set up, that certbot error was gone, but I was back at the typical certbot error cited above.

I also tried adding /var/www/nextcloud via a <Directory> statement, which does not hurt but not bring any benefit either.

Positive side effect: Using

journalctl -xe

for debugging made me detect a brute-force attack from a known bad IP on my ssh port, which is now closed - at least for a while.

I had moved the content to /mnt temporarily, but after moving the original content back to /etc/httpd/ I ran into the problem with selinux blocking the restored original files by not giving permission. After

/sbin/restorecon -v -R /etc/httpd/

only httpd and Nextcloud were up and running again. This is quite different from Ubuntu, but actually the first time since initial install of Nextcloud a couple of years ago that I recognized this more strict policy.

This brought me to the idea to give full rights rwxrwxrwx to all /var/www/nextcloud/.well-known and below, without success either.

I might try to set the SELinux status to permissive, maybe that is blocking the writing from external, i.e. certbot?

Otherwise there would be some more options:

  1. Trying the acme.sh, simply did not have time yet to try that.
  2. Copying a httpd config from a fresh Fedora install (where port 80 should be open? At least I remember it was when I first installed Fedora)
  3. Quickly setting up an Ubuntu machine on a free SSD drive to update the certificate and move it to the Fedora machine to at least fix the current problem. Thunderbird, which synchronizes Contacts and Tasks, is annoyingly complaining about the invalid certificate - but fortunately there are other mail clients…
  4. Maybe the Letsencrypt / Certbot guys update certbot + one of the Apache modules meanwhile. I vaguely remember that there was something ongoing, even though I do not have the link…

Let’s see when I have the next free minutes. Might take some or some more days until I can get back to computing. Apart from work there are too many other things with higher prio…

Thanks again for your exceptional support. Keeps me learning lots of things :slight_smile:

0 Likes

#29

With

curl -IkL -m20 http://my.domain.tld

I meanwhile found out that Port 80 is not blocked by my internet service provider. Just in case this can help anyone else for debugging…

acme.sh manages to use my port 80 but fails as well.

I will try to get some support in the letsencrypt forum once I find some time (too many other things to do for me currently) and come back here if the post should still be open.

0 Likes

#30

certbot supports the DNS challenge, which sometimes needs more manipulation but is easier in the end

0 Likes