Koozali.org: home of the SME Server

no access over http but https works

« on: July 17, 2022, 01:59:02 PM »
SME10: trying to update certs for Let's Encrypt, there is an error accessing http://[mydomain]/.well-known/acme-challenge/.. (Port: 80). My site http://stg-brb.de is not reachable, but https://stg-brb.de will do. (There is a redirection in index.html.)

What is wrong with my configuration?

[root@stgsvr01 service]# config show httpd-e-smith
httpd-e-smith=service
    AllowHosts=82.165.122.48
    SSLv2=disabled
    SSLv3=disabled
    TCPPort=80
    TLSv1=disabled
    access=public
    status=enabled

Custom template for http -> https is in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/60redir-primary
with
{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/Primary https://%{HTTP_HOST}/Primary

## End Of Redirect
HERE
}
}

[root@svr01 ~]# config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enabled

and /etc/httpd/conf/httpd.conf
...
DocumentRoot /home/e-smith/files/ibays/Primary/html
...
RewriteEngine on
RewriteRule ^/Primary https://%{HTTP_HOST}/Primary
...
# Alias for letsencrypt
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
# do not proxy request to acme-challenge
ProxyPass /.well-known/acme-challenge !
...
<VirtualHost 0.0.0.0:80>
    ServerName stg-brb.de
    ServerAlias ftp.stg-brb.de stgsvr01.stg-brb.de wpad.stg-brb.de
    # skipping SSL certificate
    DocumentRoot         /home/e-smith/files/ibays/Primary/html
    RewriteEngine on
    RewriteRule ^/(.*|$) https://%{HTTP_HOST}/$1 [R,L]
    ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
    Alias       /files   /home/e-smith/files/ibays/Primary/files
...
<VirtualHost 0.0.0.0:443>
    ServerName stg-brb.de
    ServerAlias ftp.stg-brb.de stgsvr01.stg-brb.de wpad.stg-brb.de
    DocumentRoot         /home/e-smith/files/ibays/Primary/html
    ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
    Alias       /files   /home/e-smith/files/ibays/Primary/files
...
#------------------------------------------------------------
# Primary ibay directories (Primary i-bay)
#------------------------------------------------------------

<Directory /home/e-smith/files/ibays/Primary/html>
    SSLRequireSSL
    Options None
    Options +Indexes
    Options +Includes
    AllowOverride All
    order deny,allow
    deny from all
    allow from all
</Directory>

<Directory /home/e-smith/files/ibays/Primary/cgi-bin>
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
</Directory>

<Directory /home/e-smith/files/ibays/Primary/files>
    SSLRequireSSL
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
</Directory>
...

<Directory /home/e-smith/files/ibays/Primary/html>
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    <FilesMatch \.(phar|php)$>
   <If "-f %{SCRIPT_FILENAME}">
        SetHandler "proxy:unix:/var/run/php-fpm/php74-primary.sock|fcgi://localhost"
   </If>
    </FilesMatch>
</Directory>

   # DAV disabled for ibay Primary

...

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: no access over http but https works
« Reply #1 on: July 17, 2022, 03:03:26 PM »
Remove your custom template.

SME10 is designed to be https only by default, except for the ACME challenge, unless you disable the SSL property per ibay or you mess with the templates.

Re: no access over http but https works
« Reply #2 on: July 17, 2022, 04:08:42 PM »
Thanks, I deleted the custom template and changed the primary ibay:
[root@stgsvr01 ~]# db accounts show primary
primary=system
    SSL=disabled
    SSLRequireSSL=off

[root@stgsvr01 ~]# service httpd-e-smith restart

but still no http access.

What are the standard rights of
/home/e-smith/files/primary/html/            admin:shared?
and
/home/e-smith/files/primary/html/.well-known/      admin:shared?
« Last Edit: July 17, 2022, 04:21:52 PM by thomas.krueger »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: no access over http but https works
« Reply #3 on: July 17, 2022, 04:40:45 PM »
If you access via https then this is not a rights issue. Do not start messing with that.

First, what do you mean by no http access?

What do you expect to see in your browser? What do you see? What does access_log say? What does error_log say?

Re: no access over http but https works
« Reply #4 on: July 17, 2022, 06:52:16 PM »
"No http access":
Calling http://stg-brb.de -> timeout
Calling http://stg-brb.de/.well-known/acme-challenge -> timeout

Calling https://stg-brb.de -> works, the website (with index.html redirection) is shown.

My Let's Encrypt certs were valid until yesterday.
Refreshing the Let's Encrypt certs doesn't work (dehydrated -c -x):
=>
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "80.151.43.198: Fetching http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"80.151.43.198: Fetching http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw: Timeout during connect (likely firewall problem)","status":400}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3025911384/fUzw_g"
["token"]       "T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw"
["validationRecord",0,"url"]    "http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw"
["validationRecord",0,"hostname"]       "ftp.mail.stg-brb.de"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "80.151.43.198"
["validationRecord",0,"addressesResolved"]      ["80.151.43.198"]
["validationRecord",0,"addressUsed"]    "80.151.43.198"


access_log: (these lines appear several times; the 'webcam' folder doesn't exist any more, this is ok.)
stg-brb.de 83.65.30.38 - - [17/Jul/2022:18:35:55 +0200] "GET /webcam/home/neumarkt2.jpg HTTP/1.1" 403 227 "https://www.bergfex.at/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 bergfex/webcams"
stg-brb.de 192.168.0.115 - - [17/Jul/2022:18:41:00 +0200] "GET /wpad.dat HTTP/1.1" 304 - "-" "WinHttp-Autoproxy-Service/5.1"

Following file/folder states:
/home/e-smith/files/ibays                                          rwxr-xr-x  root:root
/home/e-smith/files/ibays/Primary                                  rwxr-xr-x  root:root
/home/e-smith/files/ibays/Primary/html                             rwxrwsr-x  admin:shared
/home/e-smith/files/ibays/Primary/html/.well-known                 rwxrwsr-x  admin:shared
/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge  rwxrwsr-x  admin:shared

httpd/error_log: (Let's Encrypt cert is not valid anymore)
[Sun Jul 17 18:18:25.492799 2022] [ssl:warn] [pid 8281] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:18:25.492804 2022] [ssl:warn] [pid 8281] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:18:25.492907 2022] [ssl:warn] [pid 8281] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:18:25.502052 2022] [ssl:warn] [pid 8281] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:25:12.485668 2022] [mpm_prefork:notice] [pid 8502] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Sun Jul 17 18:25:12.485686 2022] [core:notice] [pid 8502] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND'
[Sun Jul 17 18:28:56.118571 2022] [core:crit] [pid 8506] (13)Permission denied: [client 207.46.13.36:1216] AH00529: /home/e-smith/files/ibays/Primary/html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/e-smith/files/ibays/Primary/html/' is executable
[Sun Jul 17 18:31:32.554395 2022] [mpm_prefork:notice] [pid 8502] AH00170: caught SIGWINCH, shutting down gracefully
[Sun Jul 17 18:31:33.963452 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963493 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stgbrb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963677 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963682 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for mail.stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963862 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963870 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963969 2022] [ssl:warn] [pid 8787] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:31:33.972988 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.972997 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stgbrb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973173 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.973178 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for mail.stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973379 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.973389 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973485 2022] [ssl:warn] [pid 8787] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:31:33.976090 2022] [mpm_prefork:notice] [pid 8787] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Sun Jul 17 18:31:33.976112 2022] [core:notice] [pid 8787] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND'

iptables/denylog.log:
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=79.197.20.169 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21163 DF PROTO=TCP SPT=53089 DPT=80 SEQ=293349125 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=79.197.20.169 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21170 DF PROTO=TCP SPT=53087 DPT=80 SEQ=278275206 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0

« Last Edit: July 17, 2022, 08:07:31 PM by thomas.krueger »

Re: no access over http but https works
« Reply #5 on: July 17, 2022, 08:28:45 PM »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: no access over http but https works
« Reply #6 on: July 17, 2022, 08:54:04 PM »
What is wrong with my configuration?

[root@stgsvr01 service]# config show httpd-e-smith
httpd-e-smith=service
    AllowHosts=82.165.122.48  <============== this is wrong
    SSLv2=disabled
    SSLv3=disabled
    TCPPort=80
    TLSv1=disabled
    access=public
    status=enabled
Well, you only allow 82.165.122.48 to access your port 80; everyone else will be redirected to denylog by the firewall.

Why did you add this in the first place?

config delprop httpd-e-smith AllowHosts
signal-event remoteaccess-update
« Last Edit: July 17, 2022, 08:56:04 PM by Jean-Philippe Pialasse »
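The diagnosis above can be automated: a small checker (added here as an illustration, not part of the thread or of SME Server) that parses `config show httpd-e-smith` output for an AllowHosts property and counts dropped SYNs to port 80 per source in the iptables denylog. Sample config and log lines are constructed in the style shown in the thread, with documentation-range source addresses; the denylog field layout is assumed to match the lines posted above.

```python
import re
from collections import Counter

# Constructed sample input modelled on the thread's output (not from a live host).
CONFIG = """\
httpd-e-smith=service
    AllowHosts=82.165.122.48
    TCPPort=80
    access=public
    status=enabled
"""
DENYLOG = """\
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=203.0.113.10 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21163 DF PROTO=TCP SPT=53089 DPT=80 SEQ=293349125 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
Jul 17 18:38:04 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=56 ID=100 DF PROTO=TCP SPT=40000 DPT=80 SEQ=1 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
Jul 17 18:38:05 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=203.0.113.10 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21170 DF PROTO=TCP SPT=53090 DPT=22 SEQ=2 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # key=value tokens; bare flags like DF/SYN are skipped

def parse_config(text):
    """Turn `config show <service>` output into {property: value} (first line is the service type)."""
    props = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition("=")
        props[key] = value
    return props

def parse_denylog(text):
    """One dict per denylog line with its key=value fields plus a boolean SYN flag."""
    records = []
    for line in text.splitlines():
        if "denylog:" not in line:
            continue
        rec = dict(FIELD.findall(line.split("denylog:", 1)[1]))
        rec["SYN"] = " SYN " in line
        records.append(rec)
    return records

def dropped_syn_sources(records, port="80"):
    """Count dropped TCP connection attempts (SYN) per source IP for a destination port."""
    return Counter(r["SRC"] for r in records
                   if r.get("PROTO") == "TCP" and r.get("DPT") == port and r["SYN"])

def diagnose(config_text, denylog_text):
    """ACME http-01 validators connect from arbitrary IPs, so any AllowHosts on
    httpd-e-smith restricts port 80 and makes the challenge time out.
    Returns (allowhosts_set, sorted list of sources whose port-80 SYNs were dropped)."""
    props = parse_config(config_text)
    allowed = set(filter(None, props.get("AllowHosts", "").split(",")))
    drops = dropped_syn_sources(parse_denylog(denylog_text))
    blocked = sorted(ip for ip in drops if ip not in allowed)
    return bool(allowed), blocked
```

After `config delprop httpd-e-smith AllowHosts` and `signal-event remoteaccess-update`, rerunning the check on a fresh denylog should report no AllowHosts and no dropped port-80 SYNs.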

Re: no access over http but https works
« Reply #7 on: July 17, 2022, 09:42:34 PM »
:-? Oh yes, thanks a lot!
A relic to allow access only from our IONOS server.
Your solution saves my week: certificates renewed, SOGo calendars on the IONOS server are working! E-mails are working again. And also our redirection of our public webcam on stg-brb.de/home.
Thanks a lot again, time for a donation!
« Last Edit: July 17, 2022, 09:44:11 PM by thomas.krueger »

ReetP
Re: no access over http but https works
« Reply #8 on: July 18, 2022, 12:41:38 PM »
Thanks a lot again, time for donation!

Perfect!! And thank you.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation