Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: thomas.krueger on July 17, 2022, 01:59:02 PM
-
SME10: trying to update certs for Let's Encrypt, there is an error accessing http://[mydomain]/.well-known/acme-challenge/.. (Port: 80). My site http://stg-brb.de is not reachable, but https://stg-brb.de will do. (There is a redirection in index.html.)
What is wrong with my configuration?
[root@stgsvr01 service]# config show httpd-e-smith
httpd-e-smith=service
AllowHosts=82.165.122.48
SSLv2=disabled
SSLv3=disabled
TCPPort=80
TLSv1=disabled
access=public
status=enabled
Custom template for http -> https is in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/60redir-primary
with
{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/Primary https://%{HTTP_HOST}/Primary
## End Of Redirect
HERE
}
}
[root@svr01 ~]# config show modSSL
modSSL=service
TCPPort=443
access=public
status=enabled
and /etc/httpd/conf/httpd.conf
...
DocumentRoot /home/e-smith/files/ibays/Primary/html
...
RewriteEngine on
RewriteRule ^/Primary https://%{HTTP_HOST}/Primary
...
# Alias for letsencrypt
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
# do not proxy request to acme-challenge
ProxyPass /.well-known/acme-challenge !
...
<VirtualHost 0.0.0.0:80>
ServerName stg-brb.de
ServerAlias ftp.stg-brb.de stgsvr01.stg-brb.de wpad.stg-brb.de
# skipping SSL certificate
DocumentRoot /home/e-smith/files/ibays/Primary/html
RewriteEngine on
RewriteRule ^/(.*|$) https://%{HTTP_HOST}/$1 [R,L]
ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
Alias /files /home/e-smith/files/ibays/Primary/files
...
<VirtualHost 0.0.0.0:443>
ServerName stg-brb.de
ServerAlias ftp.stg-brb.de stgsvr01.stg-brb.de wpad.stg-brb.de
DocumentRoot /home/e-smith/files/ibays/Primary/html
ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
Alias /files /home/e-smith/files/ibays/Primary/files
...
#------------------------------------------------------------
# Primary ibay directories (Primary i-bay)
#------------------------------------------------------------
<Directory /home/e-smith/files/ibays/Primary/html>
SSLRequireSSL
Options None
Options +Indexes
Options +Includes
AllowOverride All
order deny,allow
deny from all
allow from all
</Directory>
<Directory /home/e-smith/files/ibays/Primary/cgi-bin>
SSLRequireSSL
Options ExecCGI
AllowOverride None
order deny,allow
deny from all
allow from all
</Directory>
<Directory /home/e-smith/files/ibays/Primary/files>
SSLRequireSSL
AllowOverride None
order deny,allow
deny from all
allow from all
</Directory>
...
<Directory /home/e-smith/files/ibays/Primary/html>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
<FilesMatch \.(phar|php)$>
<If "-f %{SCRIPT_FILENAME}">
SetHandler "proxy:unix:/var/run/php-fpm/php74-primary.sock|fcgi://localhost"
</If>
</FilesMatch>
</Directory>
# DAV disabled for ibay Primary
...
-
Remove your custom template.
SME10 is designed to be https-only by default, except for the ACME challenge, unless you disable the SSL property per ibay or you mess with the templates.
-
Thanks, I deleted the custom template and changed the primary ibay:
[root@stgsvr01 ~]# db accounts show primary
primary=system
SSL=disabled
SSLRequireSSL=off
[root@stgsvr01 ~]# service httpd-e-smith restart
But still no http access.
What are the standard rights of
/home/e-smith/files/primary/html/ admin:shared?
and
/home/e-smith/files/primary/html/.well-known/ admin:shared?
-
If you access via https then this is not a rights issue. Do not start messing with that.
First, what do you mean by no http access?
What do you expect to see in your browser? What do you see? What does access_log say? What does error_log say?
-
"no http access":
calling http://stg-brb.de -> timeout
calling http://stg-brb.de/.well-known/acme-challenge -> timeout
calling https://stg-brb.de -> works, website (with index.html redirection) is shown
My letsencrypt certs were valid until yesterday.
Refreshing the letsencrypt certs doesn't work (dehydrated -c -x):
=>
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:connection"
["error","detail"] "80.151.43.198: Fetching http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw: Timeout during connect (likely firewall problem)"
["error","status"] 400
["error"] {"type":"urn:ietf:params:acme:error:connection","detail":"80.151.43.198: Fetching http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw: Timeout during connect (likely firewall problem)","status":400}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3025911384/fUzw_g"
["token"] "T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw"
["validationRecord",0,"url"] "http://ftp.mail.stg-brb.de/.well-known/acme-challenge/T3Zs_OxxErYQgSf9mc-95S398FmPc3Tri41x5Yq9Btw"
["validationRecord",0,"hostname"] "ftp.mail.stg-brb.de"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "80.151.43.198"
["validationRecord",0,"addressesResolved"] ["80.151.43.198"]
["validationRecord",0,"addressUsed"] "80.151.43.198"
access_log: (these lines appear several times; the 'webcam' folder doesn't exist any more, this is ok.)
stg-brb.de 83.65.30.38 - - [17/Jul/2022:18:35:55 +0200] "GET /webcam/home/neumarkt2.jpg HTTP/1.1" 403 227 "https://www.bergfex.at/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 bergfex/webcams"
stg-brb.de 192.168.0.115 - - [17/Jul/2022:18:41:00 +0200] "GET /wpad.dat HTTP/1.1" 304 - "-" "WinHttp-Autoproxy-Service/5.1"
The file/folder states are as follows:
/home/e-smith/files/ibays rwxr-xr-x root:root
/home/e-smith/files/ibays/Primary rwxr-xr-x root:root
/home/e-smith/files/ibays/Primary/html rwxrwsr-x admin:shared
/home/e-smith/files/ibays/Primary/html/.well-known rwxrwsr-x admin:shared
/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge rwxrwsr-x admin:shared
httpd/error_log: (Let's Encrypt cert is not valid anymore)
[Sun Jul 17 18:18:25.492799 2022] [ssl:warn] [pid 8281] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:18:25.492804 2022] [ssl:warn] [pid 8281] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:18:25.492907 2022] [ssl:warn] [pid 8281] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:18:25.502052 2022] [ssl:warn] [pid 8281] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:25:12.485668 2022] [mpm_prefork:notice] [pid 8502] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Sun Jul 17 18:25:12.485686 2022] [core:notice] [pid 8502] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND'
[Sun Jul 17 18:28:56.118571 2022] [core:crit] [pid 8506] (13)Permission denied: [client 207.46.13.36:1216] AH00529: /home/e-smith/files/ibays/Primary/html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/e-smith/files/ibays/Primary/html/' is executable
[Sun Jul 17 18:31:32.554395 2022] [mpm_prefork:notice] [pid 8502] AH00170: caught SIGWINCH, shutting down gracefully
[Sun Jul 17 18:31:33.963452 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963493 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stgbrb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963677 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963682 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for mail.stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963862 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.963870 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.963969 2022] [ssl:warn] [pid 8787] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:31:33.972988 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.972997 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stgbrb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973173 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.973178 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for mail.stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973379 2022] [ssl:warn] [pid 8787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 17 18:31:33.973389 2022] [ssl:warn] [pid 8787] AH01909: RSA certificate configured for stg-brb.de:443 does NOT include an ID which matches the server name
[Sun Jul 17 18:31:33.973485 2022] [ssl:warn] [pid 8787] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Jul 17 18:31:33.976090 2022] [mpm_prefork:notice] [pid 8787] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Sun Jul 17 18:31:33.976112 2022] [core:notice] [pid 8787] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND'
iptables/denylog.log:
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=79.197.20.169 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21163 DF PROTO=TCP SPT=53089 DPT=80 SEQ=293349125 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= MAC=ac:1f:6b:74:f9:5d:00:09:4f:8a:75:32:08:00 SRC=79.197.20.169 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=122 ID=21170 DF PROTO=TCP SPT=53087 DPT=80 SEQ=278275206 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
-
I also checked this:
https://forums.koozali.org/index.php?topic=54750.0
No changes.
-
What is wrong with my configuration?
[root@stgsvr01 service]# config show httpd-e-smith
httpd-e-smith=service
AllowHosts=82.165.122.48 <============== this is wrong
SSLv2=disabled
SSLv3=disabled
TCPPort=80
TLSv1=disabled
access=public
status=enabled
Well, you only allow 82.165.122.48 to access your port 80; everyone else will be redirected to denylog by the firewall.
Why did you add this in the first place?
config delprop httpd-e-smith AllowHosts
signal-event remoteaccess-update
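As an added illustration (not code from this thread or from SME Server), a small Python checker that applies the diagnosis above: it parses `config show` output and iptables denylog lines, flags an AllowHosts allow-list on a public port-80 service, and counts the SYNs the firewall dropped from sources outside that list, which is why the http-01 validator times out. The denylog sample is constructed after the lines in the thread; 203.0.113.7 is a documentation address.

```python
import re
from collections import Counter

# Constructed input: the `config show httpd-e-smith` output quoted in the thread.
CONFIG_SHOW = """\
httpd-e-smith=service
AllowHosts=82.165.122.48
TCPPort=80
access=public
status=enabled
"""

# Constructed input: denylog lines in the thread's format, plus one unrelated 443 drop.
DENYLOG = """\
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= SRC=79.197.20.169 DST=192.168.1.2 LEN=52 PROTO=TCP SPT=53089 DPT=80 SEQ=293349125 ACK=0 WINDOW=64240 SYN URGP=0
Jul 17 18:38:03 stgsvr01 denylog: IN=eno2 OUT= SRC=79.197.20.169 DST=192.168.1.2 LEN=52 PROTO=TCP SPT=53087 DPT=80 SEQ=278275206 ACK=0 WINDOW=64240 SYN URGP=0
Jul 17 18:38:05 stgsvr01 denylog: IN=eno2 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=52 PROTO=TCP SPT=40000 DPT=443 SEQ=1 ACK=0 WINDOW=64240 SYN URGP=0
"""

def parse_config_show(text):
    """Parse `config show <key>` output: first line is key=type, then prop=value lines."""
    lines = text.strip().splitlines()
    name, _, kind = lines[0].partition("=")
    props = dict(line.partition("=")[::2] for line in lines[1:])
    return {"name": name, "type": kind, "props": props}

def port80_allowlist(cfg):
    """AllowHosts entries restricting a public port-80 service; [] when unrestricted."""
    props = cfg["props"]
    if props.get("TCPPort") != "80" or props.get("access") != "public":
        return []
    return [h for h in re.split(r"[,\s]+", props.get("AllowHosts", "")) if h]

DENY_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?\bSYN\b")

def dropped_syns(log_text, port=80):
    """Count firewall-dropped TCP SYNs to `port`, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and int(m.group(2)) == port:
            counts[m.group(1)] += 1
    return dict(counts)

def acme_http01_blocked(cfg, log_text):
    """True when port 80 is allow-listed and SYNs from hosts outside the list were dropped;
    Let's Encrypt validators are never on such a list, so http-01 can only time out."""
    allow = port80_allowlist(cfg)
    return bool(allow) and any(src not in allow for src in dropped_syns(log_text, 80))
```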
-
:-?, oh yes, thanks a lot!
A relic to allow access only from our IONOS server.
Your solution saves my week: certificates renewed, SOGo calendars on the IONOS server are working! E-mails are working again. And also our redirection of our public webcam on stg-brb.de/home.
Thanks a lot again, time for donation!
-
Thanks a lot again, time for donation!
Perfect!! And thank you.