Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: JRBATM20192021 on December 23, 2022, 05:48:46 AM
-
Hello,
Can't say this question is one hundred percent SME Server related but the way to do it I am thinking is tied to SME so that is why I am asking.
Is it possible to add a seperate url onto a existing let's encrypt certificate for different url???
Thanks.
-
You mean domains?
Yes, but then depends what you really are trying to do.
Explain your problem clearly.
-
Yes That's what I mean. I have a lets encrypt license for my domain on a SME Server and wanted to add another domain from a different server to the same lets encrypt license is that possible?
Thanks.
-
Yes That's what I mean. I have a lets encrypt license for my domain on a SME Server and wanted to add another domain from a different server to the same lets encrypt license is that possible?
Have you read the wiki?
As I said above.
Yes, but then depends what you really are trying to do.
You need to explain exactly what you are trying to do. That makes a difference on the advice we can give.
-
...add another domain from a different server to the same lets encrypt license is that possible?
This could be done, but requires careful configuration or manual adjustments when updating.
LetsEncrypt verifies each new or renewed certificate using an HTTP connection to the names requested for the cert.
If you're hosting a site on another server, how do you get the SME to respond to the LetsEncrypt challenge?
If the second host is "behind" the SME, you could get the SME to intercept /.well-known/acme-challenge locally while sending other traffic to the second host, then distribute the cert to the second host after it's updated.
I do this on my home network with a SME in server-only mode, but I have to play with my firewall rules every time I need to renew my certificates
I have a set of WAF rules in my sophos firewall that redirect /.well-known/acme-challenge to the system that manages the LetsEncrypt certificates. However, I'm collecting certs on different hosts using the same names, so I still need to turn some rules on and off every 90 days while doing updates...
[pointless extra details]
SME (office.mydomain.tld)
+ autodiscover.mydomain.tld
+ etherpad.mydomain.tld
NethServer (neth.mydomain.tld)
+ collabora.mydomain.tld
+ mattermost.mydomain.tld
+ etherpad.mydomain.tld
Ubuntu (cloud.mydomain.tld)
+ collabora.mydomain.tld
+ etherpad.mydomain.tld
+ passbolt.mydomain.tld
+ wiki.mydomain.tld
+ docker.mydomain.tld
+ office.mydomain.tld
+ router.mydomain.tld
Sophos (router.mydomain.tld)
--> I have a script on cloud.mydomain.tld that will push the letsencrypt cert to the router
--> Once the router has the new cert, I have to manually update the cert settings in the router for affected services
Docker (docker.mydomain.tld)
--> cronjob looks for new cert on cloud.mydomain.tld
--> if there is a new cert, load it and restart the 'onlyoffice' docker container
I could simplify the above, but I keep it as-is in order to teach myself about the various platforms (SME, Neth, Ubuntu, Docker, Sophos)
-
there are few workaround and way to update a ssl cert for a server behind sme.
could use proxypass
could use a nfs or sshfs share to the well-known/ acme challenge directory
could use a script to deploy the certificate to the local server when renewed.
and more. depends on how you are happy with one server having access to the other one or sharing a nfs share or even having the local server accessible from the internet
-
Thanks for the helpful info everyone. Yeah It would be okay for the servers to share info with each other what I am doing is I need to get an security certificate for a "different server" but this server is a streaming server while the one server that I would like to attach to its security certificate is the SME "secure" server. But the more I think about it and with what you guys have said looks like I would be opening up my SME server to security risks by attaching another server on to its security certificate. So I will go another direction with this.
Thanks!
-
You are making this a xyinfo issue.....
https://xyproblem.info/
It depends where your other server lives....
As I said right at the start, explain exactly what you want to achieve including host/domain examples etc.
Host X here, domain X there, SME box here, firewall there, etc etc.
It's fine to deploy cert elsewhere if you know the servers.
Using hook scripts you can deploy certs. But it depends on what you are trying to achieve, and that bit you still haven't clarified.
So you may "go another direction" which may be completely wrong.
We can't be precise unless you are. If you give us a good description we can give you a sensible answer.
Otherwise you'll be back again stumbling blindly looking for a solution to the wrong problem.
-
Yeah your right on the X-Y issue I still don't know what to do on the previous problem I got a Security Certificate online but it didn't associate with the Ice cast Streaming Server like I wanted it too so I doubt tacking it on to the SME Server Security Certificate would have worked either.....
Different Issue I didn't want to make another Topic post so thought I would post here.
I'm trying to do something similar but instead of it being a different server I want to add another completely different domain which will be hosted by the same server as the original domain to the original domains Lets Encrypt security certificate. I know that's possible and this post is more of a I want to check to make sure I know what to do before I go messing with the Certificate and screw it all up.
So do I need to do a Completely new certificate to add the new domain or can I just use the command below to add it?
sudo letsencrypt --apache -d mydomain.com
Thanks
-
Yeah your right on the X-Y issue I still don't know what to do on the previous problem I got a Security Certificate online but it didn't associate with the Ice cast Streaming Server like I wanted it too so I doubt tacking it on to the SME Server Security Certificate would have worked either.....
As we STILL don't know your exact layout we really can't help you.
As I have said repeatedly, describe your situation accurately and we may be able to assist.
-
Different Issue I didn't want to make another Topic post so thought I would post here.
Well then you should create a new thread and post it in the correct forum which is Contribs. You are just creating work and confusion here, which means you won't get much help.
I'm trying to do something similar but instead of it being a different server I want to add another completely different domain which will be hosted by the same server as the original domain to the original domains Lets Encrypt security certificate. I know that's possible and this post is more of a I want to check to make sure I know what to do before I go messing with the Certificate and screw it all up.
So do I need to do a Completely new certificate to add the new domain or can I just use the command below to add it?
You need to read the wiki where this is described.
https://wiki.koozali.org/Letsencrypt#Hosts_and_domains_for_the_certificate
sudo letsencrypt --apache -d mydomain.com
Where does it tell you to do that in the wiki?
When did Koozali SME use sudo ? Please, stop reading pages that relate to different server and letsecnrypt installations types and start reading the documentation for Koozali SME.
You are going to make a complete mess of your server otherwise.
-
if you have an externally provided certificate you can associate it to a httpd virtualhost (domain db) as httpd template can now use SNI.
Template will use this certificate for this domain, and will keep using the LE cert for others where nothing is defined.
SME doew not support separated per domain LE/dehydrated certificate because of the limitation it would impose on other services than httpd using the same certificate (including emails).
currently you can user any domain to connect to those services, of we separated the domain per uniq certificate only httpd would handle them all using SNI and other would only use primary domain.
EDIT 2: revert original post
-
if you have an externally provided certificate you can associate it to a httpd virtualhost (domain db) as httpd template can now use SNI.
Template will use this certificate for this domain, and will keep using the LE cert for others where nothing is defined.
interesting, I missed it..
could you please give me a link in the wiki?
thank you mate
Damn.. I edited your post, not quoted, my bad :-(
EDIT: moved comment from previous message
-
interesting, I missed it..
could you please give me a link in the wiki?
thank you mate
probably need documenting in wiki
this is part of the NFR of SME10. i could point to some fragments in httpd/ virtualhost
-
Okay first problem layout
Internet - Server one SME Server - Server two Icecast Streaming server there both on the same network you would call it but they have different IP addresses.
Second Problem
Okay I didn't have access to the wiki earlier it gave me a really weird error..... Now it works. So if I Start at Step by Step Configuration and go all the way up to test mode but not including test mode It should work and I shouldn't mess up my original certificate?
Thanks
-
Okay so I tried to get a lets encrypt security certificate for a totally different domain that is on the same server as the domain that already has a lets encrypt security certificate installed.
I followed the wiki here and did everything it said to do.
https://wiki.koozali.org/Letsencrypt
however I got an error for the new domain which is below
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 12 authorizations URLs from the CA
+ Handling authorization for ftp.xxxx.com
+ Handling authorization for ftp.xxxx.com
+ Handling authorization for xxxx.com
+ Handling authorization for mail.xxxx.com
+ Handling authorization for mail.xxxx.com
+ Handling authorization for proxy.xxxx.com
+ Handling authorization for proxy.xxxx.com
+ Handling authorization for wpad.xxxx.com
+ Handling authorization for wpad.xxxx.com
+ Handling authorization for www.xxxx.com
+ Handling authorization for www.xxxx.com
+ Handling authorization for xxxx.com
+ 12 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for ftp.xxxx.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for ftp.xxxx.com - c heck that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.xxxx.com - check that a DNS record exists for this domain ",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/194770660857/D0x1KA ",
"token": "ufj_S0yZ9RspLiBt-Tosu4juodH09sNjBPQ_ckDkv1A",
"validated": "2023-01-13T05:25:44Z"
})
What am I doing wrong?? I don't understand what I am missing....
-
Okay first problem layout
Internet - Server one SME Server - Server two Icecast Streaming server there both on the same network you would call it but they have different IP addresses.
As you still don't completely describe your network it is still hard to tell you exactly what to do. Just wastes so much of everyones time trying figure out exactly what your layout is and give you the right advice.
We are two pages in and still guessing. Are these Internal addresses or External addresses? Makes a big difference.
https://www.chiark.greenend.org.uk/~sgtatham/bugs.html (https://www.chiark.greenend.org.uk/~sgtatham/bugs.html)
http://www.catb.org/esr/faqs/smart-questions.html (http://www.catb.org/esr/faqs/smart-questions.html)
How is your router configured? Port forwarding, DHCP? How is SME configured - gateway/server only? Just so much we still don't know.
One of my configs approximately. Use it as a template for your information.
I have a SME server in server only mode behind a router which has a single public static IP address.
The router is on a static local IP 192.168.x.250
The main SME server is on 192.168.x.1 and handles DHCP for clients 192.168.x.30-150
The server is set to handle a couple of domains - say mydomain.com and myotherdomain.com - so the domains all point to the same external IP.
I have also streaming server. It is configured as stream.myotherdomain.com It has a Local IP address of 192.168.x.170
On the router Ports 80 and 443 are forwarded to the main SME server so it can answer Letsencrypt queries.
On the router Port 8123 is forwarded to the streaming server.
I have ssh keys set up to allow copying from the main SME server to the streaming server.
I have these hosts forwarded in the SME server manager....
I have set up external DNS records for these hosts and domains.... blah blah
Try doing something similar for your own setup.
Note that the way letsencrypt is configured on SME currently means that ALL Domains and ALL Hosts that are Letsencrypt enabled go on one certificate.
It is possible to create more certificates on a per domain basis, but to do that requires a massive change to the SME Apache httpd set up that we have not done yet. It is still a NFR.
On my setup I get certificates for the various hosts and domains hosts and then use a hook-script.sh template fragment to copy them to the streaming server like this:
if [ $1 = "deploy_cert" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp -P 22 $CERT root@192.168.x.170://etc/dehydrated/certs/mydomain.com/cert.pem
scp -P 22 $KEY root@192.168.x.170://etc/dehydrated/certs/mydomain.com/privkey.pem
scp -P 22 $CHAIN root@192.168.x.170://etc/dehydrated/certs/mydomain.com /chain.pem
scp -P 22 /etc/dehydrated/certs/mydomain.com/fullchain.pem root@192.168.x.170:/etc/dehydrated/certs/mydomain.com/fullchain.pem
ssh -p 22 root@192.168.x.170 "/bin/systemctl restart apache"
echo "stream $2 certificate renewed\n 1 $1 3 $3 4 $4 5 $5 6 $6" | mail -s "Certificate renewal for streamer" admin@mydomain
fi
The streaming server can now answer as either stream.mydomain OR as stream.mylocaldomain. But if you only point stream.myotherlocaldomain.com to this server it is the only domain that it can answer.
Second Problem
Okay I didn't have access to the wiki earlier it gave me a really weird error..... Now it works. So if I Start at Step by Step Configuration and go all the way up to test mode but not including test mode It should work and I shouldn't mess up my original certificate?
Test mode creates a test certificate. But your server will point to this certificate. It is easy enough to go back, disable the hosts/domains you don't want, and re-generate the original one. Just don't do it too often or you will get rate limited.
DNS problem: NXDOMAIN looking up A for ftp.xxxx.com - check that a DNS record exists for this domain
Read the error.
check that a DNS record exists for this domain
You have enabled Letsencrypt to get a certificate for ftp.xxx.com but have not set up an IP address for it so Letsencrypt tries to contact the host but can't. Fix your DNS.
-
All IPS are external and the SME server operates in server only mode. Thanks for the info on that one I will give it a try.
Second problem
The problem is a DNS record exists for the new domain it is set to point to the same server as the original domain and ftp is configured on the server I don't understand because what it says doesn't exist already does....
Thanks
-
issue is lets’encrypt servers all over the world says they can not resolve this particular entry so the dns might be defined locally but not for the world wide web!
your domain should have a dns resolvable from anywhere in the planet to allow let’s encrypt to test your server is really its target and provides you with the certificate.
be carefull not to enable all the subdomains available on your server as SME will resolve locally all those even if not defined on your dns provider.
again as you obfuscate all info we can not help verify this info.
-
All IPS are external and the SME server operates in server only mode.
Then you likely need a different solution.
again as you obfuscate all info we can not help verify this info.
Exactly. It is like pulling teeth.
I am not doing any more until the OP documents the layout properly.
Just wasting everyones valuable time.
-
Okay if you can tell me whats wrong DNS wise here is the link to the domain that the lets encrypt challenge failed on
brendasgetzlaw.com I checked this domain side by side with my other domain (which if it would be help to know is kspk.com) that lets encrypt works properly on and the only thing different is that the domain I named first didn't have a txt record and my other domain (that I named second does) that works properly does so I added a txt record for the domain named above waiting for it to be recognized then I will try the certificate again.
For all previous mentioned problems all the layout I can give.
kspk.com - brendasgetzlaw.com forward to one (server only) sme server under one external IP
first problem-layout
stream.kspk.com is the domain to the streaming server which has its own different IP from the main server. This is a completely stand alone server not tied to the one above in any shape or form.
Thanks
-
as i pointed you ask a certificate for a domain/hostname/subdomain not defined
a k a ftp.brendasgetzlaw.com
dig ftp.brendasgetzlaw.com @nirvana.easydns.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> ftp.brendasgetzlaw.com @nirvana.easydns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35342
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ftp.brendasgetzlaw.com. IN A
;; AUTHORITY SECTION:
brendasgetzlaw.com. 300 IN SOA rush.easydns.com. zone.easydns.com. 1673642757 3600 600 604800 300
;; Query time: 9 msec
;; SERVER: 69.164.213.139#53(69.164.213.139)
;; WHEN: Fri Jan 13 17:36:57 2023
;; MSG SIZE rcvd: 94
so either you define it in dns and all other hostnames/subdomains defined on your SME for this domain, either you remove the unused hostname from the sme or you keep them and set the property according to the wiki page pointed to have let’s encrypt dehydrated script not asking a certificate for it.
-
okay so New error it doesn't like the acme challenge is there a special generator to make a new one that lets encrypt will recognize error below for your reference
[root@www ~]# db domains setprop brendasgetzlaw.com letsencryptSSLcert enabled
[root@www ~]# db hosts setprop www.brendasgetzlaw.com letsencryptSSLcert enabled
[root@www ~]# config setprop letsencrypt configure domains
[root@www ~]# config setprop letsencrypt status test
[root@www ~]# signal-event console-save
[root@www ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com kspk.com mail.kspk.com www.kspk.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: kspk.com mail.kspk.com www.kspk.com
+ Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Mar 30 09:32:10 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 5 authorizations URLs from the CA
+ Handling authorization for kspk.com
+ Handling authorization for mail.kspk.com
+ Handling authorization for www.brendasgetzlaw.com
+ Handling authorization for www.kspk.com
+ Handling authorization for brendasgetzlaw.com
+ 5 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for kspk.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.kspk.com authorization...
+ Challenge is valid!
+ Responding to challenge for www.brendasgetzlaw.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "ip: Invalid response from http://www.brendasgetzlaw.co m/.well-known/acme-challenge/K0w-Yzs2z96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30: 403",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/4932748973/ lO3a3Q",
"token": "K0w-Yzs2z96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30",
"validationRecord": [
{
"url": "http://www.brendasgetzlaw.com/.well-known/acme-challenge/K0w-Yzs2z 96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30",
"hostname": "www.brendasgetzlaw.com",
"port": "80",
"addressesResolved": [
"ip"
],
"addressUsed": "ip"
}
],
"validated": "2023-01-14T03:41:37Z"
})
[root@www ~]# config setprop letsencrypt status enabled
[root@www ~]# signal-event console-save
[root@www ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com kspk.com mail.kspk.com www.kspk.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: kspk.com mail.kspk.com www.kspk.com
+ Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Mar 30 09:32:10 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 5 authorizations URLs from the CA
+ Handling authorization for brendasgetzlaw.com
+ Handling authorization for kspk.com
+ Handling authorization for mail.kspk.com
+ Handling authorization for www.brendasgetzlaw.com
+ Handling authorization for www.kspk.com
+ 5 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for brendasgetzlaw.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "ip: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE: 403",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/195011633767/ytsZrQ",
"token": "DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE",
"validationRecord": [
{
"url": "http://brendasgetzlaw.com/.well-known/acme-challenge/DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE",
"hostname": "brendasgetzlaw.com",
"port": "80",
"addressesResolved": [
"ip"
],
"addressUsed": "ip"
}
],
"validated": "2023-01-14T03:43:10Z"
})
[root@www ~]#
-
1/ if you want a certificate for stream.kspk.com, as its public ip is different and is on a different server you need to run a let's encrypt client on this server.
2/ regarding your issue with http://www.brendasgetzlaw.com, you will have the same with http://brendasgetzlaw.com
"status": 403 means your server refuse the access to read the validation file/folder
if you try to access https://www.kspk.com/.well-known/ you will be able to see the content of the directory
on the opposite http://www.brendasgetzlaw.com/.well-known/ you hit a 403 error.
And if you try to access a non existing file you will get:
www.kspk.com : Not Found The requested URL /.well-known/acme-challenge/jpp
www.brendasgetzlaw.com : Forbidden You don't have permission to access /.well-known/acme-challenge/jpp on this server.
those behaviours is because of some modifications you did on your server.
both behaviours are not expected on a standard SME Server, as you should not be able to browse the content of the folder (i.e. list the content of the folder) for security reason as you are able in https://www.kspk.com/.well-known/ (you should indeed get a 403) but you should be able to read the content of a file you know the path in it, or get a 404 not found if the file does not exist (and not a 403).
So when Let's Encrypt try to validate the token it can not get to it because something has been modified and this is probably one of those:
- chown / chmod of the folder /home/e-smith/files/ibays/Primary/html/.well-known/ (or below)
- a .htaccess in /home/e-smith/files/ibays/Primary/html/ or in the ibay of brendasgetzlaw.com preventing access to .well-known/ and subfolder
- a custom template hidding the fragments intended to allow access to .well-known/ from any virtualhost ibays or any virtualhost related to a webapp installed with a contrib.
-
Makes a lot of sense actually so I am assuming If I can make the /.well-known folder for brendasgetzlaw.com The challenge should work?
How is that folder made? Is it possible to make another for the brendasgetzlaw.com I can't find it in the primary folder for the main domain in ftp so I assume its an invisible folder? I'm guessing in the SSH?
Thanks
-
You can always get a free certificate at zerossl.com using email validation, warns you to renew after 90 days.
-
the default setting is to share the Primary ibay folder with all the other Virtualhosts (ibays,other webapps).
There are fragments templates to alias this url to this folder for all virtualhost. unless, again, you have put a htaccess that override this setting or any other situation I gave as example in my last comment.
creating a such folder in the ibay won’t help as the validation script can only use one folder for all the tests. So you really have to check all the customizations you did and can mess with the expected behaviour. Yes this is difficult, but this is the cost of being able to customize a bit things and not being limited to a closed system.
-
@Jean-Philippe Pialasse
If I override the fragment template to alias the url it was not intentional. How would I set up a fragments template to alias a url or check to see if it exists on my server?
@bunkobugsy
Thanks for the suggestion how am I supposed to associate it with the Server though? I created a certificate but it gave me a certificate to download and upload to the server so not sure what to do with that.
-
Thanks for the suggestion how am I supposed to associate it with the Server though? I created a certificate but it gave me a certificate to download and upload to the server so not sure what to do with that.
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
-
Understood thanks will this interfere with my lets encrypt certificate for my other domain since it is going to be on the same server?
-
Also assuming this will work with SME 10 right?
-
Understood thanks will this interfere with my lets encrypt certificate for my other domain since it is going to be on the same server?
I suggested zerossl.com (there's also sslforfree.com) only for the sme10 behind your main sme10, because it only requires email verification. For the main one you can keep letsencrypt contrib running without customizations.
-
Sounds good thank you for your help on this. Last question so the security certificate for email verification requires that it is sent to admin@brendasgetzlaw.com however I don't have email set up for that domain on the server is there a way to make an email account for the alternate domain on the server?
-
With all respect, Looking at your answer, I would rather think, you did not understood the content of this wiki page and the manipulation you are about to try is too advanced for your.
I would suggest you to keep your server usage as simple as possible, as the more layer you add the more possible issue you will encounter and the less likely you will be able to solve the issue.
start checking what returns
/sbin/e-smith/audittools/templates
check if any .htaccess file in your Primary/html and in the ibay of the domain you fail to get the cert with let’s encrypt
also give the output of
ll -d /home/e-smith/files/ibays/Primary/html/.well-known
ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
-
Last question....
It won't be because you still haven't grasped your situation and tried to understand it. You just lurch from one guess to another.
3 pages on.
The classic XY info. Read that page again.
Still never really described your situation clearly and concisely. So you get bits of answers to bits of questions which you don't actually understand and make no effort to learn.
You say your servers are on the same network but have public IPs and are totally separate.
Ah right. Makes perfect sense.
You don't understand your SME, DNS, email and how they work together.
We don't even know exactly what software version is running your IceCast server. SME? Something else? Local & remote IPs for each box?
At a guess you read a load of guff clickbait wikis unrelated to SME (the tell - we don't use sudo on SME normally, and we use 'dehydrated') in an effort to do something you didn't understand, probably made a load of changes you didn't know how to revert, and now hope by telling the bits of the story you want people to see you can fix the mess without embarassing yourself.
Time to fess up and give us the information requested including a detailed history of what you have done along with some proper info from audittools, or restore from backup, read the manual until you understand it, and start again.
I don't want to be harsh but you are wasting hours of people valuable time and getting nowhere.
We can't help those who won't help themselves, or us.
On SME servers:
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
-
Okay forget the stream certificate that is a dead issue. I tried to install a different certificate under lets encrypt for brendasgetzlaw.com using the method suggested to me here.
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
I was informed that it would work and not bother my other certificate the only problem was it messed up the other certificate for kspk.com and it didn't even issue a security certificate for brendasgetzlaw.com now both sites show they are not secure which is 100% unacceptable. feel free to look since I have given you the links. How do I fix the original lets encrypt for kspk.com? when looking in ssh it still shows it is there but this page is different
[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
TCPPort=443
access=public
crt=/ibays/Primary/html/.well-known/{brendasgetzlaw.com}.crt
key=/ibays/Primary/html/.well-known/{brendasgetzlaw.com}.key
status=enabled
[root@www ~]#
so I figured there is my problem so I tried to change it back too
[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
TCPPort=443
access=public
crt=/ibays/Primary/html/.well-known/{kspk.com}.crt
key=/ibays/Primary/html/.well-known/{kspk.com}.key
status=enabled
[root@www ~]#
STILL DIDN'T WORK.
Is there a way to restore or undo a mistake in SME SERVER like in Windows where you can system restore like after you get a trojan horse virus????
I think that is the best option here.
PLEASE let me know ASAP.
I think this section has the mistake everything else is normal and is completed via the wiki information here https://wiki.koozali.org/Letsencrypt
[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
TCPPort=443
access=public
crt=/ibays/Primary/html/.well-known/{kspk.com}.crt
key=/ibays/Primary/html/.well-known/{kspk.com}.key
status=enabled
[root@www ~]#
Okay let me "try" to explain this again
This server is on its own Public IP address and is a Server-only server it is Sme Server 10 the version you guys had in 2021. We have outside people who upload to it via FTP that is only thing that is open to the internet and email is open to the internet all secured with passwords. Everything else is locked down to local networks. This server also hosts a website the original domain of kspk.com which I was hoping of adding another one which I have but I have basically been told adding a ssl certificate will not work.
ALL other INFORMATION is sensitive that I would hope you understand I am NOT willing to share in a PUBLIC forum that just ANYONE can read.
I would prefer an ANSWER to fix this not CRITICISM if I can fix the security certificate for kspk.com that is all I want and I will leave you all alone.
I work other Jobs I don't have the leisure to 100% dedicate my time to this. This is side job.
Thank you for your time.
-
just remove every { and }
also those are not the locations suggested:
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
-
Okay did what you said and nothing has changed this is what I have now.
[root@www ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
TCPPort=443
access=public
crt=/home/e-smith/ssl.crt/{kspk.com}.crt
key=/home/e-smith/ssl.key/{kspk.com}.key
status=enabled
What am I doing wrong?
-
just remove every { and }
don't think you need CertificateChainFile
look in the log for errors
-
Okay there removed assuming this is better?
[root@www ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
TCPPort=443
access=public
crt=/home/e-smith/ssl.crt/kspk.com.crt
key=/home/e-smith/ssl.key/kspk.com.key
status=enabled
[root@www ~]#
However still didn't fix the problem I don't know how to get rid of the CertificateChainFile I think I got it from here
https://wiki.koozali.org/Letsencrypt
If this shows any values for crt, key, or CertificateChainFile, make a note of them. If you encounter an issue with the certificate files generated by Letsencrypt, you'll then be able to revert your changes. To make a 'backup' of your existing key and properties you can issue:
config show modSSL > "/root/db_configuration_modSSL_backup_$(date +%Y%m%d_%H%M%S)"
-
Will the problem go away if I remove the security certificate and start over?
-
config delprop modSSL CertificateChainFile
signal-event console-save
signal-event reboot
if still not working, revert completely:
config delprop modSSL crt
config delprop modSSL key
now you should only have:
# config show modSSL
modSSL=service
TCPPort=443
access=public
status=enabled
then:
signal-event post-upgrade
signal-event reboot
now you should be back on self-signed
-
Okay did all of that but still not working how do I get back to the lets encrypt certificate? This is what I have now
[root@www ~]# config show modSSL
modSSL=service
TCPPort=443
access=public
status=enabled
[root@www ~]#
-
This is what I have when I put in the below
[root@www ~]# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@kspk.com
hookScript=disabled
keysize=NUMBER
signal-event=smeserver-letsencrypt-update
status=enabled
Not sure what I have messed up
-
you made some (typing) mistakes, fix them first:
config delprop letsencrypt keysize
config delprop letsencrypt signal-event
now you should only have:
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@kspk.com
hookScript=disabled
status=enabled
then:
db domains setprop kspk.com letsencryptSSLcert enabled
signal-event smeserver-letsencrypt-update
dehydrated -c -x
-
@bunkobugsy
THANK YOU for your help I got it. The certificate is back now for the original.
I shouldn't open Pandora's box again if I do the follow commands for the other one
Like these
config setprop modSSL crt /home/e-smith/ssl.crt/brendasgetzlaw.com.crt
config setprop modSSL key /home/e-smith/ssl.key/brendasgetzlaw.com.key
Will it work correctly this time
Also do I need to upload the key and crt to the I-bay for the second domain or will it just work with the commands above and of course following the wiki?
-
Everyone else
Sorry for blowing up SME Server while is excellent software and very secure I truly do love it is sometimes a pain in the ass when you mess something up like I have done.
Thank you for helping me.
-
Like these
config setprop modSSL crt /home/e-smith/ssl.crt/brendasgetzlaw.com.crt
config setprop modSSL key /home/e-smith/ssl.key/brendasgetzlaw.com.key
Will it work correctly this time
Also do I need to upload the key and crt to the I-bay for the second domain or will it just work with the commands above and of course following the wiki?
Should work, you need to put the 2 files in the exact path specified.
Follow the above commands with either:
signal-event console-save
signal-event reboot
or
signal-event post-upgrade
signal-event reboot
And you already know how to undo this.
-
Yes I do! Thank you again for your help!!!!
-
just remove every { and }
also those are not the locations suggested:
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
.
this is will be overwritten by self signed certificate if this domain is the Primary.
AGAIN, i told you not to go to the rabbit hole of this page as you show you do not understand what you do, but you choose to go there and do not provide the information asked using the debug commands I asked to help fix your initial problem.
You just keep inputing commands without the proper understanding of what you do and without trying actually to understand what gone wrong first. You are just adding layers and layers to your problem.
-
You just keep inputing commands without the proper understanding of what you do and without trying actually to understand what gone wrong first. You are just adding layers and layers to your problem.
Hence the cert for this wrong. And http as well. Not a great look for a lawyers website.
brendasgetzlaw.com
He really ought to fix that.
-
ALL other INFORMATION is sensitive that I would hope you understand I am NOT willing to share in a PUBLIC forum that just ANYONE can read.
We don't need the capitals thanks.
You need to give us enough to describe the situation, which you have not. You can obfuscate relevant information (and we would tell you to PM us if we thought it was genuinely sensitive) but you need to show the basic information requested, though I am not sure you can tell the difference between what needs obfuscating and what does not.
I would prefer an ANSWER to fix this not CRITICISM if I can fix the security certificate for kspk.com that is all I want and I will leave you all alone.
The criticism is that you still don't give the information required to give you an answer that will solve your issues. Not sure what else we can say. That is the answer currently.
These will reveal nothing that will cause an issue but would have told us a lot.
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
ll -d /home/e-smith/files/ibays/Primary/html/.well-known
ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
Or Server Manager, report a bug, create configuration report.
"Solving a problem requires understanding it"
We actually understand most of what is going on, but because we don't have accurate information we can't tell you properly how to fix it. That is why you have no definitive simple answer that you crave, and your certificates are still not right. Yes for sure you can carry on bodging your way around it, but then it will break again and we'll be back to the start.
https://xyproblem.info/
User wants to do X.
User doesn't know how to do X, but thinks they can fumble their way to a solution if they can just manage to do Y.
User doesn't know how to do Y either.
User asks for help with Y.
Others try to help user with Y, but are confused because Y seems like a strange problem to want to solve.
After much interaction and wasted time, it finally becomes clear that the user really wants help with X, and that Y wasn't even a suitable solution for X.
An almost perfect description of these 4 pages.
I work other Jobs I don't have the leisure to 100% dedicate my time to this. This is side job.
This is not a job for any of us.
We are all volunteers doing this for free in our spare time, including building code and fixing bugs and trying to help users.
Perhaps you should think about this a bit.
Your donation from yourself and your clients to assist in keeping this whole show running will be welcome:
https://forums.koozali.org/index.php?action=profile;area=subscriptions
Remember, this is open source. Not free sauce.
-
What is it that you would like to know? because I'm pretty sure I have given you most info but if you tell me what you need I can probably give it to you.
I would like to know how to carry out this wiki here because I think it will work
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
When I go to this domain /home/e-smith/ it is read only and will not let me add the new ssl.crt and ssl.key will it hurt to put the files else where?
-
What is it that you would like to know? because I'm pretty sure I have given you most info but if you tell me what you need I can probably give it to you.
for the third time we clearly ask the output of those commands (and a 4th was more subtle) , and you just dodge the issue.
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
ll -d /home/e-smith/files/ibays/Primary/html/.well-known
ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
-
What is it that you would like to know? because I'm pretty sure I have given you most info but if you tell me what you need I can probably give it to you.
Start at the top and read down.
You might need to do that more than once.
I would like to know how to carry out this wiki here because I think it will work
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
No, the existing method will work but as you still don't understand the problem or provide enough information our answers are general and meaningless to you.
Using this method is of no benefit to you and your somewhat trashed server. It won't fix your existing issues.
When I go to this domain /home/e-smith/
That's a directory.
it is read only and will not let me add the new ssl.crt and ssl.key will it hurt to put the files else where?
XY Problem. Yes. See above for reference.
Is there a way to restore or undo a mistake in SME SERVER like in Windows where you can system restore like after you get a trojan horse virus????
Yup. Depends what you did. It's in the manual. See "custom-templates, "backup/restore", or snapshots with VMs.
You do take regular backups don't you?
-
Not sure which commands you want to see the output of do you mean these?
ll -d /home/e-smith/files/ibays/Primary/html/.well-known
ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
I assume these are directories
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
All commands from
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
Don't bring back anything in putty
Existing method? you mean the way the original domain SSL is done??
Yes I know /home/e-smith/ is a directory that was a mistake.
Yes of course I take regular backups.
-
This is what the commands returned
[root@www ~]# /sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
* base: repos.forethought.net
* smeaddons: www.mirrorservice.org
* smeos: www.mirrorservice.org
* smeupdates: www.mirrorservice.org
* updates: forksystems.mm.fcix.net
Extra Packages
GeoIP.x86_64 1.6.12-9.el7.sme @smecontribs
GeoIP-GeoLite-data.noarch 2018.06-7.el7.sme @smecontribs
GeoIP-GeoLite-data-extra.noarch 2018.06-7.el7.sme @smecontribs
bglibs.x86_64 1.102-2.el7.sme @anaconda/10.0
clamav.x86_64 0.103.2-1.el7 @anaconda/10.0
clamav-data.noarch 0.103.2-1.el7 @anaconda/10.0
clamav-filesystem.noarch 0.103.2-1.el7 @anaconda/10.0
clamav-lib.x86_64 0.103.2-1.el7 @anaconda/10.0
clamav-update.x86_64 0.103.2-1.el7 @anaconda/10.0
clamd.x86_64 0.103.2-1.el7 @anaconda/10.0
cvm.x86_64 0.82-1.el7.sme @anaconda/10.0
dehydrated.noarch 0.6.5-1.el7 @smeos
e-smith-LPRng.noarch 2.6.0-7.el7.sme @anaconda/10.0
e-smith-apache.noarch 2.6.0-14.el7.sme @anaconda/10.0
e-smith-backup.noarch 2.6.0-27.el7.sme @anaconda/10.0
e-smith-base.x86_64 5.8.1-1.el7.sme @anaconda/10.0
e-smith-cvm-unix-local.noarch 2.6.0-3.el7.sme @anaconda/10.0
e-smith-devtools.noarch 2.6.0-10.el7.sme @anaconda/10.0
e-smith-email.noarch 5.6.0-11.el7.sme @anaconda/10.0
e-smith-ibays.noarch 2.6.0-17.el7.sme @anaconda/10.0
e-smith-ldap.noarch 5.6.0-12.el7.sme @anaconda/10.0
e-smith-lib.noarch 2.6.0-14.el7.sme @anaconda/10.0
e-smith-lib-compspec.noarch 2.6.0-3.el7.sme @anaconda/10.0
e-smith-manager.x86_64 2.8.0-34.el7.sme @anaconda/10.0
e-smith-mysql.noarch 2.6.0-21.el7.sme @anaconda/10.0
e-smith-ntp.noarch 2.6.0-13.el7.sme @anaconda/10.0
e-smith-nutUPS.noarch 2.6.0-11.el7.sme @anaconda/10.0
e-smith-packetfilter.noarch 2.6.0-7.el7.sme @anaconda/10.0
e-smith-proxy.noarch 5.6.0-9.el7.sme @anaconda/10.0
e-smith-qmail.noarch 2.6.0-12.el7.sme @anaconda/10.0
e-smith-radiusd.noarch 2.6.0-15.el7.sme @anaconda/10.0
e-smith-samba.noarch 2.6.0-23.el7.sme @anaconda/10.0
fail2ban-sendmail.noarch 0.11.2-3.el7 @smecontribs
fail2ban-server.noarch 0.11.2-3.el7 @smecontribs
gd-last.x86_64 2.3.2-1.el7.remi @anaconda/10.0
libsodium.x86_64 1.0.18-1.el7.remi @remi
libzip5.x86_64 1.8.0-2.el7.remi @remi-safe
libzstd.x86_64 1.5.0-1.el7 @smeupdates
mod_authnz_external.x86_64 3.3.1-7.el7 @anaconda/10.0
oniguruma5php.x86_64 6.9.7.1-1.el7.remi @anaconda/10.0
perl-B-Hooks-EndOfScope.noarch 0.24-1.of.el7 @smecontribs
perl-B-Hooks-OP-Check.x86_64 0.22-1.of.el7 @smecontribs
perl-Class-Load-XS.x86_64 0.10-1.of.el7 @smecontribs
perl-Class-Method-Modifiers.noarch 2.13-1.of.el7 @smecontribs
perl-Class-XSAccessor.x86_64 1.19-2.el7 @smecontribs
perl-Clone-PP.noarch 1.06-1.of.el7 @smecontribs
perl-Data-Dumper-Concise.noarch 2.023-1.of.el7 @smecontribs
perl-Data-IEEE754.noarch 0.01-1.of.el7 @smecontribs
perl-Data-Printer.noarch 0.35-1.of.el7 @smecontribs
perl-Data-Validate-IP.noarch 0.27-13.el7 @smecontribs
perl-DateTime.x86_64 2:1.55-1.of.el7 @smecontribs
perl-DateTime-Locale.noarch 1.33-1.of.el7 @smecontribs
perl-DateTime-TimeZone.noarch 2.51-1.of.el7 @smecontribs
perl-Devel-GlobalDestruction.noarch 0.14-1.of.el7 @smecontribs
perl-Devel-OverloadInfo.noarch 0.007-1.of.el7 @smecontribs
perl-Devel-StackTrace.noarch 1:2.04-1.of.el7 @smecontribs
perl-Eval-Closure.noarch 0.14-1.of.el7 @smecontribs
perl-File-HomeDir.noarch 1.002-1.of.el7 @smecontribs
perl-Geo-IP.x86_64 1.45-1.of.el7 @smecontribs
perl-GeoIP2.noarch 2.001002-1.of.el7 @smecontribs
perl-Hash-FieldHash.x86_64 0.14-1.of.el7 @smecontribs
perl-IO-Socket-IP.noarch 0.37-1.el7.sme @anaconda/10.0
perl-Lexical-SealRequireHints.x86_64 0.011-1.of.el7 @smecontribs
perl-List-AllUtils.noarch 0.08-1.of.el7 @smecontribs
perl-MRO-Compat.noarch 0.12-2.el7 @smecontribs
perl-Math-Int128.x86_64 0.18-1.of.el7 @smecontribs
perl-Math-Int64.x86_64 0.52-1.el7 @smecontribs
perl-MaxMind-DB-Common.noarch 0.040000-1.of.el7 @smecontribs
perl-MaxMind-DB-Reader.noarch 1.000004-1.of.el7 @smecontribs
perl-Module-Implementation.noarch 0.09-1.of.el7 @smecontribs
perl-Module-Runtime.noarch 0.016-1.of.el7 @smecontribs
perl-Module-Runtime-Conflicts.noarch 0.003-1.of.el7 @smecontribs
perl-Moo.noarch 2.004004-2.of.el7 @smecontribs
perl-MooX-StrictConstructor.noarch 0.006-1.of.el7 @smecontribs
perl-Moose.x86_64 2.2015-1.of.el7 @smecontribs
perl-Net-Server.noarch 2.007-2.el7 @anaconda/10.0
perl-Net-Works.noarch 0.21-1.of.el7 @smecontribs
perl-Params-Classify.x86_64 0.013-7.el7 @smecontribs
perl-Params-Validate.x86_64 1.30-1.of.el7 @smecontribs
perl-Params-ValidationCompiler.noarch 0.30-1.of.el7 @smecontribs
perl-Razor-Agent.x86_64 2.85-15.el7 @anaconda/10.0
perl-Regexp-Common.noarch 2016020301-1.el7.sme @anaconda/10.0
perl-Role-Tiny.noarch 2.001004-1.of.el7 @smecontribs
perl-Sort-Naturally.noarch 1.03-8.el7 @smecontribs
perl-Specio.noarch 0.47-1.of.el7 @smecontribs
perl-Sub-Exporter-Progressive.noarch 0.001013-1.of.el7 @smecontribs
perl-Sub-Identify.x86_64 0.14-1.of.el7 @smecontribs
perl-Sub-Install.noarch 0.928-1.of.el7 @smecontribs
perl-Sub-Name.x86_64 0.26-1.of.el7 @smecontribs
perl-Sub-Quote.noarch 2.006006-1.of.el7 @smecontribs
perl-Test-Warnings.noarch 0.031-1.of.el7 @smecontribs
perl-Throwable.noarch 1.000-1.of.el7 @smecontribs
perl-Try-Tiny.noarch 0.22-1.of.el7 @smecontribs
perl-Variable-Magic.x86_64 0.62-1.of.el7 @smecontribs
perl-bareword-filehandles.x86_64 0.007-1.of.el7 @smecontribs
perl-indirect.x86_64 0.39-1.of.el7 @smecontribs
perl-multidimensional.x86_64 0.014-1.of.el7 @smecontribs
perl-namespace-autoclean.noarch 0.29-1.of.el7 @smecontribs
perl-namespace-clean.noarch 0.27-1.of.el7 @smecontribs
-
Continued
perl-strictures.noarch 2.000006-1.of.el7 @smecontribs
php-pear.noarch 1:1.10.12-8.el7.remi @smeupdates
php55-php.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-bcmath.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-cli.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-common.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-enchant.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-fpm.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-gd.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-imap.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-intl.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-ldap.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-mbstring.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-mcrypt.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-mysqlnd.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-opcache.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-pdo.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php55-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php55-php-process.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-snmp.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-soap.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-tidy.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-xml.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php55-php-xmlrpc.x86_64 5.5.38-12.el7.remi @anaconda/10.0
php56-php.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-bcmath.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-cli.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-common.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-enchant.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-fpm.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-gd.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-imap.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-intl.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-ldap.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-mbstring.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-mcrypt.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-mysqlnd.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-opcache.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-pdo.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php56-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php56-php-process.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-snmp.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-soap.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-tidy.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-xml.x86_64 5.6.40-28.el7.remi @remi-safe
php56-php-xmlrpc.x86_64 5.6.40-28.el7.remi @remi-safe
php70-php.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-bcmath.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-cli.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-common.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-enchant.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-fpm.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-gd.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-imap.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-intl.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-json.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-ldap.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-mbstring.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-mcrypt.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-mysqlnd.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-opcache.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-pdo.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php70-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php70-php-process.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-snmp.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-soap.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-tidy.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-xml.x86_64 7.0.33-28.el7.remi @remi-safe
php70-php-xmlrpc.x86_64 7.0.33-28.el7.remi @remi-safe
php71-php.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-bcmath.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-cli.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-common.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-enchant.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-fpm.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-gd.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-imap.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-intl.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-json.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-ldap.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-mbstring.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-mcrypt.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-mysqlnd.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-opcache.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-pdo.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php71-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php71-php-process.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-snmp.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-soap.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-tidy.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-xml.x86_64 7.1.33-15.el7.remi @remi-safe
php71-php-xmlrpc.x86_64 7.1.33-15.el7.remi @remi-safe
php72-php.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-bcmath.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-cli.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-common.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-enchant.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-fpm.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-gd.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-imap.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-intl.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-json.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-ldap.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-mbstring.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-mysqlnd.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-opcache.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-pdo.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php72-php-pecl-mcrypt.x86_64 1.0.4-1.el7.remi @anaconda/10.0
php72-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php72-php-process.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-snmp.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-soap.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-tidy.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-xml.x86_64 7.2.34-6.el7.remi @remi-safe
php72-php-xmlrpc.x86_64 7.2.34-6.el7.remi @remi-safe
php73-php.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-bcmath.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-cli.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-common.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-enchant.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-fpm.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-gd.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-imap.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-intl.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-json.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-ldap.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-mbstring.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-mysqlnd.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-opcache.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-pdo.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php73-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php73-php-process.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-snmp.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-soap.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-tidy.x86_64 7.3.29-1.el7.remi @remi-safe
php73-php-xml.x86_64 7.3.29-1.el7.remi @remi-safe
-
Continued
php73-php-xmlrpc.x86_64 7.3.29-1.el7.remi @remi-safe
php74-php.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-bcmath.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-cli.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-common.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-enchant.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-fpm.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-gd.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-imap.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-intl.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-json.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-ldap.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-mbstring.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-mysqlnd.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-opcache.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-pdo.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php74-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php74-php-process.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-snmp.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-soap.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-sodium.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-tidy.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-xml.x86_64 7.4.21-1.el7.remi @remi-safe
php74-php-xmlrpc.x86_64 7.4.21-1.el7.remi @remi-safe
php80-php.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-bcmath.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-cli.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-common.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-enchant.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-fpm.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-gd.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-imap.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-intl.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-ldap.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-mbstring.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-mysqlnd.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-opcache.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-pdo.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-pear.noarch 1:1.10.12-9.el7.remi @remi-safe
php80-php-pecl-xmlrpc.x86_64 1.0.0~rc2-1.el7.remi @anaconda/10.0
php80-php-pecl-zip.x86_64 1.19.3-2.el7.remi @remi-safe
php80-php-process.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-snmp.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-soap.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-sodium.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-tidy.x86_64 8.0.8-1.el7.remi @remi-safe
php80-php-xml.x86_64 8.0.8-1.el7.remi @remi-safe
proftpd.x86_64 1.3.5e-10.el7 @anaconda/10.0
pyzor.noarch 0.5.0-10.el7 @anaconda/10.0
qpsmtpd.noarch 0.96-19.el7.sme @anaconda/10.0
smeserver-audittools.noarch 1.6.0-2.el7.sme @anaconda/10.0
smeserver-clamav.noarch 2.7.0-8.el7.sme @anaconda/10.0
smeserver-extrarepositories-atomic.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-centos-sclo.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-egroupware.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-elastic.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-elrepo.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-epel.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-erlang.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-freeswitch.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-fws.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-libreswan.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-node.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-okay.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-openfusion.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-pgsql.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-reetp.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-remi-ocsinventory.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-remi-roundcube.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-remi-unsafe.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-rpmfusion.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-sogo.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-spectrum2.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-springdale.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-stephdl.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-virtualbox.noarch
0.1-31 @smeaddons
smeserver-extrarepositories-webtatic.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-xymon.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-zabbix.noarch 0.1-31 @smeaddons
smeserver-extrarepositories-zmrepo.noarch 0.1-31 @smeaddons
smeserver-fail2ban.noarch 9:0.1.18-30.el7.sme @smecontribs
smeserver-geoip.noarch 1.2-18.el7.sme @smecontribs
smeserver-horde.noarch 1.0.0-27.el7.sme @anaconda/10.0
smeserver-locale-bg.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-da.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-de.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-el.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-es.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-et.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-fr.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-he.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-hu.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-id.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-it.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-ja.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-nb.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-nl.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-pl.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-pt.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-pt_BR.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-ro.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-ru.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-sl.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-sv.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-th.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-tr.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-zh_CN.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-locale-zh_TW.noarch 2.6.0-15.el7.sme @anaconda/10.0
smeserver-php.x86_64 3.0.0-36.el7.sme @anaconda/10.0
smeserver-qpsmtpd.noarch 2.7.0-3.el7.sme @anaconda/10.0
smeserver-release.noarch 26:10.0-3.el7.sme @anaconda/10.0
smeserver-remoteuseraccess.noarch 1.3-5.el7.sme @smecontribs
smeserver-yum.noarch 2.6.0-55.el7.sme @anaconda/10.0
spamassassin.x86_64 3.4.5-1.el7.sme @anaconda/10.0
[root@www ~]#
[root@www ~]# /sbin/e-smith/audittools/templates
[root@www ~]#
[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known
drwxrwsr-x 3 apache shared 28 Oct 14 2021 /home/e-smith/files/ibays/Primary/html/.well-known
[root@www ~]#
[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
drwxrwsr-x 2 apache shared 6 Jan 17 02:18 /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
[root@www ~]#
-
Okay to catch everybody up I have been involved in several behind the scenes discussions. So My setup up consists Two domains on one server one in primary ibay and the other in another ibay
single public ip with both domains on it
here is a map to describe my setup
https://drive.google.com/file/d/1e9ecJQq2dsoEiu4OmjkUWwxyrUEI8rbZ/view (https://drive.google.com/file/d/1e9ecJQq2dsoEiu4OmjkUWwxyrUEI8rbZ/view)
So it was suggested that I try the following
db domains setprop brendasgetzlaw.com letsencryptSSLcert enabled because I didn't have a letsencrypt enabled for this domain.
Running the command here db domains show returned
[root@www ~]# db domains show
brendasgetzlaw.com=domain
Content=bsglawoffice
Description=BSG
Nameservers=localhost
letsencryptSSLcert=enabled
kspk.com=domain
Content=Primary
Description=Primary domain
Nameservers=localhost
Removable=no
SystemPrimaryDomain=yes
letsencryptSSLcert=enabled
[root@www ~]#
Then it was suggested that I run the following commands
db domains setprop brendasgetzlaw.com letsencryptSSLcert enabled
db hosts setprop www.brendasgetzlaw.com letsencryptSSLcert enabled
signal-event smeserver-letsencrypt-update
dehydrated -c -x
Which returned this below
# INFO: Using main config file /etc/dehydrated/config
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com mail.kspk.com www.kspk.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: kspk.com mail.kspk.com www.kspk.com
+ Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Apr 19 02:58:53 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 5 authorizations URLs from the CA
+ Handling authorization for brendasgetzlaw.com
+ Handling authorization for kspk.com
+ Handling authorization for mail.kspk.com
+ Handling authorization for www.kspk.com
+ Handling authorization for www.brendasgetzlaw.com
+ 5 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for brendasgetzlaw.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "public ip: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/W-VWKmh6QU-tj_ugJXchnTEqbQbJPSjLDRBQnydQqUM: 403",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/196431784397/eK-OBA",
"token": "W-VWKmh6QU-tj_ugJXchnTEqbQbJPSjLDRBQnydQqUM",
"validationRecord": [
{
"url": "http://brendasgetzlaw.com/.well-known/acme-challenge/W-VWKmh6QU-tj_ugJXchnTEqbQbJPSjLDRBQnydQqUM",
"hostname": "brendasgetzlaw.com",
"port": "80",
"addressesResolved": [
"public ip"
],
"addressUsed": "public ip"
}
],
"validated": "2023-01-19T09:08:40Z"
})
[root@www ~]#
Kinda like further up the list here when I tried it a few days ago I am wondering if I need to give the DNS a new acme challenge??
-
Here are these two
[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known
drwxrwsr-x 3 apache shared 28 Oct 14 2021 /home/e-smith/files/ibays/Primary/html/.well-known
[root@www ~]#
[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
drwxrwsr-x 2 apache shared 6 Jan 19 02:08 /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
[root@www ~]#
Let me know what else you need because I can likely provide it.
-
http://www.brendasgetzlaw.com and http://brendasgetzlaw.com both give 403 Forbidden
You don't have permission to access brendasgetzlaw.com on this server.
Any relevant error in httpd/error_log or is there something you customized?
-
start by updating your server that has a lot issues fixed in the last 2 years as you never updated it.
anaconda/10.0
do
yum update --enablerepo=smecontribs
-
Okay I will get that done.
-
Okay update is now complete and access to the second domain has been restored.
-
please show output of
rpm -q smeserver-letsencrypt
and
dehydrated -c -x
-
Done.
[root@www ~]# rpm -q smeserver-letsencrypt
smeserver-letsencrypt-0.5-24.noarch
[root@www ~]#
[root@www ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
+ Fetching account URL...
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com mail.kspk.com www.kspk.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: kspk.com mail.kspk.com www.kspk.com
+ Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Apr 19 02:58:53 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 5 authorizations URLs from the CA
+ Handling authorization for kspk.com
+ Handling authorization for mail.kspk.com
+ Handling authorization for www.kspk.com
+ Handling authorization for brendasgetzlaw.com
+ Handling authorization for www.brendasgetzlaw.com
+ 5 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for kspk.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.kspk.com authorization...
+ Challenge is valid!
+ Responding to challenge for www.kspk.com authorization...
+ Challenge is valid!
+ Responding to challenge for brendasgetzlaw.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Public IP: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc: 403"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Public IP: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc: 403","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/196457154087/29hvzQ"
["token"] "k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc"
["validationRecord",0,"url"] "http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc"
["validationRecord",0,"hostname"] "brendasgetzlaw.com"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "Public IP"
["validationRecord",0,"addressesResolved"] ["Public IP"]
["validationRecord",0,"addressUsed"] "Public IP"
["validationRecord",0] {"url":"http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc","hostname":"brendasgetzlaw.com","port":"80","addressesResolved":["public IP"],"addressUsed":"public IP"}
["validationRecord"] [{"url":"http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc","hostname":"brendasgetzlaw.com","port":"80","addressesResolved":["public IP"],"addressUsed":"public IP"}]
["validated"] "2023-01-20T07:41:10Z")
[root@www ~]#
-
2/ regarding your issue with http://www.brendasgetzlaw.com, you will have the same with http://brendasgetzlaw.com
"status": 403 means your server refuse the access to read the validation file/folder
if you try to access https://www.kspk.com/.well-known/ you will be able to see the content of the directory
on the opposite http://www.brendasgetzlaw.com/.well-known/ you hit a 403 error.
And if you try to access a non existing file you will get:
www.kspk.com : Not Found The requested URL /.well-known/acme-challenge/jpp
www.brendasgetzlaw.com : Forbidden You don't have permission to access /.well-known/acme-challenge/jpp on this server.
those behaviours is because of some modifications you did on your server.
both behaviours are not expected on a standard SME Server, as you should not be able to browse the content of the folder (i.e. list the content of the folder) for security reason as you are able in https://www.kspk.com/.well-known/ (you should indeed get a 403) but you should be able to read the content of a file you know the path in it, or get a 404 not found if the file does not exist (and not a 403).
So when Let's Encrypt try to validate the token it can not get to it because something has been modified and this is probably one of those:
- chown / chmod of the folder /home/e-smith/files/ibays/Primary/html/.well-known/ (or below)
- a .htaccess in /home/e-smith/files/ibays/Primary/html/ or in the ibay of brendasgetzlaw.com preventing access to .well-known/ and subfolder
- a custom template hidding the fragments intended to allow access to .well-known/ from any virtualhost ibays or any virtualhost related to a webapp installed with a contrib.
-
Okay the problem makes sense. However I don't know how to fix that. Since these folders are read only I don't know what I did to change that unless when I had the Lets encrypt SSL renewal errors in late 2021 that's when things went hay-wire I don't know. Like I have said I am still green. I don't understand what might be turned off here with the acme-challenge???
-
Okay you guys need an emoji on here for some eating crow because its my turn to eat that.
I have a Security Certificate now feel free to see for yourselves. Two commands for the I-bay Execution of Dynamic content and Force Secure Connections were set to Disabled NEVER thought in a million years that would be the issue at play here.
Thank you ALL for your help. Yes I feel Capitals was warranted here :) Now lets Talk Hypothetically if I were too add a 3rd domain will the lets encrypt Certificate Support that?? I remember something about 5 domains somewhere......
-
please give output of
db accounts show Primary
and also for the ibay name where the law site is.
-
Done
[root@www ~]# db accounts show Primary
Primary=ibay
CgiBin=enabled
Group=shared
Modifiable=no
Name=Primary i-bay
PasswordSet=no
Passwordable=no
PublicAccess=global
Removable=no
SSLRequireSSL=enabled
UserAccess=wr-admin-rd-group
[root@www ~]#
[root@www ~]# db accounts show bsg
bsglawoffice=ibay
CgiBin=enabled
Gid=5021
Group=shared
Name=bsg
PasswordSet=no
PublicAccess=global
SSLRequireSSL=enabled
Uid=5021
UserAccess=wr-group-rd-group
[root@www ~]#