
Apache and let's encrypt

Solved by Tursiops

Hello everyone,

 

So for the context: I'm currently trying to setup a diaspora installation on my private VPS system. I've installed all the packages, and done all the configuration necessary, but I'm missing an important part without which I cannot go forward. I can't generate a let's encrypt certificate because It's ending in error. 

First it's telling me when launching the "certbot --apache" command that "No names were found in the configuration files" When I've properly configured the apache server with the diaspora.conf file and disabled the default 000-default.conf file.

Then if I go ahead and input the domain name I want to register which is pod.diasporing.ch I get the following message:

Failed authorization procedure. pod.diasporing.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xx.xx.xx.xx:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: pod.diasporing.ch
   Type:   connection
   Detail: Failed to connect to xx.xx.xx.xx:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

 

I've checked the A record of my domain and it's correct.

I've also checked in iptables to make sure that port 443 is open and listening and it is.

I've also checked on the apache side to make sure that it's listening on https, and it is.

 

I don't know what to do anymore.

 

Thanks for your help.


Quote

 DNS A record(s) for that domain contain(s) the right IP address

 

Did you check this? I can not get to the domain with 

This site can’t provide a secure connection

diasporing.ch sent an invalid response.
Try running Connectivity Diagnostics.
ERR_SSL_PROTOCOL_ERROR

 


10 minutes ago, vorticalbox said:

Did you check this? I can not get to the domain with 


This site can't provide a secure connection

diasporing.ch sent an invalid response.
Try running Connectivity Diagnostics.
ERR_SSL_PROTOCOL_ERROR

 

Ok so here is my DNS configuration.

I've done a ping on pod.diasporing.ch and diasporing.ch and both reply.

I might add www.diasporing.ch for good measure.

[attached image: DNS.PNG]

Ok while digging around a bit more on my apache configuration I've found that:

 

apache2 -t -D DUMP_VHOSTS
[Mon Sep 26 09:33:39.462260 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Mon Sep 26 09:33:39.462326 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Mon Sep 26 09:33:39.462349 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Mon Sep 26 09:33:39.462364 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Mon Sep 26 09:33:39.462382 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Sep 26 09:33:39.482345 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[Mon Sep 26 09:33:39.482793 2016] [core:warn] [pid 22009] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}

 

I might have done something I didn't notice because it didn't do that a few days ago.


Quick question, is this for an external webserver that will be facing the internet or local area webserver that will only face the local network?


4 minutes ago, Lurick said:

Quick question, is this for an external webserver that will be facing the internet or local area webserver that will only face the local network?

It's an external webserver. It will be used as an alternative to facebook, for my family members and other close friends.


Just now, Tursiops said:

It's an external webserver. It will be used as an alternative to facebook, for my family members and other close friends.

Alright, just wanted to make sure. As for the problem itself I would check on line 74 of your apache config file and make sure there isn't a typo somewhere.


4 minutes ago, Lurick said:

Alright, just wanted to make sure. As for the problem itself I would check on line 74 of your apache config file and make sure there isn't a typo somewhere.

Line 74 looks like this:

 

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default        (<- Line 74)

 


The strange thing is that if I use the "apache2ctl -S" command I get all the options correct:

 

apache2ctl -S
VirtualHost configuration:
*:80                   diasporing.ch (/etc/apache2/sites-enabled/diaspora.conf:3)
*:443                  diasporing.ch (/etc/apache2/sites-enabled/diaspora.conf:9)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

 

 

But not with "apache2 -t -D DUMP_VHOSTS"


Ok so there is progress, with the command: "certbot --authenticator standalone --installer apache" I managed to create the certificate. But now my webserver is defaulting to diasporing.ch instead of www.diasporing.ch which is giving an SSL error.
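The post above gets a certificate issued but then sees an SSL error because the vhost answers for diasporing.ch while the browser asks for www.diasporing.ch, i.e. a name that the certificate's subjectAltName does not cover. As an added example (not code from this thread), the Python below reports which intended hostnames a SAN list leaves uncovered, using RFC 6125-style matching; the SAN list is a constructed sample modelled on the thread, and fetch_san_names() connects to a live host, validating the chain but not the name so a mismatch can still be inspected.

```python
import socket
import ssl


def hostname_matches(hostname, san_names):
    """RFC 6125-style DNS-ID match: case-insensitive, a single wildcard only
    as the whole leftmost label, and a wildcard never covers the apex name."""
    host = hostname.lower().rstrip(".")
    for pattern in san_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]                  # e.g. ".diasporing.ch"
            if host.endswith(suffix):
                left = host[: -len(suffix)]   # the label replacing "*"
                if left and "." not in left:  # exactly one extra label
                    return True
    return False


def uncovered_names(wanted, san_names):
    """Hostnames in `wanted` that no SAN entry covers (should be empty)."""
    return [h for h in wanted if not hostname_matches(h, san_names)]


def fetch_san_names(host, port=443, timeout=5.0):
    """Return the DNS SAN entries the server presents for `host` (sent as SNI).
    Chain validation stays on; only the hostname check is disabled so a
    misconfigured vhost can be diagnosed instead of raising immediately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # verify_mode remains CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the names the thread wants served vs. a certificate that
# was issued for only two of them.
WANTED_NAMES = ["diasporing.ch", "www.diasporing.ch", "pod.diasporing.ch"]
SAMPLE_SAN = ["diasporing.ch", "pod.diasporing.ch"]

if __name__ == "__main__":
    missing = uncovered_names(WANTED_NAMES, SAMPLE_SAN)
    print("not covered by certificate:", missing or "none")
```

Run `uncovered_names(WANTED_NAMES, fetch_san_names("www.example.invalid"))` with your own hostname to check a live server; every name in the list should come back covered before the vhost is put in front of users.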


How did you fix the www error? Just curious.
