Koozali.org: home of the SME Server

letsencrypt and server-manager

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #15 on: February 07, 2017, 05:11:30 PM »
ok..
Code:
config show modSSL

Code:
[root@ethelbert ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/911networks.com/chain.pem
    CommonName=ethelbert.911networks.com
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/911networks.com/cert.pem
    key=/etc/dehydrated/certs/911networks.com/privkey.pem
    status=enabled
[root@ethelbert ~]#


about logs: /var/log/http/*admin* are the files to check

Code:
View log files
Log file "httpd-admin/current" is empty!

and looking at /var/log/httpd/access_log

All are status code: 200: ok except for this line that is 307 redirect, but no other error.

Code:
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET //server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager HTTP/1.1" 200 468 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /favicon.ico HTTP/1.1" 200 601 "https://192.168.1.14//server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Geck

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt and server-manager
« Reply #16 on: February 07, 2017, 05:13:35 PM »

and looking at /var/log/httpd/access_log

All are status code: 200: ok except for this line that is 307 redirect, but no other error.

Code:
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET //server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager HTTP/1.1" 200 468 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /favicon.ico HTTP/1.1" 200 601 "https://192.168.1.14//server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Geck

you need to look at the admin_error_log and admin_access_log

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #17 on: February 07, 2017, 05:23:01 PM »
you need to look at the admin_error_log and admin_access_log

No error that I can see:

/var/log/httpd/admin_access_log:

Code:
127.0.0.1 - - [07/Feb/2017:08:02:28 -0800] "GET /server-manager HTTP/1.1" 307 334
127.0.0.1 - - [07/Feb/2017:08:02:28 -0800] "GET /server-common/cgi-bin/login?back=https%3a%2f%2fethelbert.911networks.com%2fserver-manager HTTP/1.1" 200 481
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/cgi-bin/login?redirect=1&back=https%3A%2F%2Fethelbert.911networks.com%2Fserver-manager HTTP/1.1" 200 1522
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/css/tkt.css HTTP/1.1" 200 674
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/smeserver_logo.jpg HTTP/1.1" 200 6447
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/btn_donateCC_LG.gif HTTP/1.1" 200 3592
127.0.0.1 - - [07/Feb/2017:08:02:34 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:44 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:49 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308

and

/var/log/httpd/admin_error_log: Viewed at Tue 07 Feb 2017 08:21:45 AM PST.
Code:
[Thu Feb 02 07:14:01 2017] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 02 07:14:01 2017] [notice] Digest: done
[Thu Feb 02 07:14:01 2017] [notice] Apache/2.2.15 (Unix) mod_auth_tkt/2.1.0 configured -- resuming normal operations
[Thu Feb 02 07:14:15 2017] [notice] caught SIGTERM, shutting down
[Thu Feb 02 07:16:06 2017] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 02 07:16:06 2017] [notice] Digest: done
[Thu Feb 02 07:16:07 2017] [notice] Apache/2.2.15 (Unix) mod_auth_tkt/2.1.0 configured -- resuming normal operations

Offline michelandre

Re: letsencrypt and server-manager
« Reply #18 on: February 07, 2017, 09:33:26 PM »
Hi ElFroggio,

https://www.ethelbert.911networks.com/
WARNING: This site is trying to identify itself with invalid information. (my translation)

Alternative names for the certificate:
Non critique
Nom DNS: 911networks.com
Nom DNS: ethelbert.911networks.com
Nom DNS: ethelbert.sritch.com
Nom DNS: mail.911networks.com
Nom DNS: mail.sritch.com
Nom DNS: www.sritch.com

Try to use a TEST certificate (so you will not overrun the 5/7 limit) and add www.ethelbert.911networks.com to the file /etc/dehydrated/domains.txt

I will also check the definition of domain ethelbert.911networks.com in Server Manager of both servers. How did ethelbert.911networks.com answer the challenge? There is a redirection somewhere because it is local?

My 2 cents

Michel-André

Offline Stefano

Re: letsencrypt and server-manager
« Reply #19 on: February 07, 2017, 09:43:20 PM »
michelandre, seeing the modSSL setup I'd guess that ElFroggio is using smeserver-letsencrypt contrib, not the dehydrated script alone..

using the domains.txt file, AFAIK, will result in many certs, one for each domain (and its hosts)

so, ElFroggio, please tell us how are you using dehydrated/letsencrypt and how did you install it

thank you

Offline michelandre

Re: letsencrypt and server-manager
« Reply #20 on: February 07, 2017, 09:55:00 PM »
Hi Stefano,

I will issue only one certificate if the domains are all in one line only and separated by space. Limit is around 100 domains +/-.
I will issue one certificate for each line if the domains are all on different lines.

I do not know the contrib but my Let's Encrypt client uses the same path as above.

Michel-André
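
The one-certificate-per-line rule from Reply #20, combined with the name mismatch reported in Reply #18, as an added example that is not part of any post in this thread. The domains.txt content is constructed from the alternative names quoted in Reply #18, the helper names are hypothetical, and the first name on a line is assumed to name the certificate, as in the certs/911networks.com path shown in Reply #15.

```shell
#!/bin/sh
# Added example, not from the thread. The domains.txt content below is
# constructed from the alternative names quoted in Reply #18.
sample_domains() {
cat <<'EOF'
# constructed sample: every non-comment line becomes one certificate
911networks.com ethelbert.911networks.com ethelbert.sritch.com mail.911networks.com mail.sritch.com www.sritch.com
EOF
}

# Drop CRs, lowercase, skip blank lines and lines starting with '#'
# (assumed to be ignored by the client as well).
normalize() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' | awk 'NF && $1 !~ /^#/'
}

# count_certs: one certificate per remaining line (domains.txt on stdin).
count_certs() {
    normalize | awk 'END { print NR }'
}

# cert_for_host HOST: print the first name of each line that lists HOST
# exactly (hypothetical helper). Exit status 1 if no line lists it.
cert_for_host() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    normalize | awk -v h="$host" '
        { for (i = 1; i <= NF; i++) if ($i == h) { print $1; found = 1; break } }
        END { exit(found ? 0 : 1) }'
}

echo "certificates requested: $(sample_domains | count_certs)"
for h in ethelbert.911networks.com www.ethelbert.911networks.com; do
    if primary=$(sample_domains | cert_for_host "$h"); then
        echo "$h: listed on the certificate whose first name is $primary"
    else
        echo "$h: not listed, a browser will report a name mismatch"
    fi
done
```

To check a real file instead of the sample, pipe it in: `cert_for_host ethelbert.911networks.com < /etc/dehydrated/domains.txt`.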

Offline Stefano

Re: letsencrypt and server-manager
« Reply #21 on: February 07, 2017, 09:55:42 PM »
doh, I learned something new, my bad :-)
thank you

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #22 on: February 07, 2017, 10:39:37 PM »
https://www.ethelbert.911networks.com/
WARNING: This site is trying to identify itself with invalid information. (my translation)

There is no www.ethelbert.911networks.com, just ethelbert.911networks.com

I will also check the definition of domain ethelbert.911networks.com in Server Manager of both servers. How did ethelbert.911networks.com answer the challenge? There is a redirection somewhere because it is local?

There's a redirection but not on 911networks.com, just on sritch.com

Thanks

Syv

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #23 on: February 07, 2017, 10:42:17 PM »
michelandre, seeing the modSSL setup I'd guess that ElFroggio is using smeserver-letsencrypt contrib, not the dehydrated script alone..

using the domains.txt file, AFAIK, will result in many certs, one for each domain (and its hosts)

so, ElFroggio, please tell us how are you using dehydrated/letsencrypt and how did you install it

I used dehydrated and not the contrib. It's not even installed. I just followed https://wiki.contribs.org/Letsencrypt part 3 and 4.

Offline michelandre

Re: letsencrypt and server-manager
« Reply #24 on: February 08, 2017, 05:46:52 AM »
Hi ElFroggio,

As a last hope I would try this.
Using Reverse Proxy on the main server to redirect Internet traffic to the local server.

At your registrar, add a CNAME record for ethelbert that points to the public IP of 911networks.com

In Server Manager on local server, create domain: ethelbert.911networks.com with the DNS Servers: from the Internet.

Configuration of the main server 911networks.com as a Reverse Proxy
Code:
# db domains set ethelbert.911networks.com domain
# db domains setprop ethelbert.911networks.com Nameservers internet
# db domains setprop ethelbert.911networks.com ProxyPassTarget http://LOCAL_IP_OF_ethelbert.911networks.com
# db domains setprop ethelbert.911networks.com TemplatePath ProxyPassVirtualHosts
# signal-event domain-create ethelbert.911networks.com

On main server, check with Server Manager and the domain ethelbert.911networks.com should be there.

Code:
# db domains show
...
ethelbert.911networks.com=domain
    Nameservers=internet
    ProxyPassTarget=http://LOCAL_IP_OF_ethelbert.911networks.com/
    TemplatePath=ProxyPassVirtualHosts
...

Code:
# ping -c 2 ethelbert.911networks.com
INSTALL "TOR" AND GOTO: https://www.ethelbert.911networks.com

Install Let's Encrypt on the local machine and ask for a TEST certificate.
Let's Encrypt will send the challenge to ethelbert.911networks.com and the local server will answer.

*** UNINSTALLING ***
On main server: 911networks.com
Code:
# db domains delete ethelbert.911networks.com
# signal-event domain-modify
# db domains show | grep ethelbert.911networks.com

I tried this scenario before on a local server to test certificate from Let's Encrypt and it worked.

Michel-André