my Let's Encrypt certs "broken" overnight!
William Dudley
wfdudley at gmail.com
Tue Apr 3 13:48:19 UTC 2018
FreeBSD 10.3
I run a hobby web server, with a couple of small clubs that pay me for hosting.
I had letsencrypt certs for most of the sites I host, and they were working fine until a recent upgrade -- either apache 2.4 or openssl changed and now things are hosed.
An example:
I host www.njsbmwr.org. I have a "test" URL for development, njsbmwr.dudley.nu. Both share the same certificates, or at least, they used to.
Now, if I uncomment the <VirtualHost *:443> section for www.njsbmwr.org, apache throws an error and won't start. If I comment the section out, apache is happy but www.njsbmwr.org doesn't serve https pages.
njsbmwr.dudley.nu has almost the identical <VirtualHost *:443> section, and it works fine as https://njsbmwr.dudley.nu
The apache error I get when I enable the <VirtualHost *:443> section for www.njsbmwr.org is:
[Tue Apr 03 09:13:29.141783 2018] [ssl:emerg] [pid 49861] AH02572: Failed to configure at least one certificate and key for njsbmwr.org:80
[Tue Apr 03 09:13:29.141947 2018] [ssl:emerg] [pid 49861] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Apr 03 09:13:29.141982 2018] [ssl:emerg] [pid 49861] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Here's the <VirtualHost *:443> section that causes failure:

<VirtualHost *:443>
    ServerAdmin webmaster@dudley.nu
    ServerName www.njsbmwr.org
    DocumentRoot /usr/local/www/njsbmwr.dudley.nu
    Alias /.well-known/ /usr/local/www/.well-known/
    ScriptAlias /cgi-bin/ "/usr/local/www/njsbmwr.dudley.nu/cgi-bin/"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/fullchain.pem"
    SSLOptions +StdEnvVars
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/var/log/njsbmwr.dudley.nu-httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com www.google-analytics.com *.cloudflare.com www.paypal.com; img-src 'self' *.crystalbrook.com www.paypalobjects.com"
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    ErrorDocument 404 /errormessages/oatmeal_404.html
    ErrorDocument 500 /errormessages/oatmeal_500.html
    ErrorDocument 503 /errormessages/oatmeal_503.html
    ErrorLog /var/log/njsbmwr.dudley.nu-error_log
    CustomLog /var/log/njsbmwr.dudley.nu-access_log combined
    <Directory "/usr/local/www/njsbmwr.dudley.nu">
        Options +ExecCGI +FollowSymLinks +Includes +Indexes -SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
The ONLY difference between this section, that doesn't work, and the section that DOES work is the ServerName line (diff output, working section on the left):
< ServerName njsbmwr.dudley.nu
---
> ServerName www.njsbmwr.org
More info:
pkg info | grep apache
apache24-2.4.33 Version 2.4.x of Apache web server
pkg info | grep openssl
openssl-1.0.2o,1 SSL and crypto library
I am mystified, and running out of ideas on what to try.
I suspect the openssl I installed from a package, because of this scary warning that the apache upgrade gave me:
Message from apache24-2.4.33:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! mod_http2 on FreeBSD with OpenSSL from base results in a mostly !!
!! functionally unusable module due to lack of "Upgrade" !!
!! capability in OpenSSL 1.0.1. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
How can I re-install the openssl from base? I want to revert to that and see if it fixes my problems.
Thanks,
Bill Dudley
This email is free of malware because I run Linux.
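A check worth running on the host before enabling a <VirtualHost *:443> block, as an added example that is not part of the original email: it repeats the comparison mod_ssl performs in SSL_CTX_check_private_key (public key in the certificate vs. the private key) and additionally reports whether the certificate names the vhost's ServerName at all, which mod_ssl does not verify at startup. It assumes only the openssl command-line tool; the function name and exit codes are this example's own, and the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# check_ssl_pair CERT KEY SERVERNAME
# Exit 0: KEY matches CERT and CERT covers SERVERNAME
#      1: KEY is not the private key for CERT (the pair mod_ssl rejects
#         with AH02572 / SSL_CTX_check_private_key)
#      2: CERT does not name SERVERNAME in its subject CN or subjectAltName
#      3: a file is unreadable or openssl could not parse it
check_ssl_pair() {
    cert=$1; key=$2; name=$3
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key" >&2; return 3
    fi

    # Public key extracted from the certificate vs. derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key does not belong to $cert" >&2; return 1
    fi

    # Names the certificate is valid for: subject CN plus every DNS: SAN entry.
    cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    sans=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/DNS:|,/, " "); print }')
    for n in $cn $sans; do
        [ "$n" = "$name" ] && return 0
        case $n in   # a wildcard *.example.org covers exactly one extra label
            \*.*) [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${n#\*.}" ] && return 0 ;;
        esac
    done
    echo "NOT COVERED: $cert does not name $name" >&2
    return 2
}

# Usage with the paths from the post (run on the web host, as root):
#   check_ssl_pair /usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/cert.pem \
#                  /usr/local/etc/letsencrypt/live/njsbmwr.dudley.nu/privkey.pem \
#                  www.njsbmwr.org
```

An exit status of 2 means the vhost would start but browsers would get a name-mismatch warning; only status 1 corresponds to the startup failure in the log above.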