[Freedombox-discuss] trouble configuring letsencrypt, apache, subdomains...

David Mintz david at davidmintz.org
Mon Mar 4 17:27:31 GMT 2019


> 
> What's the exact certificate error?

Right now, curl complains thus:

* Rebuilt URL to: https://lin-chi.dyndns.org/
*   Trying 100.35.196.222...
* TCP_NODELAY set
* Connected to lin-chi.dyndns.org (100.35.196.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

And when I ask curl to ignore the certificate error it's like so:

SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=freedombox
*  start date: Dec 21 18:54:29 2018 GMT
*  expire date: Dec 18 18:54:29 2028 GMT
*  issuer: CN=freedombox
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD / HTTP/1.1
> Host: lin-chi.dyndns.org
> User-Agent: curl/7.58.0
> Accept: */*

And I think this is weird because it the vhost config really does point to a certificate that was in fact was issued by LetsEncrypt, and which was working perfectly up until I moved it all from its former machine to the freedombox.

I thought of trying to get a new certificate but to my surprise, on the freedombox certbot said it could not configure my web server -- and I could not figure out the cert-only method.

>  Is the setup using separate certificates for each of the sites, or the same cert?
> If it's the latter, the certificate would have to be "wildcard"
> certificate, supporting multiple subdomains. Let's encrypt is issuing
> these kind of certificates for about a year, but as far as I know,
> freedombox is not using the option

It's separate certificates, but yeah,  as I mentioned I've been wondering about whether it has something to do with wildcards, the subdomain, all that. I've done some reading but I still don't fully understand all the intricacies of PKI, TLS, etc. Sadly, for the next couple of days I  am away from my house where the freedombox lives and at the moment I have no way to reach it via SSH to get in there and look  again.

I wonder if it would make any difference if I assigned a totally different FQDN to the freedombox and got new certs.

---
David Mintz
https://davidmintz.org
Capitalism has failed. https://wsws.org

On Sun, Mar 3, 2019, at 11:22 AM, Daddy wrote:

> 
> On 3. 3. 2019 7:27, David Mintz wrote:
> > This issue is somewhere at the intersection of Freedombox and LetsEncrypt and Apache. Hope no one minds if I bring it here.
> >
> > I am having trouble getting LetsEncrypt and Apache working together properly to serve both the freedombox and a little personal website. I've long been using dyndns.org for my dynamic ip and serving lin-chi.dyndns.org off my desktop, and successfully using LetsEncrypt with that.  I set up my Freedombox hardware to use the domain fbox.lin-chi.dyndns.org, and reconfigured port forwarding on my home router (Freedombox sits behind it) so that ports 80 and 443 now forward to the freedombox rather than the desktop. All good.
> >
> > Then I decided I wanted to move the personal site from my desktop onto the freedombox. So I moved the web files, the vhost configuration, and carefully copied various files and subdirectories from /etc/letsencrypt on the desktop to the equivalent locations under /etc/letsencrypt on the freedombox, making sure not to clobber anything, preserving symlinks, etc. I enabled the vhost for lin-chi.dyndns.org with the a2ensite command. 
> >
> > I can access https://fbox.lin-chi.dyndns.org properly, all that is well and good. But when I try to access https://lin-chi.dyndns.org -- i.e., the personal site -- what seems to be happening is that the configuration that controls the subdomain fbox.lin-chi.dyndns.org is being read, so I get a certificate warning about the mismatched name. I also notice that it tries to redirect me to /plinth, which I see coming from the directive in freedombox.conf (which I gather is global, not sure how I go about overriding that just for this vhost). But I do think the vhost for my personal page looks correct:
> >
> > <VirtualHost *:443>
> > 	
> > 	ServerName  lin-chi.dyndns.org
> > 	ServerAdmin david at davidmintz.org
> > 	DocumentRoot /opt/www/lin-chi/public
> > 	SSLCertificateKeyFile /etc/letsencrypt/live/lin-chi.dyndns.org/privkey.pem
> >         SSLCACertificateFile /etc/letsencrypt/live/lin-chi.dyndns.org/fullchain.pem
> >
> > 	ErrorLog ${APACHE_LOG_DIR}/error.log
> > 	CustomLog ${APACHE_LOG_DIR}/access.log combined
> >
> > 	<Directory /opt/www/lin-chi/public >
> > 		Options +Indexes +FollowSymLinks -MultiViews
> > 		AllowOverride All
> > 		Require all granted	
> > 	</Directory>
> >
> > </VirtualHost>
> >
> > and of course, I reloaded the Apache config (again and again and again) after changing things. No complaints from Apache.
> >
> > The only way I can get it to serve my personal page is by disabling the RedirectMatch directive and ignoring the certificate error. I can live with the former, but the certificate error? No good.
> >
> > Does this have to do with having the personal and the freedombox domains set up like this? That is, with the personal site as example.org and the freedombox as freedombox.example.org? Any suggestions?
> >
> > Thanks.
> >



More information about the Freedombox-discuss mailing list