[Freedombox-discuss] trouble configuring letsencrypt, apache, subdomains...

Sunil Mohan Adapa sunil at medhas.org
Mon Mar 4 18:56:15 GMT 2019


On 02/03/19 10:27 pm, David Mintz wrote:
[...]
> I also notice that it tries to redirect me to /plinth, which I see
> coming from the directive in freedombox.conf (which I gather is
> global, not sure how I go about overriding that just for this vhost).

The just-released version 19.2 allows you to set the home page to 'Apache
Default', which will pick up the index.html page in /var/www/html. On an
older version you can edit /etc/apache/conf-available/freedombox.conf
and change the 'RedirectMatch "^/$" "/plinth"' to whatever you wish.
(This manual change will require you to answer a conffile prompt for
the next version of the FreedomBox package upgrade, due to a small oversight.
After that, the file that will contain the redirection is
/etc/apache/conf-available/freedombox-apache-default.conf.)

> But I do think the vhost for my personal page looks correct:
> 
> <VirtualHost *:443>
> 	
> 	ServerName  lin-chi.dyndns.org
> 	ServerAdmin david at davidmintz.org
> 	DocumentRoot /opt/www/lin-chi/public
> 	SSLCertificateKeyFile /etc/letsencrypt/live/lin-chi.dyndns.org/privkey.pem
>         SSLCACertificateFile /etc/letsencrypt/live/lin-chi.dyndns.org/fullchain.pem
> 
> 	ErrorLog ${APACHE_LOG_DIR}/error.log
> 	CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> 	<Directory /opt/www/lin-chi/public >
> 		Options +Indexes +FollowSymLinks -MultiViews
> 		AllowOverride All
> 		Require all granted	
> 	</Directory>
> 
> </VirtualHost>

This configuration looks correct. FreedomBox does something very similar.

You can also use the following line instead of the above (which picks up
certificates from the Let's Encrypt directory).

Use FreedomBoxTLSSiteMacro lin-chi.dyndns.org

a2enconf freedombox-tls-site-macro
systemctl reload apache2

> and of course, I reloaded the Apache config (again and again and
> again) after changing things. No complaints from Apache.
> 
> The only way I can get it to serve my personal page is by disabling
> the RedirectMatch directive and ignoring the certificate error. I can
> live with the former, but the certificate error? No good.
> 
> Does this have to do with having the personal and the freedombox
> domains set up like this? That is, with the personal site as
> example.org and the freedombox as freedombox.example.org? Any
> suggestions?

From what I gather from the Apache documentation, this is not the case.
However, you can test this theory by temporarily disabling the subdomain
configuration: `a2dissite fbox.lin-chi.dyndns.org; systemctl reload
apache2`.

Since everything in your setup looks okay, I would:

- Ensure that the newly created configuration for lin-chi.dyndns.org is
actually enabled. Confirm a symlink from
/etc/apache2/sites-enabled/lin-chi.dyndns.org.conf to
/etc/apache2/sites-available/lin-chi.dyndns.org.conf.

- Verify that /etc/letsencrypt/live/lin-chi.dyndns.org/ actually
contains the certificates for the correct domain, and that there was no
mistake when copying the files.

- Enable debug logging by setting 'LogLevel trace4' in
/etc/apache2/apache.conf (and also in the virtualhost directives if they
overwrote), restart apache and monitor /var/log/apache2/error.log.

BTW, I hope you handled the merging of the two /etc/letsencrypt
directories and renewals are not an issue.

-- 
Sunil
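
The first two checks from the list above (site symlink, certificate
matches the domain) as an added shell example; it is not part of the
original message or of FreedomBox. APACHE_DIR, LE_LIVE and the function
names are hypothetical, chosen here so the checks can be pointed at a
test tree.

```shell
#!/bin/sh
# Added example. APACHE_DIR and LE_LIVE are hypothetical override variables;
# the defaults are the Debian paths used in the message above.
APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Succeeds only if sites-enabled/<site>.conf is a symlink that resolves to
# sites-available/<site>.conf, which is what a2ensite creates.
site_enabled() {
    link="$APACHE_DIR/sites-enabled/$1.conf"
    target="$APACHE_DIR/sites-available/$1.conf"
    [ -L "$link" ] || { echo "not enabled: $link is not a symlink" >&2; return 1; }
    [ -f "$target" ] || { echo "missing: $target" >&2; return 1; }
    [ "$(readlink -f "$link")" = "$(readlink -f "$target")" ] || {
        echo "wrong target: $link does not point at $target" >&2; return 1; }
}

# Succeeds only if the first (leaf) certificate in
# <LE_LIVE>/<domain>/fullchain.pem is valid for <domain>.
# openssl's -checkhost prints "does match" or "does NOT match".
cert_matches_domain() {
    pem="$LE_LIVE/$1/fullchain.pem"
    [ -r "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    openssl x509 -in "$pem" -noout -checkhost "$1" 2>/dev/null \
        | grep -q 'does match certificate' || {
        echo "certificate in $pem is not valid for $1" >&2; return 1; }
}

# Runs both checks and reports every failure, not just the first.
check_site() {
    rc=0
    site_enabled "$1" || rc=1
    cert_matches_domain "$1" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: $1 is enabled and its certificate matches"
    return "$rc"
}

# Stand-alone use: sh check-site.sh lin-chi.dyndns.org
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

A certificate copied from the wrong live/ directory (for example the one
issued for the subdomain) fails the second check even though Apache
reloads without complaint.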
