[Freedombox-discuss] trouble configuring letsencrypt, apache, subdomains... almost solved
David Mintz
david at davidmintz.org
Wed Mar 6 21:32:07 GMT 2019
Just to recap, the goal was to serve a little personal website using my freedombox instead of the desktop system where it has lived until recently, and to have it play nicely with freedombox. I copied over my vhost configuration and LetsEncrypt files, taking care not to clobber. I enabled the personal site (using a2ensite) and got TLS certificate errors because, as it turns out, I must have made some mistake, as a result of which the "snakeoil" cert you get by default was being used instead of the LetsEncrypt one I intended.
I read Sunil's advice, fiddled around... finally disabled the personal site and deleted its .conf, thinking it best to start over from the top with that bit of it, but left my additions to /etc/letsencrypt intact. I also commented out RedirectMatch "^/$" "/plinth" in /etc/apache2/conf-available/freedombox-tls-site-macro.conf. Then I copied my old vhost config from the desktop onto the freedombox's /etc/apache2/sites-available once again, enabled it, reloaded apache config, and... the personal page loads correctly, and /plinth loads correctly. No more certificate errors!
But! But when I try https://lin-chi.dyndns.org/plinth/sys/config/, we blow up with a 500 error:
Mar 06 15:54:04 freedombox /usr/bin/plinth[19880]: Internal Server Error: /plinth/sys/config/
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib/python3/dist-packages/plinth/modules/config/views.py", line 40, in index
    status = get_status()
  File "/usr/lib/python3/dist-packages/plinth/modules/config/views.py", line 66, in get_status
    'defaultapp': config.get_default_app(),
  File "/usr/lib/python3/dist-packages/plinth/modules/config/__init__.py", line 69, in get_default_app
    return app_path.strip('"').strip('/')
UnboundLocalError: local variable 'app_path' referenced before assignment
FWIW, this is the configuration for the vhost that I enabled:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName lin-chi.dyndns.org
        ServerAdmin webmaster@localhost
        #RedirectMatch "^/$" "/index.html" # nope
        DocumentRoot /var/www/html
        # when we do this, we get the mismatched certificate error again (CN=freedombox)
        #DocumentRoot /opt/www/lin-chi/public
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/lin-chi.dyndns.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lin-chi.dyndns.org/privkey.pem
        #Include /etc/letsencrypt/options-ssl-apache.conf
        <Directory /opt/www/lin-chi/public>
            Options +FollowSymLinks -MultiViews
            #AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
</IfModule>
Not sure if it bears mentioning that I saved this as lin-chi.tls.conf and a2ensite-enabled it without touching or disabling either default-ssl.conf or default-tsl.conf.
Anyway -- the present situation is that I can either disable RedirectMatch "^/$" "/plinth" (in freedombox.conf) and break /plinth/sys/config/, or I can enable RedirectMatch "^/$" "/plinth" but not be able to reach the personal site unless I request index.html.
I am wondering about trying to work around with mod_rewrite, but I'm hoping there's a better solution.
Any further suggestions?
Thanks.
---
David Mintz
https://davidmintz.org
Capitalism has failed. https://wsws.org
On Mon, Mar 4, 2019, at 2:09 PM, Sunil Mohan Adapa wrote:
> On 04/03/19 9:27 am, David Mintz wrote:
> [...]
> >
> > SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server accepted to use http/1.1
> > * Server certificate:
> > * subject: CN=freedombox
> > * start date: Dec 21 18:54:29 2018 GMT
> > * expire date: Dec 18 18:54:29 2028 GMT
> > * issuer: CN=freedombox
> > * SSL certificate verify result: self signed certificate (18), continuing anyway.
> >> HEAD / HTTP/1.1
> >> Host: lin-chi.dyndns.org
> >> User-Agent: curl/7.58.0
> >> Accept: */*
> >
> > And I think this is weird because the vhost config really does point to a certificate that was in fact issued by LetsEncrypt, and which was working perfectly up until I moved it all from its former machine to the freedombox.
> >
> > I thought of trying to get a new certificate but to my surprise, on the freedombox certbot said it could not configure my web server -- and I could not figure out the cert-only method.
>
> The certificate is actually the self-signed certificate that is used
> when specific domain configuration does not exist. This is not the
> certificate of the already configured subdomain.
>
> This can only mean that configuration for the new domain was not
> created/activated properly (spelling mistakes, placed in incorrect
> directory etc.). Check that it was actually enabled properly. Apache's
> debug logging should help understand the problem.
>
> [...]
>
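
One way to carry out the check Sunil suggests ("check that it was actually enabled properly"), as an added example that is not part of the original thread: a parser for `apache2ctl -S` output that reports which config file answers a given name on port 443 and whether that is only the default-server fallback, the case in which the self-signed CN=freedombox certificate is served. Both dumps, the `www` alias, the `000-default.conf` entry and the line numbers are constructed assumptions, not output from the poster's machine.

```python
import re
from fnmatch import fnmatch

# Constructed `apache2ctl -S` output (not captured from the poster's machine):
# only the default TLS vhost is active on *:443.
DUMP_FALLBACK = """\
VirtualHost configuration:
*:80                   freedombox (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server freedombox (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost freedombox (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
"""
# Same dump once the site's vhost is enabled and parsed (alias is hypothetical).
DUMP_ENABLED = DUMP_FALLBACK.replace(
    "ServerRoot:",
    "         port 443 namevhost lin-chi.dyndns.org"
    " (/etc/apache2/sites-enabled/lin-chi.tls.conf:2)\n"
    "                 alias www.lin-chi.dyndns.org\nServerRoot:")

_ADDR = re.compile(r"^\S+:(\d+)\s+(.*)$")
_ENTRY = re.compile(r"^\s+(default server|port \d+ namevhost|alias)\s+(\S+)(?: \((.+):\d+\))?")

def vhost_for(dump, host, port=443):
    """Return (config_file, is_fallback) for host:port, or None if no vhost listens there."""
    host, block_port, default, current = host.lower(), None, None, None
    for line in dump.splitlines():
        if not line[:1].isspace():                  # address line or unrelated header
            m = _ADDR.match(line)
            block_port = int(m.group(1)) if m else None
            if m and block_port == port and m.group(2) != "is a NameVirtualHost":
                single = re.match(r"(\S+) \((.+):\d+\)", m.group(2))
                if single:                          # a lone vhost answers every name
                    return single.group(2), single.group(1).lower() != host
            continue
        m = _ENTRY.match(line) if block_port == port else None
        if not m:
            continue
        kind, name, conf = m.group(1), m.group(2).lower(), m.group(3)
        if kind == "default server":
            default = conf                          # used when no name matches
        elif kind == "alias":
            if fnmatch(host, name):                 # ServerAlias may contain wildcards
                return current, False
        else:
            current = conf
            if name == host:
                return conf, False
    return (default, True) if default else None
```

On a live system the input would be the text printed by `apache2ctl -S`; a result with `is_fallback` set to `True` means requests for that name land on the default vhost and get its certificate.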