Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on a Directadmin server where a client had a Node.js application for which Apache had to proxy to port 3001. Because of this, Letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. The solution is simple: you have to exclude the proxy when .well-known/acme-challenge/ is requested.

This was the error when trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}

So I added the “ProxyPass !” directive just before the place where I create the proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
   ProxyPass !
</Location>

<Location />
   Require all granted
   ProxyPass http://127.0.0.1:3000/
   ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . .

Then I was able to make a request to .well-known/acme-challenge successfully:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt
It works!

I hope this helps! 🙂

Nice way to do HTTP to HTTPS redirection with Apache .htaccess

I had some sites on a shared hosting environment for which I had to do HTTP to HTTPS redirection with an .htaccess file. I did a 302 redirection intentionally so that, in case of an error, the browser doesn’t cache the redirection. You can also make a permanent 301 redirect if needed.

This is a nice and simple way to do it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]

Directadmin/Letsencrypt – Domain does not exist on the system. Unable to find your.hostname.com in /etc/virtual/domainowners

A few days ago I was doing a complete migration of an old Directadmin server to a new Directadmin server which had a different hostname. Everything went well, but I was unable to register a Letsencrypt SSL certificate for the new server hostname.

I was getting an error like this:

[root@myserver scripts]# ./letsencrypt.sh request my.server.com 4096
Domain does not exist on the system. Unable to find my.server.com in /etc/virtual/domainowners. Exiting...
no valid domain found - exiting

The first thing I did was to add the new hostname as a domain to the user admin. The certificate was indeed registered then, but not as the server hostname (/usr/local/directadmin/conf/cacert.pem). I deleted the domain then.

After a little search I found out that I had forgotten to change the servername variable in directadmin.conf. So I changed it and restarted Directadmin, but I was getting the same error. In the end I found out that the easiest way to fix this is to change the hostname in the Directadmin administration.

  1. Go to Directadmin as the admin user and navigate to Administrator Settings, then set some temporary hostname in Server’s Hostname. Let’s say my.server2.com.
  2. Wait until cron makes the changes – you should see the new hostname in Administrator Settings when refreshing the page.
  3. Go into Administrator Settings again and change Server’s Hostname back to your old hostname – my.server.com.
  4. Run letsencrypt.sh again.

This time, the certificate was registered successfully.

[root@myserver scripts]# ./letsencrypt.sh request my.server.com 4096
Setting up certificate for a hostname: my.server.com
Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
...


Get SSL certificate expiry date quickly and easily with ckcrt script

SSL certificates are a daily routine of my work, so it was regular practice to check the expiry date of a live certificate through the Chrome browser -> Developer tools. It is quite time-consuming and annoying work if you have to repeat it. So I made this very simple bash script with which you can check the expiry date and some other certificate information quickly, from your terminal. This will work on OS X or Linux machines. Of course, you must have OpenSSL installed on your machine in order to use this script.


Directadmin – install Letsencrypt SSL certificate on server hostname

Letsencrypt is a revolutionary step forward in web security. Free, valid SSL certificates for everyone. I won’t write about how to install and configure letsencrypt on a Directadmin machine. I will show only how to generate and install a letsencrypt certificate on your Directadmin hostname.

When you installed Letsencrypt on Directadmin and tried to install a certificate for your server hostname, there is a possibility that you ran into this problem: HTTP/1.1 400 Bad Request

Just do this:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

And then install the certificate on your server hostname:

/usr/local/directadmin/scripts/letsencrypt.sh request my.serverhostname.com 4096

Open your Directadmin configuration file and change:

SSL=0 to SSL=1

Also add this:

carootcert=/usr/local/directadmin/conf/carootcert.pem

Restart Directadmin and you should be set.

PHP: SSL operation failed with code 1

If you installed PHP 5.6 or greater and your application returns something like this:

SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL...

Then there is a simple fix for that. You can override OpenSSL’s default CA bundle with the one below.

  1. Download this cert bundle.
  2. Add this line to your php.ini file:
    openssl.cafile=/path/to/your/downloaded/cacert.pem
  3. Restart apache/nginx and you should be OK.

SSH without your certificate / override ssh certificate

If you want to test whether users can ssh to a server with their passwords, but your attempt is overridden by your ssh certificate, this is how you can do it:

ssh user@my.hostname.com -o PreferredAuthentications=password

How to transfer SSL certificate from Linux to Windows

Sometimes you may want to transfer your SSL certificate to a Windows environment. So if you are searching for how to transfer it and found this article, then I’m sure that you know how to install a certificate on a Linux or Windows machine. Otherwise there are a million tutorials that you can find on Google. I will explain how to transfer your certificate from Linux to Windows.

First, you need to create a .pem file. This file must contain the private key and the certificate (.key and .crt). Open your favorite text editor (vi) and paste the content of your key and certificate files into one file. You must paste them in that order with a line break: first the key and then the crt. Save this file as sslcertificate.pem.

On an IIS server you’ll need a file in p12 format. You can simply create a p12 file by executing the command below on your Linux machine. You’ll have to define a password for your .p12 file. Remember this password because you’ll need it later!

openssl pkcs12 -export -in sslcertificate.pem -out sslcertificate.p12   # replace the file names with your own

Transfer your freshly created sslcertificate.p12 file to your Windows machine. You’ll import sslcertificate.p12 into IIS. On the Windows machine, find the properties of your website in IIS and then go into the Directory Security tab. Click on the Server Certificate button and then select the Import option. It will then ask you to locate the file. You need to change the scope to All files, as otherwise the sslcertificate.p12 file won’t be visible. When you select the sslcertificate.p12 file, you’ll be asked to enter the password. Enter the password that you defined in step 3. This is it! You have transferred the SSL certificate from Linux to Windows.
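Two of the posts above lean on the same OpenSSL plumbing: the ckcrt post (checking a certificate's expiry from the terminal instead of through the browser) and this one (packing a .key and .crt into a .p12 for IIS). The script below is an added example written for this page; it is not the blog's ckcrt script and not a Directadmin or IIS tool. It assumes only that openssl is on PATH. The self-signed key/certificate pair it generates for example.test is a constructed stand-in for your real files, the P12_PASS environment variable is an assumed convention for passing the export password (so the password never lands on a command line or in shell history), and the extra chain-file parameter is an assumption that goes a little beyond the post, since IIS usually wants intermediates bundled too.

```shell
#!/bin/sh
# Added example: inspect certificate expiry and repackage key + cert as PKCS#12.
set -eu

# Constructed sample input: a throwaway self-signed key/cert valid for 30 days,
# standing in for the real .key/.crt files the posts talk about.
make_sample_cert() {            # make_sample_cert DIR -> DIR/site.key, DIR/site.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" >/dev/null 2>&1
}

# ---- expiry check: the terminal replacement for Chrome -> Developer tools ----

cert_subject()   { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()    { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Days until notAfter. GNU date (Linux) first, BSD date (OS X) as fallback;
# the trailing " GMT" is stripped and -u used so both parse the time as UTC.
cert_days_left() {              # cert_days_left FILE
    end=$(cert_not_after "$1" | sed 's/ GMT$//')
    end_s=$(date -u -d "$end" +%s 2>/dev/null \
         || date -j -u -f "%b %d %H:%M:%S %Y" "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Exit status 0 if the certificate expires within DAYS (handy for a cron alert).
# -checkend does the date math inside openssl, so no date(1) portability issues.
# Note: an unreadable file also yields "expires", which is the safe failure mode.
cert_expires_within_days() {    # cert_expires_within_days FILE DAYS
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Expiry of the certificate a live server actually presents (SNI set). Needs network.
live_cert_not_after() {         # live_cert_not_after HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# ---- PEM -> PKCS#12 for IIS ----

# Build the combined PEM the post describes (key first, then certificate) and
# export it. The password comes from $P12_PASS (assumed convention), not argv.
pem_to_p12() {                  # pem_to_p12 KEY CRT OUT.p12 [CHAIN.crt]
    tmp=$(mktemp)               # mktemp creates the file mode 0600
    cat "$1" "$2" > "$tmp"
    if [ -n "${4:-}" ]; then
        openssl pkcs12 -export -in "$tmp" -certfile "$4" -out "$3" -passout env:P12_PASS
    else
        openssl pkcs12 -export -in "$tmp" -out "$3" -passout env:P12_PASS
    fi
    rm -f "$tmp"
}

# Read the subject back out of the .p12: proves the file opens with the password
# before it is copied to the Windows machine.
p12_subject() {                 # p12_subject FILE.p12
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/^subject= *//'
}

main() {
    work=$(mktemp -d)
    make_sample_cert "$work"
    echo "subject:   $(cert_subject "$work/site.crt")"
    echo "issuer:    $(cert_issuer "$work/site.crt")"
    echo "notAfter:  $(cert_not_after "$work/site.crt")"
    echo "days left: $(cert_days_left "$work/site.crt")"
    if cert_expires_within_days "$work/site.crt" 14; then
        echo "WARNING: certificate expires within 14 days"
    fi
    P12_PASS="example-password"; export P12_PASS    # constructed password
    pem_to_p12 "$work/site.key" "$work/site.crt" "$work/site.p12"
    echo "p12 holds: $(p12_subject "$work/site.p12")"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not installed" >&2; fi
```

Run it as-is to see the sample certificate's details, or source the file and call `cert_days_left /path/to/live.crt` or `live_cert_not_after mydomain.com` against your own material. `cert_expires_within_days FILE 14` is the piece worth dropping into a cron job; the other functions exist to show the same numbers Developer tools would.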

© 2024 geegkytuts.net