This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

[SPLIT] Secure Sentora Login with Let's Encrypt
#41
RE: Secure Sentora Login with Let's Encrypt
(12-09-2016, 06:50 AM)TGates Wrote: Right on, I will add your findings to the tutorial to help complete the CentOS instructions. I may also set up a CentOS VM and see how that goes, if I can make the time.

I would be more than happy to contribute, but this is behaving badly again. Right after changing the Global Sentora port from 80 to 443 and hit save, it crashed Apache 2.2

This is what Apache is now saying, but I don't know how to proceed.

I am pretty sure you will know how to assist me after looking at the Apache error log. I had no real luck with Google.

Code:
-- resuming normal operations
[Fri Dec 09 06:10:29 2016] [notice] caught SIGTERM, shutting down
[Fri Dec 09 06:17:59 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 09 06:17:59 2016] [notice] Digest: done
[Fri Dec 09 06:17:59 2016] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Fri Dec 09 06:20:02 2016] [notice] SIGHUP received.  Attempting to restart
[Fri Dec 09 06:20:02 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 09 06:20:02 2016] [notice] Digest: done
[Fri Dec 09 06:20:02 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:21:26 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:24:39 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:35:02 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)


You can see in the last entries while I tried to start Apache and get the [failed] response in the cli.

Incidentally this same mystery error, while it appeared all on its own, is what induced me to reinstall fresh - both I need stability as well to have it function. I will search on this error this week end.

Also for more info, my post about breaking Apache on page four would seem to be the same issue. In the end there I had to restore to a backup and then it worked, but it did some automated stuff with the ssl.conf file naming.

Hmm I am wondering what the difference was between the one that worked and this one which was some automated changes to ssl.conf. Looking at ssl.conf says the certificates should be in .pki and such. Could this be the issue and if so, how do we prevent it in the future?
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#42
RE: Secure Sentora Login with Let's Encrypt
I found several ideas on Google, not sure if you tried any or if you did and none of them worked? (Mostly from serverfault.com)


Just in case I'll post some of the things to check while I have it fresh in my memory Wink

D below is possibly the culprit in this issue since I wrote the tutorial using apache 2.4

A- Make sure SSLEngine on is ONLY listed inside virtual host containers that include SSL. (No 'stray' SSLEngine on's anywhere else.)
B- Make sure that a vhost entry that is not SSL is on port 80 (<VirtualHost *:80>) and not port 443 (<VirtualHost *:443>) by accident.
C- Try using Listen 443 http instead of just Listen 443
D- Change SSLCertificateChainFile (apache 2.4+) to SSLCACertificatePath (apache 2.2)
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#43
RE: Secure Sentora Login with Let's Encrypt
Thanks, that is a good start.What I plan on doing is using two identical servers and writing a script. Why might I do this? Well because the success or failure of this is illogcal. I will add anything to the thread I can find.

Generally I found the same sort of stuff on Google too now I just need to get rid of all the variables.

BTW if anyone wants to add the sub-domain "www" to their address I have not had any success with that.

(Which is fine for a control panel and I am guessing the other tutorial covers this? Yes/No)

Will keep you updated Thanks TGates,
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#44
RE: Secure Sentora Login with Let's Encrypt
Right on, looking forward to your findings!
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#45
RE: Secure Sentora Login with Let's Encrypt
Bottom line for CentOS 6.x (and likely Ubuntu)

You MUST INSTALL mod_ssl as well as openssl - openssl does not mandate the install of mod_ssl in CentOS 6.x.

A) This should be  your command in CentOS - (use apt-get for Ubuntu):

Code:
yum install mod_ssl openssl

B) No if and or buts about it. ssl.conf at this location "/etc/httpd/conf.d" ssl.conf WILL have Listen 443 in it that MUST BE COMMENTED OUT THERE!

If you do this along with TGates procedures, be them for the panel, or a domain you should have success. I can post back after I test a cert on a new domain, but for now this is based on just securing the panel; the topic of this thread.

Although I would not be shocked to have to revisit this while securing domains, but since this is done during the install of mod_ssl - I would like to think the other procedure does not over-write the ssl.conf file - but that is a fight for a new day and different guide... But I have not followed that guide yet, so if you are trying to secure a site first and you install openssl and mod-ssl, you will likely be facing the same issue. TGates, maybe in this and/or the other guide should we be telling people to expect this behavior of Apache breaking down and tell them from the get go they will need to modify their ssl.conf no matter what??? Your call Sir.  Angel
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#46
RE: Secure Sentora Login with Let's Encrypt
Edited tutorial to clarify the installation mod_ssl and openssl and added your note about ssl.conf Wink
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by: worksmarter
#47
RE: Secure Sentora Login with Let's Encrypt
(12-22-2016, 05:33 PM)TGates Wrote: Edited tutorial to clarify the installation mod_ssl and openssl and added your note about ssl.conf Wink
That looks great T. What I think my erratic troubles involved was that you can comment the Listen 443 out of the httpd-vhosts.conf file @ /etc/sentora/configs/apache. If you comment that one out it works until the job runs that breaks it again and I was left scratching my head.

I feel like a boob for not noticing this from the get-go, but that happens. I think your guide should be 100% on the money now for CentOS and Ubuntu. Thanks for the great guide as well as the patience.  Confused
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#48
RE: Secure Sentora Login with Let's Encrypt
Thanks! I did forget some steps too. Glad we got that sorted out! I also used it to update the one for regular domains also and in the docs sites Wink

I will split the post so people don't get confused reading 5 pages of trial and error fixes.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Secure Sentora Domains with Let's Encrypt TGates 27 97 ,789 06-08-2024, 05:06 PM
Last Post: andykimpe
Secure Sentora With SSLForFree Chris L 1 5 ,384 01-22-2020, 09:19 PM
Last Post: ralphharder
Fail2ban for Sentora (Centos 7) bbspike 14 49 ,006 01-14-2020, 07:32 AM
Last Post: Vedran B

Forum Jump:


Users browsing this thread: 4 Guest(s)