> > What's the exact certificate error?

Right now, curl complains thus:

* Rebuilt URL to: https://lin-chi.dyndns.org/
*   Trying 100.35.196.222...
* TCP_NODELAY set
* Connected to lin-chi.dyndns.org (100.35.196.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

And when I ask curl to ignore the certificate error it's like so:

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=freedombox
*  start date: Dec 21 18:54:29 2018 GMT
*  expire date: Dec 18 18:54:29 2028 GMT
*  issuer: CN=freedombox
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD / HTTP/1.1
> Host: lin-chi.dyndns.org
> User-Agent: curl/7.58.0
> Accept: */*

And I think this is weird because the vhost config really does point to a
certificate that was in fact issued by LetsEncrypt, and which was working
perfectly up until I moved it all from its former machine to the freedombox.
I thought of trying to get a new certificate but to my surprise, on the
freedombox certbot said it could not configure my web server -- and I could
not figure out the cert-only method.

> Is the setup using separate certificates for each of the sites, or the same
> cert?
> If it's the latter, the certificate would have to be a "wildcard"
> certificate, supporting multiple subdomains. Let's Encrypt has been issuing
> these kinds of certificates for about a year, but as far as I know,
> freedombox is not using the option.

It's separate certificates, but yeah, as I mentioned I've been wondering
about whether it has something to do with wildcards, the subdomain, all
that. I've done some reading but I still don't fully understand all the
intricacies of PKI, TLS, etc.

Sadly, for the next couple of days I am away from my house where the
freedombox lives and at the moment I have no way to reach it via SSH to get
in there and look again.

I wonder if it would make any difference if I assigned a totally different
FQDN to the freedombox and got new certs.

---
David Mintz
https://davidmintz.org
Capitalism has failed.
https://wsws.org

On Sun, Mar 3, 2019, at 11:22 AM, Daddy wrote:
>
> On 3. 3. 2019 7:27, David Mintz wrote:
> > This issue is somewhere at the intersection of Freedombox and LetsEncrypt
> > and Apache. Hope no one minds if I bring it here.
> >
> > I am having trouble getting LetsEncrypt and Apache working together
> > properly to serve both the freedombox and a little personal website. I've
> > long been using dyndns.org for my dynamic ip and serving lin-chi.dyndns.org
> > off my desktop, and successfully using LetsEncrypt with that. I set up my
> > Freedombox hardware to use the domain fbox.lin-chi.dyndns.org, and
> > reconfigured port forwarding on my home router (Freedombox sits behind it)
> > so that ports 80 and 443 now forward to the freedombox rather than the
> > desktop. All good.
> >
> > Then I decided I wanted to move the personal site from my desktop onto the
> > freedombox. So I moved the web files, the vhost configuration, and
> > carefully copied various files and subdirectories from /etc/letsencrypt on
> > the desktop to the equivalent locations under /etc/letsencrypt on the
> > freedombox, making sure not to clobber anything, preserving symlinks, etc.
> > I enabled the vhost for lin-chi.dyndns.org with the a2ensite command.
> >
> > I can access https://fbox.lin-chi.dyndns.org properly, all that is well and
> > good. But when I try to access https://lin-chi.dyndns.org -- i.e., the
> > personal site -- what seems to be happening is that the configuration that
> > controls the subdomain fbox.lin-chi.dyndns.org is being read, so I get a
> > certificate warning about the mismatched name. I also notice that it tries
> > to redirect me to /plinth, which I see coming from the directive in
> > freedombox.conf (which I gather is global, not sure how I go about
> > overriding that just for this vhost). But I do think the vhost for my
> > personal page looks correct:
> >
> > <VirtualHost *:443>
> >
> >     ServerName lin-chi.dyndns.org
> >     ServerAdmin [email protected]
> >     DocumentRoot /opt/www/lin-chi/public
> >     SSLCertificateKeyFile /etc/letsencrypt/live/lin-chi.dyndns.org/privkey.pem
> >     SSLCACertificateFile /etc/letsencrypt/live/lin-chi.dyndns.org/fullchain.pem
> >
> >     ErrorLog ${APACHE_LOG_DIR}/error.log
> >     CustomLog ${APACHE_LOG_DIR}/access.log combined
> >
> >     <Directory /opt/www/lin-chi/public>
> >         Options +Indexes +FollowSymLinks -MultiViews
> >         AllowOverride All
> >         Require all granted
> >     </Directory>
> >
> > </VirtualHost>
> >
> > and of course, I reloaded the Apache config (again and again and again)
> > after changing things. No complaints from Apache.
> >
> > The only way I can get it to serve my personal page is by disabling the
> > RedirectMatch directive and ignoring the certificate error. I can live with
> > the former, but the certificate error? No good.
> >
> > Does this have to do with having the personal and the freedombox domains
> > set up like this? That is, with the personal site as example.org and the
> > freedombox as freedombox.example.org? Any suggestions?
> >
> > Thanks.

_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
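Editor's note, added to this thread and not part of any of the messages above: the curl output quoted in the reply is consistent with the vhost as posted, not with a PKI problem. The posted `<VirtualHost *:443>` has no `SSLEngine on`, so mod_ssl does not treat it as a TLS vhost and never matches the SNI name `lin-chi.dyndns.org` against it; the handshake is answered by the default (first-defined) TLS vhost on that port, which on a FreedomBox presents its self-signed `CN=freedombox` certificate and carries the global `/plinth` redirect. In addition, `SSLCACertificateFile` is the CA bundle Apache uses to verify *client* certificates; the server's own certificate and chain belong in `SSLCertificateFile`. The following vhost is a corrected version written for this note (it is not the poster's or FreedomBox's configuration). It reuses the paths quoted in the thread; the `*:80` redirect vhost, the separate log file names and the webroot-based certbot flow are assumptions.

```apache
# Added example (not from the thread): a TLS vhost for lin-chi.dyndns.org that
# Apache's SNI dispatch will actually select. Certificate and DocumentRoot paths
# are the ones quoted in the thread; everything else here is an assumption.

<VirtualHost *:80>
    ServerName lin-chi.dyndns.org
    DocumentRoot /opt/www/lin-chi/public
    # Keep /.well-known/acme-challenge/ reachable over plain HTTP so that
    # "certbot certonly --webroot" can complete HTTP-01 renewals; send
    # everything else to TLS. RedirectMatch patterns are PCRE, so the
    # negative lookahead is valid here.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://lin-chi.dyndns.org/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName lin-chi.dyndns.org
    ServerAdmin webmaster@localhost   # placeholder; the thread's address was elided
    DocumentRoot /opt/www/lin-chi/public

    # Without this line the vhost is not TLS-enabled at all, so mod_ssl never
    # considers it when matching the SNI name and falls back to the default
    # TLS vhost (the FreedomBox one, CN=freedombox) -- which is exactly what
    # the quoted curl output shows.
    SSLEngine on

    # The server certificate. Since Apache 2.4.8 this file may also contain the
    # intermediate chain, which is what certbot's fullchain.pem is.
    SSLCertificateFile    /etc/letsencrypt/live/lin-chi.dyndns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lin-chi.dyndns.org/privkey.pem
    # Deliberately absent: SSLCACertificateFile. It configures the trust store
    # for verifying client certificates and presents nothing to the browser,
    # so pointing it at fullchain.pem does not serve the certificate.

    # Per-site logs so this site's traffic is separable from FreedomBox's own.
    ErrorLog  ${APACHE_LOG_DIR}/lin-chi-error.log
    CustomLog ${APACHE_LOG_DIR}/lin-chi-access.log combined

    <Directory /opt/www/lin-chi/public>
        # The posted config enabled +Indexes; directory listings are off here
        # to avoid exposing the tree. Re-enable only if the listing is wanted.
        Options +FollowSymLinks -Indexes -MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Checks a practitioner would run after `a2ensite` and `systemctl reload apache2`: `apache2ctl -S` lists every vhost per port and shows whether `lin-chi.dyndns.org` is now a named `*:443` vhost rather than only the default; `openssl s_client -connect lin-chi.dyndns.org:443 -servername lin-chi.dyndns.org </dev/null | openssl x509 -noout -subject -issuer` shows which certificate is served for that SNI name, and after the fix the subject should be the Let's Encrypt certificate for `lin-chi.dyndns.org` instead of `CN=freedombox`; the `curl -sv` command from the thread then verifies without `-k`. For the "cert-only" path the reply mentions, `certbot certonly --webroot -w /opt/www/lin-chi/public -d lin-chi.dyndns.org` obtains or renews the certificate without certbot touching the Apache configuration, assuming port 80 is forwarded to the FreedomBox as the original post says it is. Whether the global `RedirectMatch` to `/plinth` from freedombox.conf still applies once the correct vhost answers is a separate question that this configuration does not address.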
