[users@httpd] Apache 2.4 and letsencrypt challenge setup issue?

2017-06-20 Thread David Mehler
Hello,

I'm trying to get letsencrypt certificates working with
security/acme-client on FreeBSD 10.3, which I like much better than
the python certbot client.

That being said, I'm having a problem where authentication is failing.
Account keys are created, and from the output below it looks like the
tokens are being successfully generated but not retrieved. I'm thinking
it's an Apache configuration problem.
I've got two different runs with two different messages.

Any help appreciated.

Thanks.
Dave.

# Domain letsencrypt creation
export DS="example.com www.example.com webmail.example.com"; \
  acme-client -mvnNOC /usr/local/www/.well-known/ \
 $DS && echo $DS >> /usr/local/etc/acme/domains.txt
acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com: creating directory
acme-client: /usr/local/etc/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com/privkey.pem:
generating RSA domain key
acme-client: /usr/local/etc/acme/example.com/privkey.pem: generating
RSA account key
acme-client: adding SAN: www.example.com
acme-client: adding SAN: webmail.example.com
acme-client: adding OCSP stapling
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.217.173.130
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:196::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:197::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: www.example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: webmail.example.com
acme-client: /usr/local/www/acme//PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c:
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522:
challenge
acme-client: /usr/local/www/acme//Y8JozYRWNboKZcs1PNDoeMxw0bcQsMjFpRU4Z-10ov4:
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/TwCh4pIh3OsrT1ao6nb3THypuMeKMYyXRfKQeI711Uw/1381988564:
challenge
acme-client: /usr/local/www/acme//k5bqluXjn_93UknVNwhYv7VIT6eje9E9JzYcM4JDKtQ:
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/4AtVqZWIXB-rp87DTgLos79h5yMbO-g4FeOvldpcC9s/1381988597:
challenge
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522:
status
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status":
"invalid", "error": { "type": "urn:acme:error:unauthorized", "detail":
"Invalid response from
http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c:
\"\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\r\n\u003chtml
xmlns=\"http\"", "status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522",
"token": "PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
"keyAuthorization":
"PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c.af3ncVsUzcTQuGUzKGx9RoPA5jbhTlVq8PQocLc0-o0",
"validationRecord": [ { "url":
"http://www.example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
"hostname": "www.example.com", "port": "80", "addressesResolved": [
"66.228.47.34" ], "addressUsed": "66.228.47.34", "addressesTried": []
}, { "url": 
"http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
"hostname": "example.com", "port": "80", "addressesResolved": [
"66.228.47.34" ], "addressUsed": "66.228.47.34", "addressesTried": []
} ] }] (1350 bytes)
acme-client: bad exit: netproc(30353): 1

# second run
export DS="example.com www.example.com webmail.example.com"; \
   acme-client -mvnNOC /usr/local/www/.well-known/ \
  $DS && echo $DS >> /usr/local/etc/acme/domains.txt
acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/example.com: No such file or directory

# httpd configuration
mkdir -pm750 /usr/local/www/.well-known && chown -R www:www /usr/local/www/.well-known
# httpd.conf

Options None
AllowOverride None
Require all granted
Header add Content-Type text/plain


# virtual hosts
# The example.com http virtual host

ServerName example.com
RewriteEngine On
RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]


ServerAdmin n...@example.com
DocumentRoot "/usr/vhosts/example.com/htdocs/"
ServerName www.example.com
ServerAlias www.example.com

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's 
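
A pre-flight check for the http-01 validation this post is struggling with, as an added example that is neither acme-client's code nor part of the original message. The transfer buffer above shows two things worth checking from the outside: the token file was created under /usr/local/www/acme// while the Apache block is written around /usr/local/www/.well-known, and the validator followed the redirect from example.com to www.example.com and got a 403 with an HTML body where it expected the key authorization. The script below does what the CA does: it writes a random token into the directory you name (assumed to be whatever Apache actually maps to /.well-known/acme-challenge/), fetches it for every hostname, follows and records each redirect hop, judges the final response by the validator's rule (200, body equal to TOKEN.THUMBPRINT), and removes the file again. The script name, the User-Agent string and the stand-in thumbprint are the example's own.

```python
"""Pre-flight check for an ACME http-01 challenge, the way the CA validates it.

Added example (not acme-client's code, not from the original post): GET
http://HOST/.well-known/acme-challenge/TOKEN, follow redirects recording every
hop (the 'validationRecord' in the transfer buffer), pass only on a 200 whose
body is exactly the key authorization TOKEN.THUMBPRINT.
"""
import http.client
import os
import secrets
import ssl
import sys
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def challenge_url(host, token):
    return f"http://{host}{CHALLENGE_PATH}{token}"


def judge_response(status, body, key_auth):
    """Validator rule for the final (post-redirect) response: 200 and a body
    equal to the key authorization. Trailing whitespace is tolerated; an HTML
    error page, a directory listing or a leading BOM is a failure."""
    if status != 200:
        return False, f"HTTP {status}; body begins {body[:60]!r}"
    text = body.decode("utf-8", errors="replace").rstrip()
    if text != key_auth:
        return False, f"body mismatch; got {text[:60]!r}"
    return True, "ok"


def fetch_following_redirects(url, max_hops=10, timeout=10.0):
    """Return (status, body, hops); hops is [(url, status), ...] for every
    response seen, so a RewriteRule bouncing the bare name to www is visible.
    https hops skip certificate verification, as the CA does: the site usually
    has no trusted certificate yet when it asks for one."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme == "https":
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(parts.hostname, parts.port,
                                               timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(parts.hostname, parts.port,
                                              timeout=timeout)
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn.request("GET", target, headers={"User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        body = resp.read()
        location = resp.getheader("Location")
        conn.close()
        hops.append((url, resp.status))
        if resp.status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return resp.status, body, hops
    raise RuntimeError(f"more than {max_hops} redirects from {hops[0][0]}")


def preflight(hosts, token, key_auth):
    """Check every name that will go into the certificate.
    Returns {host: (ok, reason, hops)}."""
    results = {}
    for host in hosts:
        try:
            status, body, hops = fetch_following_redirects(challenge_url(host, token))
            ok, reason = judge_response(status, body, key_auth)
        except (OSError, RuntimeError) as exc:
            ok, reason, hops = False, f"fetch failed: {exc}", []
        results[host] = (ok, reason, hops)
    return results


def main(argv):
    """usage: acme_preflight.py CHALLENGE_DIR HOST [HOST ...]
    CHALLENGE_DIR is the directory Apache serves as /.well-known/acme-challenge/.
    A random token with a stand-in thumbprint is written there, checked, removed."""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    challenge_dir, hosts = argv[1], argv[2:]
    token = secrets.token_urlsafe(32)
    key_auth = f"{token}.{secrets.token_urlsafe(32)}"  # second half is not a real thumbprint
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_auth)
    try:
        results = preflight(hosts, token, key_auth)
    finally:
        os.remove(path)
    failed = False
    for host, (ok, reason, hops) in results.items():
        print(f"{host}: {'PASS' if ok else 'FAIL'} ({reason})")
        for url, status in hops:
            print(f"    {status} {url}")
        failed = failed or not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the web server as the user that owns the challenge directory, e.g. `python3 acme_preflight.py CHALLENGE_DIR example.com www.example.com webmail.example.com`, and re-run acme-client only once every name prints PASS. A FAIL line followed by a hop list shows exactly which vhost answered last and with what status, which is the information the CA's error message above truncates to the first few bytes of HTML.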

[users@httpd] htaccess help

2017-06-20 Thread Yuri Fontella
Good Evening,
I'm trying to create a rule with the following scenario ... I have a server
with two virtual hosts, it's the same ip.

Virtual host 1 = videos
Virtual host 2 = website

What I need is for vh2 to access the vh1 videos but not to be able to
access the videos through the vh1 url.

I managed to block by IP when another server tries to play the vh1 videos,
but not access through the vh1 URL itself.


AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/.htpasswd

SetEnvIf Server_Addr  "22.33.44.55" allow


  Require env allow
  Require valid-user



Any suggestion... Thanks.

Sincerely,
Yuri Fontella


Re: [users@httpd] mod_lua and subprocess_env

2017-06-20 Thread Andrei Ivanov
Hmm,
I was actually asking Yann about committing a patch he created.

I don't think I understand the connection with the CVEs.

On Tue, Jun 20, 2017 at 6:57 PM, Mitchell Krog Photography <
mitchellk...@gmail.com> wrote:

> Yes as it addresses a number of vulnerabilities discovered. Check mailing
> list for CVE messages sent earlier today.
>
> Kind Regards
> Mitchell Krog
> **
> Visit me at https://mitchellkrog.com
> **
> License My Images From Getty Images Here
> 
>
> or From Gallo Images Here
> 
> **
>
> On 20 June 2017 at 17:41:22, Andrei Ivanov (andrei.iva...@gmail.com)
> wrote:
>
>> Hi,
>> Seeing that 2.4.26 was released, is this a good time? 
>>
>> Thanks again.
>>
>> On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic wrote:
>>
>>> Hi Andrei,
>>>
>>> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov wrote:
>>> >
>>> > Does anybody know anything about Yann?
>>>
>>> I do :)
>>>
>>> Sorry I didn't have the time to propose something to the dev team for
>>> now, while 2.4.26 is coming soon and is very unlikely to include such
>>> a change on the core expression parser (without quite some testing and
>>> review, we can't regress here...).
>>>
>>> Once 2.4.26 is out, I'll propose/commit the patch so that we can
>>> discuss and hopefully backport it to some future 2.4.x.
>>>
>>>
>>> Regards,
>>> Yann.
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
>>>
>>


Re: [users@httpd] mod_lua and subprocess_env

2017-06-20 Thread Mitchell Krog Photography
Yes as it addresses a number of vulnerabilities discovered. Check mailing
list for CVE messages sent earlier today.

Kind Regards
Mitchell Krog
**
Visit me at https://mitchellkrog.com
**
License My Images From Getty Images Here


or From Gallo Images Here

**

On 20 June 2017 at 17:41:22, Andrei Ivanov (andrei.iva...@gmail.com) wrote:

> Hi,
> Seeing that 2.4.26 was released, is this a good time? 
>
> Thanks again.
>
> On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic wrote:
>
>> Hi Andrei,
>>
>> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov wrote:
>> >
>> > Does anybody know anything about Yann?
>>
>> I do :)
>>
>> Sorry I didn't have the time to propose something to the dev team for
>> now, while 2.4.26 is coming soon and is very unlikely to include such
>> a change on the core expression parser (without quite some testing and
>> review, we can't regress here...).
>>
>> Once 2.4.26 is out, I'll propose/commit the patch so that we can
>> discuss and hopefully backport it to some future 2.4.x.
>>
>>
>> Regards,
>> Yann.
>>
>>
>>
>


Re: [users@httpd] mod_lua and subprocess_env

2017-06-20 Thread Andrei Ivanov
Hi,
Seeing that 2.4.26 was released, is this a good time? 

Thanks again.

On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic wrote:

> Hi Andrei,
>
> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov wrote:
> >
> > Does anybody know anything about Yann?
>
> I do :)
>
> Sorry I didn't have the time to propose something to the dev team for
> now, while 2.4.26 is coming soon and is very unlikely to include such
> a change on the core expression parser (without quite some testing and
> review, we can't regress here...).
>
> Once 2.4.26 is out, I'll propose/commit the patch so that we can
> discuss and hopefully backport it to some future 2.4.x.
>
>
> Regards,
> Yann.
>
>
>


[users@httpd] forensic logs with virtual hosts

2017-06-20 Thread Rose, John B
Is there some global way to utilize mod_log_forensic with virtual hosts without 
having to add “ForensicLog logfilepathname” to every virtual host config?


Re: [users@httpd] adding footer to all web pages

2017-06-20 Thread Rose, John B
Thanks for reply.

SSI seemed to only work if an “include” was added to pages.

Using php_value in Apache or the file append in php.ini seemed the best options.

Also briefly looked at AddOutputFilter/Substitute and the cgi options. Did not 
explore mod_layout very closely.

From: Adam Powell
Reply-To: users@httpd.apache.org
Date: Thursday, May 25, 2017 at 11:04 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] adding footer to all web pages

Google Analytics, by default, only tracks pages by path.

Meaning if you add a Google Analytics snippet to all virtual hosts visitors to 
the home page of each site will be almost impossible to distinguish from each 
other in the reports...there are ways around this but you should be aware of it.

I believe you'll want to review the documentation for server side includes 
(SSI).

Adam Powell
http://www.adaminfinitum.com


On Thu, May 25, 2017 at 9:32 PM, Rose, John B wrote:

If we wanted to add a Google Analytics footer to all pages on our server, 
meaning all virtual hosts, what is the best way to do that via Apache without 
having to touch the individual web sites?



[users@httpd] server-status ACC value and MaxConnectionsPerChild

2017-06-20 Thread Bertrand Lods

Hi


[root@fusion ~]# httpd -V
Server version: Apache/2.4.6 (CentOS)
Server built:   Apr 12 2017 21:03:28
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"


This is my Apache conf for mpm_prefork_module



StartServers 5
MinSpareServers  5
MaxSpareServers 10
MaxRequestWorkers   32
MaxConnectionsPerChild  350



When I look at the server-status web interface at Acc (Number of accesses:
this connection / this child / this slot), I notice that the ACC "this child"
value doesn't tie in with my MaxConnectionsPerChild.


The process doesn't die when Acc (Number of accesses, this child) reaches 350.

Is this normal?

Cordially,

--
Bertrand LODS
DSI4 / Pole Web
Information Systems Division
Tel: 02 31 30 15 23
bertrand.l...@ac-caen.fr | www.ac-caen.fr

Rectorat de la région académique Normandie
Rectorat de l'académie de Caen
168, rue Caponière - BP 46184 - 14061 Caen cedex | Access and opening hours






Re: [users@httpd] Re: 'require' directive result

2017-06-20 Thread Marat Khalili
My 2.4.18 already logs AH01797 (client denied by server configuration) 
to a configured ErrorLog in this case. I don't use syslog myself so I 
cannot help you with this part, but quick google search shows it is 
possible in various ways.


--

With Best Regards,
Marat Khalili

On 20/06/17 11:42, Andrei Ivanov wrote:

Anybody? Can this be done in some way?

On Fri, Jun 16, 2017 at 4:23 PM, Andrei Ivanov wrote:


Hi,
Now that I've managed to configure my 'require' directive, I have
a requirement to log some details to syslog in case the request is
not authorized.


  Require expr ""
  // if expression is false, log details about the request and
maybe the SSL certificate to syslog


I've searched around, but I can't find how I could do that.

Please help.

Thank you
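
The log line Marat points to, carried on to syslog, as an added example that is neither Apache's code nor any poster's. It parses AH01797 ("client denied by server configuration") lines in the stock 2.4 error-log layout and re-emits each one through the local syslog socket as a flat key=value record. It assumes the default ErrorLogFormat (timestamp, module:level, pid with optional tid, client ip:port, message, optional ", referer: ..." suffix) and a /dev/log socket; the sample lines are constructed. Only what the line carries is forwarded, that is the client address, the denied filesystem path and the referer when Apache appended one; the certificate fields Andrei asks about are not in it.

```python
"""Forward Apache authz denials (AH01797) from the error log to syslog.

Added example, not Apache's or any poster's code. A failed 'Require' is
logged as AH01797 to the configured ErrorLog; this parses such lines and
re-emits them to syslog as key=value pairs. SAMPLE_LINES are constructed.
"""
import logging
import logging.handlers
import re
import sys

DENIAL_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[authz_core:error\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "           # threaded MPMs add :tid
    r"\[client (?P<client>[^\]]+)\] "
    r"AH01797: client denied by server configuration: (?P<target>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

SAMPLE_LINES = [  # constructed for illustration, not from a real server
    "[Tue Jun 20 11:42:07.321456 2017] [authz_core:error] [pid 4242] "
    "[client 203.0.113.7:51234] AH01797: client denied by server configuration: "
    "/var/www/html/admin/index.html",
    "[Tue Jun 20 11:42:09.000123 2017] [authz_core:error] [pid 4243:tid 139812] "
    "[client 198.51.100.9:40002] AH01797: client denied by server configuration: "
    "/var/www/html/admin/users.php, referer: https://www.example.com/admin/",
    "[Tue Jun 20 11:42:10.000000 2017] [core:notice] [pid 4240] "
    "AH00094: Command line: '/usr/sbin/httpd'",
]


def parse_denial(line):
    """Return a dict for an AH01797 line, or None for anything else."""
    m = DENIAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # client is "ip:port"; split on the last colon so IPv6 addresses survive
    ip, _, port = rec.pop("client").rpartition(":")
    rec.update(ip=ip, port=int(port), referer=rec["referer"] or "-")
    return rec


def format_denial(rec):
    """One flat key=value line per denial, easy to index downstream."""
    return ("apache-authz-deny client={ip} port={port} target={target} "
            "referer={referer} pid={pid} time=\"{time}\"").format(**rec)


def forward_denials(lines, emit):
    """Parse every line, hand formatted denials to emit(); return them."""
    out = []
    for line in lines:
        rec = parse_denial(line)
        if rec:
            msg = format_denial(rec)
            emit(msg)
            out.append(msg)
    return out


def make_syslog_emitter(address="/dev/log",
                        facility=logging.handlers.SysLogHandler.LOG_AUTH):
    """emit() callable writing to syslog; address may also be (host, port)."""
    logger = logging.getLogger("apache-authz-deny")
    logger.setLevel(logging.WARNING)
    logger.propagate = False
    if not logger.handlers:
        logger.addHandler(logging.handlers.SysLogHandler(address=address,
                                                         facility=facility))
    return logger.warning


if __name__ == "__main__":
    # usage: tail -F /var/log/httpd/error_log | python3 authz_deny_to_syslog.py
    forward_denials(sys.stdin, make_syslog_emitter())
```

Feed it the live log with `tail -F` as in the usage comment; the regex is anchored and specific to authz_core, so other error-log traffic is dropped rather than forwarded, and a non-default ErrorLogFormat only needs the pattern adjusted.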






[users@httpd] Re: 'require' directive result

2017-06-20 Thread Andrei Ivanov
Anybody? Can this be done in some way?

On Fri, Jun 16, 2017 at 4:23 PM, Andrei Ivanov wrote:

> Hi,
> Now that I've managed to configure my 'require' directive, I have a
> requirement to log some details to syslog in case the request is not
> authorized.
>
> 
>   Require expr ""
>   // if expression is false, log details about the request and maybe
> the SSL certificate to syslog
> 
>
> I've searched around, but I can't find how I could do that.
>
> Please help.
>
> Thank you
>