icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0
334 stars 28 forks

Error (AH00020: Configuration Failed) with other subdomain vhosts present #304

Closed orlitzky closed 1 year ago

orlitzky commented 1 year ago

I initially reported this in a comment on issue https://github.com/icing/mod_md/issues/301, but it appears to be separate. I've now made sure the server aliases are unique. This works,

<IfModule md_module>
  MDomain example.com www.example.com
</IfModule>

<VirtualHost 192.168.1.1:80>
  Use VhostRedirect www example.com
  RedirectMatch permanent (.*) https://www.example.com$1
</VirtualHost>

<IfModule md_module>
<IfModule ssl_module>
<VirtualHost 192.168.1.1:443>
  Use VhostDrupal www example.com
  SSLEngine on
  Use HttpsOnly
</VirtualHost>
</IfModule>
</IfModule>

but after adding

<VirtualHost 192.168.1.1:80>
  Use VhostRedirect shop example.com
  RedirectMatch permanent (.*) https://shopping.example.com/
</VirtualHost>

<IfModule ssl_module>
<VirtualHost 192.168.1.1:443>
  Use VhostRedirect shop example.com
  Use Ssl wildcard.example.com
  RedirectMatch permanent (.*) https://shopping.example.com/
</VirtualHost>
</IfModule>

the server crashes:

[Sat Dec 03 21:25:55.882111 2022] [:emerg] [pid 32181] AH00020: Configuration Failed, exiting

There is a cert for the domain in the mod_md directory, so it managed to get one, but then failed to configure the vhost to use it I guess.

icing commented 1 year ago

Can you provide a log of the failed configuration start by adding LogLevel md:trace2 at the start of your config?

orlitzky commented 1 year ago

No problem, but I'll have to wait until off-hours (US Eastern) so I don't get crucified for crashing everything.

FWIW I've pushed my collection of macros to https://github.com/orlitzky/apache2-macros

orlitzky commented 1 year ago

Leaving de-anonymized so you can see the contrast between the two that work and the one that doesn't.

It's *.gramophone.com that's giving me trouble. The non-www hosts are all essentially superfluous, but have been used for marketing campaigns or something in the past and tl;dr the customer wants them. But, they don't want to pay for certificates for those subdomains. That means (at least for now) that the non-www gramophone.com subdomains will all be serving a self-signed cert if you manage to hit them over https somehow. The www vhost, on the other hand, has a paid cert and is what I'm trying to convert to use mod_md, since it expires in a few days.

[Mon Dec 05 22:00:38.207764 2022] [mpm_prefork:notice] [pid 10378] AH00171: Graceful restart requested, doing restart

[Mon Dec 05 22:00:41.959628 2022] [md:info] [pid 10378] AH10071: mod_md (v2.4.17), initializing...
[Mon Dec 05 22:00:41.959840 2022] [md:debug] [pid 10378] mod_md.c(451): AH10037: server seems reachable via http: and reachable via https:
[Mon Dec 05 22:00:41.959853 2022] [md:debug] [pid 10378] mod_md.c(705): AH10039: Completed MD[boutiquelaurie.com, CA=(null), Proto=ACME, Agreement=accepted, renew-mode=1 renew_window=33%, warn_window=10%
[Mon Dec 05 22:00:41.959863 2022] [md:debug] [pid 10378] mod_md.c(705): AH10039: Completed MD[gramophone.com, CA=(null), Proto=ACME, Agreement=accepted, renew-mode=1 renew_window=33%, warn_window=10%
[Mon Dec 05 22:00:41.959871 2022] [md:debug] [pid 10378] mod_md.c(705): AH10039: Completed MD[physiciansresearchinstitute.org, CA=(null), Proto=ACME, Agreement=accepted, renew-mode=1 renew_window=33%, warn_window=10%
[Mon Dec 05 22:00:41.959987 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.boutiquelaurie.com:0 matches md boutiquelaurie.com (config www.boutiquelaurie.com[default, default]) for domain boutiquelaurie.com, has now 1 MDs
[Mon Dec 05 22:00:41.959995 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.boutiquelaurie.com:0 matches md boutiquelaurie.com (config www.boutiquelaurie.com[default, default]) for domain boutiquelaurie.com, has now 1 MDs
[Mon Dec 05 22:00:41.960033 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server shop.gramophone.com:0 matches md gramophone.com (config shop.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.960040 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server shop.gramophone.com:0 matches md gramophone.com (config shop.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.960046 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server lodge.gramophone.com:0 matches md gramophone.com (config lodge.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963650 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server lodge.gramophone.com:0 matches md gramophone.com (config lodge.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963661 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server kdc.gramophone.com:0 matches md gramophone.com (config kdc.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963669 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server kdc.gramophone.com:0 matches md gramophone.com (config kdc.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963679 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server solutions.gramophone.com:0 matches md gramophone.com (config solutions.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963686 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server solutions.gramophone.com:0 matches md gramophone.com (config solutions.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963695 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.gramophone.com:0 matches md gramophone.com (config www.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963703 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.gramophone.com:0 matches md gramophone.com (config www.gramophone.com[default, default]) for domain gramophone.com, has now 1 MDs
[Mon Dec 05 22:00:41.963746 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.physiciansresearchinstitute.org:0 matches md physiciansresearchinstitute.org (config www.physiciansresearchinstitute.org[default, default]) for domain physiciansresearchinstitute.org, has now 1 MDs
[Mon Dec 05 22:00:41.963752 2022] [md:debug] [pid 10378] mod_md.c(596): AH10041: Server www.physiciansresearchinstitute.org:0 matches md physiciansresearchinstitute.org (config www.physiciansresearchinstitute.org[default, default]) for domain physiciansresearchinstitute.org, has now 1 MDs
[Mon Dec 05 22:00:41.963799 2022] [md:debug] [pid 10378] md_reg.c(836): sync MDs, start
[Mon Dec 05 22:00:41.963870 2022] [md:debug] [pid 10378] md_reg.c(899): sync MDs, 3 existing, 0 moved, 0 new.
[Mon Dec 05 22:00:41.963884 2022] [md:trace2] [pid 10378] md_reg.c(1191): boutiquelaurie.com: nothing staged
[Mon Dec 05 22:00:41.963898 2022] [md:trace2] [pid 10378] md_reg.c(1191): gramophone.com: nothing staged
[Mon Dec 05 22:00:41.963909 2022] [md:trace2] [pid 10378] md_reg.c(1191): physiciansresearchinstitute.org: nothing staged
[Mon Dec 05 22:00:42.126163 2022] [md:trace2] [pid 10378] md_crypt.c(1484): read chain with 2 certs
[Mon Dec 05 22:00:42.126174 2022] [md:debug] [pid 10378] md_ocsp.c(322): md[physiciansresearchinstitute.org]: priming OCSP status
[Mon Dec 05 22:00:42.126204 2022] [md:trace2] [pid 10378] md_ocsp.c(340): md[physiciansresearchinstitute.org]: getting ocsp responder from cert
[Mon Dec 05 22:00:42.126219 2022] [md:trace2] [pid 10378] md_crypt.c(2114): ocsp responder found 'http://r3.o.lencr.org'
[Mon Dec 05 22:00:42.126287 2022] [md:debug] [pid 10378] md_ocsp.c(361): md[physiciansresearchinstitute.org]: adding ocsp info (responder=http://r3.o.lencr.org)
[Mon Dec 05 22:00:42.126488 2022] [md:trace2] [pid 10378] md_crypt.c(1484): read chain with 2 certs
[Mon Dec 05 22:00:42.126496 2022] [md:debug] [pid 10378] md_ocsp.c(322): md[physiciansresearchinstitute.org]: priming OCSP status
[Mon Dec 05 22:00:42.126516 2022] [md:trace2] [pid 10378] md_ocsp.c(340): md[physiciansresearchinstitute.org]: getting ocsp responder from cert
[Mon Dec 05 22:00:42.126528 2022] [md:trace2] [pid 10378] md_crypt.c(2114): ocsp responder found 'http://r3.o.lencr.org'
[Mon Dec 05 22:00:42.134478 2022] [md:debug] [pid 10378] md_ocsp.c(361): md[physiciansresearchinstitute.org]: adding ocsp info (responder=http://r3.o.lencr.org)
[Mon Dec 05 22:00:42.415856 2022] [md:trace2] [pid 10378] md_crypt.c(1484): read chain with 2 certs
[Mon Dec 05 22:00:42.415867 2022] [md:debug] [pid 10378] md_ocsp.c(322): md[boutiquelaurie.com]: priming OCSP status
[Mon Dec 05 22:00:42.415896 2022] [md:trace2] [pid 10378] md_ocsp.c(340): md[boutiquelaurie.com]: getting ocsp responder from cert
[Mon Dec 05 22:00:42.415911 2022] [md:trace2] [pid 10378] md_crypt.c(2114): ocsp responder found 'http://r3.o.lencr.org'
[Mon Dec 05 22:00:42.415978 2022] [md:debug] [pid 10378] md_ocsp.c(361): md[boutiquelaurie.com]: adding ocsp info (responder=http://r3.o.lencr.org)
[Mon Dec 05 22:00:42.416180 2022] [md:trace2] [pid 10378] md_crypt.c(1484): read chain with 2 certs
[Mon Dec 05 22:00:42.416187 2022] [md:debug] [pid 10378] md_ocsp.c(322): md[boutiquelaurie.com]: priming OCSP status
[Mon Dec 05 22:00:42.416208 2022] [md:trace2] [pid 10378] md_ocsp.c(340): md[boutiquelaurie.com]: getting ocsp responder from cert
[Mon Dec 05 22:00:42.416220 2022] [md:trace2] [pid 10378] md_crypt.c(2114): ocsp responder found 'http://r3.o.lencr.org'
[Mon Dec 05 22:00:42.416273 2022] [md:debug] [pid 10378] md_ocsp.c(361): md[boutiquelaurie.com]: adding ocsp info (responder=http://r3.o.lencr.org)
[Mon Dec 05 22:00:42.458344 2022] [md:trace1] [pid 10378] mod_md.c(1241): hook ssl_add_cert_files for ajmichaels.com
[Mon Dec 05 22:00:42.458353 2022] [md:debug] [pid 10378] mod_md.c(1125): AH10113: get_certificates called for vhost ajmichaels.com.
[Mon Dec 05 22:00:43.064505 2022] [md:trace1] [pid 10378] mod_md.c(742): checking duplicate ssl assignments
[Mon Dec 05 22:00:43.064614 2022] [md:trace2] [pid 10378] mod_md.c(973): md{boutiquelaurie.com}: auto_add
[Mon Dec 05 22:00:43.064618 2022] [md:trace1] [pid 10378] mod_md.c(515): md[boutiquelaurie.com]: auto add domains
[Mon Dec 05 22:00:43.064697 2022] [md:debug] [pid 10378] mod_md.c(555): AH10169: boutiquelaurie.com: https server_rec for boutiquelaurie.com does not have protocol acme-tls/1 enabled
[Mon Dec 05 22:00:43.064707 2022] [md:debug] [pid 10378] mod_md.c(555): AH10169: boutiquelaurie.com: https server_rec for www.boutiquelaurie.com does not have protocol acme-tls/1 enabled
[Mon Dec 05 22:00:43.064712 2022] [md:trace2] [pid 10378] mod_md.c(978): md{boutiquelaurie.com}: check_usage
[Mon Dec 05 22:00:43.064723 2022] [md:trace2] [pid 10378] mod_md.c(982): md{boutiquelaurie.com}: sync_finish
[Mon Dec 05 22:00:43.064743 2022] [md:trace2] [pid 10378] md_reg.c(231): md{boutiquelaurie.com}: check cert secp256r1
[Mon Dec 05 22:00:43.065178 2022] [md:debug] [pid 10378] md_reg.c(251): md{boutiquelaurie.com}: certificate(0) is ok
[Mon Dec 05 22:00:43.065185 2022] [md:trace2] [pid 10378] md_reg.c(231): md{boutiquelaurie.com}: check cert rsa
[Mon Dec 05 22:00:43.065400 2022] [md:debug] [pid 10378] md_reg.c(251): md{boutiquelaurie.com}: certificate(1) is ok
[Mon Dec 05 22:00:43.065407 2022] [md:trace2] [pid 10378] md_reg.c(270): md{boutiquelaurie.com}: state=2, (null)
[Mon Dec 05 22:00:43.065412 2022] [md:debug] [pid 10378] md_reg.c(936): loading md boutiquelaurie.com
[Mon Dec 05 22:00:43.065488 2022] [md:debug] [pid 10378] md_reg.c(938): loaded md boutiquelaurie.com
[Mon Dec 05 22:00:43.065498 2022] [md:debug] [pid 10378] md_reg.c(982): sync MDs, finish done
[Mon Dec 05 22:00:43.065502 2022] [md:trace2] [pid 10378] mod_md.c(973): md{gramophone.com}: auto_add
[Mon Dec 05 22:00:43.065505 2022] [md:trace1] [pid 10378] mod_md.c(515): md[gramophone.com]: auto add domains
[Mon Dec 05 22:00:43.065520 2022] [md:trace2] [pid 10378] mod_md.c(1021): (22)Invalid argument: post_config done
[Mon Dec 05 22:00:43.065531 2022] [:emerg] [pid 10378] AH00020: Configuration Failed, exiting

icing commented 1 year ago

This is very hard to read due to the nested macros. I am sure this works nicely for you, but as an outsider it is difficult.

The difference between the working and non-working config seems to be the added line:

  Use Ssl wildcard.example.com

which adds SSLCertificateFile and SSLCertificateKeyFile AFAICT.

Can you make a configuration without using your macros that fails similarly?

orlitzky commented 1 year ago

> This is very hard to read due to the nested macros. I am sure this works nicely for you, but as an outsider it is difficult.
>
> The difference between the working and non-working config seems to be the added line:
>
>   Use Ssl wildcard.example.com
>
> which adds SSLCertificateFile and SSLCertificateKeyFile AFAICT.

There's an entirely new subdomain vhost. The main vhost www.gramophone.com works fine:

<VirtualHost 65.246.80.24:80>
  Use VhostRedirect www gramophone.com
  RedirectMatch permanent (.*) https://www.gramophone.com$1
</VirtualHost>

<IfModule ssl_module>
<VirtualHost 65.246.80.24:443>
  Use VhostDrupal www gramophone.com
  Use Ssl www.gramophone.com
  Use HttpsOnly
</VirtualHost>
</IfModule>

but when I add a vhost that redirects a subdomain to a specific URL,

<VirtualHost 65.246.80.24:80>
  Use VhostRedirect gxc gramophone.com
  RedirectMatch permanent (.*) https://www.gramophone.com/experience-center
</VirtualHost>

<IfModule ssl_module>
<VirtualHost 65.246.80.24:443>
  Use VhostRedirect gxc gramophone.com
  Use Ssl www.gramophone.com
  RedirectMatch permanent (.*) https://www.gramophone.com/experience-center
</VirtualHost>
</IfModule>

it crashes. If it's important, the SSL I'm trying to use in the second case is invalid (it's signed for www.gramophone.com, not gxc.gramophone.com).

> Can you make a configuration without using your macros that fails similarly?

It's easy enough to copy/paste the macros into the main configuration but the real problem is that I can only test this on the production server and testing it crashes the whole thing. We've got a few hundred sites all with SLAs that I can't be crashing to save $4/year. With https://github.com/icing/mod_md/issues/301 also affecting these subdomain vhosts, I've just given up on using LE certs for anyone with a subdomain for now.

orlitzky commented 1 year ago

I haven't tried this on gramophone.com again yet, but in a few similar situations, MDMatchNames servernames from v2.4.23 looks like it solves all my problems. Optimistically closing. Thanks for all your work!
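A macro-free version of the gramophone.com setup, written out here as an added example for this thread (it is not orlitzky's configuration and not part of the mod_md project). It assumes that the MDomain for gramophone.com lists the apex and www, that the Ssl macro expands to SSLEngine plus SSLCertificateFile/SSLCertificateKeyFile as icing guessed, and uses placeholder certificate and document-root paths. The page does not show what VhostRedirect expands to, so every vhost is spelled out with a ServerName, which is the only name that MDMatchNames servernames (mod_md 2.4.23 and later) considers when linking an MD to a VirtualHost:

```apache
# Added example, not from the issue or the mod_md project. Assumptions:
# - the gramophone.com MD covers the apex and www (the issue never shows
#   this MDomain line);
# - certificate, key and DocumentRoot paths are placeholders;
# - the macros are replaced by plain ServerName/ServerAlias/SSL* lines.

LogLevel md:info

# Names mod_md manages via ACME. Every other vhost keeps its own cert.
MDomain gramophone.com www.gramophone.com

# mod_md >= 2.4.23: link an MD to a vhost only through ServerName, never
# through ServerAlias. With the default ("all"), any alias that happens to
# be in the MD's name list pulls that vhost under the MD, even when the
# vhost already carries its own SSLCertificateFile.
MDMatchNames servernames

# --- www: the site whose certificate mod_md obtains and installs -------
<VirtualHost 65.246.80.24:80>
  ServerName  www.gramophone.com
  ServerAlias gramophone.com
  RedirectMatch permanent (.*) https://www.gramophone.com$1
</VirtualHost>

<IfModule ssl_module>
<VirtualHost 65.246.80.24:443>
  ServerName  www.gramophone.com
  ServerAlias gramophone.com
  SSLEngine on
  # No SSLCertificateFile here: mod_md supplies the ACME certificate,
  # matched on ServerName www.gramophone.com, which is in the MD above.
  DocumentRoot /var/www/gramophone.com/web   # placeholder path
</VirtualHost>
</IfModule>

# --- gxc: subdomain with a pre-existing wildcard cert, redirect only ----
<VirtualHost 65.246.80.24:80>
  ServerName gxc.gramophone.com
  RedirectMatch permanent (.*) https://www.gramophone.com/experience-center
</VirtualHost>

<IfModule ssl_module>
<VirtualHost 65.246.80.24:443>
  ServerName gxc.gramophone.com
  SSLEngine on
  # Own certificate (placeholder paths). gxc.gramophone.com is not a
  # ServerName in any MD, so mod_md leaves this vhost alone and the
  # wildcard cert is what clients see.
  SSLCertificateFile    /etc/ssl/certs/wildcard.gramophone.com.pem
  SSLCertificateKeyFile /etc/ssl/private/wildcard.gramophone.com.key
  RedirectMatch permanent (.*) https://www.gramophone.com/experience-center
</VirtualHost>
</IfModule>
```

Two things to check before switching to servernames: a vhost that previously received the MD's certificate only because one of its ServerAlias entries was in the MDomain list now needs that name as its ServerName, or it ends up with SSLEngine on and no certificate at all, which mod_ssl refuses to start. And the subdomain vhost must present a certificate that actually covers its own name: the wildcard above does, whereas a certificate issued for www.gramophone.com alone (the second failing attempt in this thread) would give every visitor a name-mismatch error before the redirect is ever sent.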