Why does certbot "version" domain certificate folders - versioning

I recently switched to route53 so I could “re-issue” an existing certificate as a wildcard certificate for my domain “mydomain”.
The valid non-wildcard certs files were created by
certbot certonly -d mydomain.com,foo.mydomain.com,boo.mydomain.com
and in the appropriately named directories:
/live/mydomain
/archive/mydomain
Upon running
certbot certonly --dns-route53 -d mydomain.com,*.mydomain.com”
certbot proceeded to make NEW “versioned” folders, rather than use the exiting ones:
/live/mydomain-0001
/archive/mydomain-0001
I no longer need the non-wildcard cert, I’d like to get rid of the -0001 folders. so my questions are:
Why did certbot do this?
Is there a certbot command that will clean this up?
If not, can I “move” the “-0001” files into the original folders (of course Id have to redo the soft links)?
I’m hoping for a simple way to clean this up.
Thanks

After some investigation, it appears that the original non-wild card cert was created with
certbot certonly --cert-name mydomain.com -d mydomain.com,foo.mydomain.com
but the subsequent wild-card cert was generated without the --cert-name option, so certbot likely saw the -d name string as a reason for differentiating...
Hope this helps someone...

Related

Apache2 - WSGI file not found Issue

I run bash script file through python code. The script is located /home/myscript.sh. The script convert html to pdf and print. If I run the python program in development mode it works fine but if I run in WSGI production mode it give me error "File not found" to print. But if I give access 7777 to home directory it works fine. And I need to do this access step every time whenever machine restarted. Also it not good solution.
I search a lot and change apache2.conf file
<Directory /home/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
But still there is problem. Please help me. I used Apache 2.4.9 version. Advance thanks
Update
In /etc/apache2/apache2.conf file
"User ${APACHE_RUN_USER}" and "Group ${APACHE_RUN_GROUP}"
And in envvars it sets like
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
Still problem exist.
If issue is with directory
Example /home
Move the file from /home to /var/www
sudo chown www-data:www-data /var/www/filename
or
sudo chown www-data:www-data /var/www/filename
If the issue with USB port
Example
ttyUSB0
,
ttyACM0
,
ttyACM1
Write script to change the owner
#!/bin/bash
sudo chown www-data:www-data /dev/ttyACM0
Call this script from your code using subprocess.call
But allow the user www-data to run this file as sudo with out password
sudo visudo
and add the below line in the last
www-data ALL = (ALL) NOPASSWD : /var/www/filename
or
www-data ALL = (ALL) NOPASSWD : ALL

Having trouble building docker container with certbot certs

I have a simple react app (for fun not work or school). I use EC2 to run react, express, mongo using docker. I have been trying to add SSL certs and having an awful time. I think certbot is the easiest but I have not had any luck.
Latest issue is I created the certbot certs manually on my local machine using dns challenge. So I have my "/etc/letsencrypt/live". folder with my pem files.
in my docker file I want to copy those certs to my /etc/ssl directory to use in my docker image and I get no such file exists every time. I think its because they are just sim links?
COPY /etc/letsencrypt/live/yyy.com/fullchain.pem /etc/letsencrypt
That file is in that folder but I do not know how to use it in my docker image because I cannot copy it.
My assumption is I can build this docker image locally with certs and push it to my ec2 instance and have it all work.
any help would be great or links to walk throughs? I could not find any good ones
It is not a good idea to call certbot from inside your container, because it will try to provision the same certificate multiple time.
I recommend instead one of those 3 approaches, depending on how you are using AWS:
Use AWS certificate manager with a Load Balancer or Cloudfront distribution
Use certbot in your EC2 but outside of docker along nginx (or apache2) as a reverse proxy
Use certbot in your EC2 but outside of docker and mount the folder containing the certificates as a docker volume inside your container

Configuring rundeck with ldap for AD authentication

Trying here to see if anyone has worked out LDAP auth against AD with rundeck. I am using the JRE running method for rundesk. Here is what I have done so far:
I have set up the jaas-ldap.conf as shown on Rundeck authentication users page
I have requested for a ssl certificate from my admin. To use ldaps rundeck requires ssl cert or so it's written on their site. After getting the cert, they mention following two steps:
Once a certificate has been obtained. There are two options for adding the certificate. The first involves updating the truststore for the JRE. If that is not possible or not desirable, then one can set the truststore to be used by the jvm, using any arbitrary truststore that contains the appropriate certificate.
Both options require importing a certificate. The following would import a certificate called, AD.cert into the /etc/rundeck/ssl/truststore.
keytool -import -alias CompanyAD -file AD.cert -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
To add the certificate to the JRE, locate the file $JAVA_HOME/lib/security/cacerts and run
keytool -import -alias CompanyAD -file AD.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
To verify your CA has been added, run keytool list and look for CompanyAD in the output.
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
This is where I am running into issue. I have imported my certificate to the java truststore under $JAVA_HOME/lib/security/cacerts. The ssl.properties files also ask for a keystore, keystore.password, key.password parameters. Now, am I supposed to create a new keystore or omit these and just use the truststore variables?
I also tried creating a new keystore (.jks) and imported the same ssl certificate to it setting keypass and storepass. This did not help. I am getting error saying java.io.IOException: Keystore was tampered with, or password was incorrect
I am deploying the jar using - java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Drundeck.ssl.config=ssl.properties -jar rundeck-launcher-2.6.4.jar
I'd appreciate help passing through this.
There is no need to ask your admin for the ssl certificate. If your organization uses ldaps and the certificate installed on the ldap server is a self signed cert which is not in your keystore, then you need to add the cert to your JVM keystore. Now to get that certificate run the below query
openssl s_client -connect <ldapserver>:636
This will give some output with -----BEGIN CERTIFICATE----- and ---------END CERTIFICATE--------. Copy the text between these strings to a file ldap.cert.
keytool -import -alias CompanyAD -file ldap.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit.
If your keystore is tampered probably you may have to reinstall Java in the system.

Is There Any Location Specific in Apache2

I'm using Apache2 running on Ubuntu-12.04 machine and I run my files through apache2 pointing to my folder in the local file system like
$ cd etc/apache2/
$ vi sites-enabled/000-default
And I change the location pointing to my folders in
DocumentRoot /home/user/foo/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/user/foo/>
What is the default location of Apache2 web root where if I would just copy my files the Apache server would pick it. For running hundreds of files through Apache2 each and every time I keep doing the above steps of changing the location manually. Is there any other best way of doing it.
It would be great if anyone could help me out.
If do an ls -l inside /etc/apache2/sites-enabled/ you'll see that 000-default is a symlink to /etc/apache2/sites-available/. The idea being that you create site definition files in sites-enabled, then symlink to them from sites-available... making it very simple to enable and disable sites as needed.
In fact, Ubuntu provides the a2ensite command to enable sites, and a2dissite to disable sites. This means all you have to do is create the vhost file in sites-available, then run a2ensite to enable it.
Take a look at https://help.ubuntu.com/12.04/serverguide/httpd.html for more details.

Could not reliably determine the server's fully qualified domain name

I have just installed Apache 2.2.17, and I am using it for the first time.
Now when I try to start the server using the command service httpd start it gives me the message:
httpd: Could not reliably determine the server's fully qualified domain name, using ::1 for ServerName
Now I think I have to set ServerName and the IP address as I search through Google. But I don't know in which file I have to set.
How can I fix this problem?
sudo vim /etc/apache2/httpd.conf
Insert the following line at the httpd.conf: ServerName localhost
Just restart the Apache: sudo /etc/init.d/apache2 restart
Yes, you should set ServerName:
http://wiki.apache.org/httpd/CouldNotDetermineServerName
http://httpd.apache.org/docs/current/mod/core.html#servername
You can find information on the layouts used by the various httpd distributions here:
http://wiki.apache.org/httpd/DistrosDefaultLayout
In your case the file to edit is /etc/httpd/conf/httpd.conf
I was NOT getting the ServerName wrong. Inside your VirtualHost configuration that is causing this warning message, it is the generic one near the top of your httpd.conf which is by default commented out.
Change
#ServerName www.example.com:80
to:
ServerName 127.0.0.1:80
Under Debian Squeeze;
Edit Apache2 conf file : vim /etc/apache2/apache2.conf
Insert the following line at the apache2.conf: ServerName localhost
Restart Apache2: apache2ctl restart or /etc/init.d/apache2 restart
Should work fine (it did solve the problem in my case)
tks noodl for the link on the different layouts. :)
sudo nano /etc/apache2/httpd.conf
search for a text ServerName in nano editor <Ctrl + W>
Insert the following line at the httpd.conf: ServerName localhost
Just restart the Apache: sudo /usr/sbin/apachectl restart
Another option is to ensure that the full qualified host name (FQDN) is listed in /etc/hosts.
This worked for me on Ubuntu v11.10 without having to change the default Apache configuration.
" To solve this problem You need set ServerName.
1: $ vim /etc/apache2/conf.d/name
For example set add ServerName localhost or any other name:
2: ServerName localhost
Restart Apache 2
3: $ service apache restart
For this example I use Ubuntu 11.10.1.125"
FQDN means the resolved name over DNS. It should be like "server-name.search-domain".
The warning you get just provides a notice that httpd can not find a FQDN, so it might not work right to handle a name-based virtual host. So make sure the expected FQDN is registered in your DNS server, or manually add the entry in /etc/hosts which is prior to hitting DNS.
If you are using windows there is something different sort of situation
First open c:/apache24/conf/httpd.conf.
The Apache folder is enough not specifically above path
After that you have to configure httpd.conf file.
Just after few lines there is pattern like:
#Listen _____________:80
Listen 80
Here You have to change for the localhost.
You have to enter ipv4 address for that you can open localhost.
Refer this video link and after that just bit more.
Change your environment variables:
In which you have to enter path:
c:apache24/bin
and
same in the SYSTEM variables
If any query feel free to ask.
Two things seemed to do it for me:
Put all aliases for 127.0.0.1 in /etc/hosts in a single line (e.g. 127.0.0.1 localhost mysite.local myothersite.local
Set ServerName in my httpd.conf to 0.0.0.0 (localhost or 127.0.0.1 didn't work for me)
Editing /etc/hosts got rid of long response times and setting the ServerName got rid of OP's warning for me.
who are still couldnt resolve the problem and using mac then follow this
1.goto the root folder /
cd usr/local/etc/apache2/2.4
3.sudo nano httpd.conf
4.change #servername to ServerName 127.0.0.1:8080 press ctrl+o,+return+ctrl x
5.then restart the server apachectl restart
If you are using windows, remove comment on these lines and set them as:
Line 227 : ServerName 127.0.0.1:80
Line 235 : AllowOverride all
Line 236 : Require all granted
Worked for me!
Here's my two cents. Maybe it's useful for future readers.
I ran into this problem when using Apache within a Docker container. When I started a container from an image of the Apache webserver, this message appeared when I started it with docker run -it -p 80:80 my-apache-container.
However, after starting the container in detached mode, using docker run -d -p 80:80 my-apache-container, I was able to connect through the browser.
I am using ubuntu 22.04
I installed the apache2 at the location '/usr/local/apache2'
I just edited the '/usr/local/apache2/conf/httpd.conf' file.
run the following commands
cd /usr/local/apache2/conf
sudo nano httpd.conf
find this comment
#ServerName www.example.com:80, in my case it is at line 197
after that add this
ServerName localhost
don't modify anything else in this file!
Thank you!

Resources