[BlueOnyx:25079] Re: Problem Lets Encrypt SSL Certificate Subdomain - fixed

Gerrit Haas Gerrit.Haas at blackpoint.de
Thu Sep 2 03:42:16 -05 2021


Hi Michael,
It looks like there are some configurations being put in the config that
do not match the Apache version.


AH00526: Syntax error on line 37 of
/etc/httpd/conf.d/subdomains/site68-sportabzeichen.xxx.de.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'

Also Cipher-Suites and curves are defined in a different way.

In the browser, subdomain is not accessible with error

[authz_core:error] [pid 4098] [client 80.xx.88.185:1061] AH01630: client
denied by server configuration: /usr/sausalito/ui/web/error, referer:
https://sportabzeichen.xxx.de/

Permissions look good. (Also user/grp under which mod_ruid runs)

Also permissions on the file look strange.
[root@netz ~]# ls -la
/etc/httpd/conf.d/subdomains/site68-sportabzeichen.xx.de.conf
-r-xr--r-- 1 root root 2671 Sep  2 10:38
/etc/httpd/conf.d/subdomains/site68-sportabzeichen.tv-xxx.de.conf

Best regards from Bad Vilbel

Gerrit Haas
System administrator
-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael
Stauber
Sent: Wednesday, 1 September 2021 23:06
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25078] Re: Problem Lets Encrypt SSL Certificate Subdomain
- fixed

Hi Gerrit,

> I tried to create an  SSL Certificate via Lets Encrypt using 
> additional subdomains.
> Problem is: only the subdomain is transmitted in the request. The 
> domain and TLD part is missing.

My apologies for the delay. I finally had a chance to debug this deeply
enough to find the root cause of the issue.

YUM Updates have been published for 5209R and 5210R which fix this issue.

Here is how the problem came about:

In the past the CCEd Object 'Subdomain' only had a 'hostname' field, as it
was directly tied into the Vsite. Recently it also inherited a 'domainname'
field, which is usually set to the domainname of the Vsite that it belongs
to.

This was necessary, because sometimes the domain name of a subdomain is NOT
equal to the domain name of the Vsite, but to the FQDN of the Vsite instead
(long story). Like when the Vsite itself doesn't have a 'www'-hostname.

On the "SSL" / "Let's Encrypt" GUI page where you request the SSL
certificate we aggregate the FQDNs of Subdomains into the aliases that we
want to request an SSL certificate for. Provided you also request the SSL
certificate to be valid for all or certain Subdomains.

If a Subdomain was created BEFORE the CODB Schema change of the 'Subdomain'
Object, then the 'domainname' field may be empty, because previously (when
the Subdomain was created) that field didn't exist.

Subsequently a Cert request would then attempt to acquire an SSL certificate
with validity for a Subdomain where the hostname part was missing from the
request.

In the updated base-ssl for 5209R and 5210R that GUI page now checks if the
'Subdomain' Object in question has an empty 'domainname' field. If so, it
will be augmented with the hostname of the Vsite to form a complete and
working request.

--
With best regards

Michael Stauber
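The FQDN aggregation described above, with the pre-fix behaviour beside the fixed one, as an added Python example that is not BlueOnyx's base-ssl code. The 'hostname'/'domainname' field names follow the post; falling back to the Vsite's domain name when a Subdomain's 'domainname' is empty, and refusing to submit a request containing an incomplete name, are my assumptions.

```python
from dataclasses import dataclass


@dataclass
class Vsite:
    hostname: str    # "www", or "" when the Vsite has no www-hostname
    domainname: str  # e.g. "example.test"

    @property
    def fqdn(self) -> str:
        return f"{self.hostname}.{self.domainname}" if self.hostname else self.domainname


@dataclass
class Subdomain:
    hostname: str
    domainname: str = ""  # empty on records created before the schema change


def legacy_subdomain_fqdn(sub: Subdomain) -> str:
    """Pre-fix behaviour: trust 'domainname' blindly, so an empty field
    yields a bare hostname with a trailing dot (the bug in the thread)."""
    return f"{sub.hostname}.{sub.domainname}"


def subdomain_fqdn(sub: Subdomain, vsite: Vsite) -> str:
    """Fixed behaviour: fill an empty 'domainname' from the Vsite
    (assumption: the Vsite's domainname is the right fallback)."""
    return f"{sub.hostname}.{sub.domainname or vsite.domainname}"


def is_complete_fqdn(name: str) -> bool:
    """At least two labels, every label non-empty and made of hostname characters."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)


def build_san_list(vsite, subdomains, selected=None, fqdn_of=subdomain_fqdn):
    """Aggregate the Vsite FQDN and the chosen Subdomain FQDNs into the SAN
    list, raising instead of sending a request that contains a broken name."""
    names = [vsite.fqdn]
    for sub in subdomains:
        if selected is None or sub.hostname in selected:
            names.append(fqdn_of(sub, vsite))
    names = list(dict.fromkeys(names))  # drop duplicates, keep order
    bad = [n for n in names if not is_complete_fqdn(n)]
    if bad:
        raise ValueError(f"incomplete name(s) in certificate request: {bad}")
    return names


if __name__ == "__main__":
    # constructed sample: one pre-schema-change record, one current record
    vsite = Vsite("www", "example.test")
    subs = [Subdomain("sportabzeichen"), Subdomain("shop", "example.test")]
    print(build_san_list(vsite, subs))
    try:
        build_san_list(vsite, subs, fqdn_of=lambda s, v: legacy_subdomain_fqdn(s))
    except ValueError as err:
        print("legacy:", err)
```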
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx