Good morning.
Yesterday evening I was messing around with the ownCloud server. I read in the newsletter that you can use the Let's Encrypt app to make a certificate and use HTTPS. So I did that and I used the commands in the newsletter.
ucr set apache2/force_https=yes
systemctl restart apache2.service
(https://www.univention.com/2018/07/configure-with-lets-encrypt-free-ssl-certificates-for-ucs/ )
And now I can't log in, neither over HTTP nor over HTTPS.
Now I have the error "404 Not Found !!! The requested URL was not found on this server".
So I changed the setting back to no ("ucr set apache2/force_https=no") but nothing changed.
I hope anyone can help me!
Regards Dave
ahrnke
July 27, 2018, 8:21am
2
The response looks VERY strange. The default 404 does not show 3 (three!) exclamation marks following a blank (!) character and always mentions the requested URL.
Maybe you are not connecting directly and some piece of software is altering the original response.
Maybe you changed “apache2/startsite” to a location which has a custom (and misspelled) 404 page.
Regards,
Dirk
1 Like
Hello Dirk, it works again. But not with HTTPS. Can you help me with the settings?
Is it also possible to keep the portal local and ownCloud external?
Good night,
Dave
ahrnke
July 28, 2018, 3:37pm
4
What exactly do you see when accessing your server with https?
Can you post the output from ucr search --brief apache2/ssl ?
The latest solution for this task was posted in How to deny access to /univention portal from internet - #2 by Moritz_Bunkus
Best Regards,
Dirk
1 Like
Hello Dirk,
I have no output when I use the command. Is that normal?
Gr Dave
ahrnke
July 31, 2018, 8:46am
6
shadow1232:
Is that normal?
no
Can you use the command line of any Linux host (at least use your UCS) to run the following commands:
curl -v https://yourserver.yourcompany.com
curl -v http://yourserver.yourcompany.com
Of course you should replace the hostname and sanitize the output before posting it here.
On your UCS run:
ucr search --brief apache2/ssl
Please post the output.
Best Regards,
Dirk
1 Like
Hey Dirk.
ucr search --brief apache2/ssl:
apache2/ssl/ca: <empty>
apache2/ssl/certificate: <empty>
apache2/ssl/certificatechain: <empty>
apache2/ssl/ciphersuite: <empty>
apache2/ssl/compression: <empty>
apache2/ssl/honorcipherorder: <empty>
apache2/ssl/key: <empty>
apache2/ssl/tlsv11: <empty>
apache2/ssl/tlsv12: <empty>
saml/apache2/ssl/ca: <empty>
saml/apache2/ssl/certificate: <empty>
saml/apache2/ssl/certificatechain: <empty>
saml/apache2/ssl/key: <empty>
curl -v https://yourserver.yourcompany.com:
* Rebuilt URL to: https://........../
* Trying ..........
* TCP_NODELAY set
* connect to ..... port 443 failed: Verbinding is geweigerd
* Trying ...........
* TCP_NODELAY set
* Connected to ......... (............) port 443(#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ahrnke
July 31, 2018, 12:59pm
8
The UCRV are showing that no remnants from Lets Encrypt are stored.
https is not listening according to the test with curl.
Let's try to repair:
ucr commit /etc/apache2/sites-available/*
ucr commit /etc/apache2/conf-available/*
ucr commit /etc/apache2/mods-available/*
systemctl restart apache2
systemctl status apache2
If https still doesn't come up, post the output of the last command. The last lines of /var/log/apache2/error.log may provide additional information.
1 Like
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2018-07-31 15:22:43 CEST; 5s ago
Process: 41921 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 50697 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 41930 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 41934 (apache2)
Tasks: 7 (limit: 9830)
Memory: 39.8M
CPU: 155ms
CGroup: /system.slice/apache2.service
├─41934 /usr/sbin/apache2 -k start
├─41935 /usr/sbin/apache2 -k start
├─41936 /usr/sbin/apache2 -k start
├─41937 /usr/sbin/apache2 -k start
├─41938 /usr/sbin/apache2 -k start
├─41939 /usr/sbin/apache2 -k start
└─41940 /usr/sbin/apache2 -k start
jul 31 15:22:42 owncloudx systemd[1]: Starting The Apache HTTP Server...
jul 31 15:22:43 owncloudx systemd[1]: Started The Apache HTTP Server.
ahrnke
July 31, 2018, 1:38pm
10
Still no response on https?
Is there a file /etc/apache2/sites-enabled/default-ssl.conf?
What do the last lines (look at the time stamp) in /var/log/apache2/error.log say?
1 Like
Yes, the file default-ssl exists.
Here is the error log:
[Tue Jul 31 15:09:06.249847 2018] [mpm_prefork:notice] [pid 36643] AH00169: caught SIGTERM, shutting down
[Tue Jul 31 15:19:59.096488 2018] [suexec:notice] [pid 41815] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Jul 31 15:20:01.002870 2018] [mpm_prefork:notice] [pid 41816] AH00163: Apache/2.4.25 (Univention) OpenSSL/1.0.2l mod_wsgi/4.5.11 Python/2.7 configured -- resuming normal operations
[Tue Jul 31 15:20:01.002912 2018] [core:notice] [pid 41816] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 31 15:22:42.460351 2018] [mpm_prefork:notice] [pid 41816] AH00169: caught SIGTERM, shutting down
[Tue Jul 31 15:22:42.764100 2018] [suexec:notice] [pid 41933] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Jul 31 15:22:44.002992 2018] [mpm_prefork:notice] [pid 41934] AH00163: Apache/2.4.25 (Univention) OpenSSL/1.0.2l mod_wsgi/4.5.11 Python/2.7 configured -- resuming normal operations
[Tue Jul 31 15:22:44.003031 2018] [core:notice] [pid 41934] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 31 15:35:07.818945 2018] [autoindex:error] [pid 42015] [client .........:38446] AH01276: Cannot serve directory /var/www/univention/js/umc/: No matching DirectoryIndex (inde$
ahrnke
July 31, 2018, 2:00pm
12
No smoking gun so far.
Something to compare:
root@ucs-8884:~# netstat -tulpen | grep apache2
tcp6 0 0 :::80 :::* LISTEN 0 19588 1449/apache2
tcp6 0 0 :::443 :::* LISTEN 0 19584 1449/apache2
root@ucs-8884:~# cat /etc/apache2/sites-enabled/default-ssl.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry ueberschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
#
<IfModule mod_ssl.c>
<VirtualHost *:443>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/ssl/ucs-8884.mydomain.intranet/cert.pem
SSLCertificateKeyFile /etc/univention/ssl/ucs-8884.mydomain.intranet/private.key
SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
### To enable special log format for HTTPS-access
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
# CustomLog /var/log/apache2/access.log combinedssl ## with port number
</VirtualHost>
</IfModule>
root@ucs-8884:~# ucr search --brief security/packetfilter/package/univention-apache
security/packetfilter/package/.*: <empty>
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
root@ucs-8884:~# iptables -L -n | grep 443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1 Like
tcp6 0 0 :::80 :::* LISTEN 0 2334171 41934/apache2
tcp6 0 0 :::443 :::* LISTEN 0 2334167 41934/apache2
root@owncloudx:/var/log/apache2# cat /etc/apache2/sites-enabled/default-ssl.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry ueberschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
#
<IfModule mod_ssl.c>
<VirtualHost *:443>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/ssl/owncloudx........l/cert.pem
SSLCertificateKeyFile /etc/univention/ssl/owncloudx.........private.key
SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
### To enable special log format for HTTPS-access
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
# CustomLog /var/log/apache2/access.log combinedssl ## with port number
ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
ProxyPassReverse /owncloud https://127.0.0.1:40001/owncloud
root@owncloudx:/var/log/apache2# ucr search --brief security/packetfilter/package/univention-apache
security/packetfilter/package/.*: <empty>
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
root@owncloudx:/var/log/apache2#
ahrnke
July 31, 2018, 2:19pm
14
Ok, let's summarize:
Apache is listening on port 443, which is not blocked by a local firewall rule, and should therefore at least provide a response.
What I forgot (because I didn't read your curl response) was to give the hint regarding the usage of curl with self-signed certs (like the one from the UCS CA):
# curl -k -v https://yourserver.yourcompany.com
With “-k” the untrusted cert is ignored.
1 Like
ahrnke:
curl -k -v https:
root@owncloudx:/var/log/apache2# curl -k -v https://................
* Rebuilt URL to: https://............../
* Trying 188.........
* TCP_NODELAY set
* connect to 188......... port 443 failed: Verbinding is geweigerd
* Trying ............................
* TCP_NODELAY set
* Connected to davypennings.nl (.........................) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
* start date: Jan 16 19:10:12 2017 GMT
* expire date: Jan 16 19:10:12 2047 GMT
* issuer: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: ......................
> User-Agent: curl/7.52.1
> Accept: */*
>
* Curl_http_done: called premature == 0
* Empty reply from server
* Connection #0 to host davypennings.nl left intact
curl: (52) Empty reply from server
ahrnke
July 31, 2018, 2:41pm
16
shadow1232:
Verbinding is geweigerd
I have only limited knowledge of Dutch, but I guess this means that the connection has been rejected.
In addition, the output shows the certificate from a DrayTek device.
The configuration of the UCS system might be ok; you should rather look at the port forwarding (or whatever needs to be done) on your router.
1 Like
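Added example, not from the thread or from Univention: a small Python probe that reproduces the three states this thread walked through with curl (connection refused, a certificate that is not the UCS server's, and a working UCS certificate) and prints the next debugging step. It assumes the UCS CA path shown in the default-ssl.conf above; the hostname is a placeholder.

```python
import socket
import ssl

# Path of the UCS CA certificate as shown in the thread's default-ssl.conf.
UCS_CA_FILE = "/etc/univention/ssl/ucsCA/CAcert.pem"

def probe_https(host, port=443, cafile=UCS_CA_FILE, timeout=5):
    """Connect to host:port over TLS and return (state, detail).

    "refused"   - TCP connect failed: nothing listens, or the port is not forwarded
    "untrusted" - TLS came up, but the certificate does not chain to cafile
                  (e.g. a self-signed router certificate answering instead of UCS)
    "tls-error" - handshake failed for another reason (detail is the message)
    "verified"  - certificate chains to cafile; detail is the getpeercert() dict
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # name check is done in diagnose()
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("verified", tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted", exc.verify_message)
    except ssl.SSLError as exc:
        return ("tls-error", str(exc))
    except OSError as exc:
        return ("refused", str(exc))

def diagnose(result, expected_host):
    """Turn a probe result into the next debugging step."""
    state, detail = result
    if state == "refused":
        return "refused: nothing answered on the port, check listener, firewall and port forward"
    if state == "untrusted":
        return "untrusted: cert is not issued by the UCS CA (%s), another device may be answering" % detail
    if state == "tls-error":
        return "tls-error: " + detail
    # Verified against the UCS CA: make sure it is the certificate of the expected host.
    subject = dict(rdn[0] for rdn in detail.get("subject", ()))
    sans = {value for kind, value in detail.get("subjectAltName", ()) if kind == "DNS"}
    name = subject.get("commonName", "")
    if name == expected_host or expected_host in sans:
        return "ok: UCS certificate for " + name
    return "mismatch: UCS CA issued the certificate, but for %r, not %r" % (name, expected_host)

if __name__ == "__main__":
    # Placeholder hostname; run from the UCS itself or any Linux host.
    print(diagnose(probe_https("yourserver.yourcompany.com"), "yourserver.yourcompany.com"))
```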
Yes, it works now. The problem was I forgot to change the 443 port from the VPN tunnel. Now it works.
Now it says “not secured”. But now do I need to make a certificate or something?
ahrnke
July 31, 2018, 2:55pm
18
This is the point where Let's Encrypt will help. You have to forward port 80 too, otherwise the handshake with the Let's Encrypt services will fail.
1 Like
Nice, nice. Thanks for your patience and your help. I have only one question. What I asked 2 days ago: I want to use ownCloud externally and the portal internally. I read the article about it and I tried. They talk about the “umc-access.conf” but I don't have it. So I put this
<Location /univention/>
Require ip 192.168.0.0/24 # put your local network address range here
Require all denied
</Location>
in the “ucs.config”, but then I block everything, so I don't get it. Maybe you can help me with it?
ahrnke
July 31, 2018, 4:59pm
20
shadow1232:
192.168.0.0/24
This should be replaced with your real internal network.
Be careful to edit the file - which does not exist by default - exactly as described for all other lines. I have verified that this method works with my network at home.
1 Like
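Added example, not from the thread or from Univention: a Python check of who the Location block above actually lets in, using Apache 2.4's rule that several Require directives in one Location are combined with RequireAny. The LAN address 192.168.178.0/24 and the admin workstation are constructed values; the point is that keeping the 192.168.0.0/24 placeholder when your LAN is a different subnet locks the internal admin out along with the internet.

```python
import ipaddress

PLACEHOLDER_NET = "192.168.0.0/24"   # the value from the thread; replace with your LAN

def allowed_by_require_ip(client_ip, networks):
    """Apache 2.4 semantics for a <Location> containing only 'Require ip ...'
    and 'Require all denied': the Require directives are combined with
    RequireAny and 'all denied' never matches, so the client is allowed iff
    it lies in at least one listed network. CIDR and dotted-netmask forms are
    handled; Apache's partial-address shorthand such as '192.168' is not."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def render_location(networks, path="/univention/"):
    """Render the Location block in the form the thread describes."""
    lines = ["<Location %s>" % path,
             "    Require ip %s" % " ".join(networks),
             "    Require all denied",
             "</Location>"]
    return "\n".join(lines)

def locked_out(networks, admin_ips):
    """Return the administrator addresses that would lose access to the portal
    with the given networks: the check to run before restarting Apache."""
    return [ip for ip in admin_ips if not allowed_by_require_ip(ip, networks)]

if __name__ == "__main__":
    # Constructed sample: the LAN is really 192.168.178.0/24, so the
    # placeholder locks the admin workstation out together with the internet.
    admins = ["192.168.178.20"]
    print(render_location([PLACEHOLDER_NET]))
    print("locked out with placeholder:", locked_out([PLACEHOLDER_NET], admins))
    print("locked out with real LAN:   ", locked_out(["192.168.178.0/24"], admins))
```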