404 Not Found ! Https Error

owncloud
letsencrypt

#1

Good morning.

Yesterday evening I was messing around with the ownCloud server. I read in the newsletter that you can use the Let's Encrypt app to make a certificate and use https. So I did that and I used the commands from the newsletter.

  • ucr set apache2/force_https=yes
  • systemctl restart apache2.service

(https://www.univention.com/2018/07/configure-with-lets-encrypt-free-ssl-certificates-for-ucs/)

And now I can't log in, neither via HTTP nor HTTPS.

Now I have the error “404 Not Found !!! The requested URL was not found on this server”

So I changed it back with “ucr set apache2/force_https=no”, but nothing changed.

I hope anyone can help me!

Regards Dave



#2

The response looks VERY strange. The default 404 does not show 3 (three!) exclamation marks following a blank (!) character and always mentions the requested URL.
Maybe you are not connecting directly and some piece of software is altering the original response.
Maybe you changed “apache2/startsite” to a location which has a custom (and misspelled) 404 page.

Regards,
Dirk


#3

Hello Dirk, it works again. But not with https. Can you help me with the settings?
Is it also possible to keep the portal local and owncloud external?

Good Night,
Dave


#4

What exactly do you see when accessing your server with https?
Can you post the output from ucr search --brief apache2/ssl?

The latest solution for this task was posted in How to deny access to /univention portal from internet

Best Regards,
Dirk


#5

Hello Dirk,
I have no output when I use the command. Is that normal?

Gr Dave


#6

no :wink:

Can you use the command line of any Linux host (at least your UCS) to run the following commands:

curl -v https://yourserver.yourcompany.com
curl -v http://yourserver.yourcompany.com

Of course you should replace the hostname and sanitize the output before posting it here.

On your UCS run:

ucr search --brief apache2/ssl

Please post the output.

Best Regards,
Dirk


#7

Hi Dirk.

ucr search --brief apache2/ssl:

apache2/ssl/ca: <empty>
apache2/ssl/certificate: <empty>
apache2/ssl/certificatechain: <empty>
apache2/ssl/ciphersuite: <empty>
apache2/ssl/compression: <empty>
apache2/ssl/honorcipherorder: <empty>
apache2/ssl/key: <empty>
apache2/ssl/tlsv11: <empty>
apache2/ssl/tlsv12: <empty>
saml/apache2/ssl/ca: <empty>
saml/apache2/ssl/certificate: <empty>
saml/apache2/ssl/certificatechain: <empty>
saml/apache2/ssl/key: <empty>

curl -v https://yourserver.yourcompany.com:

* Rebuilt URL to: https://........../
*   Trying ..........
* TCP_NODELAY set
* connect to ..... port 443 failed: Verbinding is geweigerd
*   Trying ...........
* TCP_NODELAY set
* Connected to ......... (............) port 443(#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

#8

The UCRVs show that no remnants of Let's Encrypt are stored.
https is not listening according to the test with curl.

Lets try to repair:

ucr commit /etc/apache2/sites-available/*
ucr commit /etc/apache2/conf-available/*
ucr commit /etc/apache2/mods-available/*
systemctl restart apache2
systemctl status apache2

If https still doesn't come up, post the output of the last command. The last lines of /var/log/apache2/error.log may provide additional information.


#9
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-07-31 15:22:43 CEST; 5s ago
  Process: 41921 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 50697 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
  Process: 41930 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 41934 (apache2)
    Tasks: 7 (limit: 9830)
   Memory: 39.8M
      CPU: 155ms
   CGroup: /system.slice/apache2.service
           ├─41934 /usr/sbin/apache2 -k start
           ├─41935 /usr/sbin/apache2 -k start
           ├─41936 /usr/sbin/apache2 -k start
           ├─41937 /usr/sbin/apache2 -k start
           ├─41938 /usr/sbin/apache2 -k start
           ├─41939 /usr/sbin/apache2 -k start
           └─41940 /usr/sbin/apache2 -k start

jul 31 15:22:42 owncloudx systemd[1]: Starting The Apache HTTP Server...
jul 31 15:22:43 owncloudx systemd[1]: Started The Apache HTTP Server.

#10

Still no response on https?
Is there a file /etc/apache2/sites-enabled/default-ssl.conf?

What do the last lines (look at the time stamp) in /var/log/apache2/error.log say?


#11

Yes, the file default-ssl exists.

Here is the error log:

[Tue Jul 31 15:09:06.249847 2018] [mpm_prefork:notice] [pid 36643] AH00169: caught SIGTERM, shutting down
[Tue Jul 31 15:19:59.096488 2018] [suexec:notice] [pid 41815] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Jul 31 15:20:01.002870 2018] [mpm_prefork:notice] [pid 41816] AH00163: Apache/2.4.25 (Univention) OpenSSL/1.0.2l mod_wsgi/4.5.11 Python/2.7 configured -- resuming normal operations
[Tue Jul 31 15:20:01.002912 2018] [core:notice] [pid 41816] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 31 15:22:42.460351 2018] [mpm_prefork:notice] [pid 41816] AH00169: caught SIGTERM, shutting down
[Tue Jul 31 15:22:42.764100 2018] [suexec:notice] [pid 41933] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Jul 31 15:22:44.002992 2018] [mpm_prefork:notice] [pid 41934] AH00163: Apache/2.4.25 (Univention) OpenSSL/1.0.2l mod_wsgi/4.5.11 Python/2.7 configured -- resuming normal operations
[Tue Jul 31 15:22:44.003031 2018] [core:notice] [pid 41934] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 31 15:35:07.818945 2018] [autoindex:error] [pid 42015] [client .........:38446] AH01276: Cannot serve directory /var/www/univention/js/umc/: No matching DirectoryIndex (inde$

#12

No smoking gun so far.

Something to compare:

root@ucs-8884:~# netstat -tulpen | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      0          19588      1449/apache2        
tcp6       0      0 :::443                  :::*                    LISTEN      0          19584      1449/apache2        

root@ucs-8884:~# cat /etc/apache2/sites-enabled/default-ssl.conf 
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
# 

<IfModule mod_ssl.c>

<VirtualHost *:443>
	IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
	SSLEngine on
	SSLProxyEngine on
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerName off
	SSLProxyCheckPeerExpire off
	SSLCertificateFile /etc/univention/ssl/ucs-8884.mydomain.intranet/cert.pem
	SSLCertificateKeyFile /etc/univention/ssl/ucs-8884.mydomain.intranet/private.key
	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

	#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

	### To enable special log format for HTTPS-access
	# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
	# CustomLog /var/log/apache2/access.log combinedssl	## with port number




</VirtualHost>
</IfModule>

root@ucs-8884:~# ucr search --brief security/packetfilter/package/univention-apache
security/packetfilter/package/.*: <empty>
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT

root@ucs-8884:~# iptables -L -n | grep 443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

#13
tcp6       0      0 :::80                   :::*                    LISTEN      0          2334171    41934/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      0          2334167    41934/apache2

root@owncloudx:/var/log/apache2# cat /etc/apache2/sites-enabled/default-ssl.conf

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
#

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/ssl/owncloudx........l/cert.pem
        SSLCertificateKeyFile /etc/univention/ssl/owncloudx.........private.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

        #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        ### To enable special log format for HTTPS-access
        # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
        # CustomLog /var/log/apache2/access.log combinedssl     ## with port number



        ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
        ProxyPassReverse /owncloud https://127.0.0.1:40001/owncloud

root@owncloudx:/var/log/apache2# ucr search --brief security/packetfilter/package/univention-apache
security/packetfilter/package/.*: <empty>
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
root@owncloudx:/var/log/apache2#

#14

OK, let's summarize:

Apache is listening on port 443 which is not blocked by a local firewall rule and should therefore at least provide a response.
What I forgot (because I didn't read your curl response) was to give the hint regarding the usage of curl with self-signed certs (like the one from the UCS CA):

# curl -k -v https://yourserver.yourcompany.com

With “-k” the untrusted cert is ignored.


#15
root@owncloudx:/var/log/apache2# curl -k -v https://................
* Rebuilt URL to: https://............../
*   Trying 188.........
* TCP_NODELAY set
* connect to 188......... port 443 failed: Verbinding is geweigerd
*   Trying ............................
* TCP_NODELAY set
* Connected to davypennings.nl (.........................) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
*  start date: Jan 16 19:10:12 2017 GMT
*  expire date: Jan 16 19:10:12 2047 GMT
*  issuer: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: ......................
> User-Agent: curl/7.52.1
> Accept: */*
>
* Curl_http_done: called premature == 0
* Empty reply from server
* Connection #0 to host davypennings.nl left intact
curl: (52) Empty reply from server

#16

I have only limited knowledge of Dutch, but I guess this means that the connection has been rejected.
In addition the output shows the certificates from a DrayTek device.

The configuration of the UCS system might be OK; you should rather look at the port forwarding (or whatever needs to be done) on your router.
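
The diagnosis in this thread came from reading three different curl -v transcripts by eye (port refused in #7, self-signed chain in #7, a router's certificate plus an empty reply in #15). The following script is an added example, not code from the thread or from Univention: it classifies a saved "curl -v https://host" transcript so the failing stage is named before anyone touches the Apache configuration. The hostname cloud.example.com, the address 203.0.113.10 and the four sample transcripts are constructed for the example; the subject line with CN=Vigor Router mirrors the one posted in #15.

```shell
#!/bin/sh
# Added example (not from the thread): classify a saved "curl -v https://host"
# transcript so the failing stage is obvious before any Apache config is touched.
# The expected hostname is compared against the CN curl prints on its "subject:" line.
# Usage:  classify_curl_transcript cloud.example.com < transcript.txt

has() { printf '%s\n' "$transcript" | grep -q -e "$1"; }   # is the pattern in the transcript?
add() { findings="${findings:+$findings }$1"; }            # collect findings, space separated

classify_curl_transcript() {
    host="$1"
    transcript="$(cat)"
    findings=""

    # No TCP session at all: nothing on the far side accepts port 443
    # (firewall, missing port forward, or Apache not listening).
    if ! has '^\* Connected to '; then
        has 'port 443 failed' && add CONNECTION_REFUSED
        echo "${findings:-UNKNOWN}"
        return 0
    fi

    if has '^\* SSL connection using'; then
        # TLS completed (trusted chain or curl -k). Check who actually answered:
        # exact CN match only; a wildcard or SAN-only certificate is flagged for review.
        cn=$(printf '%s\n' "$transcript" \
             | sed -n 's/^\*  *subject: .*CN=\([^;]*\).*/\1/p' | head -n 1)
        [ -n "$cn" ] && [ "$cn" != "$host" ] && add "CN_MISMATCH(cn=$cn)"
        has 'Empty reply from server' && add EMPTY_REPLY
    else
        # curl aborted the handshake itself because the chain is not in its CA bundle.
        # Re-run with -k only to inspect the certificate, never as a fix for clients.
        has 'SSL certificate problem' && add UNTRUSTED_CERT
    fi
    echo "${findings:-OK}"
}

# Constructed sample transcripts (abbreviated curl -v output).
SAMPLE_REFUSED=$(cat <<'EOF'
* Rebuilt URL to: https://cloud.example.com/
*   Trying 203.0.113.10...
* connect to 203.0.113.10 port 443 failed: Connection refused
* Closing connection 0
curl: (7) Failed to connect to cloud.example.com port 443: Connection refused
EOF
)
SAMPLE_SELFSIGNED=$(cat <<'EOF'
* Connected to cloud.example.com (203.0.113.10) port 443 (#0)
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
EOF
)
SAMPLE_ROUTER=$(cat <<'EOF'
* Connected to cloud.example.com (203.0.113.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
*  issuer: C=TW; ST=HsinChu; L=HuKou; O=DrayTek Corp.; OU=DrayTek Support; CN=Vigor Router
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: cloud.example.com
* Empty reply from server
curl: (52) Empty reply from server
EOF
)
SAMPLE_GOOD=$(cat <<'EOF'
* Connected to cloud.example.com (203.0.113.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=cloud.example.com
*  issuer: O=Example CA; CN=Example Root
< HTTP/1.1 200 OK
EOF
)

for name in REFUSED SELFSIGNED ROUTER GOOD; do
    eval "sample=\$SAMPLE_$name"
    printf '%-11s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_curl_transcript cloud.example.com)"
done
```

CN_MISMATCH plus EMPTY_REPLY is exactly the #15 situation: the TLS peer is a different device than the UCS host, so the fix belongs on the router, not in default-ssl.conf. UNTRUSTED_CERT only says the chain is not in the client's bundle; it is expected for the UCS CA certificate and goes away once a publicly trusted certificate (for example from Let's Encrypt) is installed.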


#17

Yes, it works now. The problem was that I forgot to change port 443 from the VPN tunnel. Now it works.

Now it says “not secured”. But now do I need to make a certificate or something?


#18

This is the point where Let's Encrypt will help. You have to forward port 80 too, otherwise the handshake with the Let's Encrypt services will fail.


#19

Nice, nice. Thanks for your patience and your help. I have only one question. What I asked 2 days ago is that I want to use ownCloud externally and the portal internally. I read the article about it and I tried. They talk about the “umc-access.conf” but I don't have it, so I put this

    <Location /univention/>
    Require ip 192.168.0.0/24 # put your local network address range here
    Require all denied
    </Location>

in the “ucs.config”, but then I block everything, so I don't get it. Maybe you can help me with it?


#20

This should be replaced with your real internal network.

Be careful to edit the file - which does not exist by default - exactly as described for all other lines. I have verified that this method works with my network at home.
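
The linked article itself is not part of this thread, so as an added example (not Univention's code and not the article's content) here is the shape of the access rule that keeps /univention/ (portal and UMC) reachable only from the internal network while the proxied /owncloud path stays reachable from outside, together with a small check that the network range you type actually covers your clients. Assumptions: the file name umc-access.conf is taken from #19; the directory /etc/apache2/ucs-sites.conf.d/ is chosen because the default-ssl.conf shown in #12 includes every *.conf from it (verify that the port-80 site includes the same directory, or the rule only applies to https); 192.168.0.0/24 and the client addresses are constructed placeholders for the real LAN range.

```shell
#!/bin/sh
# Added example (not from the thread or the linked article): render the Apache 2.4
# snippet for /etc/apache2/ucs-sites.conf.d/umc-access.conf (assumed location) and
# sanity-check the network range against real client addresses before restarting.

# With only "Require ip" inside <Location>, the implicit RequireAny denies every
# other client, so no extra "Require all denied" is needed. Note that httpd does not
# accept a trailing "# comment" on a directive line; keep comments on their own line.
render_portal_acl() {
    cat <<EOF
# keep portal / UMC internal; /owncloud is not affected by this block
<Location /univention/>
    Require ip $1
</Location>
EOF
}

ip_to_int() {  # dotted quad -> integer, e.g. 192.168.0.42 -> 3232235562
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr NET/BITS IP : exit 0 when IP lies inside NET/BITS, the same prefix test
# that "Require ip" applies. A bare address is treated as a /32.
in_cidr() {
    case $1 in */*) ;; *) set -- "$1/32" "$2" ;; esac
    net=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

LAN=192.168.0.0/24   # constructed; replace with the real internal range
render_portal_acl "$LAN"

# Addresses as they would appear in the [client ...] field of error.log / access.log.
for client in 192.168.0.42 10.0.0.7; do
    if in_cidr "$LAN" "$client"; then
        echo "$client: allowed to reach /univention/"
    else
        echo "$client: denied (portal stays internal)"
    fi
done
```

Before tightening, look at the [client ...] addresses in /var/log/apache2/error.log and access.log: if internal users arrive with the router's address (NAT, VPN), that is the range to list, which is the "real internal network" point made above. A client that does not pass in_cidr here will get 403 from Apache, so if everything is blocked, the range is wrong rather than the directive. After writing the file, run apachectl configtest and then the systemctl restart apache2 from #8.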