Hello - likely something I missed - domain secured with Let's Encrypt - all checks and tests from here https://www.ssllabs.com/ssltest say it is valid, but no lock, and the Univention portal only shows under http. Thanks for your help.
Hi,
What's the exact error when you replace the portal URL with https instead of http?
Are there entries in /var/log/apache2/error.log when you (re-)start the Apache2 service or when you try to access the system with https?
Best Regards,
Dirk Ahrnke
ProxyPass /openproject/ http://127.0.0.1:40003/openproject/ retry=0
ProxyPassReverse /openproject/ http://127.0.0.1:40003/openproject/
ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
ProxyPassReverse /owncloud https://127.0.0.1:40001/owncloud
ProxyPass /wordpress https://127.0.0.1:40004/wordpress retry=0
ProxyPassReverse /wordpress https://127.0.0.1:40004/wordpress
Sorry for the wall of text …
I think the problem shown in the Apache log is related to the way you have configured the proxy for your bdcloud.
Usually the default Apache configuration does not care which hostname is used to access the pages.
My private server at home is ucs01.somedomain.tld. I can access it from the internet just using somedomain.tld. In addition I created a DNS record somedomain.someotherdomain.tld pointing to somedomain.tld. While having Let's Encrypt configured for all external hostnames I can use both names to connect without any modifications in UCS-Apache.
I may be wrong, but I believe the issue is related to the fact that the ServerName and ServerAlias directives you have added are just mentioning the bdcloud system. And the Apache log says that it got no configuration.
Looks like you're right - owncloud uses index.php as here:
https://www.liquidweb.com/kb/apache-error-no-matching-directoryindex-index-html-found-solved/
Should I try it, or do you think it would break it? Should it go into the virtual host above somewhere, or be added to the Apache stack?
Thank you so much for your help! So - it turned out I used an A name instead of a CNAME to build the subdomain … so now the subdomain pops up no problem! I still am not able to secure the Univention portal with SSL, even though it checks as valid in testing … likely something simple.
Hi,
from my experience it is not advisable to change things in the configuration files that are to be modified by UCS through templates and UCR-variables.
This is what I tried without changing the default-ssl.conf, maybe you can see if it works for you:
First I created a CNAME record sub.somedomain.tld pointing to somedomain.tld. Then I added sub.somedomain.tld to the list of domains in the UCRV letsencrypt/domains and executed /usr/share/univention-letsencrypt/setup-letsencrypt. I think this should be equivalent to the bdcloud setup you already have.
Next I created a new file sub.conf in /etc/apache/sites-available. I simply copied from default-ssl.conf and changed some lines; maybe there is some duplicate config because it is already defined elsewhere. The proxy config is adopted from the one you posted earlier:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName sub.somedomain.tld
    SSLEngine on
    # Proxy-side TLS settings; only used when the backend is reached over https
    SSLProxyEngine on
    # These three directives switch off validation of the backend's certificate
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Let's Encrypt certificate and key as deployed by univention-letsencrypt
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
    SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
    SSLCertificateChainFile /etc/univention/letsencrypt/intermediate.pem
    ErrorLog ${APACHE_LOG_DIR}/proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined
    # Forward everything to the internal host, passing the original Host header through
    ProxyPass / http://192.168.100.100/
    ProxyPassReverse / http://192.168.100.100/
    ProxyPreserveHost On
    ProxyRequests Off
</VirtualHost>
</IfModule>
After enabling the site with a2ensite sub and restarting Apache I have the following result:
- all sites that are served by somedomain.tld are still accessible as before
- on https://sub.somedomain.tld I see the page that is served by the internal host at 192.168.100.100
For me there was no need to add a VirtualHost for port 80 as I have apache2/force_https=yes which also matches.
Note that I have not checked a real application, my internal host only serves a static page.
hth,
Dirk Ahrnke
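The steps from the post above, scripted as an added example (this is not code from the thread, from Univention or from Apache): append the new name to the UCR variable letsencrypt/domains, re-run setup-letsencrypt, write a reverse-proxy vhost into sites-available, enable it and restart Apache. Only the pure helpers run offline; the commands are executed only with --apply on a UCS host. Assumptions: letsencrypt/domains is a space-separated list, the sites directory is /etc/apache2/sites-available, `ucr get`/`ucr set` are invoked as shown, and the file name is taken from the first label of the hostname. The SSLProxyCheckPeer* directives from the posted config are emitted only for https backends and only when verify_backend=False is passed explicitly.

```python
"""Script the vhost setup from the thread (added example, constructed values)."""
import subprocess
import sys
from pathlib import Path

LE_DIR = "/etc/univention/letsencrypt"                      # paths from the thread
SETUP_LE = "/usr/share/univention-letsencrypt/setup-letsencrypt"
SITES_DIR = "/etc/apache2/sites-available"                  # assumed location


def add_domain(current, new_name):
    """Return letsencrypt/domains with new_name appended once.

    Assumes the UCR value is a space-separated list; order is preserved so
    the existing certificate names keep their position."""
    names = current.split()
    if new_name not in names:
        names.append(new_name)
    return " ".join(names)


def render_vhost(server_name, backend_url, verify_backend=True):
    """Render an HTTPS vhost that proxies everything to backend_url.

    Mirrors the sub.conf from the post. Backend certificate validation is
    switched off only for https backends and only on explicit request."""
    backend_url = backend_url.rstrip("/") + "/"             # ProxyPass / needs a trailing slash
    lines = [
        "<IfModule mod_ssl.c>",
        "<VirtualHost *:443>",
        f"    ServerName {server_name}",
        "    SSLEngine on",
        f"    SSLCertificateFile {LE_DIR}/signed_chain.crt",
        f"    SSLCertificateKeyFile {LE_DIR}/domain.key",
        f"    SSLCertificateChainFile {LE_DIR}/intermediate.pem",
        "    ErrorLog ${APACHE_LOG_DIR}/proxy-error.log",
        "    CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined",
        "    ProxyRequests Off",
        "    ProxyPreserveHost On",
        f"    ProxyPass / {backend_url}",
        f"    ProxyPassReverse / {backend_url}",
    ]
    if backend_url.startswith("https://"):
        lines.insert(4, "    SSLProxyEngine on")
        if not verify_backend:
            # As in the posted config: Apache will not validate the backend's
            # certificate. Only defensible for a backend on a trusted network.
            lines[5:5] = [
                "    SSLProxyCheckPeerCN off",
                "    SSLProxyCheckPeerName off",
                "    SSLProxyCheckPeerExpire off",
            ]
    lines += ["</VirtualHost>", "</IfModule>", ""]
    return "\n".join(lines)


def apply_on_ucs(server_name, backend_url, sites_dir=SITES_DIR):
    """Run the steps on a UCS host (needs root; not executed by the offline demo)."""
    current = subprocess.run(["ucr", "get", "letsencrypt/domains"],
                             capture_output=True, text=True, check=True).stdout.strip()
    subprocess.run(["ucr", "set", "letsencrypt/domains=" + add_domain(current, server_name)],
                   check=True)
    subprocess.run([SETUP_LE], check=True)                  # re-issue the certificate with the new SAN
    conf = Path(sites_dir) / (server_name.split(".")[0] + ".conf")
    conf.write_text(render_vhost(server_name, backend_url))
    subprocess.run(["a2ensite", conf.stem], check=True)
    subprocess.run(["systemctl", "restart", "apache2"], check=True)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    name = args[0] if len(args) > 0 else "sub.somedomain.tld"          # constructed defaults
    backend = args[1] if len(args) > 1 else "http://192.168.100.100/"
    if "--apply" in sys.argv:
        apply_on_ucs(name, backend)
    else:
        sys.stdout.write(render_vhost(name, backend))
```

Without --apply the script only prints the rendered vhost, which is a convenient way to diff it against an existing sub.conf before touching a live server.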
ok. Thanks for the time looking at this.
"If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.
For example, suppose that you are serving the domain www.domain.tld and you wish to add the virtual host www.otherdomain.tld, which points at the same IP address. Then you simply add the following to httpd.conf:
NameVirtualHost *:80

<VirtualHost *:80>
ServerName www.domain.tld
ServerAlias domain.tld *.domain.tld
DocumentRoot /www/domain
</VirtualHost>

<VirtualHost *:80>
ServerName www.otherdomain.tld
DocumentRoot /www/otherdomain
</VirtualHost>

You can alternatively specify an explicit IP address in place of the * in both the NameVirtualHost and <VirtualHost> directives. For example, you might want to do this in order to run some name-based virtual hosts on one IP address, and either IP-based, or another set of name-based virtual hosts on another address." https://httpd.apache.org/docs/2.2/vhosts/name-based.html
edited for content
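The two points made in this thread, that Apache falls back to the first-listed vhost when no ServerName/ServerAlias matches the requested hostname (the Apache docs quoted above, and Dirk's remark about the bdcloud-only ServerName), and that the Let's Encrypt certificate must actually list the new name, can be checked offline. The following is an added example, not code from the thread, from Univention or from the Apache project: a small model of Apache's name-based vhost selection plus a SAN coverage check, run over a constructed config and SAN list that mirror the setup discussed here (all hostnames and addresses are made up).

```python
"""Model name-based vhost selection and certificate coverage (added example)."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    server_name: str = ""
    aliases: list = field(default_factory=list)
    proxy_pass: str = ""


_VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Extract ServerName, ServerAlias and the first ProxyPass target of each
    <VirtualHost> block, in file order (order decides the default host)."""
    vhosts = []
    for body in _VHOST_RE.findall(config_text):
        vh = VHost()
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments and blanks
            if not line:
                continue
            directive, *args = line.split()
            directive = directive.lower()
            if directive == "servername" and args:
                vh.server_name = args[0].lower()
            elif directive == "serveralias":
                vh.aliases.extend(a.lower() for a in args)
            elif directive == "proxypass" and len(args) >= 2 and not vh.proxy_pass:
                vh.proxy_pass = args[1]
        vhosts.append(vh)
    return vhosts


def _name_matches(pattern, host):
    # ServerAlias may use shell-style wildcards (e.g. *.domain.tld); ServerName is literal.
    if set("*?") & set(pattern):
        return fnmatch.fnmatchcase(host, pattern)
    return host == pattern


def select_vhost(vhosts, host_header):
    """Return (vhost, matched): the first vhost whose ServerName or ServerAlias
    matches the Host header; otherwise the first-listed vhost as the default."""
    host = host_header.lower().split(":", 1)[0].rstrip(".")
    for vh in vhosts:
        if _name_matches(vh.server_name, host) or any(_name_matches(a, host) for a in vh.aliases):
            return vh, True
    return vhosts[0], False


def san_covers(sans, host):
    """Does any dNSName SAN cover host? A wildcard is honoured only as the whole
    leftmost label and matches exactly one label, as browsers do (RFC 6125)."""
    host = host.lower()
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[1:]                               # ".somedomain.tld"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif san == host:
            return True
    return False


def diagnose(config_text, host_header, cert_sans):
    """Combine both checks into the findings a troubleshooter wants to see."""
    vh, matched = select_vhost(parse_vhosts(config_text), host_header)
    host = host_header.lower().split(":", 1)[0]
    return {
        "served_by": vh.server_name,
        "fell_back_to_default": not matched,
        "cert_covers_host": san_covers(cert_sans, host),
        "proxied_to": vh.proxy_pass,
    }


# Constructed config mirroring the thread: the existing host first (the default),
# then the reverse-proxy vhost for the CNAME sub.somedomain.tld.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName somedomain.tld
    ServerAlias ucs01.somedomain.tld *.someotherdomain.tld
    DocumentRoot /var/www
</VirtualHost>
<VirtualHost *:443>
    ServerName sub.somedomain.tld
    ProxyPass / http://192.168.100.100/
    ProxyPassReverse / http://192.168.100.100/
</VirtualHost>
"""
# Constructed SAN list, as after adding sub.somedomain.tld to letsencrypt/domains.
SAMPLE_SANS = ["somedomain.tld", "ucs01.somedomain.tld", "sub.somedomain.tld"]

if __name__ == "__main__":
    for name in ("sub.somedomain.tld", "somedomain.someotherdomain.tld", "typo.somedomain.tld"):
        print(name, diagnose(SAMPLE_CONFIG, name, SAMPLE_SANS))
```

Running it shows the three outcomes worth telling apart: the proxied name is served by its own vhost with a covering certificate; a name matched only by a wildcard alias lands on the default host while the constructed certificate does not cover it; and a name nobody declared silently falls back to the first-listed vhost, which is the "got no configuration" situation from earlier in the thread.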
I got it! I needed to follow your direction a bit closer and modify the new conf file after finding my own internal ip settings, and adjust the CNAME - Thank you so much for the direction!
This worked! Thanks so much!