Not sure if this is anything or not.
You pasted the httpd-ssl.conf file.
The script output is referencing httpd.conf
I think it’s sending the challenge request via port 80 and that might be where you’re looking in the wrong place.
this post was submitted on 21 Jan 2025
44 points (97.8% liked)
Selfhosted
41633 readers
529 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Thanks I'm gonna check this out first thing. I thought that was weird but I'm not sure what in httpd.conf could be interfering with the process. I will give the file a better read through and see what I can come up with - it's a good starting point.
Hi, just a guess. But
The retryafter=86400 value is too large (> 600), will not retry anymore.
Seems to me like the call to your server in the verification step is failing.
Do you have port 80 blocked or stopping the call in another way ?
The only thing I can think of that might be interfering is HSTS? I'm not sure how acme is accessed when a browser can only access a site with ssl. Perhaps HSTS is interfering with the cert process somehow?
The process makes file to read via http (not https), it’s just a nonce ( some random characters). Once their server reads that file, using the domain (and not the ip) and compares with what is expected, this shows you own the domain , and they give you a new ssl cert, modifying your server’s https configuration file (usually). And deletes the file it made .
Thanks for the breakdown.
Would concur, that was the only thing I could find.
You've just reminded me to fix cert renewal on my instance. I'm using let's encrypt & their certbot with nginx and it is great.
Recently my nginx config got too complex, so nginx plugin stopped working correctly, because it wasn't able to inject the config for ACME challenge correctly anymore. The solution was to manually configure location /.well-known/acme-challange to read from a local directory and configure certbot to use a local webroot directory instead of fiddling with nginx config.
This is out of my skillset but I'm sure there's documentation online I can check out to give it a shot. We use this server for our (very) small business so I'm trying not to jack anything up worse than it is but it seems like something I could potentially tackle. Thank you.
I'm really surprised noone mentioned Caddy which handles all the SSL business for you. Not to mention an easier config :)
Caddy is awesome! I originally went for nginx proxy manager to manage my certs as it has a GUI. However, despite being text based, Caddy is so even easier to configure...
email [email protected]
}
jellyfin.mydomain.net {
reverse_proxy 192.168.0.1:8096
}```
That's all there is to it. Caddy does the heavy lifting.I don't think you even need to configure the email.
If I recall correctly emails are optional for Let's Encrypt but Caddy are partnered with ZeroSSL who do require emails so you're encouraged to provide one.
How hard would it be to switch in your experience... I'd love something this simple. Nervous to tear stuff down though.
I dont think its hard :)
Can you post your apache config?
Ive been so long on Caddy i havent touched Apache or nginx for ages. But i'm pretty sure i or someone else can help you convert your config :)
I appreciate the offer. If I get stuck I'll dump it. If it's as straight forward as everyone says I should be able to pull it off it looks so easy. Don't want to make others do my work for me unduly.
Oh my god.. i completely overlooked the config in your original message!!
Un any case, look at this: https://join-lemmy.org/docs/administration/caddy.html
Someone done the work, and they would be glad if you made use of it :)
And if you start with: lemmy.domain.tld:81 {
You can even have it run on a different port, so you can test it without risking your apache config.
This is brilliant thank you. This is going to save me dozens of hours.
Only thing I'm having trouble with so far is handling a line like this >
<FilesMatch \.php$> # Apache 2.4.10+ can proxy to unix socket SetHandler "proxy:unix:///run/php74-fpm.sock|fcgi://localhost/" </FilesMatch>
Not really sure how caddy handles this.
Look here: https://caddyserver.com/docs/caddyfile/directives/php_fastcgi
I'm not near a computer right now, but tomorrow i can show an example of my nextcloud setup. Its also php with Caddy :)
thank you for taking the time to share, I actually moved over to nginx.... all over the place >_> a few people have made it pretty clear I'm going to overwhelm caddy quickly with the number of different domains and sites we host so I'm starting over with nginx now.
I have 11 sites and numerous sub sites behind a single Caddy server. I dont know how you would "overwelm" Caddy?
Never the less, good luck :)
I'm at the whim of the community lol I don't have a lot of my own experiences to rely on - just trying to make educated guesses. I have a few sites I'd like to host at home and I'll definitely be using caddy for that going forward it was super easy.
Just popping in this morning to thank everyone for their suggestions overnight. I have some stuff to look at now when I get to the office this morning. Can't respond to every comment at the moment but I will. Just wanted to say thanks.
You can just try zeroSSL. Either add a DNS record they give you or host the file they give you, it's much simpler
This sounds like a good backup plan and I'll probably definitely have to resort to trying it - thank you for the suggestion.
Are you using cloudflare to proxy the server? If so, just download a 10-year certificate and don’t worry about renewing short term ones.
Unfortunately no, though that sounds very nice.
Ah, you should perhaps look into using Cloudflare or a similar service. Not for the certificate, but because if somebody took a dislike to your instance, they could easily DDoS you off the internet. The decade long certificate is just icing on the top.
Certainly will look into it thanks for the heads up!
Are you using cloud flare?
I am not.
What's in the acme.log file in the last line there?
Are you referring to the 'does not contain DNS'? Or the 'apache,/' because both are a bit confusing to me honestly
'cat /root/.acme.sh/acme.log'
Why use Apache over Nginx?
My friend chose it, he was old school. I don't personally have a preference between the two but we use this server for our small business so I haven't really wanted to risk messing everything up to switch when it's (mostly) currently functional.
Woah, you have a Lemmy instance hosted on the server for your small business? That just doesn't sit well with me. I hope the server going down would not halt your income.
We are a community oriented business and I really hate the big tech companies controlling the fate of my company. Lemmy seemed like one of a few easy alternative platforms where we were free from being stuck under the thumb of a tech giant or a ban away from loosing our members.