Date: Fri, 20 Nov 2020 12:13:58 -0700 (MST)
From: Dale Scott
To: freebsd@boosten.org
Cc: freebsd-questions
Message-ID: <436222222.38328265.1605899638737.JavaMail.zimbra@shaw.ca>
In-Reply-To: <57E903C2-0CB4-4DAD-8F10-12A6879A8029@boosten.org>
Subject: Re: Please help with Apache virtual servers and DNS trouble (I think)

----- Original Message -----
> From: freebsd@boosten.org
> To: "freebsd-questions"
> Cc: "Dale Scott (dalescott@shaw)"
> Sent: Friday, November 20, 2020 10:16:26 AM
> Subject: Re: Please help with Apache virtual servers and DNS trouble (I think)

>> On 20 Nov 2020, at 16:10, Dale Scott <dalescott@shaw.ca> wrote:

Thanks for your kind help Peter.

Just to be clear, this is my intended network.

                                                            +----------------+
wwww.dalescott.net:8080   <-------------------------------- + ERPNext        +
                                                            +----------------+
ssh -p 3022 dalescott.net <-------------------------------- + Ubuntu         |
                                                            | 20.04          |
www.dalescott.net         <----\                            | LTS            |
mantisbt.dalescott.net    <----+                            |                |
proqjector.dalescott.net  <----+       +--------------------+----------------+
nextcloud.dalescott.net   <----+------ + Apache/MariaDb/PHP | virtualbox-ose |
                                       +--------------------+----------------+
ssh -p 3022 dalescott.net <------------| FreeBSD 11.3 / 12.2                 |
                                       +-------------------------------------+

>> ... My understanding of LetsEncrypt (and certbot and the Apache
>> certbot plugin) is that subdomain DNS entry will be required for each Apache
>> virtual server that will https.

> LetsEncrypt version 2 supports wildcard certificates. So with one certificate you
> can serve www.domain.tld, blah.domain.tld and hurray.domain.tld. However, in order
> to reach your virtual server mantisbt.dalescott.net you have to have a DNS record for
> that host (not subdomain), this can be an A record or a CNAME.

> Of course you can use a wildcard.

Wild cards sound easier to manage, which I will investigate after getting things
working again without certs.

>> So I removed the wild card from my dalescott.net DNS entry and configured new
>> subdomain DNS entries for the Apache virtual servers. However I didn't create
>> certificates or change Apache httpd-vhosts.conf, and I'm still not trying to
>> serve anything but pure http on port 80.

> What do you mean with ’subdomain’? A subdomain would mean something like
> 'servers.dalescott.net' in your case, and your mantisbt server would then be
> reachable as mantisbt.servers.dalescott.net. So please elaborate.

Networking is not my strength; IIUC my tld is dalescott.net, and I am using subdomains
www, mantisbt, timetracker... or fully qualified www.dalescott.net, mantisbt.dalescott.net,
timetracker.dalescott.net, etc.
Is my terminology incorrect?

>> The problem is that I can access all my virtual servers and ssh to the vm using
>> port 3022, but I get a "no server response" error in the browser when trying to
>> access the vm web server on port 8080.

> Is it not that your browser expects https and you get http (or vice versa)?
> What does your apache logging say?

I am not expecting ANY https at this point. My goal is to first restore the
http-only behavior I had using fbsd-11.3 before I started down this rabbit
hole. ;-) Perhaps I need to go back to the one original wildcard DNS entry I had
and all will be ok, and then I figure out how to use a wildcard Let's Encrypt cert,
and then the specifics of each web app.

I browsed to the vbox vm web server dalescott.net:8080 and saw expected ("This
page isn’t working" "dalescott.net didn’t send any data." "ERR_EMPTY_RESPONSE"),
but then checked httpd-error.log and no related errors, which I had expected to see,
thinking Apache was getting the dalescott.net:8080 request and didn't know what to do
with it.

Maybe the web server on the vbox vm isn't responding at all. I will need to check
that out.

Fwiw, here is my DNS setup at No-IP.com (entries all have same config):
https://i.imgur.com/3UMiWFY.png
https://i.imgur.com/RIp6tQS.png

Also, fwiw, from my httpd.conf:

Listen 80
ServerName www.dalescott.net:80

and my typical vhost entry in httpd-vhosts.conf:

DocumentRoot "/usr/local/www/mantisbt"
allow from all
Options None
Require all granted
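
Added example, not part of the original message or of either poster's configuration: a check of which hostnames a certificate's name list covers, since a wildcard entry such as *.dalescott.net stands for exactly one left-most label. The function names and the VHOSTS list are assumptions, built from hostnames mentioned in the thread.

```python
# Added example: which vhost names does a certificate's SAN list cover?
# Wildcard rule (RFC 6125, section 6.4.3): "*" stands for exactly one
# left-most DNS label, so it matches neither the bare domain nor deeper names.


def san_matches(san: str, host: str) -> bool:
    """Return True if one SAN entry covers the given hostname."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # "*" never spans zero labels or several labels
    if san_labels[0] == "*":
        # The wildcard label must stand for a real, non-empty label.
        return host_labels[0] != "" and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered(hosts, sans):
    """Hostnames that no SAN entry covers; a browser would warn on these."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed input: hostnames taken from the message, plus the deeper name
# the quoted reply uses to show what a real subdomain would look like.
VHOSTS = [
    "dalescott.net",
    "www.dalescott.net",
    "mantisbt.dalescott.net",
    "nextcloud.dalescott.net",
    "mantisbt.servers.dalescott.net",
]

if __name__ == "__main__":
    for sans in (["*.dalescott.net"], ["dalescott.net", "*.dalescott.net"]):
        print(sans, "leaves uncovered:", uncovered(VHOSTS, sans))
```

Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the DNS provider has to allow TXT records for the zone.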