• OS X Server Globe
    Tech

    [OS X Server 5.x] httpd.conf location

    The httpd.conf file controlled by the Server.app is stored at

    /Library/Server/Web/Config/apache2/httpd_server_app.conf

    If you happen to update PHP or other Apache modules through non-Apple methods (e.g. homebrew), then this is where you add your LoadModule and FilesMatch arguments.

    You MUST restart the web server through the Server.app for changes to load. apachectl graceful will not load the changes in httpd_server_app.conf.

    #This article is in response to “Update PHP on OS X Server 5.x”.

  • Lets Encrypt & Certbot
    Tech

    Certbot, HTTPS, and Timeout Error

    If you use Let’s Encrypt as your SSL certificate authority, it is paramount that you implement an automatic certificate renewal procedure.

    Very helpful tutorial from Mac Strategy – How To Setup Let’s Encrypt For OS X / macOS + Server 5.x

    When setting up or renewing your SSL certificates, you may encounter a problem with certbot giving you the following error:

    Timeout, https://www.example.com (http-01):
    urn:acme:error:connection :: The server could not connect to
    the client to verify the domain 

    This may be happening if you ONLY have the HTTPS version of your website configured OR if you use http::REDIRECT to redirect to HTTPS without letting the GET request connect to a HTTP version of your site.

    certbot, as default, can only validate your website via HTTP on port 80. The easiest solution would be to provide an HTTP version of your website. This may be less than ideal for many setups where port 80 is inundated with DDoS attacks – so it seems.

    In reality, if port 80 is served by the same software that serves port 443, having port 80 open does not increase the amount of risk. Rather, it is a reminder that one should not rely on the illusion that HTTPS alone will prevent a hack. Your website design should be more resilient in that it would protect against ALL web based attacks.

    A message from Let’s Encrypt regarding Port 80: Best Practice – Keep Port 80 Open

    So open up port 80, setup your webserver to answer to HTTP requenst, and renew your Let’s Encrypt SSL certificates using certbot. And go add some security features to your website while your at it.

    For WordPress sites like this, you can use the WP Force SSL plugin to reroute all HTTP request to HTTPS via script. That means, any non-Wordpress request like certbot’s will be processed via HTTP.