Apache not loading SSL virtualhost

mhweb · March 21, 2020, 5:27pm

I’m trying to enable a 000-default-le-ssl.conf, everything looks OK when running a2ensite 000-default-le-ssl a reloading apache2 and I even used sudo apachectl configtest with Syntax OK result, but when I run the apachectl -S the command doesn’t display the the *443 configuration.

The apache2 error logs doesn’t show any errors related to this.

I also enabled the 000-default.conf and it works correctly, and it shows up when I use the apachectl -S.

This is on a server that I’m upgrading, and the settings are the same using in production and they working OK in the old server. I have also tested the process moving a site to a new server, and I didn’t have this problem.

This is the virtualhost that I’m using:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName domain.com
        ServerAlias www.domain.com
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

the fullchaing and privkey are in location.

This is the output I get:

root@webserver:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
*:80                   domain.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

As you can see ,the *:443 is missing.

Any ideas how to fix this problem?
Thanks,

9peppe · March 21, 2020, 6:18pm

post your actual domain name.

you reloaded apache, right?

check /etc/apache2/sites-enabled

mhweb · March 21, 2020, 6:25pm

Apache has been reloaded.
I also try disabling the site command, reload apache, enable site command, and reload apache.
Both virtualhosts for 80 and 443 appear in the Sites-Enabled folder.
The domain is 192.241.1.2. This is a new test server, before moving site. So, it’s not live, yet.
I also restarted the server just in case.

9peppe · March 21, 2020, 6:27pm

I don’t need a domain for another machine, give me an address on which this server responds

mhweb · March 21, 2020, 6:28pm

This is the machine I’m using.
192.241.1.2

9peppe · March 21, 2020, 6:35pm

a2enmod ssl ?

or maybe...

mhweb · March 21, 2020, 6:42pm

I want to cry, because I’m still learning, I spent countless hours search before posting in here.

Thank you, it seem that fixed the issue. However, after enabling the a2enmod ssl will stay enabled after reboot and apache reload?

9peppe · March 21, 2020, 6:43pm

it should, check modules-available and modules-enabled, there should be a symlink in the second location. This sounds like something certbot should check, did you use certbot?

mhweb · March 21, 2020, 6:55pm

Yes, the ssl.load and ssl.conf have symlinks to the mods-enabled folder.

The thing is that I’m using prebuilt vm. Let’s Encrypt is install and ready to go, but because the server initial setup wants to set the site https, and because I’m moving a site from the old to this new server, I skipped the https setup. Then moved the sites and letsencrypt folder to the new server.
And this is probably why the module was disabled.

Now, I’m noticing that the IP address of the new server is loading with https without issues, and I haven’t yet run sudo letsencrypt renew --dry-run is this an expected behavior.

Can I keep the new server turn on running the https until I’m ready to switch while the old server continues to run as always?

9peppe · March 21, 2020, 8:00pm

yes. be aware that http-01 validation will fail before switching dns records.

worst case scenario, once you switch dns records you'll start on an expired certificate.

mhweb · March 22, 2020, 12:56pm

Thank you for your help.
One last question, what log file and entry I need to check to find out the certbot cron checking job worked?

9peppe · March 22, 2020, 12:59pm

/var/log/letsencrypt

https://certbot.eff.org/docs/using.html#log-rotation

system · April 21, 2020, 12:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.