* Host mailjoe.net:443 was resolved.
* IPv6: (none)
* IPv4: 64.181.241.71
* Trying 64.181.241.71:443...
* connect to 64.181.241.71 port 443 from 10.0.0.137 port 45208 failed: Connection timed out
* Failed to connect to mailjoe.net port 443 after 134791 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to mailjoe.net port 443 after 134791 ms: Couldn't connect to server
My web server is (include version):
Apache/2.4.58 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 24.04.2 LTS
My hosting provider, if applicable, is: Oracle cloud instance
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.2.0
Hello, thanks for your time in reading through this.
Long story short, I followed this guide to set up my server, then the relevant Ubuntu guide for using certbot to enable SSL.
The http version of my site still works, but I haven't been able to connect to https.
I'm not sure what diagnostics are the best so let me know what I should check, but I did see that this was a good one to include:
Hello @joeomundson, welcome to the Let's Encrypt community.
Port 443 is filtered (i.e. blocked), probably a firewall or router being the issue.
From around the world, this check report (permanent link) gets results of "Connection timed out".
$ nmap -Pn -p80,443 mailjoe.net
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-21 01:01 UTC
Nmap scan report for mailjoe.net (64.181.241.71)
Host is up (0.030s latency).
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds
Thank you, that makes sense with what I've seen so far.
I'm not sure where to look next.
I've checked the security list in Oracle, 443 looks good...
I've checked the iptables, 443 is there...
Oh, jeez. I'm both relieved and frustrated that it was such an easy fix. I really thought the ingress rule for port 443 was in place, and it wasn't. Thank you!
Another question if you have time:
Depending on how I type in the URL, I'm sometimes getting ERR_TOO_MANY_REDIRECTS, and http doesn't seem to default to https.
I think I have the virtual host .conf file wrong, yeah?
Cool, glad you got it working. I'm not an Apache expert but I'd assume your port 443 virtual host config doesn't need rewrite rules at all.
[btw your site on port 80 currently thinks it has TLS configured on that port]
If you show the Certbot command we can give better advice on your HTTP redirects for port 80. For example, using --webroot or certonly --apache suggests one way but a DNS Challenge another.
But, you should first fix the two problems described by @webprofusion.
The rewrites in port 443 create a loop. And, HTTP (port 80) rejected with this:
curl -i http://mailjoe.net
HTTP/1.1 400 Bad Request
Server: Apache/2.4.58 (Ubuntu)
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
...
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Check your port mapping and make sure you've restarted Apache since making changes that affect the ports it listens on.
Which is a lot cleaner... ChatGPT actually gave some useful advice.
So now any http request is immediately redirected to http, and within the port 443 handling, www.mailjoe.net automatically goes to mailjoe.net. Looks to be operating as intended to me, let me know if you see any issues? Thanks for the help.
Sure, that works. Your HTTP redirect may not be optimal for HTTP Challenges and does a redirect when one is not required. Which is why I asked for your Certbot command.
But, yes, it should work. You can test the renewal with:
sudo certbot renew --dry-run
The --dry-run will not affect your existing config or production certs.
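The layout this thread arrives at (plain HTTP on port 80 redirecting once to HTTPS, www handled inside port 443, no rewrite in the canonical port 443 host), as an added Apache example that is not the poster's actual configuration. The DocumentRoot, the exemption for /.well-known/acme-challenge/ and a single certificate covering both names are assumptions; the certificate paths follow Certbot's default layout.

```apache
# Added example: constructed vhost layout, not the poster's real files.
# Assumed: DocumentRoot /var/www/mailjoe.net, mod_ssl and mod_rewrite enabled,
# and one certificate covering mailjoe.net and www.mailjoe.net.

# Port 80: plain HTTP only. No SSLEngine in this block; TLS enabled on port 80
# is what produces "speaking plain HTTP to an SSL-enabled server port".
<VirtualHost *:80>
    ServerName mailjoe.net
    ServerAlias www.mailjoe.net
    DocumentRoot /var/www/mailjoe.net

    RewriteEngine On
    # Serve HTTP-01 challenge files directly instead of redirecting them.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else goes in one hop to the canonical HTTPS host.
    RewriteRule ^ https://mailjoe.net%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443, www name: exists only to redirect to the bare domain.
<VirtualHost *:443>
    ServerName www.mailjoe.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mailjoe.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mailjoe.net/privkey.pem
    # mod_alias appends the rest of the request path to the target.
    Redirect permanent / https://mailjoe.net/
</VirtualHost>

# Port 443, canonical name: serves content and carries no rewrite rules.
# An unconditional redirect to https://mailjoe.net/ placed here would match
# its own target on every request and end in ERR_TOO_MANY_REDIRECTS.
<VirtualHost *:443>
    ServerName mailjoe.net
    DocumentRoot /var/www/mailjoe.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mailjoe.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mailjoe.net/privkey.pem
</VirtualHost>
```

Running `sudo apachectl configtest` before reloading catches syntax errors in the edited files.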
I don't think that was the whole command. If it was, your VirtualHost configs would have looked different than they did.
It's not that big of a deal. If we were working on a pattern for numerous similar domains then yes, probably should improve it. But a single case likely not.
Then it didn't work and I thought something was configured wrong so I consulted with ChatGPT and messed with the .conf file a bit, not realizing I was just missing the ingress rule. Then decided to follow the instructions on certbot.eff.org, so I tried to uninstall certbot completely which I think didn't fully work? Hard to tell? Then ran it again which kind of created some duplicate files since I already had some and they didn't completely erase, tried to modify those again, and yeah... that's probably why it looked messed up, lol. I think I had 3 .conf files at one point.
Oh yeah, and the renew dry run worked just fine!
As long as it's all decent I'm not too worried because it's just gonna be a personal blog for my friends and family, I'm not expecting to ever get a lot of traffic or do anything heavy duty with the site.
Just wanted to host my own email and blog away from google/medium.