AWS ec2 ubuntu16.04 apache flask certbot not work


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydomain.com

I ran this command: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

It produced this output:
Certificate is created, but https redirect shows “This site can’t be reached”.

My web server is (include version): Apache latest

The operating system my web server runs on is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Can Certbot be used for an AWS EC2 instance? I am a newbie at this. Thank you in advance.


#2

https://mydomain.com/ works flawlessly.

Now how about you give us the real domain name:

To answer your question:

Yes, you already said it got the cert.
The problem you are having now is probably somewhere in the Apache configuration…


#3

Hi rg305, thank you for help. Here is my /etc/apache2/sites-enabled/000-default.conf
Sorry, I am still hiding my domain name.

WSGIDaemonProcess flaskapp threads=5
WSGIScriptAlias / /var/www/html/flaskapp/flaskapp.wsgi
<Directory flaskapp>
    WSGIProcessGroup flaskapp
    WSGIApplicationGroup %{GLOBAL}
     Order deny,allow
     Allow from all
</Directory>

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName www.---.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.---.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#4

Here is my /etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName www.---.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/www.---.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.---.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>



#6

You need to check the firewall settings…
And ensure port 80 AND PORT 443 are allowed.


#7

Do I need to set up some other Apache configuration after I follow the tutorial?


#8

$ sudo netstat -ntlp | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26812/sshd
tcp6 0 0 :::22 :::* LISTEN 26812/sshd
tcp6 0 0 :::443 :::* LISTEN 6077/apache2
tcp6 0 0 :::80 :::* LISTEN 6077/apache2


#9

No Apache changes should be required:
wget www.<yourdomain>.com
--2018-05-06 14:19:30-- http://www.<yourdomain>.com/
Resolving www.<yourdomain>.com (www.<yourdomain>.com)… <your IP>
Connecting to www.<yourdomain>.com (www.<yourdomain>.com)|<your IP>|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://www.<yourdomain>.com/ [following]
--2018-05-06 14:19:30-- https://www.<yourdomain>.com/
Connecting to www.<yourdomain>.com (www.<yourdomain>.com)|<your IP>|:443…

and it times out and just sits there retrying…


#10

from Internet, try:
openssl s_client -connect <yourIP>:443 -servername www.<yourdomain>.com


#11

$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
connect: Operation timed out
connect:errno=60


#12

yes! exactly.
Test openssl locally from the same server.


#13
$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
^C
$ openssl s_client -connect my-ip:80 -servername www.my-domain.com
CONNECTED(00000003)
139649272071896:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:797:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 334 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1525631691
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

With openssl to 443, nothing happens. With openssl to 80, there is some output. (I ran the commands on the EC2 host.)


#14

There is your problem.
Even though it says this:

It’s not responding on <ipv4>:443 from the Internet
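The check the replies walk through, as an added example that is not part of the thread: the on-host view (netstat says Apache listens on :::80 and :::443, a dual-stack socket that also accepts IPv4) combined with the outside view (a TCP connect to the public IP on 443 that times out). Listening locally but timing out from outside points at a filter in front of the host, on EC2 the security group, rather than at Apache or the certificate. The netstat sample is constructed from the thread's output; the local listener at the end is only there so the code runs offline.

```python
# Added example (not from the thread): combine `netstat` (does Apache listen?) with a
# timed TCP connect (does the port answer?). A socket that listens but whose connect
# times out is being dropped before it reaches Apache: firewall or EC2 security group.
import re
import socket

# Constructed sample shaped like the `netstat -pant | grep -i LISTEN` output above.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
"""
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def listening_ports(netstat_output):
    """Map port -> bound address for every LISTEN socket in netstat output."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports

def probe_tcp(host, port, timeout=5.0):
    """Plain TCP connect with a deadline, like `openssl s_client -connect`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # packets silently dropped: firewall / security group
    except OSError:
        return "refused"   # RST or no route: host reachable, nothing answers there

def diagnose(port, local_ports, probe_result):
    if port not in local_ports:
        return "nothing listens on %d: fix Apache (apache2ctl -S, ports.conf)" % port
    if probe_result == "open":
        return "port %d is reachable: the problem is in the TLS/vhost config" % port
    if probe_result == "timeout":
        return "Apache listens on %d but the connect times out: open it in the firewall/security group" % port
    return "Apache listens on %d but the connect is refused: wrong IP, NAT or route" % port

def demo_local_listener():
    """Offline run: bind an ephemeral local port, probe it and diagnose it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return diagnose(port, {port: "127.0.0.1"}, probe_tcp("127.0.0.1", port, 1.0))
```

On the EC2 host, feed the real `netstat -pant | grep -i LISTEN` output to `listening_ports` and probe the public IP from outside; the thread's situation (443 present, probe `timeout`) yields the firewall/security group diagnosis.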


#15

Maybe I need to disable IPv6 on the host?


#16

If you are not going to use IPv6 then yes, that could “fix” the problem.
(although it isn’t really a fix at all - more like a “workaround” the problem)
If you are going to use IPv6, then that just shifts the problem to a later date.


#17

I am happy to learn. Do you have some suggestion in this case – “openssl to 443, nothing happens”?


#18

I’ve used this method successfully on Ubuntu 16.04:
Putting the following lines in /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
then
sysctl -p


#19
$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1

IPv6 is disabled, but

$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
^C

openssl to 443 still does not succeed


#20

Show:
netstat -pant | grep -i LISTEN


#21
$ netstat -pant | grep -i LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::443                  :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -