AWS EC2 Ubuntu 16.04 Apache Flask Certbot not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydomain.com

I ran this command: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

It produced this output:
Certificate is created, but https redirect shows “This site can’t be reached”.

My web server is (include version): Apache latest

The operating system my web server runs on is (include version): Ubuntu16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Can Certbot be used on an AWS EC2 instance? I am a newbie at this. Thank you in advance.

https://mydomain.com/ works flawlessly.
...
Now how about you give us the real domain name:

To answer your question:

Yes, you already said it got the cert.
The problem you are having now is probably somewhere in the Apache configuration...

Hi rg305, thank you for the help. Here is my /etc/apache2/sites-enabled/000-default.conf
Sorry, I am still hiding my domain name.

WSGIDaemonProcess flaskapp threads=5
WSGIScriptAlias / /var/www/html/flaskapp/flaskapp.wsgi
# <Directory> takes an absolute filesystem path: this is the directory that
# holds flaskapp.wsgi. "Require all granted" is the Apache 2.4 form of the
# old "Order deny,allow / Allow from all" pair.
<Directory /var/www/html/flaskapp>
    WSGIProcessGroup flaskapp
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
</Directory>

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName www.---.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.---.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Here is my /etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName www.---.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        SSLCertificateFile /etc/letsencrypt/live/www.---.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.---.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


You need to check the firewall settings…
And ensure port 80 AND PORT 443 are allowed.

Do I need to set up some other Apache configuration after following the tutorial?

$ sudo netstat -ntlp | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26812/sshd
tcp6 0 0 :::22 :::* LISTEN 26812/sshd
tcp6 0 0 :::443 :::* LISTEN 6077/apache2
tcp6 0 0 :::80 :::* LISTEN 6077/apache2

No Apache changes should be required:
wget www.<yourdomain>.com
--2018-05-06 14:19:30-- http://www.<yourdomain>.com/
Resolving www.<yourdomain>.com (www.<yourdomain>.com)... <your IP>
Connecting to www.<yourdomain>.com (www.<yourdomain>.com)|<your IP>|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.<yourdomain>.com/ [following]
--2018-05-06 14:19:30-- https://www.<yourdomain>.com/
Connecting to www.<yourdomain>.com (www.<yourdomain>.com)|<your IP>|:443...

and it times out and just sits there retrying…

From the Internet, try:
openssl s_client -connect <yourIP>:443 -servername www.<yourdomain>.com

$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
connect: Operation timed out
connect:errno=60

Yes! Exactly.
Test the openssl locally from the same server:

$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
^C
$ openssl s_client -connect my-ip:80 -servername www.my-domain.com
CONNECTED(00000003)
139649272071896:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:797:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 334 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1525631691
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

With openssl to 443, nothing happens. With openssl to 80, there is some output. (I ran the commands on the EC2 host.)

There is your problem.
Even though it says this:

It's not responding on <ipv4>:443 from the Internet

Maybe I need to disable IPv6 on the host?

If you are not going to use IPv6 then yes, that could “fix” the problem.
(although it isn’t really a fix at all - more like a “workaround” the problem)
If you are going to use IPv6, then that just shifts the problem to a later date.

I am happy to learn. Do you have any suggestions in this case: “openssl to 443, nothing happens”?

I’ve used this method successfully on Ubuntu 16.04:
Putting the following lines in /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
then
sysctl -p

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1

IPv6 is disabled, but

$ openssl s_client -connect my-ip:443 -servername www.my-domain.com
^C

openssl to 443 still does not succeed.

Show:
netstat -pant | grep -i LISTEN

$ netstat -pant | grep -i LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::443                  :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -
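Putting the thread's evidence together, here is an added diagnostic script (it is not part of any post above) that reads `netstat`/`ss` listener lines and `openssl s_client` output and names the layer at fault. It assumes a Linux host with POSIX awk and grep; the sample inputs are the outputs pasted in the thread. The point it encodes: on Linux an IPv6 wildcard socket (`:::443`) is dual-stack unless `net.ipv6.bindv6only=1`, so the `tcp6` listener also serves IPv4 and disabling IPv6 via sysctl changes nothing (the netstat after the sysctl change still shows the same sockets). A listener that is present locally while a remote connect times out, rather than being refused, means packets are being dropped in between, which on EC2 is almost always the instance's security group.

```shell
#!/usr/bin/env bash
# Added diagnostic for the thread above; not from the original posts.
# Assumes a Linux host and POSIX awk/grep. The SAMPLE_* strings are copied
# from the outputs pasted in the thread so the script runs offline; in real
# use, feed it `netstat -pant` / `ss -ntl` and `openssl s_client` output.

# Local addresses bound to port $1, read from netstat/ss LISTEN lines on stdin
# (the local address is column 4 in both tools' default output).
listening_addrs() {
    awk -v p="$1" '/LISTEN/ {
        addr = $4; n = split(addr, f, ":")
        if (f[n] == p) { sub(":" p "$", "", addr); print addr }
    }'
}

# Exit 0 if a bound address also accepts IPv4 clients. On Linux the IPv6
# wildcard (:: or [::]) is dual-stack unless net.ipv6.bindv6only=1 ($2),
# so the "tcp6 :::443" line from the thread does serve IPv4.
bind_covers_ipv4() {
    case "$1" in
        '::'|'[::]')         [ "${2:-0}" = 0 ] ;;
        '*'|0.0.0.0|*.*.*.*) return 0 ;;   # IPv4 wildcard or literal
        *)                   return 1 ;;
    esac
}

# Prints ipv4-ok, ipv6-only or none for port $1 (bindv6only in $2, default 0).
ipv4_listener_status() {
    local port="$1" v6only="${2:-0}" addr seen=0
    for addr in $(listening_addrs "$port"); do
        seen=1
        if bind_covers_ipv4 "$addr" "$v6only"; then echo ipv4-ok; return 0; fi
    done
    if [ "$seen" -eq 1 ]; then echo ipv6-only; else echo none; fi
}

# Classify the output of `openssl s_client -connect HOST:PORT` passed as $1.
classify_connect() {
    if   printf '%s\n' "$1" | grep -qi 'timed out';          then echo filtered
    elif printf '%s\n' "$1" | grep -qi 'connection refused'; then echo refused
    elif printf '%s\n' "$1" | grep -qiE 'unknown protocol|wrong version number'; then echo plaintext
    elif printf '%s\n' "$1" | grep -qE '^(subject=|Server certificate)'; then echo tls
    else echo unknown
    fi
}

# Combine the local listener state and the remote connect result into a next step.
diagnose() {
    case "$1:$2" in
        none:*)            echo "no listener on the port: check Listen/ports.conf and that the SSL vhost is enabled" ;;
        ipv6-only:*)       echo "listener is IPv6-only: set net.ipv6.bindv6only=0 or add Listen 0.0.0.0:443" ;;
        ipv4-ok:filtered)  echo "listener is fine but packets are dropped: open the port in the AWS security group / NACL / host firewall (ufw, iptables)" ;;
        ipv4-ok:refused)   echo "listener is fine but the connect was rejected: wrong IP/DNS, NAT target, or a REJECT rule" ;;
        ipv4-ok:plaintext) echo "port answers HTTP, not TLS: you are testing port 80, or mod_ssl is not active in this vhost" ;;
        ipv4-ok:tls)       echo "TLS handshake works: the remaining problem is in Apache/app config, not the network" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Constructed inputs, copied from the thread's own pasted output.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -'
SAMPLE_REMOTE_443='connect: Operation timed out
connect:errno=60'
SAMPLE_LOCAL_80='CONNECTED(00000003)
139649272071896:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:797:'

# Walk the thread's evidence: dual-stack listener + remote timeout => packet filter.
local_443=$(printf '%s\n' "$SAMPLE_NETSTAT" | ipv4_listener_status 443)
remote_443=$(classify_connect "$SAMPLE_REMOTE_443")
echo "443 listener: $local_443; remote connect: $remote_443"
diagnose "$local_443" "$remote_443"
```

The check and the fix both live outside the instance. Allow inbound tcp/443 in the security group from the console, or with the AWS CLI (the group id here is a placeholder): `aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 443 --cidr 0.0.0.0/0`, then rerun `openssl s_client -connect <ip>:443 -servername www.<domain>` from outside; a `CONNECTED` line followed by the certificate chain confirms the port is open. Leaving IPv6 enabled is the right call: the tcp6 socket was never the problem, and the sysctl change only removes addresses the host could later use.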