Cannot access my webpage

My domain is: nextcloud.asus.jeansibelus.net
My web server is: Apache2
The operating system my web server runs on: Ubuntu 22.04
My hosting provider, if applicable, is: Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know): I don't know what that is.
I'm using a control panel to manage my site: I don't know what that is.
The version of my client is: certbot 2.10.0

Hello! I have the following problem. I have installed an SSL certificate on my Nextcloud server. After installing it I tried to open my page, but I got this error: SSL_ERROR_NO_CYPHER_OVERLAP.
I had a very hard time trying to find any answer. Please help me!!

PS. I apologize for any mistakes, English isn't my first language.

All best,
Kazimierz Krauze

Hello @kazimierzkrauze, welcome to the Let's Encrypt community. :slightly_smiling_face:

What web client (i.e. like a web browser), with version number, Operating System and version, are you using when you get the error?

This is the error I see with Windows 10 Chrome Version 123.0.6312.123 (Official Build) (64-bit)
(and that is a DNS issue, which is a different problem)

1 Like

Using the online tool Let's Debug yields these results https://letsdebug.net/nextcloud.asus.jeansibelus.net/1888969

NoRecords
FATAL
No valid A or AAAA records could be ultimately resolved for nextcloud.asus.jeansibelus.net. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.
No A or AAAA records found.

And ICANN shows the domain jeansibelus.net does not exist!

1 Like

Pardon, my domain is: nextcloud.asus.jeansibelius.net

1 Like

And now I see this

And ICANN's

1 Like

I am using Windows 11, on different web browsers there are different error codes:
Firefox 125.0.1:
SSL_ERROR_NO_CYPHER_OVERLAP
Chrome 121.0.6167.160:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Opera 108.0.5067.29:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

@kazimierzkrauze, I believe you are serving HTTP on both Ports 80 & 443, where typically one would expect to find HTTPS on Port 443.

HTTPS on Port 443 FAILING

$ curl -k -Ii https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/sometestfile
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure

HTTP on Port 443 wrongly PASSing - ERROR!

$ curl -k -Ii http:///nextcloud.asus.jeansibelius.net:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Fri, 19 Apr 2024 21:07:28 GMT
Content-Type: text/html
Content-Length: 253
Connection: close
CF-RAY: -

2 Likes

A lot going on here
Using the online tool Let's Debug yields these results https://letsdebug.net/nextcloud.asus.jeansibelius.net/1889019

AAAANotWorking
ERROR
nextcloud.asus.jeansibelius.net has an AAAA (IPv6) record (2606:4700:3031::ac43:9c9c) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
Get "https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test": remote error: tls: handshake failure

Trace:
@0ms: Making a request to http://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::ac43:9c9c)
@0ms: Dialing 2606:4700:3031::ac43:9c9c
@68ms: Server response: HTTP 301 Moved Permanently
@68ms: Received redirect to https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test
@69ms: Dialing 2606:4700:3031::ac43:9c9c
@74ms: Experienced error: remote error: tls: handshake failure
AAAANotWorking
ERROR
nextcloud.asus.jeansibelius.net has an AAAA (IPv6) record (2606:4700:3031::6815:80b) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
Get "https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test": remote error: tls: handshake failure

Trace:
@0ms: Making a request to http://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::6815:80b)
@0ms: Dialing 2606:4700:3031::6815:80b
@66ms: Server response: HTTP 301 Moved Permanently
@66ms: Received redirect to https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test
@66ms: Dialing 2606:4700:3031::6815:80b
@72ms: Experienced error: remote error: tls: handshake failure
ANotWorking
ERROR
nextcloud.asus.jeansibelius.net has an A (IPv4) record (104.21.8.11) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test": remote error: tls: handshake failure

Trace:
@0ms: Making a request to http://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test (using initial IP 104.21.8.11)
@0ms: Dialing 104.21.8.11
@43ms: Server response: HTTP 301 Moved Permanently
@43ms: Received redirect to https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test
@43ms: Dialing 104.21.8.11
@48ms: Experienced error: remote error: tls: handshake failure
ANotWorking
ERROR
nextcloud.asus.jeansibelius.net has an A (IPv4) record (172.67.156.156) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test": remote error: tls: handshake failure

Trace:
@0ms: Making a request to http://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test (using initial IP 172.67.156.156)
@0ms: Dialing 172.67.156.156
@48ms: Server response: HTTP 301 Moved Permanently
@48ms: Received redirect to https://nextcloud.asus.jeansibelius.net/.well-known/acme-challenge/letsdebug-test
@48ms: Dialing 172.67.156.156
@54ms: Experienced error: remote error: tls: handshake failure
CloudflareCDN
WARNING
The domain nextcloud.asus.jeansibelius.net is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-
CloudflareSSLNotProvisioned
WARNING
The domain nextcloud.asus.jeansibelius.net is being served through Cloudflare CDN and a certificate has not yet been provisioned yet by Cloudflare.
https://support.cloudflare.com/hc/en-us/articles/203045244-How-long-does-it-take-for-Cloudflare-s-SSL-to-activate-

2 Likes

@kazimierzkrauze one more thing

| Rate Limit | Current Status | Domain |
|---|---|---|
| 50 Certificates per Registered Domain per week | OK (7 / 50 this week.) | jeansibelius.net |
| 5 Duplicate Certificates per week | Limit exceeded. Next issuable at 23 Apr 2024 13:35:10 UTC | nextcloud.asus.jeansibelius.net |

Summary generated at Let's Debug Toolkit.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

2 Likes

That is possible. I am a hobbyist in the field of IT.
After installing the certificate, when I tried to go to my page I realized that I was automatically transferred to port 80. So in the Apache config file I changed ":80" to ":443".
After that I reloaded Apache and the problem appeared.
Should I change it back to 80?

Here is a list of issued certificates crt.sh | nextcloud.asus.jeansibelius.net, the latest being 2024-04-19.

1 Like

Thanks I will do that.

1 Like

Likely but I do not know Apache.
Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist. :slight_smile:

1 Like

Thank you for your help!

2 Likes

You have your domain name proxied at Cloudflare and are using their CDN.

Cloudflare is handling the redirect from HTTP to HTTPS. That change you made to Apache from port 80 to 443 is wrong. Port 443 needs cert definitions which that didn't have.

But, it looks like an HTTPS connection to their CDN edge might be failing which is very strange. You would be better off asking about this on the Cloudflare community.

Here is your DNS

nslookup nextcloud.asus.jeansibelius.net
Address: 104.21.8.11
Address: 172.67.156.156
Address: 2606:4700:3031::6815:80b
Address: 2606:4700:3031::ac43:9c9c

You might want to consider using the Cloudflare Origin CA Certificate. Once you get past this initial error, that gives you a certificate you can use behind their CDN. It might be easier for you to start up using that.

2 Likes
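
The point made in the reply above, that a port-443 virtual host needs certificate definitions, as an added example that is not part of the original thread or any poster's code: a small Python check that flags Apache `<VirtualHost>` blocks bound to port 443 without TLS directives. Both sample configurations are constructed, the `DocumentRoot` and the Certbot-style `/etc/letsencrypt/live/` paths are assumptions, and the check assumes the certificate and key are kept in separate files.

```python
import re

# Constructed sample: the port-80 vhost relabelled ":443", no TLS directives.
BROKEN = """
<VirtualHost *:443>
    ServerName nextcloud.asus.jeansibelius.net
    DocumentRoot /var/www/nextcloud
</VirtualHost>
"""

# Constructed sample: HTTP stays on 80; the 443 vhost carries Certbot-style paths.
FIXED = """
<VirtualHost *:80>
    ServerName nextcloud.asus.jeansibelius.net
</VirtualHost>
<VirtualHost *:443>
    ServerName nextcloud.asus.jeansibelius.net
    DocumentRoot /var/www/nextcloud
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/nextcloud.asus.jeansibelius.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.asus.jeansibelius.net/privkey.pem
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Assumption: certificate and key live in separate files, as Certbot writes them.
REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

def lint_vhosts(conf):
    """Return (address, problem) pairs for :443 vhosts that cannot speak TLS."""
    findings = []
    for addr, body in VHOST.findall(conf):
        if not any(a.endswith(":443") for a in addr.split()):
            continue
        directives = {}  # lower-cased directive name -> argument string
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        for name in REQUIRED:
            if name.lower() not in directives:
                findings.append((addr.strip(), "missing " + name))
        if directives.get("sslengine", "on").lower() != "on":
            findings.append((addr.strip(), "SSLEngine is not on"))
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_vhosts(conf) or "ok")
```
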

Thanks, I'll ask them.

It would certainly be easier but I am planning to create a bunch more certificates and, as far as I know, Cloudflare will give me only one.

1 Like

Not sure what you mean by that but it's a good thing to get sorted out at their community.

I thought you could have 200 names on one of their CA Origin certs:

3 Likes

If all your sites are behind CF CDN, then you only need one cert on your server.
You should be able to use the same CF origin cert on all your vhosts.
[CF needs to cover all the names with certs]

2 Likes

Just remember that those Cloudflare Origin CA certificates aren't valid for direct connections. You will need to always use the Cloudflare proxy to connect when you use a Cloudflare Origin CA certificate.

4 Likes
