Have not been able to get this running at all under https. Have gone from an established system to a fresh re-install of the OS and only the relevant software to get a page to serve through https. After over 48 hours at this I am at a loss as to what else to try to make this work. Any help would be greatly appreciated.
My domain is: nacnud3000.com
I ran this command:
sudo certbot --apache
It produced this output:
Requesting a certificate for nacnud3000.com and www.nacnud3000.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nacnud3000.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/nacnud3000.com/privkey.pem
This certificate expires on 2021-12-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for nacnud3000.com to /etc/apache2/sites-available/nacnud3000-le-ssl.conf
Successfully deployed certificate for www.nacnud3000.com to /etc/apache2/sites-available/nacnud3000-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://nacnud3000.com and https://www.nacnud3000.com
My web server is (include version):
Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu Server 20.04 LTS
My hosting provider, if applicable, is:
N/A
I can log in to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.19.0
There is.
My router has 80 & 443 open and forwarded to the server.
Server firewall is UFW with Apache Full and OpenSSL allowed.
I've been able to verify that 80 & 443 are visible externally, and regular http functions without issue.
The problem seems to be in your Apache config.
Please show the outputs of:
sudo cat /etc/apache2/sites-available/nacnud3000-le-ssl.conf
sudo cat /etc/apache2/mods-enabled/ssl.conf
[I suspect this is the first site to be secured on this server]
OR
Are you using some sort of GeoLocation blocking or anything similar?
This is indeed the first site to be secured on this server. I have a domain that is already hosted by a paid service which I intend to bring over to my server once I have this figured out with the domain I bought for testing (nacnud3000.com).
The outputs are as follows:
nacnud3000-le-ssl.conf
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Disabled by default, the global Mutex directive consolidates by default
# this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:!aNULL
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
#SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
sudo apachectl -t -D DUMP_VHOSTS
Returns:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 nacnud3000.com (/etc/apache2/sites-enabled/nacnud3000-le-ssl.conf:2)
*:80 nacnud3000.com (/etc/apache2/sites-enabled/nacnud3000.conf:1)
Something is indeed not adding up.
I have restarted the system, router, and modem.
Started on a Raspberry Pi 4 on the same OS, tried with Raspbian x64 & x32 flavors.
Did a fresh setup on an older AMD x64 setup that is the machine now.
All encountering the same issues.
I've even tried a self-signed cert, set up manually, to see if that changed anything, but I still encounter the same issues. The HDD was reformatted and a fresh install completed after that did not work.
My ISP does not block any ports, and every test I've tried of whether the ports are reachable passes.
I am considering a fresh OS re-install and giving NGINX a spin as I am not attached to using Apache and haven't tried that yet.
Only as a test:
Let's try using another port for SSL.
Find the "Listen 443" statement
[usually found in the "ports.conf" file]
And add another line to it.
Like: Listen 9876
Then modify the line "<VirtualHost *:443>"
to: <VirtualHost *:9876>
restart apache and test: https://nacnud3000.com:9876/
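The port-swap test above relies on one invariant: every `<VirtualHost *:PORT>` must have a matching `Listen PORT`, or Apache starts cleanly but never accepts connections on that port. The following checker is an added example written for this thread, not code from the original posts or from Certbot; the ports.conf and *-le-ssl.conf samples inside it are constructed to resemble Ubuntu 20.04 defaults, and it deliberately ignores `<IfModule>` guards (on Ubuntu, `a2enmod ssl`, which `certbot --apache` runs, makes them true).

```python
"""Check Apache Listen/VirtualHost port consistency before and after the
port-swap test. Added example for this thread; sample configs are constructed."""
import re

# Constructed sample resembling the Ubuntu 20.04 default /etc/apache2/ports.conf
PORTS_CONF = """\
Listen 80

<IfModule ssl_module>
\tListen 443
</IfModule>

<IfModule mod_gnutls.c>
\tListen 443
</IfModule>
"""

# Constructed sample resembling a certbot-generated sites-available/*-le-ssl.conf
LE_SSL_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName nacnud3000.com
    SSLEngine on
</VirtualHost>
</IfModule>
"""

# "Listen 443", "Listen 1.2.3.4:443", "Listen [::]:443 https" all yield 443
LISTEN_RE = re.compile(r'^\s*Listen\s+(?:\S*:)?(\d+)', re.I | re.M)
VHOST_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I | re.M)


def listen_ports(conf_text):
    """Ports opened by Listen directives (IfModule guards are ignored, see above)."""
    return {int(p) for p in LISTEN_RE.findall(conf_text)}


def vhost_ports(conf_text):
    """Ports named in <VirtualHost addr:port ...> openers; a bare '*' has no port."""
    ports = set()
    for spec in VHOST_RE.findall(conf_text):
        for addr in spec.split():
            port = addr.rsplit(':', 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def unlistened_vhost_ports(ports_conf, *site_confs):
    """Ports some VirtualHost binds that no Listen directive opens. Apache
    starts without complaint in that state; the vhost is simply unreachable,
    which is indistinguishable from a blocked port until you check here."""
    listening = listen_ports(ports_conf)
    bound = set().union(*(vhost_ports(c) for c in site_confs))
    return sorted(bound - listening)


def swap_vhost_port(site_conf, old, new):
    """Rewrite <VirtualHost *:old> to *:new, the edit the test above makes by hand."""
    return re.sub(rf'(<VirtualHost\s+[^>\s]*:){old}\b', rf'\g<1>{new}',
                  site_conf, flags=re.I)


if __name__ == "__main__":
    moved = swap_vhost_port(LE_SSL_CONF, 443, 9876)
    # Forgetting the extra Listen line is the classic mistake in this test
    print("missing Listen for:", unlistened_vhost_ports(PORTS_CONF, moved))
    print("fixed:", unlistened_vhost_ports(PORTS_CONF + "Listen 9876\n", moved))
```

Run it against the real files with `open('/etc/apache2/ports.conf').read()` and the contents of `sites-enabled/`; an empty list means the vhost ports are all listened on and the remaining suspects are the firewall, router forwarding, or the path in between, which is exactly what moving to 9876 distinguishes.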
That gets us somewhere.
Set ports.conf to listen on 9876.
Set nacnud3000-le-ssl.conf to 9876.
Allowed 9876 through UFW firewall.
Forwarded 9876 to server in router.
Restarted Apache
Going to https://nacnud3000.com:9876 is successful and using SSL.
Page Info in Firefox shows 'Connection Encrypted (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.3)' & verified by Let's Encrypt.
Changed all back to 443 & restart Apache, back to same issue.
Is it possible that while my ISP does not block ports they could be blocking the necessary protocols to allow the SSL handshake on 443?
Removed 9876 - 9876 from router forwarding.
Updated 443 - 9876 in router forwarding.
Refreshed & received same error on test.
Rebooted router, manually ran ddclient to update domain DNS info.
Verified updated DNS info active.
Test returns same error.