My domain is: stdominicchapel.org
My web server is: Apache2
The operating system my web server runs on is: Ubuntu 18.04
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
The version of my client is: certbot 0.31.0
The issue I am having is that my connection is timing out every time I try to access my site. Here is my site.conf file:
# Listen 80
LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so
User ******
Group www-data
WSGIScriptAlias / /var/www/wsgi_scripts/sdchapelorg.wsgi
WSGIDaemonProcess stdominicchapel python-home=/var/www/sdchapel.org/env python-path=/var/www/sdchapel.org/app threads=5
WSGIRestrictEmbedded On
WSGIProcessGroup stdominicchapel
WSGIApplicationGroup %{GLOBAL}

<VirtualHost *:80>
    ServerAdmin user@email.com
    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org
    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined
    Alias /static/ /var/www/sdchapel.org/app/static/
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =www.stdominicchapel.org [OR]
    RewriteCond %{SERVER_NAME} =stdominicchapel.org
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    #WSGIScriptAlias / /var/www/wsgi_scripts/sdchapelorg.wsgi
    #WSGIDaemonProcess stdominicchapel python-home=/var/www/sdchapel.org/env python-path=/var/www/sdchapel.org/app threads=5
    #WSGIRestrictEmbedded On
    #WSGIProcessGroup stdominicchapel
    #WSGIApplicationGroup %{GLOBAL}
    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>
    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerAdmin user@email.com
    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org
    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined
    Alias /static/ /var/www/sdchapel.org/app/static/
    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>
    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # enable HTTP/2, if available
    Protocols h2 http/1.1
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    # Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
#SSLUseStapling On
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
rg305
May 2, 2020, 10:04pm
HTTP is connecting.
But HTTPS seems to be blocked.
You need to ensure the path is open.
Check all your firewalls along the way.
And also ensure that port 443 is listening on your server.
curl -Iki http://www.stdominicchapel.org/
HTTP/1.1 301 Moved Permanently
Date: Sat, 02 May 2020 22:02:44 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://www.stdominicchapel.org/
Content-Type: text/html; charset=iso-8859-1
curl -Iki https://www.stdominicchapel.org/
curl: (7) Failed to connect to www.stdominicchapel.org port 443: Connection timed out
Hi @corei8
Does https work internally? From that machine?
curl https://stdominicchapel.org/
If yes, it's a firewall / router problem.
If not, what says
apachectl -S
@JuergenAuer apachectl -S gives:
AH00526: Syntax error on line 67 of /etc/apache2/sites-enabled/stdominicchapel.org.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/stdominicchapel.org/fullchain.pem' does not exist or is empty
Action '-S' failed.
Https does not work internally.
rg305
May 3, 2020, 2:30am
It seems your Apache config is “broken”.
The certificate file is missing (or empty).
Please show the outputs of:
ls -l /etc/letsencrypt/live/stdominicchapel.org/
certbot certificates
ubuntu@ip-*-*-*-*:~$ ls -l /etc/letsencrypt/live/stdominicchapel.org/
total 4
-rwxr-xr-x 1 user www-data 692 Apr 25 20:42 README
lrwxrwxrwx 1 user www-data 43 Apr 25 20:42 cert.pem -> ../../archive/stdominicchapel.org/cert1.pem
lrwxrwxrwx 1 user www-data 44 Apr 25 20:42 chain.pem -> ../../archive/stdominicchapel.org/chain1.pem
lrwxrwxrwx 1 user www-data 48 Apr 25 20:42 fullchain.pem -> ../../archive/stdominicchapel.org/fullchain1.pem
lrwxrwxrwx 1 user www-data 46 Apr 25 20:42 privkey.pem -> ../../archive/stdominicchapel.org/privkey1.pem
ubuntu@ip-*-*-*-*:~$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
ubuntu@ip-*-*-*-*:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: stdominicchapel.org
Domains: stdominicchapel.org
Expiry Date: 2020-07-24 19:42:18+00:00 (VALID: 81 days)
Certificate Path: /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
corei8:
apachectl -S gives:
Same, run it as root?
Result running as root:
[Sun May 03 23:21:36.247163 2020] [so:warn] [pid 14960:tid 140374011902912] AH01574: module wsgi_module is already loaded, skipping
[Sun May 03 23:21:36.248322 2020] [so:warn] [pid 14960:tid 140374011902912] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:80 stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
*:443 stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:47)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="corei8" id=1001
Group: name="www-data" id=33
I have tried to reinstall the certs, but I cannot get the site to connect. Should I completely uninstall certbot and try again? Since I could run apachectl -S as root, does that mean that I did something in the installation that made it so that my site could only serve the certs if it had root privileges?
rg305
May 6, 2020, 2:29am
If certbot certificates shows valid cert(s), there is no need for that, and it would not change anything related to those certs.
As strange as that sounds, it may match the strangeness of the problem...
If you could execute commands as "corei8" or "www-data" users, you might be able to see the problem first-hand.
[ commands like: cat /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem ]
Here is something:
$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Does this permission denied situation have anything to do with the issue? sudo finds valid certificates.
EDIT
I can now run curl https://stdominicchapel.org and I get to my webpage, but I cannot connect through a browser. I have tried Chrome, Firefox and Safari. It seems that I am very close to having this thing fixed, but what could be preventing the connection between the browsers and the server?
rg305
May 6, 2020, 6:13pm
What does apachectl -S now show?
Maybe:
sudo apachectl -S
and also, please show the output of:
sudo netstat -pant | grep -i listen
corei8:~$ apachectl -S
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: Cannot load /home/ubuntu/.local/lib/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so into server: /home/ubuntu/.local/lib/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so: cannot open shared object file: Permission denied
Action '-S' failed.
The Apache error log may have more information.
corei8:~$ sudo apachectl -S
[sudo] password for corei8:
[Wed May 06 19:44:28.713620 2020] [so:warn] [pid 28518:tid 139963176606656] AH01574: module wsgi_module is already loaded, skipping
[Wed May 06 19:44:28.725842 2020] [so:warn] [pid 28518:tid 139963176606656] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:443 stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf:2)
*:80 stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="corei8" id=1001
Group: name="www-data" id=33
corei8:~$ sudo netstat -pant | grep -i listen
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 687/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 897/sshd
tcp6 0 0 :::443 :::* LISTEN 15377/apache2
tcp6 0 0 :::80 :::* LISTEN 15377/apache2
tcp6 0 0 :::22 :::* LISTEN 897/sshd
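The checks asked for in this thread (apachectl -S, netstat/ss, curl from the host versus from outside) separate three different causes of an HTTPS timeout: a config that does not parse, nothing bound to :443, and a server that works locally but is blocked upstream, which is where this thread ends up (the Lightsail firewall). The script below is an added example, not code from the thread or from certbot; it puts those checks into functions that take their input as arguments, so the logic can be exercised on the outputs pasted above (copied in as constructed samples) without root or network access. The instance name my-instance in the aws lightsail command and the use of --resolve to pin the name to loopback are assumptions, not something the thread shows.

```shell
#!/bin/sh
# https_triage.sh -- added example, not code from the thread.
# Turns the checks asked for above (apachectl -S, netstat/ss, curl from the
# host vs. from the internet) into functions that take their input as
# arguments, so the logic runs on pasted output without root or network.
# run_live_checks shows the real invocation and is not called in this file.

DOMAIN="${DOMAIN:-stdominicchapel.org}"

# Constructed samples, copied from the outputs posted above.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      687/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      897/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      15377/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      15377/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      897/sshd'

SAMPLE_DUMP='VirtualHost configuration:
*:443                  stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf:2)
*:80                   stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
ServerRoot: "/etc/apache2"'

# config_parses DUMP: succeed unless `apachectl -S` reported a syntax error.
config_parses() {
    case "$1" in *"Syntax error"*) return 1 ;; *) return 0 ;; esac
}

# listener_on_port PORT OUTPUT: succeed if OUTPUT (from `netstat -pant` or
# `ss -ltnp`) shows a LISTEN socket on PORT bound to a wildcard address
# (0.0.0.0, :: or *). A socket bound only to loopback does not count: it is
# unreachable from the internet no matter what the firewall allows.
listener_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" p "$")) {
                    addr = $i
                    sub(/:[0-9]+$/, "", addr)
                    if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
                        found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# vhosts_for_domain DOMAIN DUMP: print the ports on which DOMAIN has a
# VirtualHost according to `apachectl -S`, one per line. Handles the
# one-vhost-per-port form seen above ("*:443 example.org (file:line)") and
# the name-based form ("port 443 namevhost example.org (file:line)").
vhosts_for_domain() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 ~ /^\*:[0-9]+$/ && $2 == d { sub(/^\*:/, "", $1); print $1 }
        $1 == "port" && $3 == "namevhost" && $4 == d { print $2 }'
}

# triage LOCAL_RC REMOTE_RC LISTENING CONFIG_OK: print a one-line verdict.
# LOCAL_RC / REMOTE_RC are curl exit codes for https://DOMAIN/ taken on the
# server itself and from an outside network (0 connected, 6 DNS failure,
# 7 connection refused or timed out). LISTENING / CONFIG_OK are yes|no.
triage() {
    local_rc="$1"; remote_rc="$2"; listening="$3"; config_ok="$4"
    if [ "$config_ok" != yes ]; then
        echo "config: Apache config does not parse; fix it, then reload apache2"
    elif [ "$listening" != yes ]; then
        echo "not-listening: nothing bound to :443; check Listen 443 in ports.conf and that mod_ssl is enabled"
    elif [ "$remote_rc" = 6 ]; then
        echo "dns: the name does not resolve for the outside client; check the zone and NS delegation"
    elif [ "$local_rc" = 0 ] && [ "$remote_rc" != 0 ]; then
        echo "firewall: TLS works on the host but not from outside; open 443 in the cloud firewall (Lightsail networking / EC2 security group) and in ufw/iptables"
    elif [ "$local_rc" != 0 ]; then
        echo "server: TLS fails even on the host (curl exit $local_rc); read the vhost ErrorLog"
    else
        echo "ok: https://$DOMAIN/ reachable locally and remotely"
    fi
}

# run_live_checks REMOTE_RC: what to run on the server itself (root needed
# for apachectl -S). REMOTE_RC is the exit code of
#   curl -sk -o /dev/null "https://$DOMAIN/"
# run from a machine outside the cloud network.
run_live_checks() {
    dump=$(apachectl -S 2>&1)
    config_parses "$dump" && cfg=yes || cfg=no
    if command -v ss >/dev/null 2>&1; then sockets=$(ss -ltnp); else sockets=$(netstat -pant); fi
    listener_on_port 443 "$sockets" && lst=yes || lst=no
    # --resolve pins the name to loopback, so DNS and the cloud firewall are bypassed.
    if curl -sk -o /dev/null --resolve "$DOMAIN:443:127.0.0.1" "https://$DOMAIN/"; then
        local_rc=0
    else
        local_rc=$?
    fi
    triage "$local_rc" "$1" "$lst" "$cfg"
    # Lightsail remediation via the CLI (instance name is an assumption):
    #   aws lightsail open-instance-public-ports --instance-name my-instance \
    #       --port-info fromPort=443,toPort=443,protocol=tcp
}

# demo: triage over the constructed samples, matching the thread's state
# after the config was fixed (local curl worked, remote curl timed out).
demo() {
    config_parses "$SAMPLE_DUMP" && cfg=yes || cfg=no
    listener_on_port 443 "$SAMPLE_NETSTAT" && lst=yes || lst=no
    triage 0 7 "$lst" "$cfg"
}

demo
```

The ordering in triage matters: a config that does not parse, or a missing :443 listener, are server-side faults that a firewall rule cannot fix, so they are ruled out before the local-versus-remote comparison. Only when curl succeeds against loopback and fails from outside does a cloud firewall become the likely cause, which is exactly the pattern this thread shows.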
rg305
May 6, 2020, 9:53pm
I see apache2 running on ports 80 and 443:
I see apache configs for your domain on both of those ports:
There must be something wrong with the port 443 config for that domain name.
Please show file:
/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf
rg305
May 6, 2020, 9:56pm
Or there is another completely unrelated issue causing you problems…
curl -Iki https://www.stdominicchapel.org/
curl: (6) Could not resolve host: www.stdominicchapel.org
curl -Iki https://stdominicchapel.org/
curl: (6) Could not resolve host: stdominicchapel.org
Perhaps there is a DNS issue.
Looks like the set of name servers has changed - stdominicchapel.org - Make your website better - DNS, redirects, mixed content, certificates
Checked some manually; some give a refused answer, ns-276.awsdns-34.com answers correctly.
rg305
May 6, 2020, 10:07pm
PS: But the correct ip address is visible, http answers and redirects to https.
Https has a timeout.
So there is a blocking firewall or something else (.htaccess etc.).
Hostname: ec2-3-23-38-54.us-east-2.compute.amazonaws.com
AWS has its own firewall. That's sometimes a problem.
corei8
May 6, 2020, 10:54pm
stdominicchapel.org-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin user@email.com
    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org
    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined
    Alias /static/ /var/www/sdchapel.org/app/static/
    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>
    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
</VirtualHost>
</IfModule>
corei8
May 6, 2020, 11:01pm
@JuergenAuer Thank you very much for the suggestion!
It was as simple as going into the Lightsail Networking page and adding a port.
All is working right now! Thank you very much!
I will be sure to come back here if I have any more issues.