Cannot connect to server after certificate installation

Hi @corei8

Does https work internally? From that machine?

curl https://stdominicchapel.org/

If yes, it’s a firewall / router problem.

If not, what does this say:

apachectl -S
1 Like

@JuergenAuer apachectl -S gives:

AH00526: Syntax error on line 67 of /etc/apache2/sites-enabled/stdominicchapel.org.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/stdominicchapel.org/fullchain.pem' does not exist or is empty
Action '-S' failed.

Https does not work internally.

1 Like

It seems your Apache config is “broken”.
The certificate file is missing (or empty).
Please show the outputs of:
ls -l /etc/letsencrypt/live/stdominicchapel.org/
certbot certificates

1 Like
ubuntu@ip-*-*-*-*:~$ ls -l /etc/letsencrypt/live/stdominicchapel.org/
total 4
-rwxr-xr-x 1 user www-data 692 Apr 25 20:42 README
lrwxrwxrwx 1 user www-data  43 Apr 25 20:42 cert.pem -> ../../archive/stdominicchapel.org/cert1.pem
lrwxrwxrwx 1 user www-data  44 Apr 25 20:42 chain.pem -> ../../archive/stdominicchapel.org/chain1.pem
lrwxrwxrwx 1 user www-data  48 Apr 25 20:42 fullchain.pem -> ../../archive/stdominicchapel.org/fullchain1.pem
lrwxrwxrwx 1 user www-data  46 Apr 25 20:42 privkey.pem -> ../../archive/stdominicchapel.org/privkey1.pem
ubuntu@ip-*-*-*-*:~$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
ubuntu@ip-*-*-*-*:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: stdominicchapel.org
    Domains: stdominicchapel.org
    Expiry Date: 2020-07-24 19:42:18+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Same when running it as root?

If yes:

  • Make a backup
  • Disable that non-working vHost
  • Use certbot --reinstall, so Certbot should create a correct vHost
  • Perhaps modify the configuration manually.
2 Likes

Result running as root:

[Sun May 03 23:21:36.247163 2020] [so:warn] [pid 14960:tid 140374011902912] AH01574: module wsgi_module is already loaded, skipping
[Sun May 03 23:21:36.248322 2020] [so:warn] [pid 14960:tid 140374011902912] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:80                   stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
*:443                  stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:47)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="corei8" id=1001
Group: name="www-data" id=33

I have tried to reinstall the certs but I cannot get the site to connect. Should I completely uninstall certbot and try again? Since I could run apachectl -S as root does that mean that I did something in the installation that made it so that my site could only serve the certs if it had root privileges?

If certbot certificates shows valid cert(s), there is no need for that, and it would not change anything related to those certs.

As strange as that sounds, it may match the strangeness of the problem…
If you could execute commands as “corei8” or “www-data” users, you might be able to see the problem first-hand.
[ commands like: cat /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem ]

1 Like

Here is something:

$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

Does this permission denied situation have anything to do with the issue? sudo finds valid certificates.


EDIT
I can now run curl https://stdominicchapel.org and I get to my webpage but I cannot connect through a browser. I have tried Chrome, Firefox and Safari. It seems that I am very close to having this thing fixed, but what could be preventing the connection between the browsers and the server?

1 Like

What does apachectl -S now show?
May be:
sudo apachectl -S

and also, please show the output of:
sudo netstat -pant | grep -i listen

1 Like
corei8:~$ apachectl -S
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: Cannot load /home/ubuntu/.local/lib/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so into server: /home/ubuntu/.local/lib/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so: cannot open shared object file: Permission denied
Action '-S' failed.
The Apache error log may have more information.
corei8:~$ sudo apachectl -S
[sudo] password for corei8:
[Wed May 06 19:44:28.713620 2020] [so:warn] [pid 28518:tid 139963176606656] AH01574: module wsgi_module is already loaded, skipping
[Wed May 06 19:44:28.725842 2020] [so:warn] [pid 28518:tid 139963176606656] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:443                  stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf:2)
*:80                   stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="corei8" id=1001
Group: name="www-data" id=33
corei8:~$ sudo netstat -pant | grep -i listen
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      687/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      897/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      15377/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      15377/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      897/sshd

I see apache2 running on ports 80 and 443.

I see apache configs for your domain on both of those ports.

There must be something wrong with the port 443 config for that domain name.
Please show file:
/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf

1 Like

Or there is another completely unrelated issue causing you problems…

curl -Iki https://www.stdominicchapel.org/
curl: (6) Could not resolve host: www.stdominicchapel.org

curl -Iki https://stdominicchapel.org/
curl: (6) Could not resolve host: stdominicchapel.org

Perhaps there is a DNS issue.

1 Like

Looks like the set of name servers has changed - https://check-your-website.server-daten.de/?q=stdominicchapel.org

Checked some manually; some give a refused answer, ns-276.awsdns-34.com answers correctly.

1 Like

I agree, and so does DNSVIZ:
See: https://dnsviz.net/d/stdominicchapel.org/dnssec/

1 Like

PS: But the correct ip address is visible, http answers and redirects to https.

Https has a timeout.

So there is a blocking firewall or something else (.htaccess etc.).

Hostname: ec2-3-23-38-54.us-east-2.compute.amazonaws.com

AWS has its own firewall. That’s sometimes a problem.

3 Likes
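A small triage helper that encodes the checks used in this thread (is there a *:443 VirtualHost, does apache2 listen on 443, does a TCP connection from outside succeed) and returns the next step. This is an added example, not code from any post; the sample inputs are constructed from the apachectl -S and netstat output pasted above, and tcp_reachable must be run from a machine outside the VPC to be meaningful.

```python
import re
import socket

# Constructed from the apachectl -S and netstat output pasted in the thread
APACHECTL_S = """VirtualHost configuration:
*:443                  stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org-le-ssl.conf:2)
*:80                   stdominicchapel.org (/etc/apache2/sites-enabled/stdominicchapel.org.conf:15)
"""
NETSTAT = """tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      897/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      15377/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      15377/apache2
"""

VHOST_RE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\((\S+):(\d+)\)", re.M)
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)", re.M)

def vhosts_by_port(apachectl_output):
    """Map port -> [(ServerName, conf file, line)] parsed from `apachectl -S`."""
    out = {}
    for port, name, conf, line in VHOST_RE.findall(apachectl_output):
        out.setdefault(int(port), []).append((name, conf, int(line)))
    return out

def listening_ports(netstat_output):
    """Map port -> process name parsed from `netstat -pant | grep -i listen`."""
    return {int(p): proc for p, _pid, proc in LISTEN_RE.findall(netstat_output)}

def tcp_reachable(host, port=443, timeout=3.0):
    """True if a plain TCP handshake to host:port completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(apachectl_output, netstat_output, reachable_from_outside):
    """Return the next diagnostic step, in the order the thread worked through them."""
    vh = vhosts_by_port(apachectl_output)
    ls = listening_ports(netstat_output)
    if 443 not in vh:
        return "no *:443 VirtualHost: fix the Apache config (certbot --reinstall or the -le-ssl.conf)"
    if 443 not in ls:
        return "vhost present but nothing listens on 443: check Listen 443 / mod_ssl and restart apache2"
    if not reachable_from_outside:
        return "apache2 listens on 443 but TCP from outside fails: open 443 in the cloud firewall (Lightsail/security group)"
    return "443 is reachable: inspect the TLS handshake and the HTTP status (e.g. a 500 from the app) instead"
```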

stdominicchapel.org-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerAdmin user@email.com

    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org

    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined

    Alias /static/ /var/www/sdchapel.org/app/static/

    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>

    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
</VirtualHost>
</IfModule>
1 Like

@JuergenAuer Thank you very much for the suggestion!

It was as simple as going into the Lightsail Networking page and adding a port.

All is working right now! Thank you very much!

I will be sure to come back here if I have any more issues.

3 Likes

Thanks, good to know.

Now your site answers. :+1:

But there is a http status 500, so something internal is wrong.

2 Likes

I have some static files and a database there that have permission issues. It ought to be an easy fix. I had the same error with http, but I wanted to get https solved before trying to get rid of the error.

2 Likes