Cert apply correct but website fails to run after

After installing the certificates, my website is no longer accessible.

My domain is: www.si-tech.com.hk

I ran this command: Certbot --Apache

It produced this output: long string of text. Basically saying the certs had completed and were installed correctly

My web server is (include version): Apache 2.4.37

The operating system my web server runs on is (include version): Centos 8 (4.18.0-408)

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): logon locally

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

Thank you for assisting us in helping YOU!

First I need to say I am not fully professional at this. It took me 6 days of trying and retrying,
installing, wiping and re-installing until I got an installation of CentOS / Apache that was accommodating to certbot, with many failures and scanning websites to see where I went wrong.
Finally I got a website that certbot actually accepted and let me install the required letsencrypt certificate.
I tested with letsdebug.net to be sure I had nothing that would be wrong.
NOTE the website has been working as a website for the past 3 years.
After I applied the letsencrypt certificates with no errors showing, I completed all the questions about location and user successfully.
Now the website is no longer visible to outside users and I don't know why.
I re-ran letsdebug.net after installing the certificates and it tells me that my system is not suitable to install the (installed) certificates.
I ran the simulated cert renewal and it ran without error.
I don't know where to look now.

"si-tech.com.hk has an A (IPv4) record (119.247.79.211) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address."

&

"A test authorization for si-tech.com.hk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued."


Hi @Bernard, and welcome to the LE community forum.

Please show the output of:
apachectl -t -D DUMP_VHOSTS


[root@si-tech ~]# apachectl -t -D dump_vhosts
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
[root@si-tech ~]#

Try:
httpd -T -D DUMP_VHOSTS
OR
httpd -S


Hi rg305, thanks for the fast reply.
Something I just tried: if I type the server IP address from a PC outside the office it shows the website, but the web name www.si-tech.com.hk times out.


Hi
[root@si-tech ~]# httpd -T -D DUMP_VHOSTS
VirtualHost configuration:
*:80 www.si-tech.com.hk (/etc/httpd/sites-enabled/si-tech.com.hk.conf:1)
*:443 is a NameVirtualHost
default server 119247079211.ctinets.com (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost 119247079211.ctinets.com (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost www.si-tech.com.hk (/etc/httpd/sites-available/si-tech.com.hk-le-ssl.conf:2)
alias si-tech.com.hk
[root@si-tech ~]#

OK, let's check these two things.
Show the outputs of:
#1: certbot certificates
#2: cat /etc/httpd/sites-available/si-tech.com.hk-le-ssl.conf


ok here you go

[root@si-tech ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.si-tech.com.hk
Serial Number: 399222dc0def6899f4788872a2654820b4d
Key Type: RSA
Domains: si-tech.com.hk www.si-tech.com.hk
Expiry Date: 2022-12-04 09:36:09+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.si-tech.com.hk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.si-tech.com.hk/privkey.pem


[root@si-tech ~]# cat /etc/httpd/sites-available/si-tech.com.hk-le-ssl.conf

<VirtualHost *:443>
ServerName www.si-tech.com.hk
ServerAlias si-tech.com.hk
DocumentRoot /var/www/si-tech.com.hk/html
ErrorLog /var/www/si-tech.com.hk/log/error.log
CustomLog /var/www/si-tech.com.hk/log/requests.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.si-tech.com.hk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.si-tech.com.hk/privkey.pem


[root@si-tech ~]#

That seems correct.
Please show the output of:
cat /etc/httpd/sites-enabled/si-tech.com.hk.conf

[I think that file is missing the alias statement]


sites-enabled has a linked file of the same name as in sites-available but shows nothing, as below

cat: /etc/httpd/sites-enables/si-tech.com.hk.conf: No such file or directory

cat /etc/httpd/sites-available/si-tech.com.hk.conf

<VirtualHost *:80>
    ServerName www.si-tech.com.hk
    ServerAlias si-tech.com.hk
    DocumentRoot /var/www/si-tech.com.hk/html
    ErrorLog /var/www/si-tech.com.hk/log/error.log
    CustomLog /var/www/si-tech.com.hk/log/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.si-tech.com.hk [OR]
RewriteCond %{SERVER_NAME} =si-tech.com.hk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

not enables
try enabled

If it is the same as that one, then the alias is there [just didn't show in the output earlier].


Sorry, silly typing error.

cat /etc/httpd/sites-enabled/si-tech.com.hk.conf

<VirtualHost *:80>
    ServerName www.si-tech.com.hk
    ServerAlias si-tech.com.hk
    DocumentRoot /var/www/si-tech.com.hk/html
    ErrorLog /var/www/si-tech.com.hk/log/error.log
    CustomLog /var/www/si-tech.com.hk/log/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.si-tech.com.hk [OR]
RewriteCond %{SERVER_NAME} =si-tech.com.hk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Is there a firewall?
Is there any Geo-location / Geo-fencing device?
Is there any program running like fail2ban?
Are there any IP block lists being used?

I can't reach your site via HTTPS.
I can only reach it via HTTP.

curl -Ii https://si-tech.com.hk/
curl: (7) Failed to connect to si-tech.com.hk port 443: Connection timed out

curl -Ii http://si-tech.com.hk/
HTTP/1.1 301 Moved Permanently
Date: Wed, 07 Sep 2022 07:23:26 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k
Location: https://si-tech.com.hk/
Content-Type: text/html; charset=iso-8859-1

Is there a firewall? yes
Is there any Geo-location / Geo-fencing device? no
Is there any program running like fail2ban? no
Are there any IP block lists being used? no

Make sure the firewall allows port 80 and 443 access.
It must be blocking LetsDebug and LE staging IPs on port 80.
[and my IP too (for 443) - lol]

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.si-tech.com.hk
  Type:   connection
  Detail: 119.247.79.211: Fetching https://www.si-tech.com.hk/.well-known/acme-challenge/JOgyMFLXQh_nwSPBblmuo2w4mIDtVJ2qq8FMXEJzGAQ: Timeout during connect (likely firewall problem)

both ports are open 80 & 443

And, yet, some IPs can't get through.
Something is blocking some IPs from some ports.


Yes but I don't see where I opened a lot of ports when I saw the message from letsdebug
Is it possible to disable the firewall temporarily?

I don't ever advise turning off any firewall [even for a brief time].
Can you show the firewall setting?


how to show
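
For the firewall question the thread ends on, here is an added example that is not part of any post above: a small audit of host firewall output for the symptom seen in the curl tests (port 80 answers, port 443 times out). It assumes the host uses firewalld, the CentOS 8 default, which the thread does not confirm; the function names `web_ports_missing` and `check_sample` and the sample zone text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit firewalld zone output for inbound web access.
# Assumption: the host firewall is firewalld (CentOS 8 default).

# Reads `firewall-cmd --list-all` text on stdin and prints each web
# port (80/tcp, 443/tcp) that neither a "services:" nor a "ports:"
# entry allows. Port ranges (e.g. 80-443/tcp) and rich rules are not
# expanded, so review those by hand.
web_ports_missing() {
    awk '
        $1 == "services:" { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) prt[$i] = 1 }
        END {
            if (!("http"  in svc) && !("80/tcp"  in prt)) print "80/tcp"
            if (!("https" in svc) && !("443/tcp" in prt)) print "443/tcp"
        }'
}

# Constructed sample (not taken from the poster's machine): a zone
# where the http service is allowed but https is not, which matches
# "301 on port 80, connection timed out on port 443".
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  forward-ports:
  source-ports:
  rich rules:'

# Runs the audit over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | web_ports_missing
}

check_sample
```

On the live host, `firewall-cmd --list-all | web_ports_missing` audits the default zone; a missing entry is added with `firewall-cmd --permanent --add-service=https` followed by `firewall-cmd --reload`. A clean result here does not rule out filtering on an upstream router or ISP device.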