Certbot, apache, https don't work

Hello everybody,

I successfully created a certificate with certbot for my Apache virtual host. But when I open the domain in my browser I only got an error.

I got the following messages when i created the certificate:

root@zerlpa:/etc/apache2/sites-enabled# sudo certbot --apache -d webapp.zerlauth.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/webapp.zerlauth.net.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for webapp.zerlauth.net
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/webapp-le-ssl.conf
Deploying Certificate for webapp.zerlauth.net to VirtualHost /etc/apache2/sites-available/webapp-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/webapp-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-available/webapp.conf to ssl vhost in /etc/apache2/sites-available/webapp-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://webapp.zerlauth.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=webapp.zerlauth.net

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/webapp.zerlauth.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/webapp.zerlauth.net/privkey.pem
    Your cert will expire on 2017-12-30. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

and my Apache config looks like:

<VirtualHost *:443>
    ServerName webapp.zerlauth.net
    DocumentRoot "/var/www/webapp/"

    ErrorLog ${APACHE_LOG_DIR}/webapp-zerlauth-net-error-http.log
    CustomLog ${APACHE_LOG_DIR}/webapp-zerlauth-net-access-http.log combined

    <Directory "/var/www/webapp">
        Options Indexes FollowSymLinks
        AllowOverride All
        <IfVersion < 2.3 >
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.3 >
            Require all granted
        </IfVersion>
    </Directory>

    SSLCertificateFile /etc/letsencrypt/live/webapp.zerlauth.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/webapp.zerlauth.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Can anybody help me.
Please.

Can you maybe try ./certbot-auto renew --force-renewal? Not 100% sure, but it might help you out.

Nothing changed. I got a message that all renewals succeeded, but the problem still exists.

So if it says the certificate was renewed, did you restart / reload your web server ???

And if you go to /etc/letsencrypt/live/yourdomain.com/ what are the file dates on those certificates ??

They have the actual time. Yes, I restarted Apache manually.

What’s your domain name?

If your domain name really is webapp.zerlauth.net then you have serious DNS problems - Website Speed Test | Pingdom Tools ...... so is this your domain name or not ??


Yes, this is my domain.

I created an A record for this subdomain, is this not enough?

Your DNS is a mess, where are you hosting your DNS and what did you do ??? What's your nameservers, is it your own nameserver? You are missing all sorts of critical DNS records.

nslookup -type=ANY webapp.zerlauth.net 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	webapp.zerlauth.net
Address: 185.164.5.222

You should get a response like this

nslookup -type=ANY allover.co.za 8.8.8.8
;; Truncated, retrying in TCP mode.
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
allover.co.za
	origin = ns1.allover.co.za
	mail addr = dnsadmin.allover.co.za
	serial = 2017100102
	refresh = 14400
	retry = 3600
	expire = 604800
	minimum = 86400
allover.co.za	rdata_257 = \# 22 000569737375656C657473656E63727970742E6F7267
allover.co.za	text = "v=spf1 mx:smtp.allover.co.za" " mx:ub1.allover.co.za mx:ub2.allover.co.za mx:ns1.allover.co.za mx:ns2.allover.co.za" " ip4:198.50.154.31 ip4:158.69.2.21 ip4:158.69.2.22 ip4:158.69.2.23 ip4:167.114.219.16 ip4:167.114.208.94 ip4:149.56.195.48 ip6:2607:5300:60:775e::6 -all"
allover.co.za	mail exchanger = 10 smtp.allover.co.za.
allover.co.za	mail exchanger = 0 smtp.allover.co.za.
allover.co.za	nameserver = ns2.afraid.org.
allover.co.za	nameserver = ns2.allover.co.za.
allover.co.za	nameserver = puck.nether.net.
allover.co.za	nameserver = ns1.allover.co.za.
Name:	allover.co.za
Address: 167.114.219.16
allover.co.za	has AAAA address 2607:5300:60:775e::4

I don't think there is any DNS problem. @MitchellK keep in mind that you are checking webapp.zerlauth.net and it doesn't have its own zone; if you want to check those ANY requests, you should check them against the real zone... and in this case it is zerlauth.net

Cheers,
sahsanu


Having a rough day @sahsanu … not thinking clearly.

nslookup -type=ANY zerlauth.net 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	zerlauth.net
Address: 81.19.154.98
zerlauth.net	nameserver = ns1.world4you.at.
zerlauth.net	nameserver = ns2.world4you.at.
zerlauth.net
	origin = ns1.world4you.at
	mail addr = hostmaster.world4you.com
	serial = 2017092602
	refresh = 10800
	retry = 3600
	expire = 604800
	minimum = 3600
zerlauth.net	mail exchanger = 10 zerlauth-net.mail.protection.outlook.com.
zerlauth.net	text = "v=spf1 include:spf.protection.outlook.com -all"

Still not sure then why we get an A record for webapp.zerlauth.net with Address: 185.164.5.222 but SSL Labs cannot see it.


curl -I https://webapp.zerlauth.net
curl: (7) Failed to connect to webapp.zerlauth.net port 443: Connection refused

SSL Labs can see the IP, but the problem here is that it can't reach the server on port 443 (no route to host).

@zerlpaMMT, could you please show the output of the following commands?

This command as root or using sudo:

netstat -puant | grep LISTEN

These commands as root or as a normal user, doesn't matter:

echo | openssl s_client -connect localhost:443 -servername webapp.zerlauth.net 2>/dev/null | openssl x509 -noout -text | grep DNS

echo | openssl s_client -connect webapp.zerlauth.net:443 -servername webapp.zerlauth.net 2>/dev/null | openssl x509 -noout -text | grep DNS

Because...

1.- Apache is not working and it is not listening on port 443
2.- You have not forwarded requests to port 443 to your machine on your router.
3.- Your firewall is blocking incoming requests to port 443.
4.- Your ISP is blocking access to port 443.
5.- To be filled... :wink:

Cheers,
sahsanu

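The checks sahsanu asks for above (is anything listening on 0.0.0.0:443, and what certificate does a TLS handshake with SNI return, first against localhost and then via the public name) can be scripted so the results map directly onto his list of causes. The following is an added example written for this thread, not code from certbot or from any poster; the netstat sample is constructed from the output posted later in the thread, and the host name webapp.zerlauth.net is the one under discussion.

```python
"""Reachability check for a freshly configured HTTPS vhost (added example).

Reproduces two checks from the thread: the LISTEN lines of
'netstat -puant', and 'openssl s_client -connect ... -servername ...'
against localhost and against the public name. The results are mapped
onto the possible causes listed in the thread.
"""
import hashlib
import re
import socket
import ssl
from typing import List, Optional, Tuple

# One "netstat -puant | grep LISTEN" line, e.g.
#   tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19517/apache2
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<proc>\S+)$"
)
WILDCARDS = {"0.0.0.0", "::", ":::"}

# Constructed sample, mirroring the netstat output posted in this thread.
NETSTAT_SAMPLE = """tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 364/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 19517/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 338/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19517/apache2"""


def parse_listeners(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, pid/program) for every LISTEN line."""
    rows = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            rows.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return rows


def public_listener(listeners, port: int = 443) -> Optional[str]:
    """Program bound to `port` on a wildcard address, else None.

    A bind on 127.0.0.1 only is reported as None: netstat still shows
    LISTEN, but no client outside the box can reach that socket."""
    for addr, p, proc in listeners:
        if p == port and addr in WILDCARDS:
            return proc
    return None


def served_cert_fingerprint(host: str, port: int, sni: str,
                            timeout: float = 5.0) -> Optional[str]:
    """SHA-256 of the DER certificate returned by a TLS handshake with SNI
    `sni`, or None when TCP or TLS fails (refused, filtered, no TLS there).
    Validation is disabled on purpose: we want to see what is served, not
    whether a client would trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def diagnose(listener: Optional[str], local_fp: Optional[str],
             remote_fp: Optional[str]) -> str:
    """Map the three check results onto the causes listed in the thread."""
    if listener is None:
        return "cause 1: nothing listens on 0.0.0.0:443 (check Listen 443, mod_ssl and the SSL vhost file)"
    if local_fp is None:
        return f"{listener} listens on 443 but the local TLS handshake fails: check the vhost and SSLCertificate* paths"
    if remote_fp is None:
        return "TLS works on localhost but not via the public name: causes 2-4 (router forwarding, firewall, ISP)"
    if remote_fp != local_fp:
        return "a different certificate is served via the public name: another host, proxy or NAT target answers on 443"
    return ("same certificate served locally and via the public name; if outside clients still fail, "
            "repeat this from another network, since from the server itself the public-name check "
            "may never traverse the router or firewall")


if __name__ == "__main__":
    import subprocess
    SNI = "webapp.zerlauth.net"
    ns = subprocess.run(["netstat", "-puant"], capture_output=True, text=True).stdout
    listener = public_listener(parse_listeners(ns))
    print(diagnose(listener,
                   served_cert_fingerprint("localhost", 443, SNI),
                   served_cert_fingerprint(SNI, 443, SNI)))
```

Run it as root on the web server so netstat can show process names; the last branch of diagnose is the situation this thread ends up in, which is why the final remark about running the public-name check from a different network matters.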

My bet is on a firewall blocking port 443.
Even port 80 seems to be blocked - at least from the U.S.
If it's open from elsewhere, then maybe some geo-location blocking device is in play?
http://downforeveryoneorjustme.com/webapp.zerlauth.net says it’s up…


root@zerlpa:/home/zerlpa# netstat -puant | grep LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 364/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 19517/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 338/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19517/apache2

And:

root@zerlpa:/home/zerlpa# echo | openssl s_client -connect localhost:443 -servername webapp.zerlauth.net 2>/dev/null | openssl x509 -noout -text | grep DNS
DNS:webapp.zerlauth.net
root@zerlpa:/home/zerlpa# echo | openssl s_client -connect webapp.zerlauth.net:443 -servername webapp.zerlauth.net 2>/dev/null | openssl x509 -noout -text | grep DNS
DNS:webapp.zerlauth.net

Quite simple your Apache is NOT configured properly it’s not allowing access to your site.

Hm, but what is the problem? I posted my config and that is not really magic, so I don't understand this behaviour...
And locally the command "wget https://webapp.zerlauth.net" works.