I ran certbot on my Apache server; now the sites just time out. Everything seems like it worked… Not sure where to start troubleshooting…
login as: chris
chris@192.168.100.10's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-124-generic x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
7 packages can be updated.
0 updates are security updates.
*** System restart required ***
Last login: Tue May 29 22:02:47 2018 from 192.168.100.54
chris@cns-itpro:~$ sudo service apache2 restart
[sudo] password for chris:
chris@cns-itpro:~$ sudo nano /etc/apache2/sites-available/
chris@cns-itpro:~$ cd /etc/apache2/sites-available
chris@cns-itpro:/etc/apache2/sites-available$ ls
000-default.conf invoiceninja.conf invoiceninja.conf.save
default-ssl.conf invoiceninja.conf.bak
chris@cns-itpro:/etc/apache2/sites-available$ sudo nano invoiceninja.conf
chris@cns-itpro:/etc/apache2/sites-available$ clear
chris@cns-itpro:/etc/apache2/sites-available$ sudo certbot --apache
[sudo] password for chris:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
1: cns-itpro.com
2: ininja.cns-itpro.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cns-itpro.com
http-01 challenge for ininja.cns-itpro.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/invoiceninja.conf to ssl vhost in /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/invoiceninja.conf to ssl vhost in /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Congratulations! You have successfully enabled https://cns-itpro.com and
https://ininja.cns-itpro.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cns-itpro.com
https://www.ssllabs.com/ssltest/analyze.html?d=ininja.cns-itpro.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cns-itpro.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cns-itpro.com/privkey.pem
Your cert will expire on 2018-08-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
chris@cns-itpro:/etc/apache2/sites-available$
Your server doesn’t have an open port 443 (https)…
Please try to open it and connect again…
P.S. I have no idea why your server doesn’t connect… (Timeout)
Can you check your firewall?
Or check if Apache started successfully.
Thank you
Server is listening on port 443 and 80
Firewall has ports 80 and 443 forwarded to the server
Try:
openssl s_client -connect 127.0.0.1:443 -servername cns-itpro.com
Then again but from the Internet
openssl s_client -connect cns-itpro.com:443 -servername cns-itpro.com
Show:
sudo ufw status
ifconfig | grep ask
Hi,
Please confirm your IP address is 65.184.42.219.
Because this IP (which your hostnames point to) doesn't open port 443. Moreover, he.net and my local portqry show that port 443 is filtered. That means a firewall or something is definitely blocking it (otherwise it would show "not listening").
Is it possible that your server only forwards requests when they're coming from the local internet?
Thank you
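An added example (not from this thread) that automates the checks suggested above: a loopback-versus-public-IP TCP probe that tells a silently dropped port (a timeout, the "filtered" result the helper saw) apart from a refused one, plus a TLS probe with SNI equivalent to the openssl s_client command. It assumes Python 3.7+ and reuses the hostname and public IP quoted in the thread.

```python
import socket
import ssl

# Added example; hostname and public IP are the ones quoted in the thread.
SERVER_NAME = "cns-itpro.com"
PUBLIC_IP = "65.184.42.219"

def classify_error(exc):
    """Timeout = packets dropped by a firewall/NAT; refused = nothing listening."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "error"

def probe_tcp(host, port, timeout=5.0):
    """Return 'open', 'closed', 'filtered' or 'error' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)

def probe_tls(host, port, server_name, timeout=5.0):
    """Like `openssl s_client -connect host:port -servername server_name`."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                # SAN list tells you which vhost/certificate actually answered
                sans = [v for _, v in tls.getpeercert().get("subjectAltName", ())]
                return "tls-ok", sans
    except ssl.SSLCertVerificationError as exc:
        return "cert-error", str(exc)   # vhost serves the wrong certificate
    except ssl.SSLError as exc:
        return "tls-error", str(exc)    # handshake failed (not TLS on that port?)
    except OSError as exc:
        return classify_error(exc), None

def interpret(local, public):
    """Turn the loopback and public-IP probe results into the next check."""
    if local != "open":
        return "apache is not accepting on 443 locally: check 'ss -ltn' and the apache2 error log"
    if public == "filtered":
        return "apache listens, but the public IP drops 443: check the edge firewall/NAT forward"
    if public == "closed":
        return "the public IP answers but refuses 443: the port-forward points at the wrong host"
    return "443 is reachable from outside; if browsers still fail, check the vhost certificate"
```

Run the public-IP probe from outside the LAN as well as from the server, since a pfSense NAT reflection setting can make the public address behave differently from inside than from the Internet.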
I have not enabled the firewall on the server. I have a pfsense box. It has to be in there somewhere
As far as filtering, hmm... I'll have to dig a little deeper into the firewall to see, but I have not intentionally filtered 443. I have Squid loaded for DNS filtering; it uses an internal proxy. Not sure if that would cause that, though. I'll look at the logs.
Yeah. Copy the port 80 lines to 443.
I already have a rule created for port 443.
I have found the issue.
Just need to figure out what part of that rule is blocking the traffic. My forwarding rules are at the top of the list and should be processed first. Shouldn't be blocking it. Looks like a ton of other people are having this same issue.
Got it… Thanks for helping me work through this!!
Glad to have helped.
Cheers