Certbot apache succeeded now site times out

I ran certbot on my apache server now the sites just time out. Everything seems like it worked… Not sure where to start troubleshooting…

login as: chris
chris@'s password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-124-generic x86_64)

7 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Tue May 29 22:02:47 2018 from
chris@cns-itpro:~$ sudo service apache2 restart
[sudo] password for chris:
chris@cns-itpro:~$ sudo nano /etc/apache2/sites-available/
chris@cns-itpro:~$ cd /etc/apache2/sites-available
chris@cns-itpro:/etc/apache2/sites-available$ ls
000-default.conf invoiceninja.conf invoiceninja.conf.save
default-ssl.conf invoiceninja.conf.bak
chris@cns-itpro:/etc/apache2/sites-available$ sudo nano invoiceninja.conf
chris@cns-itpro:/etc/apache2/sites-available$ clear
chris@cns-itpro:/etc/apache2/sites-available$ sudo certbot --apache
[sudo] password for chris:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: cns-itpro.com
2: ininja.cns-itpro.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cns-itpro.com
http-01 challenge for ininja.cns-itpro.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/invoiceninja-l e-ssl.conf
Enabling available site: /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/invoiceninja-l e-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP ac cess.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/invoiceninja.conf to ssl vhost i n /etc/apache2/sites-available/invoiceninja-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/invoiceninja.conf to ssl vhost i n /etc/apache2/sites-available/invoiceninja-le-ssl.conf

Congratulations! You have successfully enabled https://cns-itpro.com and

You should test your configuration at:
SSL Server Test: cns-itpro.com (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2018-08-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation


Your server doesn’t have a open port 443 (https)…

Please try to open it and connect again…

P.S. I have no idea why your server doesn’t connect… (Timeout)

Can you check your firewall ?
Or check if Apache started successfully

Thank you


Server is listening on port 443 and 80

Firewall has ports 80 and 443 forwarded to the server

openssl s_client -connect -servername cns-itpro.com
Then again but from the Internet
openssl s_client -connect cns-itpro.com:443 -servername cns-itpro.com

sudo ufw status
ifconfig | grep ask


Please confirm your IP address is
Because this IP (which pointed to your hostnames), doesnt open port 443. More over, he.net & my local portqry shows the port 443 is filtered. Means a firewall or something is definitely blocking it (else it would show not listening)

Is it possible that your server only forward true requests when it’s coming from local internet?

Thank you

I have not enabled the firewall on the server. I have a pfsense box. It has to be in there somewhere


As far as filtering Hmm.... I'll have to dig a little deeper in the firewall to see but I have not intentionally filtered 443. I have squid loaded for DNS filtering it uses an internal proxy. Not sure if that would cause that though. I'll look at the logs.

Yeah. Copy the port 80 lines to 443.

I already have a rule created for port 443.

I have found the issue.

Just need to figure out what part of that rule is blocking the traffic. My forwarding rules are at the top of the list and should be process first. Shouldn't be blocking it. Looks like a ton of other people are having this same issue.

Got it… Thanks for helping me work though this!!

1 Like

Glad to have helped.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.