Certificate creation error

Well, I don’t know what the problem is exactly.

You could confirm that port 80 isn’t blocked by running

echo bonjour | nc -l 80

on your server, and then from another machine, running

nc www.mydomain.fr 80

and confirming that you see the word “bonjour”.

This isn’t using the HTTP protocol or any web technology; it’s using the TCP port directly to send some literal, uninterpreted data.

(You will need to be root in order to run the nc -l 80 command.)
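The raw-TCP check above, as an added example that is not the poster's or the helper's own code: the listener plays the role of `echo bonjour | nc -l 80`, the client plays `nc www.mydomain.fr 80`, and a third function shows what `nc: Address already in use` means (another process already owns the port; in the thread that process is apache2, as the netstat output later confirms). Everything runs on loopback with a kernel-chosen port, so it needs no root and no second machine; for the real test you would run the listener on the server and the client from outside.

```python
"""Loopback version of the 'echo bonjour | nc -l 80' reachability test (added example)."""
import errno
import socket
import threading
from typing import Optional, Tuple


def start_banner_listener(banner: bytes, host: str = "127.0.0.1", port: int = 0) -> Tuple[int, threading.Thread]:
    """Bind a listening socket (port 0 lets the kernel pick a free one), serve the banner to
    exactly one client, then close. Returns the bound port and the server thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)   # the "bonjour" the remote nc should print
        srv.close()

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    return bound_port, t


def tcp_banner(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Connect and read until the peer closes. None means nothing usable answered on that
    port (refused, filtered, or timed out), which is what `nc host 80` printing nothing
    looks like from the client side."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return None


def port_is_free(host: str, port: int) -> bool:
    """Try to bind the port ourselves. EADDRINUSE is the 'nc: Address already in use'
    from the thread: some other process (here our listener) already owns the port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        probe.close()


def run_demo() -> dict:
    """Listener up -> port busy and banner readable; listener gone -> nothing reachable."""
    port, server = start_banner_listener(b"bonjour\n")
    in_use = not port_is_free("127.0.0.1", port)      # check while the listener still holds the port
    banner = tcp_banner("127.0.0.1", port)
    server.join(timeout=5)                             # one-shot listener has closed its socket now
    after_close = tcp_banner("127.0.0.1", port)        # connection refused -> None
    return {"port_in_use": in_use, "banner": banner, "after_close": after_close}


if __name__ == "__main__":
    print(run_demo())
```

If the banner comes back, TCP on that port reaches the process you started, independent of HTTP, Apache or certbot; if it does not, the problem is in front of the server (box firewall, port forwarding, a different listener) and no certificate configuration will fix it.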

Result on my server:
nc: Address already in use

Result from another machine (the second RPI):
nothing

Result of netstat -ntpl:

tcp6 0 0 :::80 :::* LISTEN 2998/apache2
tcp6 0 0 :::443 :::* LISTEN 2998/apache2

It seems to be OK…

Oops!!!
Something strange…
When I try to reach www.mydomain.fr with HTTP, the site is unreachable…

I open port 80 on my internet box firewall…
==> KO

I change the Apache port to listen on 8080 and make a redirection from 80 to 8080 on my internet box…
==> OK, the site is reachable…

I don’t understand!!!
:fearful:

And when I try certbot certonly --webroot, it’s OK. The certificates were generated…
:massage:

But… that doesn’t work!!!

After moving the certificates into a personal directory under /etc/apache2, configuring Apache, and stopping and starting the apache2 service, the Apache service is down…

Message in the error log:

[Wed Mar 15 21:20:06.959913 2017] [ssl:emerg] [pid 16676] AH02562: Failed to configure certificate 192.168.1.141:443:0 (with chain), check /etc/apache2/.certs/0000_csr-certbot.pem
[Wed Mar 15 21:20:06.960012 2017] [ssl:emerg] [pid 16676] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Mar 15 21:20:06.960113 2017] [ssl:emerg] [pid 16676] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed
[Wed Mar 15 21:22:38.396505 2017] [ssl:info] [pid 16788] AH01914: Configuring server 192.168.1.141:443 for SSL protocol
[Wed Mar 15 21:22:38.398182 2017] [ssl:debug] [pid 16788] ssl_engine_init.c(390): AH01893: Configuring TLS extension handling
[Wed Mar 15 21:22:38.398472 2017] [ssl:emerg] [pid 16788] AH02562: Failed to configure certificate 192.168.1.141:443:0 (with chain), check /etc/apache2/.certs/0000_csr-certbot.pem
[Wed Mar 15 21:22:38.398570 2017] [ssl:emerg] [pid 16788] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Mar 15 21:22:38.398673 2017] [ssl:emerg] [pid 16788] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed

:rage:

OK. I have found the errors and corrected them (the file to put in the default-ssl configuration file).
No error message in the error log when I restart the Apache service…

But when I try to reach my site using HTTPS on my Android phone with Google Chrome, this is what I see:
Your connection is not private…
NET::ERR_CERT_COMMON_NAME_INVALID

In the error log, I can see this:
[Wed Mar 15 21:51:21.487842 2017] [ssl:info] [pid 17841] (70014)End of file found: [client 80.215.227.83:30517] AH01991: SSL input filter read failed.

And I have this message when I do service apache2 status:
The SSLCertificateChainFile directive is deprecated

For Apache 2.4 it should be something like

SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem

in your configuration file.
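A small lint for the mod_ssl stanza, added here as an example (not code from the thread, Apache or certbot). It catches both failures seen in this thread before Apache is restarted: the `PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE)` emergency from the log above, which is what mod_ssl reports when SSLCertificateFile points at a file whose first PEM block is not a CERTIFICATE (the log names a `0000_csr-certbot.pem`, i.e. a certificate signing request), and the deprecated SSLCertificateChainFile directive, which Apache 2.4.8 and later replace by putting fullchain.pem in SSLCertificateFile. The PEM file contents are constructed stand-ins (only the BEGIN/END markers matter for this check), the paths are the ones from the thread, and `files` maps path to content so it runs offline; on a real box you would read the files instead.

```python
"""Check an Apache mod_ssl stanza against the PEM files it references (added example)."""
import re
from typing import Dict, List

# A PEM file is one or more "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def pem_labels(text: str) -> List[str]:
    """Labels of the PEM blocks in a file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def parse_ssl_directives(conf: str) -> Dict[str, str]:
    """Pick the certificate directives out of a stanza (a later occurrence overrides an earlier one)."""
    found: Dict[str, str] = {}
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] in SSL_DIRECTIVES:
            found[parts[0]] = parts[1]
    return found


def check_ssl_config(conf: str, files: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the stanza should load and serve a full chain."""
    problems: List[str] = []
    d = parse_ssl_directives(conf)
    cert, key = d.get("SSLCertificateFile"), d.get("SSLCertificateKeyFile")

    if cert is None:
        problems.append("SSLCertificateFile is missing")
    else:
        labels = pem_labels(files.get(cert, ""))
        if not labels:
            problems.append(f"{cert}: no PEM block found")
        elif labels[0] != "CERTIFICATE":
            # This is the 'no start line (Expecting: TRUSTED CERTIFICATE)' case from the thread.
            problems.append(f"{cert}: first PEM block is '{labels[0]}', not CERTIFICATE; "
                            "mod_ssl will fail with 'no start line'")
        elif labels.count("CERTIFICATE") < 2 and "SSLCertificateChainFile" not in d:
            problems.append(f"{cert}: leaf certificate only; point SSLCertificateFile at fullchain.pem "
                            "so clients also receive the intermediate")

    if key is None:
        problems.append("SSLCertificateKeyFile is missing")
    elif not any(label.endswith("PRIVATE KEY") for label in pem_labels(files.get(key, ""))):
        problems.append(f"{key}: no PRIVATE KEY block")

    if "SSLCertificateChainFile" in d:
        problems.append("SSLCertificateChainFile is deprecated since Apache 2.4.8; "
                        "drop it and use fullchain.pem in SSLCertificateFile")
    return problems


# Constructed, non-functional PEM bodies: the markers are what this check looks at.
FAKE_BODY = "MIIBfakeBodyNotARealDerEncoding==\n"
CERT_BLOCK = "-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "/etc/apache2/.certs/0000_csr-certbot.pem":
        "-----BEGIN CERTIFICATE REQUEST-----\n" + FAKE_BODY + "-----END CERTIFICATE REQUEST-----\n",
    "/etc/letsencrypt/live/mydomain.fr/cert.pem": CERT_BLOCK,
    "/etc/letsencrypt/live/mydomain.fr/fullchain.pem": CERT_BLOCK * 2,   # leaf + intermediate
    "/etc/letsencrypt/live/mydomain.fr/privkey.pem":
        "-----BEGIN PRIVATE KEY-----\n" + FAKE_BODY + "-----END PRIVATE KEY-----\n",
}

# The stanza that produced the AH02562 errors: SSLCertificateFile points at the CSR.
CONF_CSR = """SSLCertificateFile /etc/apache2/.certs/0000_csr-certbot.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
"""
# The poster's later stanza: loads, but with the deprecated chain directive.
CONF_OLD = """SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem
"""
# The Apache 2.4 form recommended in the reply.
CONF_GOOD = """SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
"""

if __name__ == "__main__":
    for name, conf in (("csr", CONF_CSR), ("old", CONF_OLD), ("good", CONF_GOOD)):
        print(name, check_ssl_config(conf, SAMPLE_FILES) or "ok")
```

Running it before `systemctl restart apache2` is cheaper than reading the emergency log afterwards; `apachectl configtest` would also refuse the CSR file, but it does not warn that a leaf-only cert.pem leaves clients without the intermediate.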

I have:
SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem

I’ve made the changes like you told me…

OK for service apache2 status…
But KO for the other error…

Well, I suggest you tell us what the domain name is.

mydomain is mehl-family.fr

I can’t connect at all to that domain on port 443. What URL were you trying to access when you received the NET::ERR_CERT_COMMON_NAME_INVALID error?

https://www.mehl-family.fr:21935/EZSM/ (for example)

That works OK without the www. part. The only trouble is that the certificate covers the base domain without the www. version, which is not really a configuration problem but just a problem about the names for which the certificate was requested.

So, you should re-run your Certbot command but be sure to list each name that you want the certificate to cover with the -d option.

certbot certonly --webroot -d ??

It’s like

certbot certonly --webroot -w /your/webroot/location -d mehl-family.fr -d www.mehl-family.fr

You need to specify the webroot location, which presumably you found before in order to specify it when you originally got the certificate.

The existing certificate can be replaced automatically with a larger one in this case. You may be asked whether you want to do this. You can bypass that question by adding --expand to that command, which is equivalent to answering yes to the question.
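Why the browser rejected `https://www.mehl-family.fr:21935/EZSM/` with NET::ERR_CERT_COMMON_NAME_INVALID, and how the -d list in the command above fixes it, as an added example (not the poster's or the helper's code). Browsers take the host part of the URL (the port and path play no role), and check it against the certificate's subjectAltName DNS entries: exact match, or a wildcard that is the whole left-most label and covers exactly one label. The SAN list below is a constructed stand-in for a certificate requested for the bare domain only; on the real certificate you would read it from `openssl x509 -in cert.pem -noout -text`. The webroot path is an assumption.

```python
"""Certificate name coverage: which -d names are missing? (added example)"""
from typing import List
from urllib.parse import urlsplit


def hostname_from_url(url: str) -> str:
    """The name the browser checks is the host only; port and path never matter."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def _name_matches(pattern: str, host: str) -> bool:
    """One SAN dNSName entry against one host: case-insensitive; a wildcard must be the
    entire left-most label, needs at least two labels after it, and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) >= 3 and len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def cert_covers(hostname: str, san_dns_names: List[str]) -> bool:
    """True if any SAN entry matches the hostname."""
    return any(_name_matches(name, hostname) for name in san_dns_names)


def uncovered_names(wanted: List[str], san_dns_names: List[str]) -> List[str]:
    """The names you still need to add to the certificate."""
    return [h for h in wanted if not cert_covers(h, san_dns_names)]


def certbot_args(webroot: str, names: List[str], expand: bool = False) -> List[str]:
    """argv for the webroot command from the thread, one -d per name, --expand to replace
    the existing certificate without being asked."""
    args = ["certbot", "certonly", "--webroot", "-w", webroot]
    for name in names:
        args += ["-d", name]
    if expand:
        args.append("--expand")
    return args


# Constructed: a certificate that was requested for the bare domain only, as in the thread.
CURRENT_SANS = ["mehl-family.fr"]
WANTED = ["mehl-family.fr", "www.mehl-family.fr"]

if __name__ == "__main__":
    host = hostname_from_url("https://www.mehl-family.fr:21935/EZSM/")
    print(host, "covered:", cert_covers(host, CURRENT_SANS))
    print("missing:", uncovered_names(WANTED, CURRENT_SANS))
    print(" ".join(certbot_args("/var/www/html", WANTED, expand=True)))   # assumed webroot
```

Note that a wildcard `*.mehl-family.fr` would cover `www.` but not the bare `mehl-family.fr`, and not any deeper name, so listing both names explicitly, as the reply suggests, is the simplest correct request.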

Error message:
Failed authorization procedure. www.mehl-family.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.mehl-family.fr

Did you have to make some change before in order to make the webroot method work? I didn’t understand what you did in order to make it succeed.