I'm a complete newbie to SSL but I appear to have successfully installed a certificate. However my browser continues to show "This site can't provide a secure connection".
I'm using certbot 5.6.0 with Apache 2.4.58 on a VPS with Ubuntu 24.04.4. I installed a certificate on the domain and "certbot certificates" clearly shows it has a valid certificate. I have cleared my browser cache, I have checked my Apache2 config file and certbot has rewritten that correctly, and I've made sure there are no links to http resources in the files being served.
The only thing that I'm concerned about is DNS. I've read about something called DNS-01 but I'm not sure what it is. The certificate was installed without any errors, but the DNS for the domain is on a different server from the website because I've just taken control of a new VPS and haven't moved the domain registration across, simply pointed the A record to the new server. Would this affect the certificate?
If the IP in your public DNS were wrong no requests would reach your server. The dns-01 challenge is just a different way to get a cert. You would not have been able to get a cert using an http-01 challenge if that IP was wrong. Is your server showing a page about a movie by Simon and Alan? Because that's what I see with an HTTP request.
Yes, HTTPS requests to your system are failing. The two most likely reasons are an incorrect Apache config or faulty router port forwarding such as sending requests that come in on port 443 to port 80.
Let's start by reviewing your Apache config. Please show output of this:
As you can see I have a number of virtual hosts but www.humblestation.co.uk is the only one I've tried to SSL-ify so far.
These are the active lines of my config file for the domain. I've temporarily commented out the Rewrite lines inserted by certbot so that the domain can still be accessed with http:
I wouldn't use the IP address in the VirtualHost statement and instead use *:80 or *:443. But, be sure to change all of your Vhosts if you do change them. Specifying IP addresses is rarely needed. That isn't likely causing this problem.
You should check your router or network config or equipment to ensure inbound requests on port 443 are sent to Apache on port 443. HTTP requests to port 443 work but they should not. In fact, they get the same reply as HTTP to port 80.
> I wouldn't use the IP address in the VirtualHost statement and instead use *:80 or *:443. But, be sure to change all of your Vhosts if you do change them. Specifying IP addresses is rarely needed.

I think I did that in the distant past when for some reason I couldn't get *:80 to work. It was probably something else causing the problem but I just left the files as they were and copied them over when I set up the new VPS.

> You should check your router or network config or equipment to ensure inbound requests on port 443 are sent to Apache on port 443. HTTP requests to port 443 work but they should not. In fact, they get the same reply as HTTP to port 80.

Yes, but as I said in my post, that's because I commented out certbot's Rewrite lines so that the domain could still be viewed by http while I sort out the SSL problem. I've now reinstated them so you should find that http fails as you would have expected it to fail.

I don't have any port forwarding on my router and I don't have any problem with other https sites.
So at the moment I'm no nearer a solution. Many thanks for your help.
The HTTP request I used specified port 443. It should not even arrive to your VHost for port 80 to be subject to that redirect.
You should set up a unique access log (CustomLog) in the port 80 and port 443 VHosts for that domain. Then, try the two curl commands I showed and see which of the logs they appear in.
It looks like they will both end up in the port 80 Vhost log yet there should be one in each.
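An added example, not code from the thread, of the probe the reply above describes. Plain HTTP to port 80 should answer with a redirect to HTTPS (certbot's Rewrite lines); plain HTTP to port 443 should either get no HTTP response at all or mod_ssl's 400 "You're speaking plain HTTP to an SSL-enabled server port", so a 2xx/3xx answer on 443 means a non-SSL VirtualHost is serving that port. The two header blocks are constructed from the responses posted in this thread so the classifier runs offline; `probe` does the live request against the hostname from the thread.

```shell
#!/bin/sh
# Added example: classify what a plaintext HTTP probe of ports 80 and 443 says
# about an Apache host. Not from the thread; the sample responses below are
# constructed from the headers posted in the thread.

# Live probe: print only the response headers (empty if no HTTP response came back).
probe() {  # probe HOST PORT
  curl -s --max-time 5 -o /dev/null -D - "http://$1:$2/" 2>/dev/null
}

# status_of HEADERS -> 3-digit status from the first line, empty if none
status_of() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}

# location_of HEADERS -> value of the Location header, empty if none
location_of() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation:[ \t]*//p' | head -n 1
}

# classify PORT HEADERS -> one-word verdict
classify() {
  port=$1; hdrs=$2
  code=$(status_of "$hdrs"); loc=$(location_of "$hdrs")
  case "$port" in
    80)
      case "$loc" in
        https://*) echo ok-redirects-to-https ;;
        "")        echo serves-plain-http ;;      # no redirect: certbot's Rewrite lines not active
        *)         echo redirects-elsewhere ;;
      esac ;;
    443)
      if [ -z "$code" ]; then
        echo ok-no-plain-http-answer            # TLS-only port: curl got no HTTP response
      elif [ "$code" = 400 ]; then
        echo ok-ssl-port-rejected-plaintext     # mod_ssl: plain HTTP to an SSL-enabled port
      else
        echo PROBLEM-plain-http-served-on-443   # a non-SSL VirtualHost is answering on 443
      fi ;;
    *) echo unknown-port ;;
  esac
}

# Constructed from the two responses pasted in this thread.
RESP_80='HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.58 (Ubuntu)
Location: https://www.humblestation.co.uk/
Content-Type: text/html; charset=iso-8859-1'

RESP_443='HTTP/1.1 302 Found
Server: Apache/2.4.58 (Ubuntu)
Location: http://www.humblestation.co.uk/artc/home.aw
Content-Type: text/html; charset=iso-8859-1'

echo "port 80:  $(classify 80 "$RESP_80")"
echo "port 443: $(classify 443 "$RESP_443")"
# Live use on the server or from outside:
#   classify 443 "$(probe www.humblestation.co.uk 443)"
```

Run against the thread's own responses this prints `ok-redirects-to-https` for port 80 and `PROBLEM-plain-http-served-on-443` for port 443, which is exactly the "should not work but does" condition the reply points at; the next step is the per-VirtualHost CustomLog to see which block is answering.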
Yes, yes you are. But that shouldn't be affecting this other domain, and they are not yet setting up SSL for this name. For sure though it needs fixing at some point.
> You should set up a unique access log (CustomLog) in the port 80 and port 443 VHosts for that domain. Then, try the two curl commands I showed and see which of the logs they appear in.
> It looks like they will both end up in the port 80 Vhost log yet there should be one in each.

Well, what I actually get is both curl calls returning a result (shown below), but the log (for port 80) only shows one of the calls, the one to port 80.

So what do I have to do in my server and where?
Alan
sh-5.2# curl -i http://www.humblestation.co.uk:80
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.58 (Ubuntu)
Location: https://www.humblestation.co.uk/
Content-Length: 329
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.humblestation.co.uk/">here</a>.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at www.humblestation.co.uk Port 80</address>
</body></html>

sh-5.2# curl -i http://www.humblestation.co.uk:443
HTTP/1.1 302 Found
Server: Apache/2.4.58 (Ubuntu)
Location: http://www.humblestation.co.uk/artc/home.aw
Content-Length: 317
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.humblestation.co.uk/artc/home.aw">here</a>.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at www.humblestation.co.uk Port 443</address>
</body></html>
I have no idea where this is coming from. There is only one config file for artcirclesb.co.uk and it's identical to all the other config files apart from the name.
Notice the replies are slightly different. The one to port 80 redirects to HTTPS and your home page.
But, the one to port 443 redirects to a different location.
You need to find out which VHost is processing that and then how to correct that. Add a unique log to the default port 80 VHost and the default port 443 VHost. The request is probably going to one of those rather than your intended VHost.
> You need to find out which VHost is processing that and then how to correct that. Add a unique log to the default port 80 VHost and the default port 443 VHost. The request is probably going to one of those rather than your intended VHost.

Hmm, interesting. It's created the log file for default 80 but the file is empty. It hasn't even created the file for 443.
For your information, I've now solved the problem. A friend of a friend took a rummage in my config files and found that the server name in the default file hadn't been set. I thought the default file was purely to catch requests that weren't picked up by any of the virtual hosts and so I couldn't see why it would affect the others. It turns out that he didn't know it would either! But anyway it seems the site is now working perfectly with https. Many thanks for the responses.
Do you mean you did not have a ServerName set in both the port 80 and the port 443 VHosts? Because I thought you said the access log for the 443 default VHost never showed anything inbound. I don't see how a missing ServerName would have prevented that.
Or, are you saying you did not have one in the base Apache config file? I'm not sure how that could affect VHosts if they all had ServerName specified.
Personally I would get rid of the IP addresses in your VirtualHost statements but be sure to do them all. Mixing IP-based VHosts with Name-based can easily cause problems. I didn't see any mix in the few you showed. If nothing else having the IP address there makes maintenance more tricky. See: Name-based Virtual Host Support - Apache HTTP Server Version 2.4 and note especially the comment "Using a wildcard (*) for the IP address in all of the VirtualHost directives makes this IP-based mapping irrelevant." That removes IP selection from the picture and relies solely on name-based matching (which is the most common method).
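An added example, not code from the thread or from Apache, that checks a set of VirtualHost blocks for the three things raised in this thread: a block with no ServerName (the default site as shipped on Ubuntu has it commented out), one CustomLog shared by several blocks (so you cannot tell which block answered a request), and IP-based address specs mixed with *:port wildcards. The "before" and "after" configs are constructed; 203.0.113.10 is a placeholder address, the log and certificate paths follow Ubuntu's /etc/apache2 and certbot layout, and the Rewrite lines are the form certbot inserts.

```shell
#!/bin/sh
# Added example (not from the thread): lint Apache VirtualHost blocks for
# missing ServerName, shared CustomLog and mixed IP-based/wildcard addresses.

# vhost_lint_text CONFTEXT -> one finding per line, or "OK"
vhost_lint_text() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*<VirtualHost[ \t]/ {
      n++; inv = 1; spec = $0
      sub(/^[ \t]*<VirtualHost[ \t]+/, "", spec); sub(/>.*$/, "", spec)
      addr[n] = spec; line[n] = NR; sname[n] = ""; clog[n] = ""
      next
    }
    inv && /^[ \t]*ServerName[ \t]/ { sname[n] = $2 }      # commented "#ServerName" does not match
    inv && /^[ \t]*CustomLog[ \t]/  { clog[n] = $2 }
    inv && /^[ \t]*<\/VirtualHost>/ { inv = 0 }
    END {
      found = 0
      for (i = 1; i <= n; i++) {
        if (sname[i] == "") {
          printf "line %d: <VirtualHost %s> has no ServerName\n", line[i], addr[i]; found = 1
        }
        if (clog[i] != "") users[clog[i]]++
        if (addr[i] ~ /^\*:/) star = 1
        else if (addr[i] ~ /^[0-9]/) ipbased = 1
      }
      for (i = 1; i <= n; i++) {
        if (clog[i] != "" && users[clog[i]] > 1 && !reported[clog[i]]++) {
          printf "CustomLog %s shared by %d VirtualHosts\n", clog[i], users[clog[i]]; found = 1
        }
      }
      if (star && ipbased) { print "mixed IP-based and wildcard VirtualHost address specs"; found = 1 }
      if (!found) print "OK"
    }'
}

# vhost_lint_file FILE -> same, reading a config file
vhost_lint_file() { vhost_lint_text "$(cat "$1")"; }

# Constructed "before": Ubuntu default site with ServerName commented out, site
# blocks bound to the server IP (placeholder), every block sharing access.log.
BAD_CONF='<VirtualHost *:80>
    #ServerName www.example.com
    DocumentRoot /var/www/html
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName www.humblestation.co.uk
    DocumentRoot /var/www/humblestation
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName www.humblestation.co.uk
    DocumentRoot /var/www/humblestation
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.humblestation.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.humblestation.co.uk/privkey.pem
</VirtualHost>'

# Constructed "after": wildcard addresses everywhere, a ServerName in the default
# block, and a distinct log per block so curl probes show up where expected.
GOOD_CONF='<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/html
    CustomLog ${APACHE_LOG_DIR}/default-80.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName www.humblestation.co.uk
    DocumentRoot /var/www/humblestation
    CustomLog ${APACHE_LOG_DIR}/humblestation-80.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.humblestation.co.uk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.humblestation.co.uk
    DocumentRoot /var/www/humblestation
    CustomLog ${APACHE_LOG_DIR}/humblestation-443.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.humblestation.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.humblestation.co.uk/privkey.pem
</VirtualHost>'

echo "--- before ---"; vhost_lint_text "$BAD_CONF"
echo "--- after ----"; vhost_lint_text "$GOOD_CONF"
# On the server: for f in /etc/apache2/sites-enabled/*.conf; do echo "$f"; vhost_lint_file "$f"; done
```

The lint only reports what the thread discussed; it does not claim to explain why setting the default ServerName fixed the site. After editing, `apachectl configtest` and `apachectl -S` (which prints the vhost-to-port mapping Apache actually built) are the authoritative checks.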