Certificate created but "No secure protocols supported"

Help
#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:webologix.com

I ran this command:certbot

It produced this output:

...
6: webologix.com
7: mail.webologix.com
8: www.webologix.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 6 7 8
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.webologix.com,
https://webologix.com, and https://mail.webologix.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.webologix.com
https://www.ssllabs.com/ssltest/analyze.html?d=webologix.com
https://www.ssllabs.com/ssltest/analyze.html?d=mail.webologix.com

My web server is (include version):Apache 2.4

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): USED ISPCONFIG BUT NOT ANYMORE

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Certificate generation is well done but when I verify wit ssllabs.com I get the error

Assessment failed: No secure protocols supported

1 Like
#2

You’re providing the HTTP protocol (normally used on port 80) on port 443 (normally used for HTTPS). See for yourself: http://webologix.com:443/ (notice the discrepancy between the protocol (http and port (443). Your Apache configuration is erroneous.

1 Like
#3

Sorry but I don’t understand how that can be. How can I figure out this ?

Here is my ports.conf

Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

and the vhost (generated by LE):

ks307144 sites-enabled > cat mysite.com.vhost-le-ssl.conf   
<IfModule mod_ssl.c>
<VirtualHost *:443>

                                        DocumentRoot /var/www/clients/client1/web16/web

                ServerName mysite.com
                ServerAlias www.mysite.com
                ServerAlias mail.mysite.com
                ServerAdmin webmaster@mysite.com


                ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log
                CustomLog /var/log/ispconfig/httpd/mysite.com/access.log combined

                Alias /error/ "/var/www/mysite.com/web/error/"
                ErrorDocument 400 /error/400.html
                ErrorDocument 401 /error/401.html
                ErrorDocument 403 /error/403.html
                ErrorDocument 404 /error/404.html
                ErrorDocument 405 /error/405.html
                ErrorDocument 500 /error/500.html
                ErrorDocument 502 /error/502.html
                ErrorDocument 503 /error/503.html

                <IfModule mod_ssl.c>
                </IfModule>

                <Directory /var/www/mysite.com/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +FollowSymLinks
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                <Directory /var/www/clients/client1/web16/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +FollowSymLinks
                                AllowOverride All
                                                                Require all granted
                                                </Directory>




                # suexec enabled
                <IfModule mod_suexec.c>
                        SuexecUserGroup web16 client1
                </IfModule>
                <IfModule mod_fastcgi.c>
                                <Directory /var/www/clients/client1/web16/cgi-bin>
                                                                                Require all granted
                                                                    </Directory>
                                <Directory /var/www/mysite.com/web>
                                        <FilesMatch "\.php[345]?$">
                                                SetHandler php-fcgi
                                        </FilesMatch>
                                </Directory>
                                <Directory /var/www/clients/client1/web16/web>
                                        <FilesMatch "\.php[345]?$">
                                                SetHandler php-fcgi
                                        </FilesMatch>
                                </Directory>
                Action php-fcgi /php-fcgi virtual
                                Alias /php-fcgi /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-mysite.com
                FastCgiExternalServer /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-mysite.com -idle-timeout 300 -socket /var/lib/php7.0-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
                </IfModule>
                <IfModule mod_proxy_fcgi.c>
                        #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web16.sock|fcgi://localhost//var/www/clients/client1/web16/web/$1
                        <Directory /var/www/clients/client1/web16/web>
                                <FilesMatch "\.php[345]?$">
                                                SetHandler "proxy:unix:/var/lib/php7.0-fpm/web16.sock|fcgi://localhost"
                                </FilesMatch>
                        </Directory>
                        </IfModule>



                # add support for apache mpm_itk
                <IfModule mpm_itk_module>
                        AssignUserId web16 client1
                </IfModule>

                <IfModule mod_dav_fs.c>
                # Do not execute PHP files in webdav directory
                        <Directory /var/www/clients/client1/web16/webdav>
                                <ifModule mod_security2.c>
                                        SecRuleRemoveById 960015
                                        SecRuleRemoveById 960032
                                </ifModule>
                                <FilesMatch "\.ph(p3?|tml)$">
                                        SetHandler None
                                </FilesMatch>
                        </Directory>
                        DavLockDB /var/www/clients/client1/web16/tmp/DavLock
                        # DO NOT REMOVE THE COMMENTS!
                        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
                        # WEBDAV END
                </IfModule>








Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mysite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mysite.com/privkey.pem
</VirtualHost>
</IfModule>
#4

Any help or idea apreciated

#5

What’s the output of apache2ctl -S ?

1 Like
#6 
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server joomla-development.eu (/etc/apache2/sites-enabled/100-joomla-development.eu.vhost:7)
         port 80 namevhost joomla-development.eu (/etc/apache2/sites-enabled/100-joomla-development.eu.vhost:7)
                 alias www.joomla-development.eu
         port 80 namevhost mon-voyage-a-cuba.com (/etc/apache2/sites-enabled/100-mon-voyage-a-cuba.com.vhost:7)
                 alias www.mon-voyage-a-cuba.com
                 alias mail.mon-voyage-a-cuba.com
         port 80 namevhost webologix.com (/etc/apache2/sites-enabled/100-webologix.com.vhost:7)
                 alias www.webologix.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
1 Like
#7

Where did your mysite.com.vhost-le-ssl.conf go? :face_with_raised_eyebrow:

#8

Sorry, I forgot to replace names. mysite.com.vhost-le-ssl.conf is webologix.com.vhost-le-ssl.conf and it doesn’t appear in the apache2ctl -S results

What is that “-S” flag. I don’t see it in man apache2ctl documentation ?

#9

That vhost seems to not be executed:

 > cat /etc/apache2/sites-enabled/webologix.com.vhost-le-ssl.conf 
<Directory /var/www/webologix.com>
        AllowOverride None
        Require all denied
</Directory>

<VirtualHost *:443>
        DocumentRoot /var/www/webologix.com/web
        ServerName webologix.com
        ServerAlias www.webologix.com
        ServerAdmin mtn@webologix.com

        ErrorLog /var/log/ispconfig/httpd/webologix.com/error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b" CLF
        CustomLog /var/log/ispconfig/httpd/webologix.com/access.log common
        LogLevel debug

        <Directory /var/www/webologix.com/web>
                Options FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>

SSLCertificateFile /etc/letsencrypt/live/www.webologix.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.webologix.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

syntax is correct and ssl module is loaded:

 > apache2 -t -D DUMP_MODULES | grep ssl
 ssl_module (shared)
 > apache2ctl configtest
Syntax OK

What else could prevent that vhost from executing ?

#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.