Certificate generated but website still not secure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yoottle.com

My web server is (include version): OVH

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I am having some problems protecting my website yoottle.com, after going through the whole process with certbot my website is still not protected. I went through all the steps and got the certificate at the end of it all. Yet, still not secured.

Hope to get some help

@Seb971 Welcome to the community!

Before reviewing the steps you took to get a certificate did you restart your Apache server? It does not appear to be listening on port 443.

2 Likes

Thank you so much for your message @MikeMcQ

No I don't believe the Apache server was restarted, I solely followed the steps on the Certbot tutorial. I must have missed the part to restart the Apache server.

How can I change my Apache server so that it would listen on port 443? Is this something that would resolve the issue?

Thank you again

1 Like

What exact commands did you use and what were the outputs? You seem to have removed those questions from the questionnaire, but those were of utmost importance.

2 Likes

I am now also curious what those steps were. @Seb971 would you explain?

And, I see now that you are using both nginx and apache servers. Can you briefly explain that configuration? That is, I see nginx responds to requests to yoottle.com but it redirects to www.yoottle.com which apache responds to.

I would guess you are using nginx as a proxy to apache. Maybe just restarting nginx is all that is needed if that is the case?

I see you have issued Let's Encrypt certs since August. Has https for anything worked since then?

2 Likes

Hello @MikeMcQ @Osiris, after doing some research it seems it has something to do with "mixed-content"

I have an active api with the website (api.yoottle.com which uses http) it seems like I need to correct all entries with "https" - Do you believe that may be it?

If so, can I run these commands myself with ROOT LEVEL ACCESS or would I need to hire a developer?

To answer your questions here are the commands I used (Certbot):
sudo snap install core; sudo snap refresh core
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap install --classic certbot
sudo certbot --apache
sudo certbot renew --dry-run

I had to choose the domain I want to secure and I got the successful message.

I used the redirection "*requests to yoottle.com but it redirects to www.yoottle.com*" because for some reason when I point my DNS for my domain "yoottle.com" to my VPS on OVH, the api does not pull on yoottle.com (I get the website with no content) but will pull on www.yoottle.com

Thank you so much for your help

1 Like

That is something you need to correct but it is not related to the connection problem. I cannot see your https site at all either to www.yoottle.com or yoottle.com. See:
https://decoder.link/sslchecker/yoottle.com/443 and try both.

Right now I do not see a port 443 open at all (update: for www.yoottle.com). Is there something in your OVH setup that is needed to allow that? I do not know OVH so cannot help.

Another problem you will have is trying to redirect requests to https://yoottle.com. The way you have it set up now is for OVH to redirect yoottle.com but it won't be able to handle https redirects (as it won't have a certificate for your domain). You should just set up the DNS A records to point to your server at the www IP.

Name:   yoottle.com
Address: 213.186.33.5
Name:   www.yoottle.com
Address: 51.210.255.216

2 Likes

This is the problem I am having. When I set up a DNS A record to point it to my server 51.210.255.216 it causes my api to stop working. I only see the website with no content (hence why I made the redirection to www). It seems only www pulls the content.

And you are right, these are 2 different problems. I believe I have an api problem which stops the website (with no www) from pulling the content, and then a second problem which is the certificate.

I don't know how to resolve either... please help

1 Like

Now there's an IPv6 address involved...

Name:     yoottle.com
Addresse: 2001:41d0:304:200::c35e
          51.210.255.216

Name:      www.yoottle.com
Addresses: 2001:41d0:304:200::c35e
           51.210.255.216

2 Likes

It's my vps' IPv6 address... would it help if I remove it?

I'll let you be the judge of that:

IPv4

curl -Ii4 yoottle.com
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2021 00:03:53 GMT
Server: Apache/2.4.46 (Ubuntu)
Last-Modified: Wed, 17 Nov 2021 09:16:42 GMT
ETag: "1e1e-5d0f880079280"
Accept-Ranges: bytes
Content-Length: 7710
Vary: Accept-Encoding
Content-Type: text/html

IPv6

curl -Ii6 yoottle.com
curl: (56) Recv failure: Connection reset by peer
1 Like
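
The per-address-family check from the two curl runs above, as an added example that is not part of the original thread: it resolves every A and AAAA record for a name and sends a `HEAD /` to each address on ports 80 and 443, so an IPv6 address that resets the connection shows up next to a working IPv4 one. The function names and the `localhost` default are assumptions of this sketch.

```python
import socket
import ssl

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def addresses(host):
    """Every A and AAAA address the resolver returns for host, de-duplicated."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({(FAMILIES[f], sa[0]) for f, *_, sa in infos if f in FAMILIES})

def head(address, host, port, tls=False, timeout=5.0):
    """Send HEAD / to one literal address; return the status line or the error."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            # For HTTPS, validate the certificate against the hostname, not the IP.
            ctx = ssl.create_default_context()
            with (ctx.wrap_socket(raw, server_hostname=host) if tls else raw) as conn:
                conn.sendall(request.encode("ascii"))
                reply = conn.recv(4096)
    except OSError as exc:  # refused, reset, timeout, TLS and certificate errors
        return f"failed: {exc}"
    if not reply:
        return "failed: connection closed without a response"
    return reply.split(b"\r\n", 1)[0].decode("latin-1")

def check(host, ports=((80, False), (443, True))):
    """Probe each resolved address on each port, one result row per combination."""
    return [(fam, addr, port, head(addr, host, port, tls))
            for fam, addr in addresses(host) for port, tls in ports]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    for fam, addr, port, result in check(target):
        print(f"{fam:4} {addr:40} port {port:<4} {result}")
```

A row that fails for only one family points at a stale AAAA or A record or a listener bound to one family; a failure on 443 for every address points at the web server or a firewall.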

Ok, I see you have made much progress. I now get a response from yoottle.com and www.yoottle.com for both http and https - hurray! I see your DNS now has both pointing to the same IP - terrific.

And, the IPv6 is gone so that is good. I saw @rg305 reported it failing and I saw it too as I started my response so you must have just fixed it.

To recap, I can reach your site on https and see your Let's Encrypt cert from yesterday.

It is looking ok to me. What else remains a problem?

1 Like

So far so good... except I have no content on my website.

The static content is being pulled but I cannot see the content of the website. I am attaching a picture of what the website looks like with content. This is why I feel the problem lies somewhere in the api.yoottle.com because as soon as I stop the certificate the content pulls again

That's still big progress.

Now, do you have a URL your site uses to grab content?

1 Like

api.yoottle.com

I believe is what the site uses to grab content

OK, I used my browser's "Developer Tools" and watched the "Network" activity loading your page. You should learn how to use your browser's tool too. I see several URLs that do not load, one of which is:

https://api.yoottle.com/user/category/listing

If I try it directly I get a http code 200. But, loading in a browser on your page it returns an http code 500 (server rejects request).

You should look at your server definitions for your api.yoottle.com. I see its IP is the same as your others so it seems you control it. See under what conditions it returns a 500 and then, well, fix it :slight_smile: Post your server definitions for api.yoottle.com if you need help.

Update: @Seb971 I see you are making further progress. The http 500 code is fixed. I see you still have some "mixed content" failures. Using my trusty browser "Developer Tools" I see there are five places you load the same video URL using http:

http://api.yoottle.com/media/video/(long number omitted)-pad_maiis_bd.mp4

These URLs should also be https to avoid the "mixed content" warning from browsers. My browser auto-upgraded these to https but warns about them anyway. Looks like you are very close.

2 Likes
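
The mixed-content check described in the last reply, as an added example that is not part of the original thread: it scans a page's HTML for subresources that resolve to `http://` when the page itself is served over `https://`, and labels media elements as upgradable (the auto-upgrade-with-warning behaviour mentioned above) and everything else as blockable. The sample markup and the `example.com` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (links in <a> are navigation).
SUBRESOURCE_ATTRS = {
    "img": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
UPGRADABLE = {"img", "video", "audio", "source"}  # passive media content

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # only stylesheet links are treated as fetched subresources here
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            url = urljoin(self.page_url, value.strip())  # resolves relative and // URLs
            if urlsplit(url).scheme == "http":
                kind = "upgradable" if tag in UPGRADABLE else "blockable"
                self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(page_url, html):
    """Return (line, tag, kind, url) for each http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over https
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from the site discussed in the thread.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://api.example.com/static/app.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<video src="http://api.example.com/media/video/sample.mp4"></video>
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"line {line}: <{tag}> {kind}: {url}")
```

It only sees URLs present in the markup; requests made by scripts at run time still need the browser's Network panel.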
