Certificate not found

Domain: liaison.club

First time webmaster, using Ubuntu 16.04.6 LTS, Apache 2.4.18 and Webmin with root shell access.

Got my certificate with certbot with no problems.

Set the following virtual host on port 443 (the `<VirtualHost>` and `</Directory>` tags were lost when the post was rendered and are restored here):

```apache
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerAdmin webmaster@localhost
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
<Directory "/var/www/html">
allow from all
Options None
Require all granted
</Directory>

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/liaison.club/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/liaison.club/privkey.pem
ServerName liaison.club
ServerAlias *.liaison.club
SSLProtocol +TLSv1.1 +TLSv1.2
</VirtualHost>
```

I'm not sure if my DNS (with GoDaddy) has anything to do with it, but here it is:

|  Type |       Name      |               Value                         |    TTL    |
| ----- | --------------- | ------------------------------------------- | --------- |
|   a   |        @        |           72.10.162.51                      |600 seconds|
| cname |       www       |                 @                           |  1 Hour   |
| cname |  _domainconnect |   _domainconnect.gd.domaincontrol.com       |  1 Hour   |
|   ns  |        @        |         ns49.domaincontrol.com              |  1 Hour   |
|   ns  |        @        |         ns50.domaincontrol.com              |  1 Hour   |
|  soa  |        @        | Primary nameserver: ns49.domaincontrol.com. |  1 Hour   |
|  txt  | _acme-challenge | 5WKORSQl_b2cH42ARm6_0TafgsjsPoHQLyUUSBOiYQA |  1 Hour   |

Everything works fine on http, but the certificates cannot be found by any client and thus nothing shows up on https. I found a lot of people on the web with a similar problem, but none that seem to have a solution applicable to mine.

Hi @jack_action

Your DNS settings are correct ( https://check-your-website.server-daten.de/?q=liaison.club ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
| ---------------- | ---- | ------------ | -------- | --------- | --------- |
| liaison.club | A | 72.10.162.51 | yes | 2 | 0 |
| liaison.club | AAAA | | yes | | |
| www.liaison.club | C | liaison.club | yes | 1 | 0 |
| www.liaison.club | A | 72.10.162.51 | yes | | |

But your configuration doesn't work: you have a Grade Q, http over port 443:

| Domainname | IP | Http-Status | redirect | Sec. | G | Error |
| ---------------------------- | ------------ | ----------- | -------- | ----- | - | ----- |
| http://liaison.club/ | 72.10.162.51 | 200 | | 0.224 | H | |
| http://www.liaison.club/ | 72.10.162.51 | 200 | | 0.223 | H | |
| https://liaison.club/ | 72.10.162.51 | -4 | | 0.423 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| https://www.liaison.club/ | 72.10.162.51 | -4 | | 0.423 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| http://liaison.club:443/ | 72.10.162.51 | 200 | | 0.226 | Q | |

That's a typical error message:

The handshake failed due to an unexpected packet format.

So the tool rechecks if http over port 443 works -> oh, there should be an error message; instead, there is an http status 200 - ok.

Do you have a listen 443 - directive? And is your port 443 vHost enabled?
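The "Grade Q" diagnosis above (a TLS client gets a plaintext HTTP reply on port 443) can be reproduced locally without the online checker. The following script is an added example, not part of this thread or of the check-your-website tool; it uses only the Python standard library. It first attempts a real TLS handshake; if that fails, it sends a plain `HEAD` request to the same port and classifies the first bytes of the reply, so a server that answers `HTTP/1.1 ...` on 443 is reported as `plain_http`. The host name `liaison.club` is taken from the thread and is only the default argument.

```python
"""Detect whether a port speaks TLS or plain HTTP (the "http over port 443" case)."""
import socket
import ssl
import sys


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back on a freshly opened connection.

    A TLS server answers a ClientHello with a handshake record (0x16 0x03 ..)
    or an alert record (0x15 0x03 ..); a plain HTTP server answers with text.
    """
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"          # TLS handshake record (ServerHello)
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"    # TLS is enabled, but the handshake was refused
    if data.startswith(b"HTTP/"):
        return "plain-http"   # plaintext HTTP response: the port is not TLS-enabled
    if not data:
        return "closed"       # server closed the connection without answering
    return "unknown"


def probe(host: str = "liaison.club", port: int = 443, timeout: float = 5.0) -> dict:
    """Try a TLS handshake first; on failure, see whether the port answers plain HTTP."""
    result = {"host": host, "port": port}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                cert = tls.getpeercert()
                result["subject"] = dict(x[0] for x in cert.get("subject", ()))
                return result
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER: the ssl module received "HTTP/1.1 400 ..."
        result["ssl_error"] = exc.reason
    except OSError as exc:
        result["error"] = str(exc)
        return result

    # TLS failed: does the same port serve plaintext HTTP? (the Grade Q case)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(64)
        result["reply_kind"] = classify_reply(reply)
        result["plain_http"] = result["reply_kind"] == "plain-http"
        result["first_bytes"] = reply[:32]
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "liaison.club"
    print(probe(target))
```

When `plain_http` comes back `True`, the vhost bound to port 443 is being served without `SSLEngine on` in effect (no `Listen 443`, the SSL vhost not enabled, or `mod_ssl` not loaded), which is exactly what the checker's status 200 on `http://liaison.club:443/` shows.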

I have the following directive:

```apache
<IfModule ssl_module>
Listen 443
</IfModule>
```

And I have:

```apache
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
```

And the directives for my virtual host on port 443 are what I presented in my OP.

Not sure if there is something else I must do.

What does

```
apachectl -S
```

say, to check your vHosts?

apachectl -S:

```
VirtualHost configuration:
*:80 liaison.club (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 liaison.club (/etc/apache2/sites-enabled/webmin.1555727675.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

Problem solved: after looking at /var/log/apache2/error.log, I was informed that SSLEngine On shouldn’t be in virtual scope. It was removed and now I have a connection.

If you use webmin, it isn't a good idea to edit Apache files directly. Such server management systems are "closed worlds", so you should only use these.

And your configuration is incomplete; your domain is insecure.

| Subject | Valid from | Valid until | Expires | SANs |
| ----------------- | ---------- | ----------- | ---------- | ------------------------ |
| CN=*.liaison.club | 20.04.2019 | 19.07.2019 | in 90 days | *.liaison.club - 1 entry |

That works only with subdomains, not with liaison.club; that's the Grade N in your last check (22:01, 9 minutes earlier - https://check-your-website.server-daten.de/?q=liaison.club ).

Create one certificate with two domain names:

liaison.club
*.liaison.club

and use that. If you have created the DNS entries manually, then create two entries with the same name

_acme-challenge

and different values.
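The point about the wildcard (a certificate for `*.liaison.club` alone does not cover `liaison.club`) follows from how clients match a host name against the certificate's SAN entries: a `*` stands for exactly one leftmost DNS label, never zero labels and never more than one. The code below is an added example, not from this thread or from certbot; it implements that matching rule, reports which of a list of required names a given SAN list covers, and can optionally read the SAN list off a live server with the standard library. Host names are the ones from the thread; `live_sans` is a hypothetical helper name.

```python
"""Which required host names does a certificate's SAN list actually cover?"""
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """Match a host name against one DNS SAN entry.

    A wildcard '*.example.com' covers 'www.example.com' but neither
    'example.com' (zero labels) nor 'a.b.example.com' (two labels).
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]      # what the '*' would have to stand for
    return bool(label) and "." not in label


def coverage(required: list, sans: list) -> dict:
    """Map each required host name to whether any SAN entry covers it."""
    return {name: any(san_matches(name, s) for s in sans) for name in required}


def live_sans(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Fetch the DNS SAN entries of the certificate a server presents.

    Hostname checking is switched off on purpose so that a mismatched
    certificate (the situation in the thread) can still be inspected;
    chain verification against the system trust store stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists: the certificate from the thread, and the suggested fix.
    wildcard_only = ["*.liaison.club"]
    both_names = ["liaison.club", "*.liaison.club"]
    wanted = ["liaison.club", "www.liaison.club"]
    print("wildcard only:", coverage(wanted, wildcard_only))
    print("both names:   ", coverage(wanted, both_names))
```

Run against the thread's SAN list, `coverage(["liaison.club", "www.liaison.club"], ["*.liaison.club"])` reports the bare domain as uncovered, which is what the checker's Grade N reflects; with both names in the certificate every entry is covered.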

I did the modifications with Webmin. It is actually Webmin that allowed me to set the SSLEngine On in the virtual scope. I actually had no choice but to set it on in the virtual scope, as I did not have the ‘SSL options’ button in the virtual hosts until I set it in the virtual scope. But removing the SSL from the virtual host (with Webmin) didn’t remove the button from the virtual host, probably because it was already set by then.

I kind of figured out that the ‘*.’ in front of my domain name didn’t include the actual domain name. I will try again and see how it goes.

Thank you for your help.
