First of all, excuse my poor English. This is the first time I have run a secured web server (https) and I am a newbie using certbot. I thought everything was ok, and the server works for a day or two, but at certain times, browsers (Firefox and Chrome) seem to reject TLS negotiation. So I need to reboot the server to make it work again. I went over all the configuration and I don’t find any problem beyond what I know or guess. Maybe a speed problem (my ADSL provider is just a 20M bandwidth)? But I don’t think so either. If so, it wouldn’t work for a day or two, but who knows. I’m stuck on it. Any help would be very much appreciated!!!
Thanks a lot beforehand!!
My domain is: www.seritium.es
I ran this command: –
It produced this output: browser notification that certification hasn’t been negotiated.
My web server is (include version): Apache/2.4.38 (Debian)
The operating system my web server runs on is (include version): Debian 10
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): if I need, webmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
Thanks a lot! The browser advises as if the web server wasn’t secured. Yes, I may have saved a screenshot of it (in Spanish, I’m afraid) but I don’t know how to reproduce the error. I must wait to get it rendered again.
According to this website, https://www.digicert.com/help, OCSP Stapling is not enabled. Anyway, I had a look at three conf files: 000-default.conf, 000-default-le-ssl.conf & default-ssl.conf. 000-default (HTTP 80 - non secured web), 000-default-le-ssl.conf (HTTPS Let’s Encrypt conf file) and default-ssl.conf (old auto ssl conf). None of them refers to OCSP Stapling in any way.
Besides, I came across this idea. Could it be that default-ssl.conf jams the server? I renamed it in order to block it.
Thanks JuergenAuer.
Yes, according to DigiCert nothing seems to be out of order. I didn’t choose the redirect options because I wanted to advise people that port 80 HTTP won’t work any more.
Not sure about the webmin issue. How can webmin use the same certificate? Thanks again.
Thanks. I’ll have a look.
Besides the whole thing, I noticed that browsers advise that part of the web content is not secured although the webpages load. Since the site is a Moodle and several courses have been restored, old linked content is shown. I don’t know if this sort of issue has to do with my problem. Thanks again.
Since I renamed 000-default.conf to 000-default_OLD.conf the problem apparently seems to be solved. Not sure at all, but the issue hasn’t come up again. If further information comes up, I’ll write again.