Failed to Apply SSL to Subdomain


#1

This is the first time I have used Let’s Encrypt to apply SSL to my development website.

I run this command to install the SSL to my subdomain, dev.wispri.com.
sudo certbot --apache -d dev.wispri.com

After a while, it shows a connection timeout.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.wispri.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dev.wispri.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://dev.wispri.com/.well-known/acme-challenge/tI0URZiBb1KWJCelIg4kITWTHKhnCzyfbSg6YhJkegs: Timeout after connect (your server may be slow or overloaded)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dev.wispri.com
   Type:   connection
   Detail: Fetching
   http://dev.wispri.com/.well-known/acme-challenge/tI0URZiBb1KWJCelIg4kITWTHKhnCzyfbSg6YhJkegs:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I am using OS Linux 18.04 and apache2.
This is my UFW status:

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
3306                       ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)

I am not sure what the exact problem is.
Could anyone help me point the issue out?


#2

Your webserver simply doesn’t answer. Let’s Encrypt and also my telnet client can connect to dev.wispri.com on port 80, but when asked for a resource (simply http://dev.wispri.com/ for example), there’s no answer coming back.

Do you see any kind of error in your Apache error logs? Is there some sort of load balancer or reverse proxy in between?


#3

Hi @AidenWH

checked your website:

Domainname                                  Http-Status  redirect  Sec.    G
http://dev.wispri.com/
    142.93.242.110                          -14                    10.030  T
    Timeout - The operation has timed out
https://dev.wispri.com/
    142.93.242.110                          -2                     1.290   V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 142.93.242.110:443
http://dev.wispri.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    142.93.242.110                          -14                    10.023  T
    Timeout - The operation has timed out

http has a timeout, but https is actively blocked.

I’m not so familiar with this firewall. But port 443 is blocked while port 80 is not. Do you have a running port 80? Or only port 443?


#4

The firewall may be allowing “Full” (whatever that means…)
But is the web server listening?
And is your vhost config setup correctly to receive port 80 auth requests?
Please show:
ls -l /etc/apache/sites-enabled
grep -Eri 'listen|virtualhost|servername|serveralias'sslcert' /etc/apache2/


#5

Hi @rg305,
This is the result after running the command.

total 0
lrwxrwxrwx 1 root root 30 Dec 17 02:17 wispri.conf -> ../sites-available/wispri.conf

#6
ss -tlnp | grep ":80"
apachectl -t -D DUMP_VHOSTS

#7

Please show file:
/etc/apache/sites-available/wispri.conf

and also:
grep -Eri ‘listen|virtualhost|servername|serveralias’sslcert’ /etc/apache/

(apache or apache2 - adjust accordingly)


#8

This is the wispri.conf.

<VirtualHost *:80>
    ServerName dev.wispri.com
    ServerAlias dev.wispri.com
    DocumentRoot /var/www/wispri/public
    <Directory /var/www/wispri/public>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Is there some syntax missing?


#9

Hi @_az,

This is the output.


AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   dev.wispri.com (/etc/apache2/sites-enabled/wispri.conf:1)

#10

2 typos; try:
grep -Eri 'listen|virtualhost|servername|serveralias|sslcert' /etc/apache2/


#11

(again) Please show file:
/etc/apache2/sites-available/wispri.conf


#12

Thanks. Did the ss command not show anything?


#13

This is the output from the command.

/etc/apache2/mods-available/info.conf:  #  http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf:        # with the URL of http://servername/server-status
/etc/apache2/sites-available/wispri.conf:<VirtualHost *:80>
/etc/apache2/sites-available/wispri.conf:    ServerName dev.wispri.com
/etc/apache2/sites-available/wispri.conf:    ServerAlias dev.wispri.com
/etc/apache2/sites-available/wispri.conf:</VirtualHost>
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf:  # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf:  # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf:  #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf:</VirtualHost>
/etc/apache2/sites-available/default-ssl.conf:  <VirtualHost _default_:443>
/etc/apache2/sites-available/default-ssl.conf:          #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf:          #   Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf:          #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf:          #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/default-ssl.conf:  </VirtualHost>
/etc/apache2/conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis.  If you include the Alias in the global server
/etc/apache2/conf-available/other-vhosts-access-log.conf:# Define an access log for VirtualHosts that don't define their own logfile
/etc/apache2/ports.conf:# have to change the VirtualHost statement in
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf:        Listen 443
/etc/apache2/ports.conf:        Listen 443
/etc/apache2/apache2.conf:#   supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
/etc/apache2/apache2.conf:# logged here.  If you *do* define an error logfile for a <VirtualHost>
/etc/apache2/apache2.conf:# Include list of ports to listen on

#14

That looks mostly ok.

Please show files:
/etc/apache2/ports.conf << ignore this line
/etc/apache2/sites-available/wispri.conf

Because “Listen 443” is shown twice: << this is normal


#15

Additionally, please show the output of:
top -n 1


#16
  1. Apache = port 80
  2. Apache Secure = port 443
  3. Apache Full = both port 80 and 443

So UFW is NOT the problem…
Yet
HTTPS connections = instant fail (this is expected):
wget https://dev.wispri.com/.well-known/acme-challenge/1234
--2018-12-17 03:25:03--  https://dev.wispri.com/.well-known/acme-challenge/1234
Resolving dev.wispri.com (dev.wispri.com)... 142.93.242.110
Connecting to dev.wispri.com (dev.wispri.com)|142.93.242.110|:443... failed: Connection refused.

But HTTP … never responds:
wget http://dev.wispri.com/.well-known/acme-challenge/1234
--2018-12-17 03:26:01--  http://dev.wispri.com/.well-known/acme-challenge/1234
Resolving dev.wispri.com (dev.wispri.com)... 142.93.242.110
Connecting to dev.wispri.com (dev.wispri.com)|142.93.242.110|:80... connected.
HTTP request sent, awaiting response...
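The two wget runs above separate "port closed" (instant refusal on 443) from "TCP accepted but the web server never answers" (the hang on 80), which is exactly the distinction behind certbot's "Timeout after connect" message. The following is an added example, not code from the thread or from certbot: a small probe that fetches a token under /.well-known/acme-challenge/ and reports the stage at which the fetch failed, plus two constructed local servers (one healthy, one that accepts connections and never replies) so the probe can be exercised offline. The token and key-authorization body are made-up values.

```python
# Added example (not from the thread): classify an HTTP-01 fetch failure by
# stage, the way the wget runs in the thread do by hand.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, port=80, token="probe-token",
                 connect_timeout=5.0, read_timeout=5.0):
    """Fetch the challenge URL over plain HTTP and return one of:
    dns-failure, connect-refused (closed port, the https case above),
    connect-timeout (SYN dropped, e.g. by a firewall),
    timeout-after-connect (TCP accepted, no HTTP reply, the http case above),
    no-http-response, or http-<code> (200 is what the CA needs)."""
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns-failure"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(connect_timeout)
    try:
        sock.connect(sockaddr)
    except ConnectionRefusedError:
        sock.close()
        return "connect-refused"
    except socket.timeout:
        sock.close()
        return "connect-timeout"
    except OSError as exc:
        sock.close()
        return "connect-error:%s" % exc.errno
    # Connected: from here on only the web server itself can make us wait.
    sock.settimeout(read_timeout)
    request = ("GET %s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (CHALLENGE_PREFIX, token, host)).encode()
    data = b""
    try:
        sock.sendall(request)
        while b"\r\n" not in data:          # read up to the status line
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        return "timeout-after-connect"
    finally:
        sock.close()
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "no-http-response"
    return "http-" + parts[1].decode()


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a correctly configured vhost: 200 for the
    probe token, 404 for anything else."""
    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + "probe-token":
            body = b"probe-token.constructed-key-authorization"  # made-up value
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_responding_server():
    """Healthy local server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_hung_server():
    """Local server that completes the TCP handshake but never sends a byte,
    which is what the thread's Apache looks like from outside.
    Returns (listening socket, port); close the socket to stop it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    held = []

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:  # listener closed
                break
            held.append(conn)  # keep it open, answer nothing
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def closed_port():
    """An ephemeral port nothing listens on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_responding_server()
    print("healthy vhost:", probe_http01("127.0.0.1", port))
    srv.shutdown()
    hung, hport = start_hung_server()
    print("hung server:  ", probe_http01("127.0.0.1", hport, read_timeout=1.0))
    hung.close()
    print("closed port:  ", probe_http01("127.0.0.1", closed_port()))
```

Run against a real host with `probe_http01("dev.wispri.com")` from a machine outside the server's network: `connect-timeout` points at a firewall or routing problem, `connect-refused` at nothing listening, and `timeout-after-connect` at the web server process itself (overloaded, deadlocked, or waiting on something upstream), which is where Apache's error log and the machine's load become the next things to look at.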


#17

Hi @rg305

This is the output of top -n 1

%Cpu(s): 93.3 us,  6.7 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :    985.3 total,    117.8 free,    352.3 used,    515.2 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.    452.1 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
21397 root      20   0   24000  16440   8008 R  12.5   1.6   0:00.06 apport
21398 root      20   0   24256  16524   8092 R  12.5   1.6   0:00.06 apport
21399 root      20   0   24000  16180   7904 R  12.5   1.6   0:00.06 apport
21400 root      20   0   24000  16440   8008 R  12.5   1.6   0:00.06 apport
21403 root      20   0   23744  15992   7984 R  12.5   1.6   0:00.06 apport
21404 root      20   0   23608  15868   7856 R  12.5   1.6   0:00.06 apport
21407 root      20   0   23608  15884   7860 R  12.5   1.6   0:00.06 apport
21408 root      20   0   23608  16112   8100 R  12.5   1.6   0:00.06 apport
    1 root      20   0  131296   9092   6704 S   0.0   0.9   0:01.94 systemd
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
    6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-kblockd
    8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
    9 root      20   0       0      0      0 S   0.0   0.0   0:00.89 ksoftirqd/0
   10 root      20   0       0      0      0 R   0.0   0.0   0:03.61 rcu_sched
   11 root      20   0       0      0      0 I   0.0   0.0   0:00.00 rcu_bh
   12 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migration/0
   13 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/0
   14 root      20   0       0      0      0 S   0.0   0.0   0:00.01 cpuhp/0
   15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kdevtmpfs
   16 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 netns
   17 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_kthre
   18 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kauditd
   19 root      20   0       0      0      0 S   0.0   0.0   0:00.00 khungtaskd
   20 root      20   0       0      0      0 S   0.0   0.0   0:00.00 oom_reaper
   21 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 writeback
   22 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kcompactd0
   23 root      25   5       0      0      0 S   0.0   0.0   0:00.00 ksmd
   24 root      39  19       0      0      0 S   0.0   0.0   0:00.09 khugepaged
   25 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 crypto
   26 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kintegrityd
   27 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kblockd
   28 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ata_sff
   29 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 md
   30 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 edac-poller
   31 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 devfreq_wq
   33 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 watchdogd
   36 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kswapd0
   37 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/u3:0
   38 root      20   0       0      0      0 S   0.0   0.0   0:00.00 ecryptfs-kthrea
   83 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kthrotld
   84 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 acpi_thermal_pm
   85 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_0
   86 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_0
   87 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_1
   88 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_1
   94 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ipv6_addrconf
  103 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kstrp
  120 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 charger_manager
  160 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_2
  161 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_2
  162 root       0 -20       0      0      0 I   0.0   0.0   0:00.09 kworker/0:1H-kblockd
  163 root      20   0       0      0      0 I   0.0   0.0   0:00.26 kworker/0:2-events
  266 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 raid5wq
  315 root      20   0       0      0      0 S   0.0   0.0   0:00.10 jbd2/vda1-8
  316 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ext4-rsv-conver
  391 root      20   0    2448    680    616 S   0.0   0.1   0:00.00 none
  394 root      19  -1   54540  11448  10664 S   0.0   1.1   0:00.49 systemd-journal
  395 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 iscsi_eh
  401 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ib-comp-wq
  403 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ib_mcast
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# clear
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# top -n 1
top - 03:26:37 up  1:06,  1 user,  load average: 2.06, 2.26, 2.10
Tasks: 101 total,   1 running,  98 sleeping,   0 stopped,   2 zombie
%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :    985.3 total,    186.7 free,    283.4 used,    515.2 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.    521.0 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
    1 root      20   0  131296   9092   6704 S   0.0   0.9   0:01.94 systemd
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
    6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-kblockd
    8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
    9 root      20   0       0      0      0 S   0.0   0.0   0:00.89 ksoftirqd/0
   10 root      20   0       0      0      0 I   0.0   0.0   0:03.62 rcu_sched
   11 root      20   0       0      0      0 I   0.0   0.0   0:00.00 rcu_bh
   12 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migration/0
   13 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/0
   14 root      20   0       0      0      0 S   0.0   0.0   0:00.01 cpuhp/0
   15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kdevtmpfs
   16 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 netns
   17 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_kthre
   18 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kauditd
   19 root      20   0       0      0      0 S   0.0   0.0   0:00.00 khungtaskd
   20 root      20   0       0      0      0 S   0.0   0.0   0:00.00 oom_reaper
   21 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 writeback
   22 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kcompactd0
   23 root      25   5       0      0      0 S   0.0   0.0   0:00.00 ksmd
   24 root      39  19       0      0      0 S   0.0   0.0   0:00.09 khugepaged
   25 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 crypto
   26 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kintegrityd
   27 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kblockd
   28 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ata_sff
   29 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 md
   30 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 edac-poller
   31 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 devfreq_wq
   33 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 watchdogd
   36 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kswapd0
   37 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/u3:0
   38 root      20   0       0      0      0 S   0.0   0.0   0:00.00 ecryptfs-kthrea
   83 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kthrotld
   84 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 acpi_thermal_pm
   85 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_0
   86 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_0
   87 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_1
   88 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_1
   94 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ipv6_addrconf
  103 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kstrp
  120 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 charger_manager
  160 root      20   0       0      0      0 S   0.0   0.0   0:00.00 scsi_eh_2
  161 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 scsi_tmf_2
  162 root       0 -20       0      0      0 I   0.0   0.0   0:00.09 kworker/0:1H-kblockd
  163 root      20   0       0      0      0 I   0.0   0.0   0:00.26 kworker/0:2-events
  266 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 raid5wq
  315 root      20   0       0      0      0 S   0.0   0.0   0:00.10 jbd2/vda1-8
  316 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ext4-rsv-conver
  391 root      20   0    2448    680    616 S   0.0   0.1   0:00.00 none
  394 root      19  -1   54540  11448  10664 S   0.0   1.1   0:00.49 systemd-journal
  395 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 iscsi_eh
  401 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ib-comp-wq
  403 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ib_mcast
  405 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 ib_nl_sa_wq
  413 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rdma_cm
  440 root      20   0   83324   1656   1480 S   0.0   0.2   0:00.00 lvmetad
  482 root      20   0   24952   4048   3068 S   0.0   0.4   0:00.28 systemd-udevd
  495 root       0 -20       0      0      0 S   0.0   0.0   0:00.00 loop0
  497 root       0 -20       0      0      0 S   0.0   0.0   0:00.00 loop1
  500 root       0 -20       0      0      0 S   0.0   0.0   0:00.00 loop2
  502 root       0 -20       0      0      0 S   0.0   0.0   0:00.00 loop3

#18

That apport has your CPU pegged at 100%.
Is that normal and expected?


#19

These items are still pending:


#20

It should be normal, because we are using the cheapest virtual machine.
So CPU usage near 100% should be the expected output for us.