```
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /home/laravel/lms/public
    <Directory /home/laravel/lms/public>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    RewriteEngine off
    RewriteCond %{SERVER_NAME} =lms.nphcda.gov.ng
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```
The `RewriteEngine Off` blocks the Certbot `--apache` temp config changes. Comment out those 3 lines or set it `On`.
You should also use the same ServerName that you use in your port 443 VirtualHost.
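Added example, not part of the original thread and not Certbot's own code: a small static check for the two points in the reply above, namely rewrite rules left inactive because `RewriteEngine` is not `on`, and a port 80 vhost whose active `ServerName` does not match the port 443 vhost. The names `parse_vhosts` and `lint` and the finding strings are hypothetical, and it assumes one address per `<VirtualHost>`.

```python
import re

# Added example; SAMPLE is constructed (trimmed from the vhosts posted in this thread).
SAMPLE = """\
<VirtualHost *:80>
#ServerName www.example.com
RewriteEngine off
RewriteCond %{SERVER_NAME} =lms.nphcda.gov.ng
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName lms.nphcda.gov.ng
</VirtualHost>
"""

def parse_vhosts(text):
    """Collect vhost-level ServerName and rewrite state (RewriteEngine defaults to off)."""
    vhosts, cur, depth = [], None, 0
    stripped = (raw.strip() for raw in text.splitlines())
    for line in (s for s in stripped if s and not s.startswith("#")):  # comments are inactive
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opened:
            cur = {"port": int(opened.group(1)), "servername": None, "rewriteengine": "off", "rules": 0}
        elif cur is None:
            continue  # outside any vhost, e.g. an <IfModule> wrapper line
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur, depth = None, 0
        elif line.startswith("<"):  # nested <Directory> etc.: track depth, skip contents
            depth += -1 if line.startswith("</") else 1
        elif depth == 0:
            key, arg = (line.split(None, 1) + [""])[:2]
            if key.lower() in ("servername", "rewriteengine"):
                cur[key.lower()] = arg.strip().lower()
            elif key.lower() == "rewriterule":
                cur["rules"] += 1
    return vhosts

def lint(text):
    """Return (port, finding) pairs for the two problems this thread's reply points out."""
    vhosts = parse_vhosts(text)
    tls_names = {v["servername"] for v in vhosts if v["port"] == 443 and v["servername"]}
    findings = []
    for v in vhosts:
        if v["rules"] and v["rewriteengine"] != "on":
            findings.append((v["port"], "RewriteRule present but RewriteEngine is not on"))
        if v["port"] == 80 and tls_names and v["servername"] not in tls_names:
            findings.append((v["port"], "ServerName differs from the port 443 vhost"))
    return findings
```

Calling `lint(SAMPLE)` reports both findings for port 80; concatenate the port 80 and port 443 site files before passing them in so the names can be compared.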
After trying the first suggestions, I tried this command: `sudo certbot renew --quiet`, and I didn't get any error, and when I try `sudo certbot renew` it shows this:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lms.nphcda.gov.ng.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/lms.nphcda.gov.ng/fullchain.pem expires on 2023-11-17 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
but I still can't access my site using HTTPS
Looks good, probably your renewal with `--quiet` was successful.
You can check your certificates with `sudo certbot certificates`
The certificate has been renewed but I get this error: Unsupported protocol. The client and server don't support a common SSL protocol version or cipher suite.
Can you show us contents of that file?
Please use the 3 backticks before and after the contents so info is not lost
```
contents of file
```
```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /home/laravel/lms/public
    <Directory /home/laravel/lms>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    ServerName lms.nphcda.gov.ng
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/lms.nphcda.gov.ng/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lms.nphcda.gov.ng/privkey.pem
</VirtualHost>
</IfModule>
```
That looks good. Are you sure HTTPS requests (port 443) are getting to that Apache server?
Do you see the requests in your Apache error or access log?
Yes, HTTPS requests are getting to Apache.
I tried this command:
```
curl -I https://lms.nphcda.gov.ng
```
and got this:
```
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
```
That's what I get too. Do you see that error in your Apache error log too?
```
[Sat Aug 19 21:53:31.366547 2023] [mpm_prefork:notice] [pid 1328214] AH00169: caught SIGTERM, shutting down
[Sat Aug 19 21:55:15.311463 2023] [mpm_prefork:notice] [pid 1329462] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sat Aug 19 21:55:15.311583 2023] [core:notice] [pid 1329462] AH00094: Command line: '/usr/sbin/apache2'
[Sat Aug 19 22:24:16.398299 2023] [mpm_prefork:notice] [pid 1329462] AH00169: caught SIGTERM, shutting down
[Sat Aug 19 22:24:24.146297 2023] [mpm_prefork:notice] [pid 1335898] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sat Aug 19 22:24:24.146655 2023] [core:notice] [pid 1335898] AH00094: Command line: '/usr/sbin/apache2'
[Sat Aug 19 22:46:30.646076 2023] [mpm_prefork:notice] [pid 1335898] AH00169: caught SIGTERM, shutting down
[Sat Aug 19 22:46:31.462877 2023] [mpm_prefork:notice] [pid 1341246] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sat Aug 19 22:46:31.465136 2023] [core:notice] [pid 1341246] AH00094: Command line: '/usr/sbin/apache2'
[Sat Aug 19 23:17:52.137145 2023] [mpm_prefork:notice] [pid 1341246] AH00169: caught SIGTERM, shutting down
[Sat Aug 19 23:17:52.369597 2023] [mpm_prefork:notice] [pid 1347708] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sat Aug 19 23:17:52.369715 2023] [core:notice] [pid 1347708] AH00094: Command line: '/usr/sbin/apache2'
```
I think you should see that connection error in the log. I don't think you are reaching that VirtualHost
You could try removing the above two lines from your `<VirtualHost *:443>`
That's just a wild guess
Make sure to restart Apache after
Please show this file:
```
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
```
As a test...
Try changing this:
To this:
```
SSLProtocol all -SSLv2 -SSLv3
```
And then restart Apache.
I hope that doesn't do much, because if it does... what openssl/apache versions do we have?
Didn't do much
OpenSSL 1.1.1f 31 Mar 2020
It's not the newest but it's recent enough.