Fresh server and ssl cert installation, 400 Bad Request Port 80

yolosand.com

I have issued many certs using certbot, I don't know why I am suddenly having this problem. I have even resorted to destroying the instance and starting from scratch on a new one, but still running into the same problem.

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.41 (Ubuntu) Server at yolosand.com Port 80

Output for ufw status
Status: active

To Action From


OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)

yolosand.com.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName yolosand.com
ServerAlias www.yolosand.com
DocumentRoot /var/www/yolosand.com
ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.yolosand.com [OR]
RewriteCond %{SERVER_NAME} =yolosand.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</ VirtualHost>

yolosand.com-le-ssl.conf
< IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName yolosand.com
ServerAlias www.yolosand.com
DocumentRoot /var/www/yolosand.com
ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/yolosand.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yolosand.com/privkey.pem
</ VirtualHost>
</ IfModule>

ERROR LOG
[mpm_prefork:notice] [pid 24861] AH00169: caught SIGTERM, shutting down
[mpm_prefork:notice] [pid 25097] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[core:notice] [pid 25097] AH00094: Command line: '/usr/sbin/apache2'

2 Likes

Hi @donottaptheglass

please read your error message.

https://yolosand.com/ answers with that:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.41 (Ubuntu) Server at yolosand.com Port 80

So you see: External port 443 / https -> internal port 80 instead of port 443.

Looks like your router has a wrong port forwarding.

But

http://yolosand.com:443/

doesn't work, there is a PR_Reset. So there are additional errors.

apachectl -S
3 Likes

I've tried editing both yolosand.com.conf and yolosand.com-le-ssl.conf in so many different ways, nothing has worked. So I have deleted both files.

I edited 000-default.conf and default-ssl.conf to have webroot /var/www/yolosand.com and this is what I am receiving:

When I visit http://yolosand.com, it is from the desired webroot /var/www/yolosand.com

When I visit https://yolosand.com, it is from /var/www/html. The ssl cert being from R3. No idea what R3 is.

I have never seen this behavior before, I am pretty lost on where to go from here. Neither of the vhost configurations include the ssl cert file locations, so where is it even pulling the certificate?

2 Likes

Hello again, my friend. :slightly_smiling_face:

Let's first confirm that this is actually the IP address of the current server:

yolosand.com. 1799 IN A 64.225.89.148

1 Like

Now you have fixed your wrong port forwarding - https://check-your-website.server-daten.de/?q=yolosand.com#url-checks

Domainname Http-Status redirect Sec. G
http://yolosand.com/ 64.225.89.148 200 Html is minified: 100,00 % 0.327 H
small visible content (num chars: 9)
HELLO ???
http://www.yolosand.com/ 64.225.89.148 200 Html is minified: 100,00 % 0.330 H
small visible content (num chars: 9)
HELLO ???
https://yolosand.com/ 64.225.89.148 GZip used - 3172 / 10946 - 71,02 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 1/2866 200 Html is minified: 223,07 % 4.106 B
https://www.yolosand.com/ 64.225.89.148 GZip used - 3172 / 10946 - 71,02 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 1/2866 200 Html is minified: 223,07 % 4.317 B

Both https have the correct certificate, the R3 is the new Letsencrypt intermediate certificate.

The Apache default page is visible via https. So your DocumentRoot is wrong, compare that with your port 80 definitions.

Your output of

apachectl -S

is required to check your configuration.

4 Likes

Hey @griffin! The DNS for yolosand.com is pointing to 64.225.89.148 which is the ip for the load balancer. Currently there is only one server attached to this load balancer, which is 128.199.4.217, and this is where I am editing the vhosts and running certbot.

3 Likes

I changed the 000-default.conf and default-ssl.conf to be webroot /var/www/html, so now when I visit yolosand.com at either http or https, it goes to the apache welcome page.

Neither the 000-default.conf or the default-ssl.conf have the ServerName yolosand.com specified or cert files included. Any thoughts on how this is working?

Here is my output for

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

So when I setup my own webroot, along with it's own conf files, after running certbot this is when I start receiving the Bad Request.

1 Like

You don't have a minimal configuration with a matching port 80 vHost.

So the result is expected.

Create such a host, your system has a documentation you have to use with root access.

Then again apachectl -S, the port 80 vHost must be visible. Then certbot --reinstall.

3 Likes

@JuergenAuer

How is there a working HTTPS? Old apache instances not killed/reloaded? I suspect the load balancer.

@donottaptheglass

Please run this for me on the load balancer:

sudo apachectl -S

1 Like

Sorry, I do not understand. I thought the 000-default.conf is the config for port 80, is it not? Anytime I create a new conf file with the webroot /var/www/yolosand.com, apache is still not recognizing it.

I spun up a new server on digitalocean and I was able to issue a normal ssl cert per Certbot's instructions. The moment I tried issuing a wildcard ssl cert (also using certbot's instructions) with the use of their certbot plugin with provider digitalocean, I was no longer able to access the site at https.

2 Likes

There is no ServerName defined. Your configuration doesn't have minimal requirements, so the not working result is expected.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.