Get the ssl certificate successfully but it does not work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: urbatis.net

I ran this command: sudo certbot certonly --webroot -w ~/smart_city/smart_city -d urbatis.net

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/urbatis.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/urbatis.net/privkey.pem
    Your cert will expire on 2019-08-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Unix

The operating system my web server runs on is (include version): Ubuntu 16.04 xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I can’t reach my page by https://urbatis.net.

Hi @ishidaira233,

Please see these prior threads about the meaning of certonly:

https://community.letsencrypt.org/search?q=certonly%20means

Thank you for your reply! That was the problem. But I retried with “sudo certbot --apache” and chose to reinstall this existing certificate, so I don’t need to write a configuration file. This time the message is:

Congratulations! You have successfully enabled https://urbatis.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=urbatis.net


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/urbatis.net-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/urbatis.net-0001/privkey.pem
    Your cert will expire on 2019-08-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

But I still can’t reach my site by https.

Hi @ishidaira233

your site is completely invisible ( https://check-your-website.server-daten.de/?q=urbatis.net ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://urbatis.net/ 217.182.139.143 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| http://www.urbatis.net/ 217.182.139.143 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| https://urbatis.net/ 217.182.139.143 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| https://www.urbatis.net/ 217.182.139.143 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |
| http://urbatis.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 217.182.139.143 | -14 | | 10.026 | T |
| Timeout - The operation has timed out. Visible Content: | | | | |
| http://www.urbatis.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 217.182.139.143 | -14 | | 10.030 | T |
| Timeout - The operation has timed out. Visible Content: | | | | |

Only timeouts.

Is there a firewall? Or a missing router forwarding?

Does your site work internally? Test from your webserver:

    curl http://urbatis.net/
    curl https://urbatis.net/
    curl http://217.182.139.143/
    curl https://217.182.139.143/

Same with your ip address - https://check-your-website.server-daten.de/?q=217.182.139.143

Thank you for your reply. Now it is visible; I just encountered some problems with my apache service.

Yep, now there is a new check - https://check-your-website.server-daten.de/?q=urbatis.net

http works, https has a timeout.

What do these commands say?

    apachectl configtest
    apachectl fullstatus
    apachectl -S

I need to add sudo to run these commands. And here are the results:

sudo apachectl configtest


Syntax OK

sudo apachectl fullstatus


/usr/sbin/apachectl: line 101: www-browser: command not found
'www-browser -dump http://localhost:80/server-status' failed.

sudo apachectl -S


VirtualHost configuration:
*:443 urbatis.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 ns3079645.ip-217-182-139.eu (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

What's the content of that file:

And does https work internally?

    curl http://urbatis.net/
    curl https://urbatis.net/
    curl http://217.182.139.143/
    curl https://217.182.139.143/

Content of /etc/apache2/sites-enabled/000-default-le-ssl.conf :

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    ServerName urbatis.net
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerAlias www.urbatis.net
    SSLCertificateFile /etc/letsencrypt/live/www.urbatis.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.urbatis.net/privkey.pem
    </VirtualHost>
    </IfModule>

https doesn’t work internally; it says “Failed to connect to 217.182.139.143 port 443: Connection refused” and “Failed to connect to urbatis.net port 443: Connection refused”

Your files are wrong:

These are your new files - add -0001

I corrected that. Now it matches:

    ServerName urbatis.net
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerAlias www.urbatis.net
    SSLCertificateFile /etc/letsencrypt/live/urbatis.net-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/urbatis.net-0001/privkey.pem
    </VirtualHost>
    </IfModule>

Should I do something else? It shows no certificates at https://check-your-website.server-daten.de/?q=urbatis.net

Same question:

Does it now work internally? If you see a connection refused, but https://check-your-website.server-daten.de/?q=urbatis.net shows a timeout, there are two different problems:

  • https must work internally (perhaps fixed with urbatis.net-0001)
  • there is a firewall or something else that blocks, so the online tool doesn't see the connection refused but a timeout instead

It doesn’t work internally; it is still “Failed to connect to 217.182.139.143 port 443: Connection refused” and “Failed to connect to urbatis.net port 443: Connection refused”

Did you restart the server?

What does your error log say?

I find I have three certificates for my site:

Found the following certs:
Certificate Name: ns3079645.ip-217-182-139.eu
Domains: ns3079645.ip-217-182-139.eu
Expiry Date: 2018-09-17 08:51:52+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/ns3079645.ip-217-182-139.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ns3079645.ip-217-182-139.eu/privkey.pem
Certificate Name: urbatis.net-0001
Domains: urbatis.net
Expiry Date: 2019-08-26 12:26:40+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/urbatis.net-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/urbatis.net-0001/privkey.pem
Certificate Name: urbatis.net
Domains: www.urbatis.net urbatis.net
Expiry Date: 2019-08-26 09:19:47+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/urbatis.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/urbatis.net/privkey.pem
Certificate Name: www.urbatis.net
Domains: www.urbatis.net
Expiry Date: 2019-08-26 12:29:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.urbatis.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.urbatis.net/privkey.pem

I don't know if it's the problem, and I have restarted the server.
There is nothing in /var/log/apache2/error.log...
Thank you for your help and patience!
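
Added example, not part of any post in this thread: a shell check that compares a vhost's ServerName/ServerAlias with the Domains of the certbot lineage its SSLCertificateFile points to, using the `certbot certificates` listing and vhost lines posted above (trimmed to the fields the check reads). The function names `uncovered_names` and `covering_lineages` are hypothetical, and wildcard names are not handled.

```shell
#!/bin/sh
# Added example. CERTS and VHOST are trimmed copies of listings posted in the thread.
CERTS='Certificate Name: urbatis.net-0001
Domains: urbatis.net
Certificate Path: /etc/letsencrypt/live/urbatis.net-0001/fullchain.pem
Certificate Name: urbatis.net
Domains: www.urbatis.net urbatis.net
Certificate Path: /etc/letsencrypt/live/urbatis.net/fullchain.pem
Certificate Name: www.urbatis.net
Domains: www.urbatis.net
Certificate Path: /etc/letsencrypt/live/www.urbatis.net/fullchain.pem'

VHOST='ServerName urbatis.net
ServerAlias www.urbatis.net
SSLCertificateFile /etc/letsencrypt/live/www.urbatis.net/fullchain.pem'

# uncovered_names VHOST_TEXT CERTS_TEXT (hypothetical helper)
# Prints every ServerName/ServerAlias that is missing from the Domains list of
# the lineage whose Certificate Path equals the vhost's SSLCertificateFile.
uncovered_names() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    $0 == "---"                      { vhost = 1; next }
    !vhost && /^ *Domains:/          { sub(/^ *Domains: */, ""); doms = $0 }
    !vhost && /^ *Certificate Path:/ { covered[$NF] = " " doms " " }
    vhost && ($1 == "ServerName" || $1 == "ServerAlias") {
      for (i = 2; i <= NF; i++) names[++n] = $i
    }
    vhost && $1 == "SSLCertificateFile" { cert = $2 }
    END {
      if (!(cert in covered)) { print "unknown-lineage:" cert; exit }
      for (i = 1; i <= n; i++)
        if (index(covered[cert], " " names[i] " ") == 0) print names[i]
    }'
}

# covering_lineages "NAME1 NAME2 ..." CERTS_TEXT (hypothetical helper)
# Prints the Certificate Name of every lineage whose Domains include all names.
covering_lineages() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^ *Certificate Name:/ { name = $NF }
    /^ *Domains:/ {
      sub(/^ *Domains: */, ""); d = " " $0 " "; ok = 1
      k = split(want, w, " ")
      for (i = 1; i <= k; i++) if (index(d, " " w[i] " ") == 0) ok = 0
      if (ok) print name
    }'
}

uncovered_names "$VHOST" "$CERTS"
covering_lineages "urbatis.net www.urbatis.net" "$CERTS"
```

On the posted data the check reports `urbatis.net` as uncovered for the `www.urbatis.net` path and `www.urbatis.net` as uncovered for the `urbatis.net-0001` path; the only lineage listing both names is `urbatis.net`. On a live host the two inputs would come from `sudo certbot certificates` and the enabled vhost file.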
