Have Certificate from Certbot but site is not HTTPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: reve.works

I ran this command: sudo certbot certificates

It produced this output:
Found the following certs:
  Certificate Name: reve.works
    Serial Number: 389e3223373134a74ddc7766267955b1dad
    Key Type: ECDSA
    Domains: reve.works www.reve.works
    Expiry Date: 2023-09-04 22:13:47+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/reve.works/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/reve.works/privkey.pem

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: OCI

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

1 Like

Hi @reve Welcome to the forum.
Would you please share the command you used to obtain the certificates?
You answered most of the questions and we have enough to get on path for a resolution for you, but your installation command may give us the reason your certs are not actually in use yet.
Thanks

5 Likes

I'd like to see the output of:
sudo apachectl -t -D DUMP_VHOSTS

[and more, but we'll start there]

4 Likes

I think I did sudo certbot --apache -d reve.works -d www.reve.works. I did not do certonly, if that is what you are asking.

2 Likes

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443  reve.works (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80   is a NameVirtualHost
  default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
  port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
  port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)

1 Like

Let's have a look at this file:

3 Likes

Rudy's CLI request is spot on.
You might also try and post:

grep -ERi ServerName /etc/apache2

is an annoying warning but the grep command will show you where to add your server name... (most likely)

3 Likes

/etc/apache2/mods-available/status.conf:        # with the URL of http://servername/server-status
/etc/apache2/mods-available/info.conf:  #  http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-enabled/status.conf:  # with the URL of http://servername/server-status
/etc/apache2/sites-available/000-default-le-ssl.conf:   # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default-le-ssl.conf:   # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default-le-ssl.conf:   #ServerName www.example.com
/etc/apache2/sites-available/000-default-le-ssl.conf:ServerName reve.works
/etc/apache2/sites-available/000-default-le-ssl.conf:   # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default-le-ssl.conf:   # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default-le-ssl.conf:   #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf:  # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf:  # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf:  #ServerName www.example.com
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     #ServerName www.example.com
/etc/apache2/sites-enabled/000-default-le-ssl.conf:ServerName reve.works
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     #ServerName www.example.com
/etc/apache2/sites-enabled/000-default.conf:    # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default.conf:    # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default.conf:    #ServerName www.example.com

These two files overlap:

And the one that has "le-ssl" is clearly NOT doing SSL.

3 Likes
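
An added example (not written by any poster in this thread) that reads the DUMP_VHOSTS output the way the reply above does: it groups the listed vhosts by port and by config file, then flags a name that appears twice on one port and a file that defines vhosts on both 80 and 443. The names vhost_findings and sample_dump are made up for this example; the sample input is the dump posted earlier in the thread.

```shell
#!/bin/sh
# Added example: summarise `apachectl -t -D DUMP_VHOSTS` output read on stdin.
# vhost_findings and sample_dump are names made up for this example.
vhost_findings() {
  awk '
    function add(port, name, loc,    file) {
      file = loc
      sub(/^\(/, "", file); sub(/:[0-9]+\)$/, "", file)   # "(FILE:LINE)" -> FILE
      seen[port SUBSEP name]++             # same name twice on one port
      ports[file] = ports[file] " " port   # ports each config file serves
    }
    # "port 80 namevhost NAME (FILE:LINE)": one name-based vhost
    $1 == "port" && $3 == "namevhost" { add($2, $4, $5); next }
    # "*:443 NAME (FILE:LINE)": the only vhost on that address and port
    $1 ~ /:[0-9]+$/ && $3 ~ /^\(/ { p = $1; sub(/.*:/, "", p); add(p, $2, $3) }
    END {
      for (k in seen) if (seen[k] > 1) {
        split(k, a, SUBSEP)
        print "OVERLAP port " a[1] ": " seen[k] " vhosts named " a[2]
      }
      for (f in ports)
        if (ports[f] ~ / 80( |$)/ && ports[f] ~ / 443( |$)/)
          print "MIXED " f " defines vhosts on ports 80 and 443"
    }' | sort
}

# Sample input: the dump posted earlier in this thread.
sample_dump() {
  cat <<'EOF'
VirtualHost configuration:
*:443  reve.works (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80   is a NameVirtualHost
  default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
  port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
  port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

sample_dump | vhost_findings
```

On a live server the same function can read `sudo apachectl -t -D DUMP_VHOSTS 2>/dev/null` on stdin. A vhost listed under an address such as 127.0.1.1 rather than a hostname has no ServerName of its own.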

With applied noise reduction:

/etc/apache2/sites-available/000-default-le-ssl.conf:ServerName reve.works
/etc/apache2/sites-available/000-default.conf:  #ServerName www.example.com
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     #ServerName www.example.com
/etc/apache2/sites-enabled/000-default-le-ssl.conf:ServerName reve.works
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     #ServerName www.example.com
/etc/apache2/sites-enabled/000-default.conf:    #ServerName www.example.com

With even more applied noise reduction:

/etc/apache2/sites-enabled/000-default-le-ssl.conf:ServerName reve.works

3 Likes

Can we see this file too:
/etc/apache2/sites-enabled/000-default-le-ssl.conf

4 Likes

Struggling with FileZilla, but I actually had a copy of that file from earlier:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


ServerName reve.works
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.reve.works
SSLCertificateFile /etc/letsencrypt/live/www.reve.works/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.reve.works/privkey.pem
</VirtualHost>
</IfModule>

1 Like
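
An added example (not from the original thread) of a cross-check between the two artifacts posted so far: it compares the SSLCertificateFile and SSLCertificateKeyFile paths in a vhost file with the paths that `certbot certificates` reports. The names check_cert_paths and run_sample are made up here; the sample data is copied from the posts above, where the vhost copy points at live/www.reve.works/ while certbot lists live/reve.works/ (the poster described the file as an earlier copy, so the live file may differ).

```shell
#!/bin/sh
# Added example: check_cert_paths and run_sample are names made up here.
# $1: saved output of `certbot certificates`; $2: an Apache vhost config file.
check_cert_paths() {
  awk '
    { sub(/\r$/, "") }                # tolerate CRLF from files edited on Windows
    NR == FNR {                       # first file: paths certbot reports
      if ($0 ~ /(Certificate|Private Key) Path:/) known[$NF] = 1
      next
    }
    # second file: active (uncommented) certificate directives
    $1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" {
      if ($2 in known) print "OK " $1 " " $2
      else print "MISMATCH " $1 " " $2 " (not a path certbot reports)"
    }' "$1" "$2"
}

# Sample data copied from the posts above, written to temporary files.
run_sample() {
  d=$(mktemp -d) || return 1
  cat > "$d/certbot.txt" <<'EOF'
Found the following certs:
  Certificate Name: reve.works
    Domains: reve.works www.reve.works
    Certificate Path: /etc/letsencrypt/live/reve.works/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/reve.works/privkey.pem
EOF
  cat > "$d/vhost.conf" <<'EOF'
<VirtualHost *:443>
ServerName reve.works
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.reve.works
SSLCertificateFile /etc/letsencrypt/live/www.reve.works/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.reve.works/privkey.pem
</VirtualHost>
EOF
  check_cert_paths "$d/certbot.txt" "$d/vhost.conf"
  rm -rf "$d"
}

run_sample
```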

Is this block included in your config file?

Are you managing this server from a Windows box?

3 Likes

Yes

Yes. My PC runs Windows, and I am using PuTTY and FileZilla to do management.

1 Like

Just a side note: WinSCP IMHO is a lot easier to manage Linux servers than FileZilla (even though I used FileZilla for decades). I read the word "struggling"...
Have you restarted your server?
apache2ctl reload
or
service apache2 restart

3 Likes

I'll check it out!

I have :confused:

1 Like

Have you cleaned up the config file as @rg305 suggested?

3 Likes

OMG!!
443/tcp filtered https
Gotta open 443 up to make it work!
Bet that's it!

3 Likes

curl -Ii https://reve.works
curl: (7) Failed to connect to reve.works port 443: No route to host

3 Likes

This is also interesting:

curl -Ii http://reve.works
HTTP/1.1 200 OK
Date: Thu, 08 Jun 2023 01:27:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Link: <http://164.152.26.151/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

3 Likes