Help me I cannot renew the SSL certificate of my website

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://masshopping.com.ve/

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Using the webroot path /home/masshing/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.masshopping.com.ve
Challenge failed for domain mail.masshopping.com.ve
Challenge failed for domain masshopping.com.ve
Challenge failed for domain webmail.masshopping.com.ve
Challenge failed for domain www.masshopping.com.ve
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

My web server is (include version): Webmin 1.981 / Virtualmin 6.17-3

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.3

My hosting provider, if applicable, is: Contabo (VPS)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.981 / Virtualmin 6.17-3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Welcome to the community @XavierTM

Can you show the contents of the /etc/letsencrypt/cli.ini file - if present

Also, the contents of the file in /etc/letsencrypt/renewal/ for your domain names. It will probably be the admin name as that was first.

Lastly, what is the DocumentRoot you currently have in Apache for these VirtualHosts?

It looks to me like the values for the webroot folders are out-of-sync with your current Apache setup. Please format the outputs of each of the above separately with the PreformattedText option (Ctrl-E) in the format menu. Thanks.

2 Likes

This is what I have in
etc / letsencrypt / cli.ini

Because we are using logrotate for greater flexibility, disable the

internal certbot logrotation.

max-log-backups = 0

and in

etc / letsencrypt / renewal / masshopping.com.ve.conf

this:

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/masshopping.com.ve
cert = /etc/letsencrypt/live/masshopping.com.ve/cert.pem
privkey = /etc/letsencrypt/live/masshopping.com.ve/privkey.pem
chain = /etc/letsencrypt/live/masshopping.com.ve/chain.pem
fullchain = /etc/letsencrypt/live/masshopping.com.ve/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 9cbab5d12ecb915f2d44b55203e8ca3f
authenticator = webroot
webroot_path = / home / masshing / public_html,
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 2048
manual_public_ip_logging_ok = True
[[webroot_map]]

DocumentRoot in apache /home/masshing/public_html

I think everything is correct, right?

1 Like

Yes, it looks ok. But, does that path really have spaces in between the folder parts? All the other paths look formatted nice. Not sure if font problem or syntax issue.

If you could format it with Preformatted text that would be better. Or place three backticks like ``` before and after the renewal conf contents.

2 Likes

Ok, only this appears in: /etc/letsencrypt/cli.ini

# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0

This:

/etc/letsencrypt/renewal/masshopping.com.ve.conf
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/masshopping.com.ve
cert = /etc/letsencrypt/live/masshopping.com.ve/cert.pem
privkey = /etc/letsencrypt/live/masshopping.com.ve/privkey.pem
chain = /etc/letsencrypt/live/masshopping.com.ve/chain.pem
fullchain = /etc/letsencrypt/live/masshopping.com.ve/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 9cbab5d12ecb915f2d44b55203e8ca3f
authenticator = webroot
webroot_path = /home/masshing/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 2048
manual_public_ip_logging_ok = True
[[webroot_map]]

This:

etc/apache2/sites-available
<VirtualHost 193.34.144.174:80>
    SuexecUserGroup "#1002" "#1002"
    ServerName masshopping.com.ve
    ServerAlias www.masshopping.com.ve
    ServerAlias mail.masshopping.com.ve
    ServerAlias webmail.masshopping.com.ve
    ServerAlias admin.masshopping.com.ve
    ServerAlias *.masshopping.com.ve
    DocumentRoot /home/masshing/public_html
    ErrorLog /var/log/virtualmin/masshopping.com.ve_error_log
    CustomLog /var/log/virtualmin/masshopping.com.ve_access_log combined
    ScriptAlias /cgi-bin /home/masshing/public_html/cgi-bin
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/masshing/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    #extra config to disable default index.html
    DirectoryIndex disabled
    DirectoryIndex index.php
    </Directory>
    <Directory /home/masshing/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    #extra config to disable default index.html
    DirectoryIndex disabled
    DirectoryIndex index.php
    </Directory>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R]
    RewriteCond %{HTTP_HOST} =webmail.masshopping.com.ve
    RewriteRule ^(?!/.well-known)(.*) https://masshopping.com.ve:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.masshopping.com.ve
    RewriteRule ^(?!/.well-known)(.*) https://masshopping.com.ve:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
<Files awstats.pl>
AuthName "masshopping.com.ve statistics"
AuthType Basic
AuthUserFile /home/masshing/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch ^/(?!.well-known)(.*)$ https://masshopping.com.ve/$1
php_admin_value engine Off
<FilesMatch \.php$>
    SetHandler proxy:fcgi://localhost:8000
</FilesMatch>
</VirtualHost>
<VirtualHost 193.34.144.174:443>
    SuexecUserGroup "#1002" "#1002"
    ServerName masshopping.com.ve
    ServerAlias www.masshopping.com.ve
    ServerAlias mail.masshopping.com.ve
    ServerAlias webmail.masshopping.com.ve
    ServerAlias admin.masshopping.com.ve
    ServerAlias *.masshopping.com.ve
    DocumentRoot /home/masshing/public_html
    ErrorLog /var/log/virtualmin/masshopping.com.ve_error_log
    CustomLog /var/log/virtualmin/masshopping.com.ve_access_log combined
    ScriptAlias /cgi-bin /home/masshing/public_html/cgi-bin
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/masshing/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    #extra config to disable default index.html
    DirectoryIndex disabled
    DirectoryIndex index.php
    </Directory>
    <Directory /home/masshing/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    #extra config to disable default index.html
    DirectoryIndex disabled
    DirectoryIndex index.php
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.masshopping.com.ve
    RewriteRule ^(?!/.well-known)(.*) https://masshopping.com.ve:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.masshopping.com.ve
    RewriteRule ^(?!/.well-known)(.*) https://masshopping.com.ve:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
<Files awstats.pl>
AuthName "masshopping.com.ve statistics"
AuthType Basic
AuthUserFile /home/masshing/.awstats-htpasswd
require valid-user
</Files>
SSLEngine on
SSLCertificateFile /home/masshing/ssl.cert
SSLCertificateKeyFile /home/masshing/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/masshing/ssl.ca
php_admin_value engine Off
<FilesMatch \.php$>
    SetHandler proxy:fcgi://localhost:8000
</FilesMatch>
</VirtualHost>

Is that OK?

1 Like

Hmmm. Seems right. Let's test access to the challenge location to be sure.

mkdir -p /home/masshing/public_html/.well-known/acme-challenge
echo testdata1234 > /home/masshing/public_html/.well-known/acme-challenge/Test-1234

Then try:

http://masshopping.com.ve/.well-known/acme-challenge/Test-1234

Leave the test file in place afterwards so I can try too.
I will be away for a bit, so others may try.

2 Likes

I did what you mentioned, with no errors, but when entering (http://masshopping.com.ve/.well-known/acme-challenge/Test-1234)

this comes out:

Not Found
The requested URL was not found on this server.
1 Like

Now we know why Certbot is failing. It is expecting its challenge file there.

Now we have to figure out why that test file gets a 404 Not Found. Could you have other rewrites like in an htaccess? Or, have a stray Alias somewhere for the document root or well-known folders? I only briefly looked at your rewrite statements but need to look harder I suppose.

I see the http headers show Varnish. Could your Fastly CDN be interfering?

Please leave the Test-1234 file in place until this gets resolved. Thanks

UPDATE:
@XavierTM Here are the http headers I saw from my attempt earlier. I don't use Varnish, but it seems the numbers in the X-Varnish header can be used to match to its logs.

curl -I http://masshopping.com.ve/.well-known/acme-challenge/Test-1234

HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2021 19:24:13 GMT
Server: Apache
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
X-Varnish: 487 485
Age: 4
Via: 1.1 varnish (Varnish/6.2)
Connection: keep-alive
2 Likes

How can I find out why the 404 error is generated? Should I show you the .htaccess file of the web page?

1 Like

That is more for you to sort but I will help if I can. To recap, you placed a file under your Apache DocumentRoot and we cannot see it from the internet using curl. So, something is interfering.

I would look at your htaccess if it has any redirects in it. I am not familiar with Varnish but is it just for caching or is it also like a CDN which it might have rules which could reject URLs not defined in it? Are you using a CDN like Fastly?

In the Varnish docs they say the numbers in X-Varnish header can match to their log. Is that possible for you to do? Maybe it will provide a clue.

And, look at your Apache access logs. See if they show a 404 Not Found as you expect. Just trying to find more info to help identify what is getting in the way of finding a file in that folder.

That's all I can think of for now.

Update: Oh, is your Varnish setup new since you last got fresh certs?

2 Likes

@XavierTM The problem is Varnish (almost certainly)

This retrieves the test file:

curl -k  https://masshopping.com.ve/.well-known/acme-challenge/Test-1234

Note it is https - not http. Let's Encrypt will use http first for the http challenge. That is failing with 404.

I have learned Varnish sits "in front" of your server and caches http requests. There must be something in your Varnish config (VCL file?) that is blocking the requests to the /.well-known/acme-challenge/ files.

I suppose it could be something else but this seems by far the most likely.

2 Likes

Ok, if I have understood you correctly, I will try to find the solution. I just don't understand much about Varnish; let me review and I'll write to you.

2 Likes

I think that is a cache plugin that I have in WordPress.

1 Like

I just deleted everything I had from the cache plugin, but I still get an error when trying to renew the certificate:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Using the webroot path /home/masshing/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.masshopping.com.ve
Challenge failed for domain mail.masshopping.com.ve
Challenge failed for domain masshopping.com.ve
Challenge failed for domain webmail.masshopping.com.ve
Challenge failed for domain www.masshopping.com.ve
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.masshopping.com.ve
   Type:   unauthorized
   Detail: Invalid response from
   http://admin.masshopping.com.ve/.well-known/acme-challenge/wALsPWosQ1Xfk_ACeaE1WgK260N3Behq8PMC0zoCrWc
   [193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: mail.masshopping.com.ve
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.masshopping.com.ve/.well-known/acme-challenge/JMXnkHWM3LxXYDxlDNTc2n_IzNb-QurVGqSIoSM4A9k
   [193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: masshopping.com.ve
   Type:   unauthorized
   Detail: Invalid response from
   http://masshopping.com.ve/.well-known/acme-challenge/0BI62GGrfIMPsa3Sof-bMwpt4-a4_j34E0pltFSR6x0
   [193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: webmail.masshopping.com.ve
   Type:   unauthorized
   Detail: Invalid response from
   http://webmail.masshopping.com.ve/.well-known/acme-challenge/7PTPMlWEsspIqvah0l-QE55c83p81c2sEmb1Ifbe5rg
   [193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: www.masshopping.com.ve
   Type:   unauthorized
   Detail: Invalid response from
   http://www.masshopping.com.ve/.well-known/acme-challenge/xwSlox4Boso61zaOR_IhokotLJaaocC2ohGktBZQv9U
   [193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

Varnish is still interfering, it looks like. See below: the http request fails (and see the X-Varnish header) but https works.

curl -I  http://masshopping.com.ve/.well-known/acme-challenge/Test-1234
HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2021 21:45:31 GMT
Server: Apache
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
X-Varnish: 131427 131425
Age: 9
Via: 1.1 varnish (Varnish/6.2)
Connection: keep-alive

curl -Ik https://masshopping.com.ve/.well-known/acme-challenge/Test-1234
HTTP/1.1 200 OK
Date: Mon, 29 Nov 2021 21:46:00 GMT
Server: Apache
Last-Modified: Mon, 29 Nov 2021 19:17:38 GMT
ETag: "d-5d1f24b41c9be"
Accept-Ranges: bytes
Content-Length: 13
content-Security-Policy: upgrade-insecure-requests

Until the http request succeeds there is no point trying for fresh certificates.

2 Likes

I have tried to disable Varnish, but I still get the error:
HTTP/1.1 503 Backend Fetch Failed

1 Like

That indicates that Varnish is still active but is not getting a response from your Apache server. Note that the curl response headers now say Server is Varnish - not Apache.

curl -I  http://masshopping.com.ve/.well-known/acme-challenge/Test-1234

HTTP/1.1 503 Backend fetch failed
Date: Mon, 29 Nov 2021 22:20:52 GMT
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
X-Varnish: 229390
Age: 0
Via: 1.1 varnish (Varnish/6.2)
Content-Length: 283
Connection: keep-alive

I am sorry I do not know more details of how Varnish is configured. From their docs there is a VCL file so if you can find that it might be helpful.
https://www.varnish-software.com/wiki/content/tutorials/varnish/varnish_ubuntu.html
Are you managing these configurations yourself or is this being done through a panel of some kind?

2 Likes
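The three curl -I dumps in this thread (404 via Varnish, 200 direct from Apache over https, 503 with Server: Varnish) are each a different failure signature for an http-01 challenge. As an added example that is not from anyone in this thread, the Python script below parses such a header dump and returns a verdict, and can also fetch a challenge URL live the way the CA does (plain GET over http, following redirects). The sample dumps are copied from the curl output posted above; the function names and the verdict strings are this example's own choices.

```python
"""Turn a curl -I style header dump into a verdict about where an ACME
http-01 challenge request is being answered, and by what."""
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# Sample inputs: the header dumps posted earlier in this thread.
HTTP_404_VIA_VARNISH = """HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2021 21:45:31 GMT
Server: Apache
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
X-Varnish: 131427 131425
Age: 9
Via: 1.1 varnish (Varnish/6.2)
Connection: keep-alive"""

HTTPS_200_DIRECT = """HTTP/1.1 200 OK
Date: Mon, 29 Nov 2021 21:46:00 GMT
Server: Apache
Last-Modified: Mon, 29 Nov 2021 19:17:38 GMT
ETag: "d-5d1f24b41c9be"
Accept-Ranges: bytes
Content-Length: 13
content-Security-Policy: upgrade-insecure-requests"""

VARNISH_503 = """HTTP/1.1 503 Backend fetch failed
Date: Mon, 29 Nov 2021 22:20:52 GMT
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
X-Varnish: 229390
Age: 0
Via: 1.1 varnish (Varnish/6.2)
Content-Length: 283
Connection: keep-alive"""


def challenge_url(domain: str, token: str) -> str:
    """The URL the CA requests first for http-01: always plain http."""
    return f"http://{domain}{ACME_PATH}{token}"


def parse_headers(dump: str) -> dict:
    """Parse a curl -I dump: status line first, then 'Name: value' lines.
    Header names are lower-cased so casing differences (content-Security-Policy
    vs Content-Security-Policy) do not matter."""
    lines = [ln.strip() for ln in dump.strip().splitlines() if ln.strip()]
    status = int(lines[0].split(None, 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def diagnose(dump: str) -> str:
    """Classify a probe of the challenge URL.
    'ok'                     file served, no cache layer visible
    'ok-through-cache'       file served, but a Varnish hop is in the path
    '404-through-cache'      a Varnish hop answered 404 (cache or routing in front
                             of the origin is the first thing to check)
    '404-from-origin'        the origin itself says 404 (webroot/rewrites)
    'cache-up-backend-down'  Varnish answered 503: proxy alive, origin unreachable
    'redirect'               a 3xx that curl -I did not follow"""
    r = parse_headers(dump)
    h = r["headers"]
    via_varnish = "x-varnish" in h or "varnish" in h.get("via", "").lower()
    if r["status"] == 200:
        return "ok-through-cache" if via_varnish else "ok"
    if r["status"] == 503 and h.get("server", "").lower() == "varnish":
        return "cache-up-backend-down"
    if r["status"] == 404:
        return "404-through-cache" if via_varnish else "404-from-origin"
    if 300 <= r["status"] < 400:
        return "redirect"
    return f"unexpected-{r['status']}"


def probe(url: str) -> str:
    """Fetch url like the CA does (GET, redirects followed) and return the
    response as a curl -I style dump ready for diagnose()."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "acme-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, reason, headers = resp.status, resp.reason, resp.headers
    except urllib.error.HTTPError as e:  # 4xx/5xx still carries headers
        status, reason, headers = e.code, e.reason, e.headers
    return "\n".join([f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()])


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: probe.py <domain> <token>
        print(diagnose(probe(challenge_url(sys.argv[1], sys.argv[2]))))
    else:
        for name, dump in [("http 404", HTTP_404_VIA_VARNISH),
                           ("https 200", HTTPS_200_DIRECT),
                           ("http 503", VARNISH_503)]:
            print(f"{name}: {diagnose(dump)}")
```

Run it with the domain and the test token to get a live verdict for the http URL; the verdict distinguishes the origin refusing the file (fix the webroot or rewrites) from a cache layer in front of it answering on its own (fix or bypass the proxy for /.well-known/acme-challenge/), which is the distinction this thread turned on.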

I opened the file default.vcl

#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "172.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}

in etc/varnish/default.vcl

1 Like

Hmm. Is Varnish new since you set up the certs before?

That Varnish config points to a server that you have not yet shown. Note the host IP and the port 8080. The Apache config you showed does not have such a server.

And, you have gone backwards in that I cannot connect to your site with http now at all. I get a curl (7) connection refused message. (https still works with the -k)

I strongly believe Varnish is the cause of your problems but I am afraid I am not helping you in a productive way. Perhaps you could try a Varnish forum or whatever you are using to configure your system. I don't mind helping with this - I just don't think it is working well.

2 Likes