Help with SSL/TLS setup on FreeBSD 13.1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
myrkur.net
I ran this command:
sudo certbot --apache -d myrkur.net -d www.myrkur.net
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): linukongurinn@protonmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Account registered.
Requesting a certificate for myrkur.net and www.myrkur.net

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/myrkur.net/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/myrkur.net/privkey.pem
This certificate expires on 2023-06-08.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.myrkur.net.
Which virtual host would you like to choose?


1: httpd-vhosts.conf | myrkur.net | | Enabled
2: httpd-vhosts-le-ssl.conf | myrkur.net | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Successfully deployed certificate for www.myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://myrkur.net and https://www.myrkur.net

NEXT STEPS:

  • The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See User Guide — Certbot 2.4.0 documentation for instructions.

If you like Certbot, please consider supporting our work by:


My web server is (include version):
z@myrkur:~ $ httpd -v
Server version: Apache/2.4.55 (FreeBSD)
Server built: unknown
The operating system my web server runs on is (include version):
FreeBSD 13.1
My hosting provider, if applicable, is:
my own
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
z@myrkur:~ $ certbot --version
certbot 2.1.0

..also:
z@myrkur:~ $ apachectl
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
AH00526: Syntax error on line 13 of /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf:
SSLCertificateFile: file '/usr/local/etc/letsencrypt/live/myrkur.net/fullchain.pem' does not exist or is empty

If anyone is kind enough to help it would be appreciated.
Thanks

1 Like

Try sudo apachectl. The certificates files are not readable as an unprivileged user by default.

3 Likes

z@myrkur:~ $ sudo apachectl
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
httpd (pid 2156) already running

..and myrkur.net shows:
Secure Connection Failed

An error occurred during a connection to www.myrkur.net. PR_END_OF_FILE_ERROR

Error code: PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Thanks for the reply.

It looks like Apache is serving HTTP (rather than HTTPS) on port 443.

There can be a couple of ways this happens:

  • Configuration error in Apache. sudo apachectl -t -D DUMP_VHOSTS can help confirm.
  • Port forwarding issue. If you have port 443 externally redirected to port 80 internally, then this would happen.
3 Likes

z@myrkur:~ $ sudo apachectl -t -D DUMP_VHOSTS
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
AH00112: Warning: DocumentRoot [/usr/local/www/apache24/data/myrkur.net] does not exist
VirtualHost configuration:
*:80 myrkur.net (/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
*:443 myrkur.net (/usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf:2)

..checking router port forwarding, sec.

Port forwarding seems alright, 80 to 80. I'll add 443 now. Still get the same error on the web browser.
Port forwarding on my router:

I appreciate the replies, thanks.

I tried this:

z@myrkur:~ $ cd /usr/local/www/apache24/data/
z@myrkur:/usr/local/www/apache24/data $ mkdir myrkur.net
mkdir: myrkur.net: Permission denied
z@myrkur:/usr/local/www/apache24/data $ sudo mkdir myrkur.net
Password:
z@myrkur:/usr/local/www/apache24/data $ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 myrkur.net (/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
*:443 myrkur.net (/usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf:2)
z@myrkur:/usr/local/www/apache24/data $ sudo certbot --apache -d myrkur.net -d www.myrkur.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /usr/local/etc/letsencrypt/renewal/myrkur.net.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Successfully deployed certificate for www.myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Failed redirect for myrkur.net
Unable to set the redirect enhancement for myrkur.net.

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name myrkur.net

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
z@myrkur:/usr/local/www/apache24/data $ sudo certbot --cert-name myrkur.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /usr/local/etc/letsencrypt/renewal/myrkur.net.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Successfully deployed certificate for www.myrkur.net to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Failed redirect for myrkur.net
Unable to set the redirect enhancement for myrkur.net.

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name myrkur.net

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Still get the same error on the web browser.

On the Apache server itself, can you try run these two commands:

curl -Ik https://localhost
curl -I http://localhost:443

I'm a bit stumped because your Apache vhosts looks fine.

3 Likes

z@myrkur:/usr/local/www/apache24/data $ curl -Ik https://localhost
HTTP/1.1 200 OK
Date: Fri, 10 Mar 2023 21:37:03 GMT
Server: Apache/2.4.55 (FreeBSD) OpenSSL/1.1.1o-freebsd PHP/8.2.0
Content-Type: text/html;charset=ISO-8859-1

z@myrkur:/usr/local/www/apache24/data $ curl -I http://localhost:443
HTTP/1.1 400 Bad Request
Date: Fri, 10 Mar 2023 21:41:06 GMT
Server: Apache/2.4.55 (FreeBSD) OpenSSL/1.1.1o-freebsd PHP/8.2.0
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

I may have damaged something in the httpd.conf file as I tried numerous edits before I could get the regular http server up and running.

The problem definitely looks like port forwarding. The Apache configuration is correct and HTTPS works fine on port 443 when accessed locally.

Maybe try removing and re-adding the port forwarding rules, and fill in the optional "External Port" fields as well.

Maybe also check the FreeBSD firewall rules, if any? Could be a port redirection in there.

3 Likes

Changed it a bit, and this goes through:


Now I get a different error on the web browser:

Unable to connect

An error occurred during a connection to www.myrkur.net.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

Any ideas?

Is it possible that your router requires port 443 for its own usage? Is there somewhere you can change that binding?

2 Likes

That could be the case. Maybe the ISP needs the port 443 to configure the router from their side.

I tried rebooting the server. ifconfig is here:

z@myrkur:~ $ ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether f4:6d:04:65:ec:a5
inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::f66d:4ff:fe65:eca5%re0 prefixlen 64 scopeid 0x1
inet6 2a01:6f01:1206:3400:f66d:4ff:fe65:eca5 prefixlen 64 autoconf
media: Ethernet autoselect (1000baseT )
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

internal addresses http://192.168.1.101 and https://192.168.1.101 both work, but the https one gives a certificate warning. So this must be an issue with the router I think.

Thanks for all the replies.

1 Like

I see neither port 80 nor port 443 open with nmap -Pn

$ nmap -Pn www.myrkur.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-10 21:56 UTC
Nmap scan report for www.myrkur.net (153.92.146.57)
Host is up (0.19s latency).
rDNS record for 153.92.146.57: nova-153-092-146-057.cpe.novanet.is
Not shown: 996 closed ports
PORT    STATE    SERVICE
25/tcp  filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 40.27 seconds
2 Likes

I'm gonna give my ISP a call tomorrow if they're open, see how come the ports don't open.
Currently the router is set up as detailed by my ISP

After contacting my ISP she advised me to reset the router. Upon doing so I was able to open the ports, 80 and 443 on TCP, to the internal IP of 192.168.1.102 which is my FreeBSD server. When I type the internal IP into the browser it works, even with https:// (with a warning), but when I type my external IP I can only access the non-secure http. The https://[my-external-ip] gives me an Error code: PR_END_OF_FILE_ERROR

Thanks for all the replies my dudes and dudettes.

1 Like

To use the HTTP-01 Challenge the challenge needs the domain name to map to a Public Facing IP Address.

To find your Public Facing IP Address(es) use these:

curl -4 ifconfig.co
curl -6 ifconfig.co

or/and

curl -4 ifconfig.io
curl -6 ifconfig.io
1 Like
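The reply above says HTTP-01 needs the domain name to map to the public-facing address and gives the curl commands for finding that address. The following script, added here as an example and not code from the thread, Certbot or Let's Encrypt, does the comparison that those commands leave to the reader: it resolves the domain's A and AAAA records and reports any record that does not match the address(es) the server is actually reachable on. The domain and addresses under `__main__` are assumptions taken from the thread; the public addresses would normally come from the `curl -4 / -6 ifconfig.co` output.

```python
"""Check that a domain's published A/AAAA records point at the public
address(es) this server sits behind, which is what HTTP-01 requires.
Added example for this page; not part of Certbot.  Domain and addresses in
__main__ are assumptions taken from the thread.
"""
import socket


def resolve(name):
    """Return {"A": set(), "AAAA": set()} using the system resolver."""
    records = {"A": set(), "AAAA": set()}
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records
    for family, _type, _proto, _canon, sockaddr in infos:
        if family == socket.AF_INET:
            records["A"].add(sockaddr[0])
        elif family == socket.AF_INET6:
            records["AAAA"].add(sockaddr[0])
    return records


def check_mapping(records, public_v4, public_v6):
    """Compare published records with the addresses the server is reachable on.

    public_v4 / public_v6: sets of addresses seen from outside (for example
    what `curl -4 ifconfig.co` / `curl -6 ifconfig.co` print); pass an empty
    set when that protocol is not usable from the server, as with the
    `curl -6` failure in the thread.
    Returns a list of problems; an empty list means the name points at us.
    """
    problems = []
    if not records["A"] and not records["AAAA"]:
        problems.append("no A or AAAA record published")
    stray_v4 = records["A"] - public_v4
    if stray_v4:
        problems.append("A record(s) not ours: " + ", ".join(sorted(stray_v4)))
    stray_v6 = records["AAAA"] - public_v6
    if stray_v6:
        # The validator tries IPv6 first when an AAAA record exists, so an
        # AAAA record that does not belong to a reachable address is a
        # common cause of challenge failures even when IPv4 is fine.
        problems.append("AAAA record(s) not reachable/ours: "
                        + ", ".join(sorted(stray_v6)))
    return problems


if __name__ == "__main__":
    # Assumed values from the thread: replace with your own domain and with
    # the addresses reported by an external lookup.
    domain = "www.myrkur.net"
    public_v4 = {"153.92.146.57"}
    public_v6 = set()            # curl -6 could not connect, so no usable IPv6
    for problem in check_mapping(resolve(domain), public_v4, public_v6) or ["ok"]:
        print(problem)
```

`resolve()` asks the local resolver, so run it from a machine whose resolver returns the public records (a LAN resolver that rewrites the name to 192.168.1.x would hide exactly the problem being checked).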

Also it looks like HTTP (not HTTPS) is being served on Port 443

$ curl -Ii http://www.myrkur.net
HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Mar 2023 20:17:37 GMT
Server: Apache/2.4.55 (FreeBSD) OpenSSL/1.1.1o-freebsd PHP/8.2.0
Location: https://www.myrkur.net/
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii http://www.myrkur.net:443
HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Mar 2023 20:17:44 GMT
Server: Apache/2.4.55 (FreeBSD) OpenSSL/1.1.1o-freebsd PHP/8.2.0
Location: https://www.myrkur.net/
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://www.myrkur.net
curl: (35) error:0A00010B:SSL routines::wrong version number
1 Like
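Two replies in this thread (the one suggesting HTTP rather than HTTPS is served on port 443, and the curl output just above showing a 301 from `http://www.myrkur.net:443`) rely on the same two probes: try a TLS handshake, then send plaintext HTTP to the same port and see what answers. The script below, added here as an example and not code from the thread, Certbot or Apache, runs both probes against several addresses and turns the results into a verdict, so that the loopback result (TLS works, plaintext gets a 400) can be compared directly with the public result (TLS fails, plaintext gets a 301, i.e. the router is delivering port 443 to the port-80 listener). The hostnames and addresses under `__main__` are assumptions taken from the thread.

```python
"""Tell whether host:443 answers with TLS, plaintext HTTP, or nothing, and
compare what is seen locally with what is seen via the public address.
Added example for this page; not part of Certbot or Apache.  Addresses in
__main__ are assumptions taken from the thread.
"""
import socket
import ssl

TIMEOUT = 5.0


def probe_tls(host, port=443):
    """Attempt a TLS handshake.  Returns "ok" or an OpenSSL reason string.

    Certificate checking is disabled on purpose: the question is whether the
    port speaks TLS at all, not whether the certificate matches the name
    (probing https://192.168.1.102 would otherwise fail for the wrong reason).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLError as e:
        # WRONG_VERSION_NUMBER: the peer answered in plaintext (curl error 35);
        # UNEXPECTED_EOF_WHILE_READING: the peer hung up (PR_END_OF_FILE_ERROR).
        return e.reason or "SSL_ERROR"
    except OSError as e:              # refused, timed out, unreachable
        return "connect-failed:" + str(e.errno)


def probe_plain(host, port=443):
    """Send a plaintext HTTP request to the port and return the first
    response line, or "" if nothing usable comes back."""
    req = "HEAD / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host).encode()
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as s:
            s.sendall(req)
            data = s.recv(256)
    except OSError:
        return ""
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def diagnose(tls_outcome, plain_first_line):
    """Turn the two probe results into a short verdict code."""
    if tls_outcome == "ok":
        # TLS handshake completed.  A 400 to the plaintext request is then
        # expected: mod_ssl rejects non-TLS bytes on an SSL vhost.
        return "https-ok"
    if plain_first_line.startswith("HTTP/"):
        # TLS failed but plain HTTP was answered on the same port, so the
        # port is being delivered to a non-TLS listener, e.g. a router
        # forwarding external 443 to internal 80.
        return "plaintext-http-on-443"
    if tls_outcome.startswith("connect-failed"):
        return "unreachable"                # "Unable to connect" in the browser
    return "no-usable-answer"


def compare(targets):
    """Probe every (label -> host) pair and return {label: verdict}."""
    return {label: diagnose(probe_tls(host), probe_plain(host))
            for label, host in targets.items()}


if __name__ == "__main__":
    # Assumed addresses from the thread; run this on the Apache box so the
    # loopback and LAN rows bypass the router while the public row goes
    # through it.
    targets = {"loopback": "localhost",
               "lan": "192.168.1.102",
               "public": "www.myrkur.net"}
    for label, verdict in compare(targets).items():
        print("{:9s} {}".format(label, verdict))
```

If loopback and LAN report `https-ok` while public reports `plaintext-http-on-443`, Apache is configured correctly and the problem is in the forwarding path, which is the conclusion the thread reaches; `unreachable` on the public row matches the nmap result further up, where neither 80 nor 443 was open.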

It needs to be "External Port Number", not "External Source Port Number". The latter, you should keep blank.

This still looks like the same issue to me - your router is not letting you port forward 443 to 443.

4 Likes
z@myrkur:~ $ sudo curl -4 ifconfig.co
Password:
153.92.146.57
z@myrkur:~ $ sudo curl -6 ifconfig.co
curl: (7) Couldn't connect to server
z@myrkur:~ $ curl -4 ifconfig.io
153.92.146.57
z@myrkur:~ $ curl -6 ifconfig.io
curl: (7) Couldn't connect to server

I get the same issue when I try to add numbers to the External Port Number field on the router page. But if I check whether port 443 or 80 is open via https://ismyportopen.com/ it shows that they are open. But as you said it seems port 443 is being redirected to http instead of https. Do you know how I can fix this? Maybe I need a new router.

Edit: Also, here is my router configuration in case you're wondering:

Thanks

1 Like

You are showing Internal Port Number vs

1 Like

If I try to add the ports in to the "External Port Number" fields I get this error:


The ISP says everything looks good on their end, but they have trouble accessing the router. I might have to replace the router it seems. Any ideas?
I may have edited some config file to move all https:// traffic to http:// earlier because I couldn't get https working some months ago. Is there a config file which allows for this?

Thanks

1 Like