Help with Ubuntu 16.04 Apache and LetsEncrypt set up


#1

Hello, My first post on here, so here goes:
I have a working Ubuntu 16.04 server set up with a few apache virtual hosts, hosting a few sites for me and my mates. I use webmin to manage it normally. I want to use letsencrypt, so I followed this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
All the sites are WordPress and users are chrooted to their home directories so when they FTP in they can't mess with any other stuff. When I change the WordPress URL to https instead of http I get an error that says:

"Secure Connection Failed

An error occurred during a connection to www.mydomain.net SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

I’m pretty sure that my Apache SSL module is installed and working, port 443 is open on my firewall too. A port scan confirms this.
I can see a couple of .pem files in /etc/letsencrypt/keys but have no idea where to start to understand why it's not working.
After it didn’t work with the first how to guide above, I tried this method: https://certbot.eff.org/#ubuntuxenial-apache
Same error when trying to view SSL pages.
Any help would be much appreciated.
Thank you.


#2

That usually indicates that apache is serving plain http on port 443. Double check that mod_ssl is enabled, the vHosts include “SSLEngine on” and that apache has been reloaded after making any changes.
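The reply above names the usual cause but not how to confirm it from the outside. The following is an added diagnostic, not code from this thread or from certbot: it sends a minimal TLS ClientHello to port 443 and classifies what comes back. Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG when the first bytes are not a TLS record; a plaintext "HTTP/1.1 400 Bad Request" reply read as a TLS record header gives type 0x48, version 0x5454 and length 0x502f (20527 bytes), more than a record may carry, so the client aborts. The host name, the use of nc(1)/od(1) and the Apache-side commands it suggests are my assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does anything speak TLS on HOST:443?
# Assumptions: nc(1), od(1) and head(1) are installed; HOST resolves to the
# server under test.

# Emit a minimal TLS ClientHello: record version 3.1, client_version 3.3, one
# cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA), no extensions. Any TLS server
# answers with a record starting 0x16 (ServerHello) or 0x15 (alert); a
# plaintext web server answers with an HTTP error line instead.
client_hello() {
    printf '\026\003\001\000\055'          # record: handshake, 3.1, length 45
    printf '\001\000\000\051\003\003'      # ClientHello, length 41, version 3.3
    head -c 32 /dev/urandom                # client random
    printf '\000\000\002\000\057\001\000'  # no session id; suite 0x002f; null compression
}

# classify_reply FILE: print tls, plain-http, other or empty for the bytes the
# server sent back (first five bytes are enough to tell the cases apart).
classify_reply() {
    if [ ! -s "$1" ]; then
        echo empty
        return 0
    fi
    lead=$(head -c 5 "$1" | od -An -tx1 | tr -d ' \n')
    case "$lead" in
        1603*|1503*) echo tls ;;           # TLS handshake or alert record
        485454502f)  echo plain-http ;;    # "HTTP/" : Apache serving HTTP on 443
        *)           echo other ;;
    esac
}

# probe_443 HOST: send the ClientHello, classify the reply and, for the
# plain-http case, list the server-side checks to run. Exit 0 only for "tls".
probe_443() {
    host="$1"
    reply=$(mktemp)
    client_hello | nc -w 5 "$host" 443 > "$reply" 2>/dev/null || true
    verdict=$(classify_reply "$reply")
    rm -f "$reply"
    echo "$host:443 -> $verdict"
    case "$verdict" in
        tls) return 0 ;;
        plain-http)
            echo "Apache answers plain HTTP on 443. On the server, check:" >&2
            echo "  a2query -m ssl                               # is mod_ssl enabled?" >&2
            echo "  apache2ctl -S                                # which vhost binds *:443?" >&2
            echo "  grep -r 'SSLEngine' /etc/apache2/sites-enabled/" >&2
            echo "  systemctl reload apache2                     # after any change" >&2
            return 1 ;;
        *) return 1 ;;
    esac
}

# Usage: probe_443 www.example.net
```

"empty" or "other" means something other than Apache's plaintext listener is in the way (a silent firewall, a different daemon); follow up with `openssl s_client -connect HOST:443 -servername HOST` in that case. The same probe is worth running before retrying certbot's apache plugin, since its TLS-SNI-01 validation also needs a TLS listener on 443.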


#3

Thanks for the quick reply. Yes, mod_ssl and dependencies are enabled.
I just tried to add SSLEngine on to one of my virtual host files, restarted apache and got:
"Failed to start apache : Starting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.
failed!"
I think I may have put it in the wrong place? I put it in /etc/apache2/sites-available/*mydomain.net.conf


#4

That’s the correct location assuming that the sites are enabled.
Running “systemctl status apache2.service” should tell you why apache can’t start.


#5

Running systemctl status apache2.service gave me this:

● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: inactive (dead) since Thu 2016-07-14 20:49:36 NZST; 2min 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 9942 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
Process: 9212 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)

Jul 14 20:09:20 ubuntu-server systemd[1]: Starting LSB: Apache2 web server…
Jul 14 20:09:20 ubuntu-server apache2[9212]: * Starting Apache httpd web server apache2
Jul 14 20:09:20 ubuntu-server apache2[9212]: AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1.
Jul 14 20:09:21 ubuntu-server apache2[9212]: *
Jul 14 20:09:21 ubuntu-server systemd[1]: Started LSB: Apache2 web server.
Jul 14 20:49:36 ubuntu-server apache2[9942]: * Stopping Apache httpd web server apache2
Jul 14 20:49:36 ubuntu-server apache2[9942

I moved SSLengine on up to the second line in the virtual host conf file and tried to restart apache. This time I got an error
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
[Thu Jul 14 20:49:36.783996 2016] [ssl:emerg] [pid 9230] AH02572: Failed to configure at least one certificate and key for *my domain.net.nz:443
[Thu Jul 14 20:49:36.784024 2016] [ssl:emerg] [pid 9230] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Thu Jul 14 20:49:36.784028 2016] [ssl:emerg] [pid 9230] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Jul 14 20:49:36.784030 2016] [:emerg] [pid 9230] AH00020: Configuration Failed, exiting

Not sure what to do now, looks like there are no certificates or keys? Or mod_ssl is broken? Not sure which?


#6

Next thing to check is that SSLCertificateFile and SSLCertificateKeyFile are defined correctly.


#7

How do I do that? Where are they defined?


#8

In the vHosts, ideally just under SSLEngine on. They need to be the paths to the relevant .pem files (fullchain.pem and privkey.pem) under /etc/letsencrypt/live/


#9

OK, thanks. I thought that none of that had to be done due to the letsencrypt script, and it would just work. When I followed the tutorial and installed letsencrypt, it asked me what domains I wanted to configure SSL for, a pop up with a list of all the virtual hosts on the server. I'll check the paths tomorrow and report back. It's late here in New Zealand. Thanks for your help so far :)


#10

I've just been reading through lots of letsencrypt logs and other letsencrypt related stuff on my server. I don't actually understand how letsencrypt works. I think the letsencrypt apache.conf files are somehow stored in letsencrypt and not in the usual apache sites-available place (no mention of them in my virtual host .conf files), and they are accessed with a redirect? Same with the certificate. If I knew where the certificate was stored I would be able to set up SSL "normally" with webmin's SSL options, but letsencrypt seems to be quite a bit different. It's like letsencrypt has buried all the important .conf files somewhere else and redirects to them, but I'm not sure.
It's got to a point where I am about to give up. I'd now like to start afresh and see if I can get just one domain going with SSL.
So, my question is “How do I completely remove letsencrypt?”


#11

The certificates are stored in /etc/letsencrypt/live/yourdomain. The files in there are symbolic links to the actual certificate files, so when you renew your cert you don’t have to update your configuration.

For the version of Apache I think you’re using (at least 2.4.8), you’d use fullchain.pem for the certificate file, and privkey.pem for the private key.
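Posts #8 and #11 describe the vhost stanza and the files under /etc/letsencrypt/live/ but leave the wiring to the reader. What follows is an added example, not code from this thread or from certbot: it renders the `<VirtualHost *:443>` block those replies describe, checks that fullchain.pem and privkey.pem exist and belong together, and only then enables the site and reloads Apache after a config test. "AH02572: Failed to configure at least one certificate and key" and "no certificate assigned" in post #5 are exactly what `SSLEngine on` without a usable certificate/key pair produces. The Ubuntu 16.04 paths (Apache 2.4.18, which accepts fullchain.pem directly in SSLCertificateFile), the `LE_ROOT` override and the file naming are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write a Let's Encrypt SSL vhost for
# Apache 2.4 on Ubuntu 16.04 and verify the certificate/key pair first.
# Assumptions: /etc/letsencrypt layout as created by certbot; LE_ROOT can be
# overridden for testing; install_ssl_vhost is run as root.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# render_ssl_vhost DOMAIN DOCROOT: print the <VirtualHost *:443> stanza.
# /etc/letsencrypt/live/DOMAIN/*.pem are symlinks certbot repoints on renewal,
# so the paths below stay valid after a renew.
render_ssl_vhost() {
    domain="$1"; docroot="$2"
    live="$LE_ROOT/live/$domain"
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot

    SSLEngine on
    # Apache >= 2.4.8: leaf + intermediate in one file, no SSLCertificateChainFile
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem

    ErrorLog \${APACHE_LOG_DIR}/$domain-ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-ssl-access.log combined
</VirtualHost>
EOF
}

# check_cert_paths DOMAIN: exit 0 when both PEM files are readable, otherwise
# name what is missing and exit 1 (the state behind "no certificate assigned").
check_cert_paths() {
    live="$LE_ROOT/live/$1"; rc=0
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# check_key_matches DOMAIN: exit 0 when privkey.pem is the key for the leaf
# certificate in fullchain.pem (openssl x509 reads only the first cert).
# Comparing derived public keys works for RSA and ECDSA alike.
check_key_matches() {
    live="$LE_ROOT/live/$1"
    cert_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_ssl_vhost DOMAIN DOCROOT: write, enable and load the vhost, but only
# after the checks pass and apache2ctl accepts the whole configuration, so a
# mistake never leaves Apache down as in post #3.
install_ssl_vhost() {
    domain="$1"; docroot="$2"
    check_cert_paths "$domain" || return 1
    check_key_matches "$domain" || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    render_ssl_vhost "$domain" "$docroot" > "/etc/apache2/sites-available/$domain-ssl.conf"
    a2enmod ssl >/dev/null
    a2ensite "$domain-ssl.conf" >/dev/null
    apache2ctl configtest && systemctl reload apache2
}

# Usage: install_ssl_vhost www.example.net /var/www/example.net
#        apache2ctl -S   # afterwards, *:443 should list the new vhost
```

The stanza deliberately contains no port-80 block: the existing `*:80` vhost for the domain should keep serving plain HTTP (add `Redirect permanent / https://DOMAIN/` there once the SSL vhost works), otherwise two vhosts claim the same ServerName on port 80 and Apache silently uses the first one it loads.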


#12

I don't appear to have a "live" folder in /etc/letsencrypt, or a domain folder, or fullchain.pem


#13

the keys folder just contains this:


#14

and CSR contains this:


#15

I just ran certbot again and got this error:

Domain: *mydomain.net
Type: connection
Detail: Failed to connect to (myip):443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

The site does work with a normal http connection and I have opened the port on my router firewall.
If I scan my server from within my LAN (with the Fing app on my phone), Fing reports that port 443 is open for https. I went to my WAN ip:443 and just got the same Error code: SSL_ERROR_RX_RECORD_TOO_LONG
I also tried changing my WordPress config.php to https instead of http and visiting the domain again with https and :443 at the end, and still got the same error code.
So I'm still stuck on what to do next?


#16

Just did a port scan of my public IP and yes, the port is open.
PORT STATE SERVICE VERSION
443/tcp open http Apache httpd 2.4.18 ((Ubuntu))


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.