HTTP and HTTPS are working only locally

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alf4all.nl

I ran this command: sudo snap install --classic certbot

It produced this output: all ok

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.4.52 LTS

My hosting provider, if applicable, is: local

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Before installing Certbot, http worked fine (both locally and via the internet). After installing Certbot, http and https in a local browser worked perfectly, but http and https via the internet don't work. Still, I forwarded port 80 in my router to the server with Apache; strangely, http via the internet does not work anymore. https locally came with a warning: potential security risk. How can I check whether Certbot did it correctly?
Thanks and regards...
Wijnand

1 Like

Hello @Wijnand, welcome to the Let's Encrypt community.

Using the online tool Let's Debug yields these results https://letsdebug.net/alf4all.nl/1616053

Note that http://alf4all.nl/.well-known/acme-challenge/sometestfile is being redirected to https://alf4all.nl/.well-known/acme-challenge/sometestfile

$ curl -Ii http://alf4all.nl/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Tue, 19 Sep 2023 16:11:10 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://alf4all.nl/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

And that Port 443 (for HTTPS) is filtered

$ nmap -Pn -p80,443 alf4all.nl
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-19 09:08 PDT
Nmap scan report for alf4all.nl (88.159.57.235)
Host is up (0.16s latency).
rDNS record for 88.159.57.235: 88-159-57-235.fixed.kpn.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

3 Likes

Problem solved, thanks a lot. Is there a simple explanation somewhere of the result of "Let's debug"?

1 Like

The explanation is that you got a cert properly and must have chosen the --apache plug-in as installer. This created a VirtualHost for HTTPS and changed your existing HTTP VirtualHost so that it redirected to HTTPS.

But, you did not have port 443 open on your router so HTTPS requests failed. And, since HTTP was being redirected to HTTPS they also failed.

These worked locally for you because those requests don't go through your router.

Let's Debug is mostly used to diagnose problems getting a cert, although in this case it pointed to the redirection and the nmap output showed the blocking (filtering) of port 443.

Does that help?

5 Likes
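The failure mode explained above (HTTP redirected to HTTPS while port 443 is filtered at the router), as an added example that is not part of the original posts. It combines a TCP probe of ports 80 and 443 with a check of the HTTP redirect; the function names and result labels are assumptions made for this sketch, and the sample values come from the curl and nmap output in the thread.

```python
import http.client
import socket
import sys

REDIRECTS = (301, 302, 303, 307, 308)

def probe_port(host, port, timeout=3.0):
    """TCP connect probe: 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"

def http_redirect(host, path="/", timeout=5.0):
    """HEAD request over plain HTTP; returns (status, Location header or None)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def diagnose(status, location, port_state):
    """Classify external reachability from the redirect and the port states."""
    if port_state.get(80) != "open":
        return "http-unreachable"
    to_https = status in REDIRECTS and (location or "").lower().startswith("https://")
    if not to_https:
        return "http-served-directly"
    if port_state.get(443) != "open":
        # Every HTTP request is sent on to a port the router does not forward.
        return "redirect-to-blocked-https"
    return "ok"

def check(host):
    """Live check; run it from outside the LAN, since local requests bypass the router."""
    ports = {p: probe_port(host, p) for p in (80, 443)}
    status, location = http_redirect(host) if ports[80] == "open" else (None, None)
    return diagnose(status, location, ports)

# Values taken from the curl and nmap output in the thread.
THREAD_CASE = diagnose(
    301, "https://alf4all.nl/.well-known/acme-challenge/sometestfile",
    {80: "open", 443: "filtered"})

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check(sys.argv[1]))
```

Run from the server's own network, the probe reports both ports as open, which is why the site looked healthy locally.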

Thank you very much for the explanation. I had already adjusted my router and that helped. I just didn't realize that http requests via the internet are no longer accepted, but they are still accepted within the local network. Greetings, Wijnand...

5 Likes