HTTPS is not working any more, HTTP is

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Don't want to show, it's an open port to my home.

I ran this command: certbot renew
certbot --force-renewal

It produced this output: certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/XXXXXX.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/XXXXXXX/fullchain.pem expires on 2022-08-11 (skipped)
No renewals were attempted.


My web server is (include version): Apache version 2.4.41

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.4

My hosting provider, if applicable, is: xfinity

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

The internet was down for about 3 hours they were working on it down the road.

My server boot drive got filled up too, from a backup I did: the drive was not mounted, so it backed it up onto the boot drive. I fixed that.

After that I could not go to it. I get "Your connection to this site is not secure" so it will not let me go on it.

I can see it did renew. I did not save what it said when it first renewed, but it went all the way to 2022-08-11.

I just don't get why it says not secure now. I typed in https:// just how I did before. I even had the old https open, and on refresh it can't be displayed. I can go to port 80, and doing a port scan, 443 is not blocked. So Apache is working.

Hope someone can help.

-Raymond Day

Using force hardly ever does what you are asking.
There is no way to force something that is broken to just work.

That said, let's go look for what's broken...
I read "Apache version 2.4.41".
I would start there.
Make sure the Internet can see your device on port 80 [should we need to renew a cert] and port XXXXX [wherever you want to operate your secure connection].
Then review the output for any IP:PORT overlaps:
apachectl -t -D DUMP_VHOSTS

[reply with your findings and we'll continue from there]

1 Like

root@rayday:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 XXXXX (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 XXXXX (/etc/apache2/sites-enabled/webmin.1601516549-le-ssl.conf:2)
root@rayday:~#

That is what the command shows. But I X out my host name.

-Raymond Day

Try:

sudo ss -tlpn | grep -i apache

and check if your port forwarding is still working on both ports 80 and 443.

1 Like

I looked at the 443 file it shows in the last post. I have an older backup and looked at both.

The old one just had 2 lines like this:

IfModule mod_ssl.c>
/IfModule>

Removed the beginning < else it will not show in here.

But the new one looks like this with my host name X out. I think it made this when I was trying to fix the https.

    ServerName XXXXXXXX
    ServerAlias XXXXXXXXX
    DocumentRoot /media/WD-10TB-2/USBdisk2-3TB/var/www
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order deny,allow
    Require all granted
    <Directory "/media/WP-4TB/wordpress">
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order deny,allow
        Require all granted
    </Directory>
    Alias /blog1 /media/WP-4TB/wordpress
    Alias /phpsysinfo /usr/share/phpsysinfo
    Alias /kenny "/media/VHS-videos/from%20closet-pc/Kennys%20Hi8%20videos"

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/XXXXXXX/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXXXXXX/privkey.pem
</VirtualHost>

Hope this helps to find out why https is not working.

-Raymond Day

When accessing your site securely and receiving the "Your connection to this site is not secure", please view the cert presented and compare it to the first cert in the file:

[note: by "compare" I mean visually - checking their expiration dates and names covered]

2 Likes

Not sure what to compare it with. You mean the old backup one?

It has 3 -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- long random type letter between the 3.

All 3 start with the begin and end certificate like I said in here.

-Raymond Day

OK, I see you are unfamiliar with .pem formatted certs.
If you have a Windows PC and Notepad, simply copy/paste the first cert into a new local file and name it anything.cer or anything.crt
Then just double click that new local file.

Then you can visually compare the expiration dates and covered names.

1 Like
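The comparison asked for above can also be done on the server itself. This is an added example, not part of the original posts: it goes beyond the visual check by comparing SHA-256 fingerprints of the certificate Apache presents against the first certificate in every fullchain.pem under /etc/letsencrypt/live. The lineage names and certificate bytes in `demo()` are constructed stand-ins.

```python
import glob, hashlib, re, socket, ssl, sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(fullchain_text):
    """SHA-256 of the first (leaf) certificate in a fullchain.pem bundle."""
    blocks = PEM_BLOCK.findall(fullchain_text)
    if not blocks:
        raise ValueError("no certificate block found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(blocks[0])).hexdigest()

def served_der(host, port=443, timeout=5):
    """DER bytes of the certificate the server presents for `host` (SNI sent).
    Verification is off on purpose: an expired or mismatched certificate
    is exactly what this diagnostic needs to see."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def matching_lineages(served, chains):
    """Names of the lineages in `chains` ({name: fullchain text}) whose leaf
    is the certificate being served. Empty list: none of them is served."""
    want = hashlib.sha256(served).hexdigest()
    return sorted(name for name, text in chains.items()
                  if leaf_fingerprint(text) == want)

def demo():
    # Constructed stand-ins for DER certificates; not real certificates.
    old, new = b"constructed-old-leaf", b"constructed-new-leaf"
    inter = b"constructed-intermediate"
    pem = ssl.DER_cert_to_PEM_cert
    chains = {"example.test": pem(old) + pem(inter),
              "example.test-0001": pem(new) + pem(inter)}
    return matching_lineages(old, chains), matching_lineages(inter, chains)

if __name__ == "__main__" and len(sys.argv) == 2:
    chains = {}
    for path in glob.glob("/etc/letsencrypt/live/*/fullchain.pem"):
        with open(path) as fh:
            chains[path.split("/")[-2]] = fh.read()
    print(matching_lineages(served_der(sys.argv[1]), chains) or "no match")
```

Run as root with the host name as the only argument; a connection error here means nothing is answering TLS on port 443 at all, which is a different problem from a wrong or expired certificate.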

OK I did that and here it is copied to a .jpg with my host name X's out.

I am thinking just start over fresh? Can I just remove all the old letsencrypt and start over?

Thank you.

-Raymond Day

1 Like

I ran "certbot certonly" and it failed saying to look at /var/log/letsencrypt for more details.

Here is what the end of that file says, may help.

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1249, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 614, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 261, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 46, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 808, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1138, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1088, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fbd0198c640>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
2022-05-16 10:46:12,779:ERROR:certbot.log:An unexpected error occurred:

-Raymond Day

I found out I could not ping google.com, so I worked on fixing that and got it fixed, then ran this and it looks like it worked.

root@XXXXXX:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): 1


One or more of the entered domain names was not valid:

1: Requested name 1 is an IP address. The Let's Encrypt certificate authority
will not issue certificates for a bare IP address.

Would you like to re-enter the names?


(Y)es/(N)o: y
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): XXXXXX.XXX
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/XXXXXX.me-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/XXXXXX.XXX-0001/privkey.pem
    Your cert will expire on 2022-08-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

root@XXXXXX:~# ping google.com
PING google.com (142.251.32.14) 56(84) bytes of data.
64 bytes from ord38s33-in-f14.1e100.net (142.251.32.14): icmp_seq=1 ttl=57 time=22.4 ms
64 bytes from ord38s33-in-f14.1e100.net (142.251.32.14): icmp_seq=2 ttl=57 time=25.0 ms
64 bytes from ord38s33-in-f14.1e100.net (142.251.32.14): icmp_seq=3 ttl=57 time=20.0 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 19.978/22.457/24.996/2.049 ms
root@XXXXXX:~#

I waited about 20 minutes and it is still not connecting with https, but does with http. It just says "This site can’t be reached".

Now that I got the network working right, is there some command I can do to fix this now?

Thank you.

-Raymond Day

Went to the SSL Server Test web page and it says:

Assessment failed: Unable to connect to the server

After I did this:

certbot --test-cert

Then seen in that text so I did this:

certbot --break-my-certs

I had to answer some things and all seem to work no errors but still https not working.

-Raymond Day

You don't have to show the contents.
But you do have to verify them.
The General tab shows that validity date range.
Click the details tab and then scroll down to Subject Alternate Names
There you can verify the names in question.

1 Like

You must use URLs in the form:
https://{a real name - not an IP}/[whatever]
[with a name that is covered by a valid cert]

2 Likes

It just says
DNS Name=XXXXXXX
It's right.

-Raymond Day

I do that but it still says:

This site can’t be reached

-Raymond Day

If I do this command:

certbot renew

It came back with this text in red.

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 434, in __init__
    self.configfile = configobj.ConfigObj(config_filename)
  File "/usr/lib/python3/dist-packages/configobj.py", line 1229, in __init__
    self._load(infile, configspec)
  File "/usr/lib/python3/dist-packages/configobj.py", line 1318, in _load
    raise error
configobj.ConfigObjError: Parsing failed with several errors.
First error at line 9.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 436, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: error parsing /etc/letsencrypt/renewal/xxxxxxx.conf
Renewal configuration file /etc/letsencrypt/renewal/xxxxxxxx.conf is broken. Skipping.

Is it bad to just remove it all and start over?

-Raymond Day

All I mostly want is for my LAN WordPress to be on the WAN so I can update it when not at home. I have like a day to day blog on it.

I have a backup with just a set up with a copy of my WordPress.

certbot was not installed so I installed it.

I forward port 443 and 80 to it.

But I get this error in red color.

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: XXXXXX: see Rate Limits - Let's Encrypt

Do I just have to wait for this?

I can get on it with the LAN. To type and update things.

-Raymond Day

Guess I have to wait a week. But I have another WAN name link to my home IP and used that and name this other server that.

It looked like all worked but I got "This site can't provide a secure connection"

It looked like this, with my host name Xed out because it's an open port to home here.

certbot certonly --webroot -w /var/www/html -d xxxxxxx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxxxxx

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxxxxx/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xxxxxx/privkey.pem
This certificate expires on 2022-08-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


root@xxxxxx:~#

Do I have to run some other Certbot command but can't run them a lot else it locks you out and have to wait a week or so.

-Raymond Day

Yes, you are trying to fix the problem where it is NOT broken.

And now you get this additional problem:

1 Like