HTTPS not working after installing certbot


#1

I installed a certificate from certbot using these instructions, and everything seems fine. I got the "Congratulations you successfully enabled https://api.param.me" message. Additionally,

sudo apachectl configtest says Syntax OK
sudo service apache2 restart works

but HTTPS still doesn’t work (it times out)

I don’t know whether it matters or not, but I should mention that www.param.me is hosted by GitHub Pages and its HTTPS works perfectly. I have 4 A records pointing @ to GitHub’s IP addresses, and 1 A record pointing api.param.me to my server, 206.167.183.187. My server has a virtual host in sites-enabled/api.param.me.conf that looked like this:

<VirtualHost *:80>
    ServerAdmin contact@param.me
    ServerName api.param.me
    DocumentRoot /var/www/param
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Certbot added this to sites-enabled/api.param.me.conf:

<VirtualHost *:443>
    ServerAdmin contact@param.me
    ServerName api.param.me
    DocumentRoot /var/www/param
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/api.param.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/api.param.me/privkey.pem

</VirtualHost>

And created sites-enabled/api.param.me-le-ssl.conf, which looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin contact@param.me
    ServerName api.param.me
    DocumentRoot /var/www/param
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/api.param.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/api.param.me/privkey.pem
</VirtualHost>
</IfModule>

Domain: api.param.me

Web server: Apache 2.4.29

Operating system: Ubuntu 18.04

I can login to a root shell on my machine: Yes

Control Panel: No

Certbot Version: 0.31.0


#2

Could there be a firewall blocking port 443?

Or a port forwarding configuration issue, if that’s involved?


#3

I’m not too sure how I would check, but I tried sudo ufw status and it returned Status: inactive. I haven’t touched any firewall/port-forwarding configuration, though.


#4

Hi @paramt

Two different vHosts with the same ServerName and port 443?

You have created 4 certificates

CRT-Id      Issuer                                                not before           not after            Domain names   LE-Duplicate     next LE
1328795857  CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-03-29 20:55:06  2019-06-27 19:55:06  api.param.me   duplicate nr. 4
1326751937  CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-03-29 01:07:57  2019-06-27 00:07:57  api.param.me   duplicate nr. 3
1326640608  CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-03-29 00:11:10  2019-06-26 23:11:10  api.param.me   duplicate nr. 2
1326655302  CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-03-29 00:10:12  2019-06-26 23:10:12  api.param.me   duplicate nr. 1

but all certificates are new.

Looks like it is your first certificate.

Is mod_ssl.c installed?

What does the following say?

apachectl -S

#5

apachectl -S outputs

VirtualHost configuration:
*:80                   is a NameVirtualHost
     default server host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca.conf:1)
     port 80 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me.conf:1)
*:443                  is a NameVirtualHost
     default server host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
     port 443 namevhost host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
     port 443 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca-le-ssl.conf:2)
     port 443 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca.conf:10)
     port 443 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me-le-ssl.conf:2)
     port 443 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me.conf:10)

ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

And my phpinfo has mod_ssl listed under Loaded Modules. If it would help, here’s my info.php:
http://206.167.183.187/info.php


#6

Looks like you have duplicated entries. Remove one of these (first, make a backup).

But (more importantly):

That’s a local IP, so there must be a router or a firewall somewhere else, and it must have a rule like

your public IP + 443 (external) -> 192.168.208.5 + 443 (internal)
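
Spotting the duplicate vhosts that #4 and #6 point at can be scripted instead of read off by eye. The following is an added example, not code from this thread or from Certbot: it feeds the apachectl -S dump posted in #5 (embedded here as a constructed sample so the script runs offline) through a small awk filter that reports every name:port pair defined in more than one file. On that dump it flags api.param.me:443 (and api.mathu.ca:443), i.e. the <VirtualHost *:443> block Certbot appended to api.param.me.conf colliding with the one in api.param.me-le-ssl.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): find ServerName/port pairs that
# more than one file defines, given the text that `apachectl -S` prints.
set -euo pipefail

# Constructed sample: the "VirtualHost configuration" section as posted in #5,
# embedded so the script runs without an Apache installation.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   is a NameVirtualHost
     default server host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca.conf:1)
     port 80 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me.conf:1)
*:443                  is a NameVirtualHost
     default server host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
     port 443 namevhost host-192-168-208-5.openstacklocal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
     port 443 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca-le-ssl.conf:2)
     port 443 namevhost api.mathu.ca (/etc/apache2/sites-enabled/api.mathu.ca.conf:10)
     port 443 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me-le-ssl.conf:2)
     port 443 namevhost api.param.me (/etc/apache2/sites-enabled/api.param.me.conf:10)'

# Print one line per duplicated (name, port) pair: "name:port file1 file2 ...".
# Reads the dump on stdin. Only "port N namevhost NAME (FILE:LINE)" lines matter;
# the "default server" lines repeat the first namevhost of each port and are skipped.
find_duplicate_vhosts() {
  awk '
    $1 == "port" && $3 == "namevhost" {
      key  = $4 ":" $2
      file = $5; sub(/^\(/, "", file); sub(/:[0-9]+\)$/, "", file)
      count[key]++
      files[key] = files[key] " " file
    }
    END {
      for (k in count) if (count[k] > 1) print k files[k]
    }
  ' | sort
}

# Number of duplicated pairs, for a one-line health check (0 means clean).
count_duplicate_vhosts() {
  find_duplicate_vhosts | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample.
# Live use on the server:  apachectl -S 2>&1 | find_duplicate_vhosts
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_vhosts
```

For each reported pair, keep exactly one <VirtualHost *:443> block (the -le-ssl.conf file is the one Certbot's Apache installer manages on renewal, so deleting the copy it appended to api.param.me.conf is the natural choice), back the file up first as #6 says, then run apachectl configtest and reload. Duplicate name-based vhosts are not just untidy: Apache silently serves the first match, so a later edit to the other block, for instance a tightened TLS setting, would never take effect.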


#7

I removed one of the duplicate entries, but I’m having trouble finding the redirect. Is there a certain directory where such rules are located? I tried putting

RewriteEngine off

in both /var/www/.htaccess and /etc/apache2/sites-enabled/000-default-le-ssl.conf, but apachectl -S still shows the same thing.


#8

That’s not a redirect in your webserver configuration.

That may be a router or a firewall elsewhere.

Your IP address 192.168.x.x is a local address, so your web server is invisible.

But your port 80 is visible, your port 443 is not (checked with https://check-your-website.server-daten.de/?q=api.param.me):

Domainname                                  IP               Http-Status  Sec.    G
http://api.param.me/                        206.167.183.187  200          0.233   H
https://api.param.me/                       206.167.183.187  -14          10.026  T   Timeout - The operation has timed out
http://api.param.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                            206.167.183.187  404          0.234   A   Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at api.param.me Port 80

So this instance must have a rule

206.167.183.187 + port 80 -> 192.168.208.5 + port 80

You need the same for port 443.
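
Posts #2, #6 and #8 all turn on one question: is port 443 bound on the host but blocked in front of it, or not bound at all? The script below is an added example, not from the thread, that separates those two cases. It parses ss -ltn output (a constructed sample here, assuming Apache bound 80 and 443 as the vhost list in #5 suggests but does not prove), takes the external result the check-your-website output reported (80 answers, 443 times out) and prints a verdict per port; probe_tcp is the live check to run from another machine using bash's /dev/tcp and is not executed in the offline run.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): decide whether an HTTPS timeout
# is the web server's fault or the network's, by comparing the ports Apache
# binds locally with what an outside client can reach.
set -euo pipefail

# Constructed sample of `ss -ltn` output as it would look on the poster's host.
# Assumption: Apache bound both 80 and 443; the thread's apachectl -S output only
# shows that the vhosts are configured, not that the sockets are open.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       511           0.0.0.0:80          0.0.0.0:*
LISTEN  0       511           0.0.0.0:443         0.0.0.0:*'

# Print the TCP ports in LISTEN state from `ss -ltn` text on stdin, one per line.
# The port is the last colon-separated field, which also handles "[::]:443".
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n
}

# Return 0 if PORT appears in the listener list on stdin, 1 otherwise.
is_listening() {
  local port="$1"
  listening_ports | grep -x "$port" >/dev/null
}

# Live probe (bash only): attempt a TCP connect to HOST:PORT within TIMEOUT seconds.
# Returns 0 on connect, non-zero on refusal or timeout. Run it from OUTSIDE the host.
probe_tcp() {
  local host="$1" port="$2" timeout="${3:-5}"
  timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Combine "bound locally?" with "reachable from outside?" into a one-word verdict.
verdict() {
  local bound="$1" reachable="$2"
  if [ "$bound" = yes ] && [ "$reachable" = no ]; then
    # Apache is fine; the drop is in a router, NAT rule, cloud security group
    # or upstream firewall (the case #6 and #8 describe for 192.168.208.5).
    echo "blocked-outside-host"
  elif [ "$bound" = no ]; then
    # Nothing listening: check that mod_ssl is enabled and "Listen 443" is present.
    echo "not-bound-locally"
  else
    echo "reachable"
  fi
}

# Offline demonstration: local state from the constructed sample, external state
# from the check-your-website result in #8 (80 answered, 443 timed out).
for port in 80 443; do
  if printf '%s\n' "$SAMPLE_SS" | is_listening "$port"; then bound=yes; else bound=no; fi
  case "$port" in 80) reachable=yes ;; *) reachable=no ;; esac
  echo "port $port: bound=$bound reachable=$reachable -> $(verdict "$bound" "$reachable")"
done
# Live use, from another machine:  probe_tcp api.param.me 443 && echo open
# On the server itself:            ss -ltn | is_listening 443 && echo bound
```

A "blocked-outside-host" verdict means no amount of editing Apache vhosts or .htaccess files (the attempt in #7) will change anything. The hostname host-192-168-208-5.openstacklocal suggests an OpenStack instance (an inference; the thread does not say so), where the counterpart of the forwarding rule in #6 is a security-group rule allowing inbound TCP 443 next to the existing one for 80, for example openstack security group rule create --protocol tcp --dst-port 443 --remote-ip 0.0.0.0/0 <group>. On a self-managed router in front of the box it would be a DNAT rule such as iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.208.5:443. Either way, allow only 443 in addition to 80 rather than opening a wide range.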