HTTPS not working after 'successful' certbot --apache operation

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
quickwebnav.com

I ran this command: sudo certbot --apache

It produced this output:
-ubuntu-trusty-64:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): inman.turbo@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): quickwebnav.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for quickwebnav.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://quickwebnav.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=quickwebnav.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/quickwebnav.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/quickwebnav.com/privkey.pem
    Your cert will expire on 2019-07-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/quickwebnav.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for quickwebnav.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/quickwebnav.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/quickwebnav.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
|Apache Version|Apache/2.4.7 (Ubuntu)|
|---|---|
|Apache API Version|20120211|
|Server Administrator|webmaster@localhost|
|Hostname:Port|quickwebnav.com:80|
|Loaded Modules|core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php7 mod_rewrite mod_setenvif mod_socache_shmcb mod_ssl mod_status|

The operating system my web server runs on is (include version): Ubuntu 14.04 (Trusty)

My hosting provider, if applicable, is: N/A? Domain is purchased through godaddy but the dns is pointed to a non-godaddy IP. Note: I host other domains at godaddy and have a cert I can use there, but I want to host this one elsewhere.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

#2

Hi @inman.turbo

checking your domain (via https://check-your-website.server-daten.de/?q=quickwebnav.com ):

Domainname Http-Status redirect Sec. G
http://quickwebnav.com/
96.89.79.178 200 0.310 H
http://www.quickwebnav.com/
96.89.79.178 200 0.303 H
https://quickwebnav.com/
96.89.79.178 -4 0.573 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
https://www.quickwebnav.com/
96.89.79.178 -4 0.584 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Google CT shows the new certificate (crt.sh does not), so you have created a new certificate.

Looks like Certbot doesn’t understand your configuration.

Uh, that’s very old.

What do these commands say?

certbot certificates
apachectl configtest
apachectl fullstatus
apachectl -S
#3

Hello JuergenAur, thanks for the quick response.

sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: quickwebnav.com
Domains: quickwebnav.com
Expiry Date: 2019-07-14 14:46:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/quickwebnav.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/quickwebnav.com/privkey.pem


sudo apachectl configtest
syntax ok

apachectl fullstatus

Apache Server Status for localhost (via 127.0.0.1)

Server Version: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f
Server MPM: prefork
Server Built: Apr 3 2019 18:04:25


Current Time: Monday, 15-Apr-2019 19:25:46 UTC
Restart Time: Monday, 15-Apr-2019 15:35:01 UTC
Parent Server Config. Generation: 8
Parent Server MPM Generation: 7
Server uptime: 3 hours 50 minutes 44 seconds
Server load: 0.00 0.01 0.05
Total accesses: 84 - Total Traffic: 196 kB
CPU Usage: u.01 s.05 cu0 cs0 - .000433% CPU load
.00607 requests/sec - 14 B/second - 2389 B/request
1 requests currently being processed, 6 idle workers

__W

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-7 26130 0/8/25 _ 0.01 5487 0 0.0 0.01 0.01 10.0.2.2 quickwebnav.com:80 GET /.well-known/acme-challenge/check-your-website-dot-server-d
1-7 26131 0/9/16 _ 0.01 7936 1 0.0 0.03 0.03 10.0.2.2 quickwebnav.com:80 HEAD / HTTP/1.1
2-7 26132 0/10/17 _ 0.02 4982 1 0.0 0.06 0.08 10.0.2.2 quickwebnav.com:80 GET / HTTP/1.1
3-7 26133 0/6/10 _ 0.01 5489 1 0.0 0.04 0.04 10.0.2.2 quickwebnav.com:80 GET / HTTP/1.1
4-7 26134 0/2/8 W 0.00 0 0 0.0 0.00 0.00 127.0.0.1 quickwebnav.com:80 GET /server-status HTTP/1.0
5-7 26317 0/7/8 _ 0.01 4982 2 0.0 0.02 0.02 10.0.2.2 quickwebnav.com:80 GET / HTTP/1.1


Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot

SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current entries: 0
subcaches: 32, indexes per subcache: 88
index usage: 0%, cache usage: 0%
total entries stored since starting: 0
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss

Apache/2.4.7 (Ubuntu) Server at localhost Port 80

apachectl -S

VirtualHost configuration:
*:443 quickwebnav.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 quickwebnav.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

#4

Your main configuration looks ok.

But https doesn’t work.

Do you have some “untypical definitions”?

What’s the content of that file?

Does your Apache log have some additional information?

#5
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ServerName quickwebnav.com
        SSLCertificateFile /etc/letsencrypt/live/quickwebnav.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/quickwebnav.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
#6

The error log shows nothing of interest as far as I can tell: ServerName and restart notices.
I've upgraded apache2 to the latest version (clean install) and reinstalled the cert with certbot (clean as well). It didn't change anything. How do I get a newer API?

[Mon Apr 15 19:50:45.909383 2019] [mpm_event:notice] [pid 12080:tid 140487727916928] AH00489: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:50:45.909458 2019] [core:notice] [pid 12080:tid 140487727916928] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 19:51:31.844096 2019] [mpm_event:notice] [pid 12080:tid 140487727916928] AH00491: caught SIGTERM, shutting down
[Mon Apr 15 19:51:32.897664 2019] [mpm_prefork:notice] [pid 19620] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:51:32.897726 2019] [core:notice] [pid 19620] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 19:51:33.112636 2019] [mpm_prefork:notice] [pid 19620] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 19:51:34.185557 2019] [mpm_prefork:notice] [pid 19694] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:51:34.185602 2019] [core:notice] [pid 19694] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 19:51:35.684417 2019] [mpm_prefork:notice] [pid 19694] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 19:51:36.739917 2019] [mpm_prefork:notice] [pid 19748] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:51:36.739961 2019] [core:notice] [pid 19748] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 19:52:00.819957 2019] [mpm_prefork:notice] [pid 19748] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 19:52:01.870184 2019] [mpm_prefork:notice] [pid 23201] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:52:01.870241 2019] [core:notice] [pid 23201] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 19:56:50.873448 2019] [mpm_prefork:notice] [pid 23201] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 19:56:51.933652 2019] [mpm_prefork:notice] [pid 30919] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 19:56:51.933690 2019] [core:notice] [pid 30919] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:06:46.360422 2019] [mpm_prefork:notice] [pid 30919] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 20:06:47.429755 2019] [mpm_prefork:notice] [pid 10935] AH00163: Apache/2.4.39 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 20:06:47.429797 2019] [core:notice] [pid 10935] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:15:05.540983 2019] [mpm_prefork:notice] [pid 10935] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2603:3001:7b2:c000:a00:27ff:fec2:c3b1. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 15 20:15:05.559340 2019] [mpm_prefork:notice] [pid 10935] AH00163: Apache/2.4.39 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 20:15:05.559351 2019] [core:notice] [pid 10935] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:15:11.914399 2019] [mpm_prefork:notice] [pid 10935] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2603:3001:7b2:c000:a00:27ff:fec2:c3b1. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 15 20:15:11.940473 2019] [mpm_prefork:notice] [pid 10935] AH00163: Apache/2.4.39 (Ubuntu) configured -- resuming normal operations
[Mon Apr 15 20:15:11.940485 2019] [core:notice] [pid 10935] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:15:14.802119 2019] [mpm_prefork:notice] [pid 10935] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2603:3001:7b2:c000:a00:27ff:fec2:c3b1. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 15 20:15:14.819377 2019] [mpm_prefork:notice] [pid 10935] AH00163: Apache/2.4.39 (Ubuntu) OpenSSL/1.1.1b configured -- resuming normal operations
[Mon Apr 15 20:15:14.819388 2019] [core:notice] [pid 10935] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:15:33.596426 2019] [mpm_prefork:notice] [pid 10935] AH00169: caught SIGTERM, shutting down
[Mon Apr 15 20:15:34.665393 2019] [mpm_prefork:notice] [pid 11138] AH00163: Apache/2.4.39 (Ubuntu) OpenSSL/1.1.1b configured -- resuming normal operations
[Mon Apr 15 20:15:34.665436 2019] [core:notice] [pid 11138] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 15 20:27:21.326836 2019] [mpm_prefork:notice] [pid 11138] AH00171: Graceful restart requested, doing restart
[Mon Apr 15 20:27:21.344557 2019] [mpm_prefork:notice] [pid 11138] AH00163: Apache/2.4.39 (Ubuntu) OpenSSL/1.1.1b configured -- resuming normal operations
[Mon Apr 15 20:27:21.344569 2019] [core:notice] [pid 11138] AH00094: Command line: '/usr/sbin/apache2'

Access.log:

10.0.2.2 - - [15/Apr/2019:20:00:33 +0000] "GET /index.php HTTP/1.1" 200 23690 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
10.0.2.2 - - [15/Apr/2019:20:06:54 +0000] "GET /index.php HTTP/1.1" 200 23696 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
10.0.2.2 - - [15/Apr/2019:20:15:08 +0000] "GET /.well-known/acme-challenge/eMX96QvrT-Mw0-fmRnK9srSlHkLbCEEV_rGc50cMjMw HTTP/1.1" 200 308 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
10.0.2.2 - - [15/Apr/2019:20:15:52 +0000] "GET /index.php HTTP/1.1" 200 23709 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
10.0.2.2 - - [15/Apr/2019:20:20:04 +0000] "GET / HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
10.0.2.2 - - [15/Apr/2019:20:22:05 +0000] "GET /index.php HTTP/1.1" 200 23709 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
#7

That's your HTTP log; that's not relevant.

Checking with OpenSSL, there is an error:

write:errno=10054

has some additional information.

Something in your configuration is bad.
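
The check referred to in the post above can be reproduced without a third-party site. The following is an added example, not code from the thread or from Certbot: a small Python probe that separates the three outcomes a checker can report for port 443. Either no TCP connection is made at all, or TCP connects but the peer drops the connection during the handshake (that is the `-4 / SendFailure` result shown earlier; `write:errno=10054` is Windows' WSAECONNRESET, the peer reset the connection while OpenSSL was still writing its ClientHello), or the handshake completes. The stand-in server that accepts and immediately closes is constructed here to reproduce the middle case offline; `quickwebnav.com` is used only as the SNI value.

```python
import socket
import ssl
import threading


def tls_probe(host, port, servername, timeout=5.0):
    """Connect to host:port and attempt a TLS handshake with the given SNI name.

    The returned dict's "stage" says where the attempt stopped:
      "tcp"       - no TCP connection (refused, filtered, timed out)
      "handshake" - TCP connected, but the peer closed/reset the connection or
                    sent an alert before TLS was established
      "tls"       - handshake completed; protocol version and cipher reported
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"stage": "tcp", "detail": "connection refused: nothing listening on that port"}
    except OSError as exc:  # timeout, host unreachable, filtered
        return {"stage": "tcp", "detail": f"connect failed: {exc}"}

    # We are diagnosing the handshake, not trusting the peer, so certificate
    # verification is disabled: a wrong or self-signed cert must still show
    # up as a completed handshake rather than as a generic failure.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return {"stage": "tls", "detail": f"{tls.version()} {tls.cipher()[0]}"}
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError):
        return {"stage": "handshake",
                "detail": "peer closed the connection during the handshake: "
                          "the port reaches something, but it is not speaking TLS"}
    except ssl.SSLError as exc:
        return {"stage": "handshake", "detail": f"TLS error: {exc.reason}"}
    except OSError as exc:
        return {"stage": "handshake", "detail": f"socket error: {exc}"}
    finally:
        sock.close()  # no-op if wrap_socket already took over the descriptor


def start_closing_server(host="127.0.0.1"):
    """Constructed stand-in for a forwarded port that does not lead to a TLS
    server: accept every TCP connection and close it at once.
    Returns (port, stop_callable)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, 0))
    listener.listen(5)
    listener.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()  # unread ClientHello in the buffer -> peer sees a reset
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop.set


def unused_port(host="127.0.0.1"):
    """Bind an ephemeral port and release it, so nothing listens there and a
    probe against it shows the 'tcp' stage."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_closing_server()
    print("closing server :", tls_probe("127.0.0.1", port, "quickwebnav.com"))
    stop()
    print("nothing there  :", tls_probe("127.0.0.1", unused_port(), "quickwebnav.com"))
    # Against a real host: tls_probe("127.0.0.1", 443, "quickwebnav.com")
```

Running the same probe from inside the VM against 127.0.0.1:443 and from outside against the public IP is the useful comparison: if the local probe reaches the `tls` stage while the external one stops at `handshake`, whatever answers on 443 at the host side (the port forwarding, or another process) is the problem rather than the Apache vhost.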

#8

Yes, there must be. I just don't know what it may be. HTTP works fine and certbot configured HTTPS automatically without errors. Where might I look for additional clues?

I've tried this with Ubuntu and CentOS, both with the same result. No HTTPS. Does it matter that this is a VM? But all ports are forwarding fine through the host and port tests come back fine.

Port [21] is open on 96.89.79.178.
Port [22] is closed on 96.89.79.178.
Port [23] is closed on 96.89.79.178.
Port [25] is closed on 96.89.79.178.
Port [53] is closed on 96.89.79.178.
Port [80] is open on 96.89.79.178.
Port [110] is closed on 96.89.79.178.
Port [115] is closed on 96.89.79.178.
Port [135] is closed on 96.89.79.178.
Port [139] is closed on 96.89.79.178.
Port [143] is closed on 96.89.79.178.
Port [194] is closed on 96.89.79.178.
Port [443] is open on 96.89.79.178.
Port [445] is closed on 96.89.79.178.
Port [1433] is closed on 96.89.79.178.
Port [3306] is open on 96.89.79.178.
Port [3389] is closed on 96.89.79.178.
Port [5632] is closed on 96.89.79.178.
Port [5900] is closed on 96.89.79.178.
Port [6112] is closed on 96.89.79.178.