HTTPSConnectionPool

My domain is:
szerhov.tk = via https not working
89.184.67.34 = via http all working
*all domains that I create are working perfectly via http

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

My hosting provider:
Mirohost

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Also I got this error:

http https://flat.show !10408

http: error: SSLError: HTTPSConnectionPool(host='flat.show', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1056)'))) while doing GET request to URL: https://flat.show/

Firewall is off.

Apache Listen:
tcp6 0 0 :::80 :::* LISTEN 1037/apache2
tcp6 0 0 :::443 :::* LISTEN 1037/apache2

szverhov.tk.conf:
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    ServerName szverhov.tk

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # certbot's redirect: every http request for this ServerName is sent to https
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =szverhov.tk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

szverhov.tk-le-ssl.conf :

<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    ServerName szverhov.tk

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # certbot-managed certificate; options-ssl-apache.conf turns SSLEngine on
    # and sets the protocol/cipher defaults
    SSLCertificateFile /etc/letsencrypt/live/szverhov.tk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/szverhov.tk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 s

ports.conf :

NameVirtualHost *:80
Listen 80

Listen 443

I think something is wrong with port 443, but I can't understand what.

Hi @szverhov

there are no ip addresses defined ( https://check-your-website.server-daten.de/?q=szerhov.tk ):

Host            T  IP-Address  is auth.  ∑ Queries  ∑ Timeout
szerhov.tk         Name Error  yes       1          0
www.szerhov.tk     Name Error  yes       1          0

You may have internal access. But if you use http-01 validation, Letsencrypt checks your webserver.

That requires a DNS entry (at minimum an A or AAAA record, i.e. an IPv4 or IPv6 address) and a running webserver (port 80).

Your nameservers:

www.szerhov.tk • a.ns.tk
szerhov.tk • a.ns.tk

There you have to create a public, worldwide visible dns entry yourdomain -> yourip

PS: Checking your ip http works.

Domainname                                        Http-Status  redirect  Sec.   G
http://89.184.67.34/
  89.184.67.34                                    200                    0.107  H
https://89.184.67.34/
  89.184.67.34                                    -4                     0.324  W
  SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream.
http://89.184.67.34/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  89.184.67.34                                    404                    0.093  A
  Not Found
  Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at 89.184.67.34 Port 80

So add a dns entry szerhov.tk --> 89.184.67.34
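As an added example (not the check tool linked above and not code from this thread), a small Python pre-flight that tests the two preconditions this reply names: the name resolves to a public address, and something answers HTTP on port 80 under /.well-known/acme-challenge/. The probe token, function names and verdict strings are constructed for this example; redirects are reported instead of followed, because a port-80 vhost that redirects to a broken https vhost (the situation in this thread) would otherwise look like a dead port 80.

```python
import socket
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as an HTTPError instead of following it


_OPENER = urllib.request.build_opener(_NoRedirect)


def public_addresses(name):
    """A/AAAA addresses of `name`, [] when the resolver reports Name Error."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_status(url, timeout=10):
    """HTTP status for a GET of `url` without following redirects; None if nothing answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 301/404/...: the server did answer on port 80
    except (urllib.error.URLError, OSError):
        return None


def http01_readiness(name, resolver=public_addresses, fetcher=fetch_status):
    """Return (verdict, detail) for the two http-01 preconditions of `name`."""
    addrs = resolver(name)
    if not addrs:
        return "no-dns", "%s has no A/AAAA record; create one pointing at the server" % name
    where = "%s -> %s" % (name, ", ".join(addrs))
    # constructed probe token: a 404 for it still proves the :80 vhost answers
    status = fetcher("http://%s/.well-known/acme-challenge/preflight-probe-token" % name)
    if status is None:
        return "port80-unreachable", where + ", but nothing answers HTTP on port 80"
    if status in (301, 302, 307, 308):
        return "redirect", where + ", port 80 redirects (HTTP %d); the target must serve the challenge too" % status
    if status not in (200, 404):
        return "unexpected", where + ", port 80 answered HTTP %d" % status
    return "ready", where + ", port 80 answers (HTTP %d for a probe token is expected)" % status
```

Run it as `http01_readiness("szverhov.tk")` once the A record exists; the injectable `resolver`/`fetcher` arguments let the verdict logic be exercised without network access.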

Hi, I must apologize, the situation is as follows: on the server with IP 89.184.67.34 I was holding my live project, but for some reason yesterday https just died on the server, I don't even understand the reasons why; the certificates were generated a month ago. Clients were really angry, so I moved the project to another server. And now I'm trying to understand what's going on on 89.184.67.34; I changed the domain to szverhov.tk, but I was already tired and forgot to manage all the configurations on this DNS. I made all the settings around DNS today, can you please look at it again and give me some advice?

P.S. Sorry for my English, I learn it by myself.

There is a new check of your domain, ~1 hour old - https://check-your-website.server-daten.de/?q=szerhov.tk

The same picture: No ip address:

Host            T  IP-Address  is auth.  ∑ Queries  ∑ Timeout
szerhov.tk         Name Error  yes       1          0
www.szerhov.tk     Name Error  yes       1          0

Compare it with my main domain (the main domain of the tool https://check-your-website.server-daten.de/?q=server-daten.de ):

Host                 T     IP-Address           is auth.  ∑ Queries  ∑ Timeout
server-daten.de      A     85.215.2.228         yes       1          0
                     AAAA  2a01:238:301b::1228  yes
www.server-daten.de  A     85.215.2.228         yes       1          0
                     AAAA  2a01:238:301b::1228  yes

You need at minimum one A record.

How do you manage your dns settings? Perhaps share a screenshot.

Looks like the domain isn’t delegated / active / etc.

The name servers of the tk zone

Domain          Nameserver     NS-IP
www.szerhov.tk  a.ns.tk
szerhov.tk      a.ns.tk
tk              a.ns.tk / ams
                b.ns.tk / ams
                c.ns.tk / ams
                d.ns.tk / ams

must have a dns NS entry. So

nslookup -type=NS szverhov.tk. a.ns.tk.

shows an answer.

The domain is szverhov.tk, I made a mistake in my first post -_-

Yep, now the DNS is ok. Typo happens :wink:

There is a check of your domain - https://check-your-website.server-daten.de/?q=szverhov.tk

http works.

And important: You have a new Letsencrypt certificate:

Issuer                                                not before           not after            Domain names            LE-Duplicate next LE
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US  2019-05-07 14:56:41  2019-08-05 14:56:41  szverhov.tk, 1 entries  duplicate nr. 1

But your https doesn’t work.

Perhaps your config is incomplete. Use

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to compare the results.

apache, ssl :

szverhov.tk-le-ssl.conf :

<VirtualHost *:443>

    ServerName szverhov.tk

    ServerAdmin webmaster@localhost
    
    DocumentRoot /var/www/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    # fullchain.pem = leaf + intermediate; cert.pem alone leaves the issuer out,
    # which is what the AH02217 "can't retrieve issuer certificate" error reports
    SSLCertificateFile      /etc/letsencrypt/live/szverhov.tk/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/szverhov.tk/privkey.pem
    
    Header always set Strict-Transport-Security "max-age=15768000"

</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

[Wed May 08 13:10:07.297134 2019] [mpm_event:notice] [pid 4363:tid 140365050641344] AH00493: SIGUSR1 received. Doing graceful restart
[Wed May 08 13:10:07.301294 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=szverhov.tk / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 03856BA72CF7EC3AE9E8BF72A5B93A474EC9 / notbefore: May 7 14:56:41 2019 GMT / notafter: Aug 5 14:56:41 2019 GMT]
[Wed May 08 13:10:07.301305 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02604: Unable to configure certificate szverhov.tk:443:0 for stapling
[Wed May 08 13:10:07.301481 2019] [ssl:warn] [pid 4363:tid 140365050641344] AH01909: 89.184.67.34.mirohost.net:443:0 server certificate does NOT include an ID which matches the server name
[Wed May 08 13:10:07.301515 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=flatshow / issuer: CN=flatshow / serial: C001C62495902BEB / notbefore: Apr 1 12:31:31 2019 GMT / notafter: Mar 29 12:31:31 2029 GMT]
[Wed May 08 13:10:07.301519 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02604: Unable to configure certificate 89.184.67.34.mirohost.net:443:0 for stapling
[Wed May 08 13:10:07.301551 2019] [mpm_event:notice] [pid 4363:tid 140365050641344] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Wed May 08 13:10:07.301555 2019] [core:notice] [pid 4363:tid 140365050641344] AH00094: Command line: '/usr/sbin/apache2'

Don’t add Stapling if your main configuration doesn’t work.

You can speed up a check if you use your ip address - https://check-your-website.server-daten.de/?q=89.184.67.34

The freenom nameservers are buggy; a check time of 370 seconds is terrible.

What says

apachectl -S

Is there another working SSL vHost on that machine? Looks like you have a general configuration problem.
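An added example, not from this thread: a Python triage of the mod_ssl messages in an error_log excerpt like the one posted above, grouping AH02217/AH02604/AH01909 per SSL vhost so it is visible which certificate lacks its issuer (the cause of the stapling failures) before anything else is tuned. SAMPLE_LOG is a constructed copy of the lines posted above, and the hint texts are this example's own wording.

```python
import re

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[(?P<mod>\w+):(?P<level>\w+)\] \[pid [^\]]+\] (?P<code>AH\d{5}): (?P<msg>.*)$")
# vhost id as Apache prints it ("szverhov.tk:443:0"); the lookahead keeps a
# timestamp such as "14:56:41" inside a certificate dump from matching
VHOST_RE = re.compile(r"(?=[^\s:]*[A-Za-z])[A-Za-z0-9.\-]+:\d{1,5}:\d+")
CERT_RE = re.compile(r"\[subject: (?P<subject>.+?) / issuer: (?P<issuer>.+?) / serial")
HINTS = {
    "AH02217": "httpd cannot find the issuer of this cert: serve fullchain.pem, not cert.pem",
    "AH02604": "OCSP stapling is off for this vhost; leave SSLUseStapling off until the chain is fixed",
    "AH01909": "certificate names do not cover this vhost's ServerName; check SSLCertificateFile",
}


def triage_ssl_errors(lines):
    """Map each SSL vhost id to the mod_ssl problems logged at (re)start."""
    findings, pending = {}, None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("mod") != "ssl":
            continue
        code, msg = m.group("code"), m.group("msg")
        if code == "AH02217":  # names the certificate; the next AH02604 names the vhost
            c = CERT_RE.search(msg)
            pending = (c.group("subject"), c.group("issuer")) if c else None
            continue
        v = VHOST_RE.search(msg)
        if not v:
            continue
        entry = {"code": code, "level": m.group("level"), "hint": HINTS.get(code, msg)}
        if code == "AH02604" and pending:
            subject, issuer = pending
            entry.update(subject=subject, issuer=issuer, self_signed=subject == issuer)
            entry["hint"] = ("self-signed cert, there is no issuer to staple" if subject == issuer
                             else HINTS["AH02217"]) + "; " + HINTS["AH02604"]
            pending = None
        findings.setdefault(v.group(0), []).append(entry)
    return findings


# constructed sample: the ssl lines of the error_log excerpt posted in this thread
SAMPLE_LOG = [
    "[Wed May 08 13:10:07.301294 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=szverhov.tk / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 03856BA72CF7EC3AE9E8BF72A5B93A474EC9 / notbefore: May 7 14:56:41 2019 GMT / notafter: Aug 5 14:56:41 2019 GMT]",
    "[Wed May 08 13:10:07.301305 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02604: Unable to configure certificate szverhov.tk:443:0 for stapling",
    "[Wed May 08 13:10:07.301481 2019] [ssl:warn] [pid 4363:tid 140365050641344] AH01909: 89.184.67.34.mirohost.net:443:0 server certificate does NOT include an ID which matches the server name",
    "[Wed May 08 13:10:07.301515 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=flatshow / issuer: CN=flatshow / serial: C001C62495902BEB / notbefore: Apr 1 12:31:31 2019 GMT / notafter: Mar 29 12:31:31 2029 GMT]",
    "[Wed May 08 13:10:07.301519 2019] [ssl:error] [pid 4363:tid 140365050641344] AH02604: Unable to configure certificate 89.184.67.34.mirohost.net:443:0 for stapling",
]
```

Feeding the real file (`triage_ssl_errors(open("/var/log/apache2/error.log"))`) lists every SSL vhost Apache complained about, which answers the "is there another SSL vHost" question above alongside `apachectl -S`.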

and for now I only left szverhov.tk
