I need help setting up SSL on my web server

I'm trying to reach my site over an SSL/HTTPS connection but I can't. Here is the error, I think:

[pid 8729] AH01909: www.archivomental.com:443:0 server certificate does NOT include an ID which matches the se>
[Sun Jun 11 16:52:16.359534 2023] [mpm_prefork:notice] [pid 8729] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations

My domain is: www.archivomental.com

I ran this command: certonly --webroot -w /var/www/archivomental -d archivomental.com -d www.archivomental.com

It produced this output: seems to be ok

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): ubuntu 20.04 lts

My hosting provider, if applicable, is: hostinger

I can login to a root shell on my machine (yes or no, or I don't know): by default no, but I log in with my user and then change to root with sudo su

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I just use the shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

My VirtualHost setup; with this one I can reach the site over HTTP but not over HTTPS:

<VirtualHost *:80>

    ServerName www.archivomental.com
    ServerAlias archivomental.com
    DocumentRoot /var/www/archivomental

    RewriteEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    RewriteCond %{HTTPS} off
    RewriteRule   "^/(.*)_SSL$"   "https://%{SERVER_NAME}/$1" [R,L]

</VirtualHost>


<VirtualHost *:443>

    ServerName www.archivomental.com
    ServerAlias archivomental.com
    DocumentRoot /var/www/archivomental

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/archivomental.com-0002/cert1.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com-0002/privkey1.pem
    SSLCertificateChainFile /etc/letsencrypt/live/archivomental.com-0002/chain1.pem

</VirtualHost>

With this setup I just can't get in:

<VirtualHost *:443>
    ServerName www.archivomental.com
    ServerAlias archivomental.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/archivomental.com/cert3.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com/privkey3.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

There are a few things I notice, such as the difference between:

and:

It seems you have multiple certificates for the same domain name listed in Certbot. The -0002 suffix suggests duplicates. You can check all the certificates known to Certbot with the command:

sudo certbot certificates

Please make sure you choose the correct certificate "lineage" from Certbot to be used in your Apache configuration.

Furthermore:

And

There should NOT be any files with numbered suffixes in the subdirectories of the /live/ directory. This is evidence of manual tampering with the /etc/letsencrypt/live/ directories which is a VERY BAD IDEA. It could and often would break Certbot.

And the last thing: with your Apache version (2.4.52; you didn't mention the full version in the questionnaire, I had to look it up, thanks for that):

The SSLCertificateChainFile directive has been deprecated since Apache version 2.4.8. It's better not to use it.

The alternative to SSLCertificateChainFile is to use fullchain.pem instead, or cert.pem in combination with the separate use of chain.pem.

2 Likes

OK, thank you, I really appreciate it. I'll check everything you say and try to fix it.

The output of sudo certbot certificates says this:

hiddenotebook@ubuntu:~$ sudo certbot certificates
[sudo] password for hiddenotebook:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/archivomental.com-0001.conf produced an unexpected error: target /etc/letsencrypt/archive/archivomental.com-0001/cert1.pem of symlink /etc/letsencrypt/live/archivomental.com-0001/cert.pem does not exist. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/archivomental.com.conf produced an unexpected error: expected /etc/letsencrypt/live/archivomental.com/cert3.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: archivomental.com-0002
    Serial Number: 4d23484f0523e95c1e7b702835801990aae
    Key Type: RSA
    Domains: archivomental.com www.archivomental.com
    Expiry Date: 2023-09-09 16:22:27+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/archivomental.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/archivomental.com-0002/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/archivomental.com-0001.conf
  /etc/letsencrypt/renewal/archivomental.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I erased the certs because I got this message: [pid 8729] AH01909: www.archivomental.com:443:0 server certificate does NOT include an ID which matches

How did you erase the certs?

3 Likes

Why do you say so? Is it not recommended to erase them? I did it because I wanted to start from the beginning.

It's not usually as helpful as people think it is, and it often creates other problems. But the question here was how you did it, and the reason for the question, I expect, is that you did it incompletely, as shown by errors such as "Renewal configuration file /etc/letsencrypt/renewal/archivomental.com-0001.conf produced an unexpected error: target /etc/letsencrypt/archive/archivomental.com-0001/cert1.pem of symlink /etc/letsencrypt/live/archivomental.com-0001/cert.pem does not exist. Skipping." The correct way to delete a cert that's managed by certbot is certbot delete --cert-name archivomental.com, naturally substituting whatever name is actually on the cert.

5 Likes
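The two "unexpected error" lines in the certbot certificates output above are certbot's own consistency checks on its directory layout: every file under live/<name>/ must be a symlink into archive/<name>/, and the symlink target must exist. Deleting directories by hand violates one or both. The following script, added here as an example and not part of the thread or of certbot, reproduces those checks against a constructed temporary tree (the lineage names example.com, example.com-0001 and example.com-0002 and the placeholder file contents are made up) so you can see what a healthy lineage looks like next to the two kinds of breakage seen in this thread; point check_lineage at a real /etc/letsencrypt only as a read-only diagnostic, and use certbot delete --cert-name to actually remove a lineage.

```python
"""Sanity-check a Certbot directory tree the way `certbot certificates` does.

Added example (not from the thread, not certbot code). Runs offline against
a constructed temporary tree; nothing under /etc is read or written.
"""
import os
import tempfile
from pathlib import Path

# The four symlinks certbot maintains in live/<name>/ for every lineage.
LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def lineage_names(letsencrypt_dir):
    """A lineage exists because renewal/<name>.conf exists; that is what certbot iterates."""
    renewal_dir = Path(letsencrypt_dir) / "renewal"
    if not renewal_dir.is_dir():
        return []
    return sorted(p.stem for p in renewal_dir.glob("*.conf"))


def check_lineage(letsencrypt_dir, name):
    """Return a list of problems for one lineage; an empty list means it is consistent."""
    root = Path(letsencrypt_dir)
    live = root / "live" / name
    problems = []
    if not live.is_dir():
        problems.append(f"missing live directory {live}")
        return problems
    for fname in LIVE_FILES:
        link = live / fname
        if not link.is_symlink():
            # certbot: "expected .../live/<name>/cert.pem to be a symlink"
            problems.append(f"expected {link} to be a symlink")
            continue
        # certbot writes relative links such as ../../archive/<name>/cert1.pem
        target = Path(os.path.normpath(link.parent / os.readlink(link)))
        if not target.is_file():
            # certbot: "target .../archive/<name>/cert1.pem of symlink ... does not exist"
            problems.append(f"target {target} of symlink {link} does not exist")
    for extra in live.iterdir():
        if extra.name not in LIVE_FILES:
            # numbered files (cert3.pem, privkey3.pem, ...) belong in archive/, never in live/
            problems.append(f"unexpected {extra.name} in live/ (numbered files belong in archive/)")
    return problems


def _write_lineage(root, name, version, *, link=True, with_archive=True):
    """Create a constructed lineage. link=False mimics hand-copied files in live/;
    with_archive=False mimics an archive/ directory removed with rm -R."""
    archive = root / "archive" / name
    live = root / "live" / name
    live.mkdir(parents=True)
    (root / "renewal").mkdir(exist_ok=True)
    (root / "renewal" / f"{name}.conf").write_text(f"archive_dir = {archive}\n")
    if with_archive:
        archive.mkdir(parents=True)
    for fname in LIVE_FILES:
        stem = fname[: -len(".pem")]
        numbered = f"{stem}{version}.pem"
        if with_archive:
            (archive / numbered).write_text(f"constructed placeholder for {numbered}\n")
        if link:
            os.symlink(f"../../archive/{name}/{numbered}", live / fname)
        else:
            (live / numbered).write_text("constructed placeholder copied by hand\n")


def demo():
    """Build one healthy and two broken lineages and return {name: problems}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_lineage(root, "example.com", 1)                          # healthy
        _write_lineage(root, "example.com-0001", 1, with_archive=False)  # archive rm'd
        _write_lineage(root, "example.com-0002", 3, link=False)         # files copied into live/
        return {name: check_lineage(root, name) for name in lineage_names(root)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

Only example.com comes back clean; example.com-0001 reports the missing archive target and example.com-0002 reports that cert.pem is not a symlink plus the stray numbered files, which is exactly the pair of errors the OP's output showed.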

I erased this completely, yes, as root with the rm -R command, so I'm afraid I erased the files completely :sweat_smile:

That is NOT a "complete erase".
To do that, you must do:
certbot delete --cert-name example.com

3 Likes

I did that too, that problem is gone, thank you so much.

1 Like

OK, I cleaned up all of archivomental.com-0001, archivomental.com-0002 and archivomental.com-0003.

I installed again following the instructions from the Certbot web page, adding archivomental.com and www.archivomental.com,

with this command: sudo certbot --apache

but now I get this message from the browser:

https://archivomental.com/

Secure connection failed

An error occurred while connecting to archivomental.com. PR_CONNECT_RESET_ERROR

Error code: PR_CONNECT_RESET_ERROR

The page you are trying to view cannot be displayed because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Can anybody help, please?

I'm only able to reach your site via HTTP.
It times out via HTTPS.
So, I can't see what you are seeing.

3 Likes

I agree with @rg305; port 443/tcp is filtered (https):

$ nmap -Pn -p80,443 www.archivomental.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-13 12:11 PDT
Nmap scan report for www.archivomental.com (79.108.121.253)
Host is up (0.18s latency).
rDNS record for 79.108.121.253: 79.108.121.253.dyn.user.ono.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds
2 Likes
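The three symptoms in this thread are different failures at different layers: nmap's "filtered" means the SYN to 443 got no SYN/ACK and no RST (a firewall or the provider is dropping it); Firefox's PR_CONNECT_RESET_ERROR means the TCP connection was accepted but then reset; and Apache's AH01909 means the certificate's names do not cover the ServerName, which a browser reports as a hostname mismatch. The script below is an added example, not from the thread, that tells these apart from the client side with only the Python standard library. tcp_state classifies the port in nmap's vocabulary and tls_probe does a browser-style verified handshake and returns the certificate's DNS SAN names on success; demo_tcp_states runs a constructed loopback check (a listening socket and a free port on 127.0.0.1) so the classification can be exercised without network access.

```python
"""Probe host:port the way a browser would and name the failure mode.

Added example, not part of the thread. Standard library only.
"""
import socket
import ssl
import sys


def tcp_state(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' (nmap's terms) for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"            # RST came back: host answers, nothing listens
    except (socket.timeout, TimeoutError):
        return "filtered"          # no SYN/ACK, no RST: something drops the packets
    except OSError as exc:         # e.g. no route to host, DNS failure
        return f"error: {exc}"


def tls_probe(host, port=443, timeout=5.0, server_name=None):
    """Return (verdict, dns_san_names). Chain and hostname are verified like a browser."""
    server_name = server_name or host
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return "ok", names
    except ssl.SSLCertVerificationError as exc:
        # e.g. "Hostname mismatch, certificate is not valid for 'www.example.com'."
        msg = getattr(exc, "verify_message", None) or str(exc)
        if "Hostname mismatch" in msg:
            return "hostname_mismatch", []   # client-side view of Apache's AH01909
        return f"verify_failed: {msg}", []
    except ConnectionResetError:
        return "reset", []                   # what Firefox shows as PR_CONNECT_RESET_ERROR
    except (socket.timeout, TimeoutError):
        return "filtered", []
    except (ssl.SSLError, OSError) as exc:
        return f"error: {exc}", []


def demo_tcp_states():
    """Constructed loopback check: a listening socket reads 'open', a free port 'closed'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))          # grab a free port number, then release it
    free_port = spare.getsockname()[1]
    spare.close()
    try:
        return tcp_state("127.0.0.1", open_port), tcp_state("127.0.0.1", free_port)
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} HOSTNAME")
    target = sys.argv[1]
    print("loopback self-check:", demo_tcp_states())
    print(f"{target}:443 is", tcp_state(target, 443))
    verdict, sans = tls_probe(target)
    print("TLS:", verdict, "SANs:", sans)
```

Run it against the affected hostname from the outside: "filtered" means fix the firewall or provider filtering before touching Apache; "reset" means something accepted the TCP connection but is not speaking TLS on 443; "hostname_mismatch" means the certificate Apache serves does not list the name you typed, so the wrong lineage or the wrong vhost is being used.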

OK, then what does "filtered https" mean? Do I need to do something?

When I hit http://archivomental.com/ it takes me to Apache's welcome page, but I disabled that site.

Here is everything I changed on my site:
VirtualHost:

<VirtualHost *:443>
    ServerAdmin alber.kss79@gmail.com
    ServerName www.archivomental.com
    ServerAlias archivomental.com
    DocumentRoot /var/www/archivomental
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =archivomental.com [OR]
    RewriteCond %{SERVER_NAME} =www.archivomental.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

In /etc/hosts I added this line:
127.0.1.1 servername.archivomental.com

In /etc/apache2/apache2.conf I added this line to the end:
ServerName localhost

@ubuntu:~$ sudo ufw show added

Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 'Apache Full'

In sudo nano /etc/ssh/sshd_config I got this configuration:

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 30
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 3
MaxSessions 4

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

Why does it take me to the default Apache page if it is disabled?
Do you see any error in my configuration?
What does "443/tcp filtered https" mean?

Thank you all for your help.

1 Like

Why are you doing HTTPS to HTTPS redirection? [that would create a loop - when working]
That server block is already port 443 [HTTPS].
It is probably not "working" because it doesn't have "SSLEngine on".

3 Likes

Thank you my friend! I didn't do that configuration, the command sudo certbot --apache did it for me.
I followed a tutorial that says

Run this command to get a certificate and have Certbot edit your apache configuration automatically to serve it, turning on HTTPS access in a single step

sudo certbot --apache

So I should do this?

<VirtualHost *:443>
    ServerAdmin alber.kss79@gmail.com
    ServerName www.archivomental.com
    ServerAlias archivomental.com
    DocumentRoot /var/www/archivomental

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =archivomental.com [OR]
    RewriteCond %{SERVER_NAME} =www.archivomental.com
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

That's mostly correct.
You should move these four lines to the HTTP vhost config file [if not already in there]:

3 Likes

How's it going, brother, buddy? Now I've got everything under control: I erased the certs and installed new ones, so everything is correct but not complete...

Here is my VirtualHost conf:

<VirtualHost *:80>
        # Domain settings
        ServerAdmin alcalacompra.tienda@gmail.com
        ServerName www.alcalacompra.com
        ServerAlias alcalacompra.com
        DocumentRoot /var/www/prestashop
        # Prestashop needs
        <Directory /var/www/prestashop>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        </Directory>
        # Error and access log files
        ErrorLog ${APACHE_LOG_DIR}/prestashop.error.log
        CustomLog ${APACHE_LOG_DIR}/prestashop.access.log combined
        # Redirect to HTTPS
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =archivomental.com [OR]
        RewriteCond %{SERVER_NAME} =www.archivomental.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    ServerName www.alcalacompra.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/alcalacompra.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/alcalacompra.com/privkey.pem"
</VirtualHost>

But I am still not able to reach my domain over HTTPS... here is my firewall conf:
ubuntu@ubuntu:/etc/apache2/sites-available$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):

ufw allow 80/tcp
ufw allow 22/tcp
ufw allow Apache
ufw allow 8080/tcp
ufw allow OpenSSH
ufw allow 443/tcp
ufw allow 'Apache Full'

What happens here? If anybody knows, please help!

The secure vhost is missing:

4 Likes

That should be:

        RewriteCond %{SERVER_NAME} =alcalacompra.com [OR]
        RewriteCond %{SERVER_NAME} =www.alcalacompra.com
4 Likes
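Pulling together the corrections made across this thread (redirect rules live in the :80 vhost and name the right domain; the :443 vhost has SSLEngine on and uses fullchain.pem rather than the deprecated SSLCertificateChainFile; no HTTPS-to-HTTPS redirect), here is what the pair of vhosts for alcalacompra.com looks like. This is an added example, not the poster's final configuration or certbot's generated one; it assumes the :443 vhost should carry the same ServerAlias, DocumentRoot and <Directory> block as the :80 one (the list of missing lines in the reply above did not survive extraction), and that mod_ssl and mod_rewrite are enabled (sudo a2enmod ssl rewrite).

```apacheconf
# /etc/apache2/sites-available/alcalacompra.conf (added example; assumed path)
<VirtualHost *:80>
        ServerAdmin alcalacompra.tienda@gmail.com
        ServerName www.alcalacompra.com
        ServerAlias alcalacompra.com
        DocumentRoot /var/www/prestashop
        <Directory /var/www/prestashop>
                Options -Indexes +FollowSymLinks
                AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/prestashop.error.log
        CustomLog ${APACHE_LOG_DIR}/prestashop.access.log combined

        # Redirect to HTTPS: conditions must name THIS site's domains,
        # not a leftover from another vhost, or the rule never fires.
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =alcalacompra.com [OR]
        RewriteCond %{SERVER_NAME} =www.alcalacompra.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin alcalacompra.tienda@gmail.com
        ServerName www.alcalacompra.com
        ServerAlias alcalacompra.com
        DocumentRoot /var/www/prestashop
        <Directory /var/www/prestashop>
                Options -Indexes +FollowSymLinks
                AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/prestashop.error.log
        CustomLog ${APACHE_LOG_DIR}/prestashop.access.log combined

        # No RewriteRule to https:// here: this vhost is already HTTPS,
        # so such a rule would loop.
        SSLEngine on
        # fullchain.pem = leaf + intermediates; this replaces the deprecated
        # SSLCertificateChainFile. The live/ symlinks track renewals, so
        # never point at numbered archive/ files.
        SSLCertificateFile    /etc/letsencrypt/live/alcalacompra.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/alcalacompra.com/privkey.pem
</VirtualHost>
```

Before reloading, run sudo apachectl configtest; a :443 vhost that is missing SSLEngine on, or that points at a lineage with no www name in its SAN list, will show up in the error log as AH01909 and leave the browser with a mismatch or reset rather than a page. Check the SAN list of the lineage you reference with sudo certbot certificates before wiring it into the vhost.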