Issue of setting up SSL on port 81

I am running an Apache2 webserver from home. Currently the server is working on http. My setup is sketched below.

incoming traffic to my home router IP port 81 ==> my home router (94.147.65.45) ==> my Ubuntu server running Apache2 listening on port 80.

I have two computers connected to my home router. Therefore external port 80 is occupied, as the traffic goes to another server. In order to direct traffic to my Ubuntu server running Apache2, I have set up port forwarding in my home router so that external port 81 is mapped to the local IP address of the Ubuntu server running Apache2 with internal port 80.

To set up SSL I have done the following:

Followed the guideline using certbot

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

All the above ran without problems. I then edited this configuration file, which originally looked like this:

(env) hd2900@hd2900:~/Documents/Python/hd2900TakeawayPrint$ cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	WSGIDaemonProcess flaskapp threads=5 python-home=/home/hd2900/Documents/Python/hd2900TakeawayPrint/env
	WSGIScriptAlias / /home/hd2900/Documents/Python/hd2900TakeawayPrint/flaskapp.wsgi
	WSGIApplicationGroup %{GLOBAL}

	<Directory /home/hd2900/Documents/Python/hd2900TakeawayPrint>
	     WSGIProcessGroup flaskapp
	     Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I changed it to the below, where I uncommented the ServerName and commented out the WSGI lines. I have made an A record in DNS so that www.hd2900service.dimsum.dk is directed to my router IP 94.147.65.45.

cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.hd2900service.dimsum.dk

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	#WSGIDaemonProcess flaskapp threads=5 python-home=/home/hd2900/Documents/Python/hd2900TakeawayPrint/env
	#WSGIScriptAlias / /home/hd2900/Documents/Python/hd2900TakeawayPrint/flaskapp.wsgi
	#WSGIApplicationGroup %{GLOBAL}

	<Directory /home/hd2900/Documents/Python/hd2900TakeawayPrint>
	     WSGIProcessGroup flaskapp
	     Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

After editing the configuration file I ran the below command and got a failure that I am not sure how to debug.

(env) hd2900@hd2900:~/Documents/Python/hd2900TakeawayPrint$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): myEmailAddress@emailDomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.hd2900service.dimsum.dk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for www.hd2900service.dimsum.dk

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.hd2900service.dimsum.dk
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.hd2900service.dimsum.dk - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My domain is: www.dimsum.dk

I ran this command: see above

It produced this output:

My web server is (include version): Apache/2.4.48 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Well, this of course is your first problem: the www (sub)subdomain does not exist. The "main subdomain" hd2900service.dimsum.dk does exist, but its www (sub)subdomain doesn't.

Also, Let's Encrypt is required to use one of a few ports for the validation, one being 80, and port 81 not being one of them. So if your Ubuntu server is really only available through port 81 from the world wide web, the http-01 challenge won't work. Other challenges (dns-01, tls-alpn-01) might work, but I do not recommend that. Why? Read further:

I would advise placing your Ubuntu server behind a reverse proxy running on your other host which is occupying port 80. You'd set up the reverse proxy such that requests for (www.)hd2900service.dimsum.dk are not actually managed by the webserver doing the reverse proxying, but sent to your Ubuntu host through the internal network.

2 Likes
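The answer above separates two preconditions for an http-01 validation: the exact hostname must have an A record, and the server must be reachable on port 80 (not 81). The following is an added example, not code posted in the thread: it walks a hostname up to its apex, the way the NXDOMAIN for www.hd2900service.dimsum.dk sat next to a working hd2900service.dimsum.dk, and reports for each label whether an A record exists and whether it points at the expected router IP. The hostname and the IP 94.147.65.45 are taken from the thread; the function names are assumptions of this example.

```python
import socket

# Added example (not from the thread): check each label of a hostname up to the
# apex so an NXDOMAIN on the www label is visible before running certbot.


def resolve_a(hostname: str) -> list[str]:
    """IPv4 addresses DNS returns for hostname; [] when the name yields nothing
    (NXDOMAIN, NODATA and resolver failures all surface as socket.gaierror)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def parent_names(hostname: str, min_labels: int = 2) -> list[str]:
    """'www.a.example.dk' -> ['www.a.example.dk', 'a.example.dk', 'example.dk'].
    min_labels=2 stops at the registrable apex for ordinary two-label TLDs."""
    labels = hostname.rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]
    return names or [hostname]


def dns_preflight(hostname: str, expected_ip: str) -> dict[str, tuple[list[str], str]]:
    """For every name from hostname up to the apex, record its A records and a
    verdict: 'ok' (includes expected_ip), 'points elsewhere', or 'no A record'."""
    report = {}
    for name in parent_names(hostname):
        addrs = resolve_a(name)
        if not addrs:
            verdict = "no A record"
        elif expected_ip in addrs:
            verdict = "ok"
        else:
            verdict = "points elsewhere"
        report[name] = (addrs, verdict)
    return report


if __name__ == "__main__":
    # Hostname certbot was asked for and the router IP, both from the thread.
    for name, (addrs, verdict) in dns_preflight("www.hd2900service.dimsum.dk", "94.147.65.45").items():
        print(f"{name:35} {verdict:16} {', '.join(addrs) or '-'}")
```

Run it on the machine that will run certbot; a "no A record" verdict on the first line with an "ok" further down is exactly the "main subdomain exists, www does not" situation described above. Because it uses the local resolver, a freshly added record may show up here before the Let's Encrypt validation servers see it.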

Thanks for pointing it out as two separate problems. I am able to move my webserver to another router, where it can be reached via port 80. So the second problem can be solved quite simply.

I am not sure what you mean by sub-subdomain. Do you mean that www is being interpreted as a subdomain? If that is the case, this can be solved by changing the ServerName in /etc/apache2/sites-available/000-default.conf from

ServerName www.hd2900service.dimsum.dk

to

ServerName hd2900service.dimsum.dk

I will try this tomorrow and get back with an update.

1 Like

It really depends on your definition of "subdomain" or if it's required to use the word sub multiple times, i.e. one for every label added onto the apex domain name.

However, what we call it is not really important. What is important is that the hostname you're using in your webserver and certificate needs to be present in the DNS.

If that's possible then yes, that sounds like a good solution too. Don't forget to update the IP address in the DNS :wink:

1 Like

I have now given port 80 to my webserver. Also I ran the certbot command without issues. What puzzles me is that when I try to reach my website on hd2900service.dimsum.dk it just hangs. If I open a web browser and input my IP address http://94.147.65.45/ I am directed to the Apache default page. In my Apache default configuration file I have

hd2900@hd2900:~$ sudo cat /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName hd2900service.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =hd2900service.dimsum.dk
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

All traffic going to port 80 should be redirected to HTTPS port 443. In the configuration file

hd2900@hd2900:~$ sudo cat /etc/apache2/sites-available/000-default-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName hd2900service.dimsum.dk

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	WSGIDaemonProcess flaskapp threads=5 python-home=/home/hd2900/Documents/Python/hd2900TakeawayPrint/env
	WSGIScriptAlias / /home/hd2900/Documents/Python/hd2900TakeawayPrint/flaskapp.wsgi
	WSGIApplicationGroup %{GLOBAL}

	<Directory /home/hd2900/Documents/Python/hd2900TakeawayPrint>
	     WSGIProcessGroup flaskapp
	     Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


SSLCertificateFile /etc/letsencrypt/live/hd2900service.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hd2900service.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Here what should happen is that the WSGI layer should activate a simple Flask script that returns a text message.

My firewall settings currently are

hd2900@hd2900:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
81/tcp (v6)                ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

It can be seen that both port 80 and port 443 are allowed. I also made sure in DNS that the domain hd2900service.dimsum.dk is pointing to my router IP 94.147.65.45.

Hello Osiris,

Can you have a look at my post below? I am still experiencing issues and I don't know how to troubleshoot. Any comments and suggestions are welcome. Thanks!

1 Like

Your webserver is successfully redirecting from HTTP on port 80 to HTTPS on port 443. However, port 443 gives a timeout, possibly a firewall issue as you've figured out.

That said, I'm not familiar with ufw so I don't know if the lack of /tcp in the output of ufw at port 443 matters much?

Also, if I look at the traceroutes for port 80 and 443, there's a difference:

Port 80:

server ~ # traceroute -T -p 80 94.147.65.45
traceroute to 94.147.65.45 (94.147.65.45), 30 hops max, 60 byte packets
(...)
 6  ti3004c400-ae2-0.ti.telenor.net (146.172.105.10)  28.346 ms  23.946 ms  24.228 ms
 7  ti6000b400-ae0-0.ti.telenor.net (146.172.105.2)  24.199 ms  24.186 ms  24.488 ms
 8  148.122.9.38 (148.122.9.38)  27.488 ms  27.477 ms  28.095 ms
 9  94.147.3.241 (94.147.3.241)  29.771 ms  29.760 ms  29.932 ms
10  94.147.3.240 (94.147.3.240)  30.553 ms  31.035 ms  31.024 ms
11  * * *
12  94.147.65.45 (94.147.65.45)  38.117 ms  38.090 ms  38.078 ms
13  94.147.65.45 (94.147.65.45)  65.887 ms  65.861 ms  65.848 ms
server ~ # 

Port 443:

server ~ # traceroute -T -p 443 94.147.65.45
traceroute to 94.147.65.45 (94.147.65.45), 30 hops max, 60 byte packets
(...)
 6  ti3004c400-ae2-0.ti.telenor.net (146.172.105.10)  29.176 ms  25.077 ms  24.011 ms
 7  ti6000b400-ae0-0.ti.telenor.net (146.172.105.2)  23.980 ms  24.409 ms  24.398 ms
 8  148.122.9.38 (148.122.9.38)  47.481 ms  47.470 ms  47.667 ms
 9  94.147.3.241 (94.147.3.241)  29.178 ms  29.523 ms  30.208 ms
10  94.147.3.240 (94.147.3.240)  31.394 ms  31.382 ms  31.371 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
(...)
29  * * *
30  * * *
server ~ # 

If you look at hops 12 and 13 in the port 80 traceroute, you'll see that the same IP address (yours) is listed twice. To me, this suggests there's a device doing NAT, with hop 12 being the router doing the translation and hop 13 being the actual device behind the NAT router.

These hops are not present in the port 443 traceroute, which to me says hop 12, probably a router, is blocking traffic already before it's getting to your Ubuntu server.

3 Likes

Thanks for the traceroutes. Does this suggest that port 443 needs to be forwarded from the router? My understanding is that the traffic comes into the router on port 80 and is then directed to the Ubuntu server behind the router. Once the server sees an incoming connection via port 80, it automatically redirects it to port 443 internally in the server?

1 Like

Yes.

No, that's incorrect. The browser of a user makes a connection to port 80 using HTTP. The webserver says to the browser: "Dude, you need to move to HTTPS!". Then, the browser closes the HTTP connection on port 80 and will make a new connection on port 443 using HTTPS. So that new HTTPS connection is directly from the user to your webserver through the router again.

1 Like
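The reply above is the crux of the thread: the redirect is not an internal hand-off inside the server, it is a second, independent TCP connection from the client to port 443, which therefore needs its own port-forward. The following is an added example, not code from the thread, that reproduces the two hops one at a time: one plain-HTTP request that deliberately does not follow the redirect, then a fresh TCP connect to whatever port the Location header names, classified as open, refused or timeout (the timeout is the "hangs" symptom reported above). Because it must run offline, it starts a constructed stand-in for the port-80 vhost on 127.0.0.1 that answers with 301 to the thread's HTTPS URL; the function names, the stub server and the port classification are assumptions of this example.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Added example (not from the thread): observe the HTTP -> HTTPS redirect as two
# separate connections, the way a browser does it.


def first_hop(connect_ip, vhost, port=80, path="/", timeout=5.0):
    """One plain-HTTP GET to connect_ip:port with Host: vhost. The redirect is
    NOT followed; return (status, Location header) and close the connection."""
    conn = http.client.HTTPConnection(connect_ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def tcp_reachable(ip, port, timeout=5.0):
    """Classify a bare TCP connect: 'open', 'refused' (host answered, nothing
    listening) or 'timeout' (packets dropped, e.g. no port-forward on the router)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def trace_redirect(connect_ip, vhost, http_port=80, timeout=5.0):
    """Hop 1 over HTTP; if it redirects, hop 2 is a brand-new TCP connection to
    the port the Location URL implies (443 for https unless stated otherwise)."""
    status, location = first_hop(connect_ip, vhost, http_port, timeout=timeout)
    result = {"first_hop": (status, location)}
    if status in (301, 302, 307, 308) and location:
        target = urlsplit(location)
        port = target.port or (443 if target.scheme == "https" else 80)
        result["second_hop"] = (target.scheme, target.hostname, port,
                                tcp_reachable(connect_ip, port, timeout))
    return result


def start_stub_redirector(location, bind_ip="127.0.0.1"):
    """Constructed stand-in for the port-80 vhost: every GET gets a 301 to
    `location`. Returns the server; its port is server.server_address[1]."""
    class Redirect(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    server = ThreadingHTTPServer((bind_ip, 0), Redirect)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Against the real setup you would call
    # trace_redirect("94.147.65.45", "hd2900service.dimsum.dk") from outside the LAN.
    stub = start_stub_redirector("https://hd2900service.dimsum.dk/")
    print(trace_redirect("127.0.0.1", "hd2900service.dimsum.dk",
                         http_port=stub.server_address[1]))
    stub.shutdown()
    stub.server_close()
```

Run from a host outside the home network, a result whose first hop is a 301 and whose second hop says "timeout" matches the traceroutes earlier in the thread: port 80 is answered, while port 443 is dropped before it reaches the server. A "refused" on the second hop would instead point at the server itself (nothing listening on 443), which is why distinguishing the two matters when deciding whether to look at the router or at Apache.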

I just had a look at my router setting. Port 443 is disabled. The problem was solved when I created port forward from external 443 to my Ubuntu server IP on internal port 443 :grinning: The problem is now solved.

Just for my learning. The traceroutes are quite useful. Is traceroute part of a standard Ubuntu installation?

1 Like

The browser of a user makes connection to port 80 using HTTP. The webserver says to the browser: "Dude, you need to move to HTTPS!". Then, the browser closes the HTTP connection on port 80 and will make a new connection on port 443 using HTTPS. So that new HTTPS connection is directly from the user to your webserver through the router again.

Thanks so much this makes lots of sense to me now!

2 Likes

I don't know, I don't use Ubuntu. There seems to be a package called traceroute though, maybe it's already installed, maybe not: Ubuntu – Package Search Results -- traceroute

3 Likes

It might be part of net-tools

Nope.

You are right - it is packaged on its own:

apt install traceroute
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  traceroute
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 45.4 kB of archives.
After this operation, 152 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 traceroute amd64 1:2.1.0-2 [45.4 kB]
Fetched 45.4 kB in 5s (8,924 B/s)
Selecting previously unselected package traceroute.
(Reading database ... 139691 files and directories currently installed.)
Preparing to unpack .../traceroute_1%3a2.1.0-2_amd64.deb ...
Unpacking traceroute (1:2.1.0-2) ...
Setting up traceroute (1:2.1.0-2) ...
update-alternatives: using /usr/bin/traceroute.db to provide /usr/bin/traceroute (traceroute) in auto mode
update-alternatives: using /usr/bin/lft.db to provide /usr/bin/lft (lft) in auto mode
update-alternatives: using /usr/bin/traceproto.db to provide /usr/bin/traceproto (traceproto) in auto mode
update-alternatives: using /usr/sbin/tcptraceroute.db to provide /usr/sbin/tcptraceroute (tcptraceroute) in auto mode
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
3 Likes

Correct.

2 Likes
