Linux web server renewal of SSL certificate

Ok the cert renewed and the command went through. Now when I go to the site I get a welcome to nginx page?

Huh. Too much to parse for me right now. I agree HTTP (port 80) is being replied to by an nginx system. Before it was Apache.

But, HTTPS to that domain still fails. What is supposed to happen for HTTPS to that domain?

Can you show contents of this file:

/etc/letsencrypt/renewal/crm.cashesoftware.com.conf

Here is old and new HTTP requests just for reference

# Before cert
curl -i http://crm.cashesoftware.com
HTTP/1.1 301 Moved Permanently
Date: Wed, 08 May 2024 22:21:15 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://crm.cashesoftware.com/

# After cert (shows nginx welcome page data)
curl -i http://crm.cashesoftware.com
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 08 May 2024 22:51:06 GMT
Content-Type: text/html
Content-Length: 612

Seems like there may be two servers running on the system.
apache2 and nginx.


Hi @ITthisisDrew,

Here is a list of issued certificates crt.sh | crm.cashesoftware.com, the latest being 2024-05-08.
Looks like the certificate was successfully renewed.

However from around the world HTTPS seems to get Result of "Connection timed out"
see Permanent link to this check report

Using nmap it seems that Port 443 (i.e. for HTTPS) is filtered (i.e. blocked)

$ nmap -Pn -p80,433 crm.cashesoftware.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-08 15:59 PDT
Nmap scan report for crm.cashesoftware.com (216.206.113.109)
Host is up (0.067s latency).
rDNS record for 216.206.113.109: 216-206-113-109.dia.static.centurylink.net

PORT    STATE    SERVICE
80/tcp  open     http
433/tcp filtered nnsp

Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

Edit: new corrected Port 443; I had a typo of 433, sorry! :frowning:
(but still no significant difference)

$ nmap -Pn -p80,443 crm.cashesoftware.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-08 17:03 PDT
Nmap scan report for crm.cashesoftware.com (216.206.113.109)
Host is up (0.058s latency).
rDNS record for 216.206.113.109: 216-206-113-109.dia.static.centurylink.net

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

How can I stop nginx? I don't know how that happened.

OK, everyone keeps telling me 443 is not listening...I understand...How can I enable it to listen on this server?

Hi @ITthisisDrew,

Maybe it is, but are your routers and firewalls allowing Port 443 to pass through?


Please show that. I think Certbot may have started up a "partial" nginx

Seeing the above will help determine the fix.

Unless you can reboot that server, but I'm guessing that might be disruptive given all your domain names.


I just rebooted the server....doesn't seem to help....I will grab that file


Firewall is allowing it....server is not listening on 443


@ITthisisDrew

Please share the output of
sudo netstat -pant | grep -E ':443|:80' | grep -i listen
Use sudo ss -pant ... if you don't have netstat
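
As an added example (not part of the thread or of any poster's reply), the check requested above can be scripted: the function below reads `sudo ss -pant` output and names the daemon that holds a port's listening socket. The sample input is constructed to resemble the symptoms reported here (nginx on 80, nothing on 443); `listener_for` and `SAMPLE_SS` are hypothetical names, and `netstat` output is not handled.

```shell
#!/bin/sh
# Added example. SAMPLE_SS is constructed `sudo ss -pant` style output,
# not captured from the server discussed in this thread.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
ESTAB  0      0      10.0.0.5:22        10.0.0.9:51514    users:(("sshd",pid=1502,fd=4))
LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=1201,fd=7))'

# listener_for PORT  (hypothetical helper name)
# Reads ss output on stdin; prints the daemon name(s) with a LISTEN socket
# on PORT, comma-separated, or "none" when nothing is listening.
listener_for() {
    names=$(awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # works for 0.0.0.0:80 and [::]:80
            if (part[n] != port) next
            if (match($0, /users:\(\("[^"]+"/))
                print substr($0, RSTART + 9, RLENGTH - 10)
            else
                print "unknown"               # Process column is empty without root
        }' | sort -u | paste -sd, -)
    echo "${names:-none}"
}

# Report the two ports this thread is about.
for p in 80 443; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SS" | listener_for "$p")"
done
```

On a live host, feed it the real output instead of the sample: `sudo ss -pant | listener_for 443`.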


I now agree with your assessment of


I know a little...how can I get 443 listening? I was able to remove nginx from the server now too

Certainly I wasn't trying to say or imply that; sorry! :frowning:

Others have already been helping you with

I will not intrude.


I am going to lay a bit low as I have injured my back just as you started this thread... And I certainly don't want to muddy the water and confuse the issues as they are being worked out by Mike and Bruce...
JUST FOR REFERENCE
Assuming (not a good thing to do) you want to serve your site(s) on apache:
sudo systemctl status nginx
sudo systemctl stop nginx

Then paste the complete output from these commands. Copy and paste the entire output here. (If we need to, we can tidy it up for you.)

sudo apache2ctl -t -D DUMP_VHOSTS
use three backticks to paste code:

paste output

sudo apache2ctl -t -D DUMP_MODULES

paste output

sudo apache2ctl restart
sudo apache2ctl stop
sudo apache2ctl graceful

from the cli help:

Usage: /usr/sbin/apache2ctl start|stop|restart|graceful|graceful-stop|configtest|status|fullstatus|help

RIP :woozy_face:


here you go :
image


keeps giving me these

@ITthisisDrew images are getting cut off where important information lives. Can you please post the TEXT output of the terminal? It will really, really help.


It is a virtual machine....I cannot copy from it... I can only screen snip...it seems like apache is not running or not running on port 80 anymore?