No effect in Apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: forum.phantasy.dev

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: forum.phantasy.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/forum.phantasy.dev.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for forum.phantasy.dev

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/forum.phantasy.dev/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/forum.phantasy.dev/privkey.pem
This certificate expires on 2025-05-16.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for forum.phantasy.dev to /etc/apache2/sites-enabled/proxy-ssl-host.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Apache/2.4.62 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.10

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

Apache config:

<VirtualHost *:80>
    ServerName forum.phantasy.dev
    Redirect Permanent / https://forum.phantasy.dev/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =forum.phantasy.dev
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
 
<VirtualHost *:443>
    ServerName forum.phantasy.dev
    DocumentRoot /var/www/phpbb
 
    <Directory /var/www/phpbb>
        <IfModule mod_php5.c>
            php_flag register_globals off
        </IfModule>
 
        Options +FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>
     
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/forum.phantasy.dev/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.phantasy.dev/privkey.pem
</VirtualHost>

Any attempt to visit forum.phantasy.dev will time out. My assumption is that it's because the cert just isn't working and .dev domains force HTTPS. I can pull up the Apache landing page via the IP just fine.

I'm not sure if I'm getting shoved into some sort of redirect loop or what.

You're incorrect in your assumption. Timeouts are usually caused by a firewall or a missing NAT portmap.

HTTPS uses port 443 while HTTP uses port 80. Your port 80 is open, as is SSH port 22, but port 443 simply isn't opened in one or more firewalls and/or has a missing NAT portmap.

A certificate itself will NOT cause timeouts. Therefore:

Renewing and replacing a perfectly fine certificate is NOT the solution to your problem. And even if certificates could cause a timeout, it's not like Let's Encrypt is issuing bad certificates just once in a while which could be fixed by issuing a new one. If that were to be the case, this Community would have been flooded with new threads in just a few minutes, seeing Let's Encrypt issues about 5 million certs daily. If even a small percentage of those certs were somehow "broken", it would affect a lot of people, not just you.

2 Likes

This basically told me what I needed to know. On initial setup of apache2 I had enabled UFW and even made sure to allow OpenSSH through ahead of time so I wouldn't lock myself out; it didn't occur to me to go back and ensure that SSL would be fine. A quick sudo ufw allow 443 and I can get through now.

It's been years since I touched any of this. I used to not have to deal with SSL, and made the mistake of grabbing a .dev domain, which requires that I have it set up as it gets redirected to HTTPS. Too used to doing everything through Docker containers where apache2/nginx and Let's Encrypt are ready to go out of the box.
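The mismatch behind this thread (Apache has a VirtualHost on 443, but ufw admits only OpenSSH and port 80) can be checked mechanically by comparing VirtualHost ports with the ufw rule table. This is an added example, not part of the original posts; the `ufw status` text is constructed to match the setup described, and the profile table assumes the ufw application profiles shipped by Ubuntu's apache2 and openssh-server packages.

```python
import re

# Constructed `ufw status` output matching the setup described in the thread.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
"""
# VirtualHost lines taken from the Apache config posted above.
APACHE_CONF = "<VirtualHost *:80>\n</VirtualHost>\n<VirtualHost *:443>\n</VirtualHost>\n"
# Assumption: ufw application profiles as shipped by Ubuntu's apache2 and openssh-server.
APP_PROFILES = {"Apache": {80}, "Apache Secure": {443}, "Apache Full": {80, 443}, "OpenSSH": {22}}


def allowed_tcp_ports(ufw_status):
    """Return the TCP ports ufw accepts from anywhere, or None if ufw is inactive."""
    if "Status: active" not in ufw_status:
        return None
    ports = set()
    for line in ufw_status.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # To / Action / From columns
        if len(cols) != 3 or cols[1] not in ("ALLOW", "ALLOW IN"):
            continue
        if not cols[2].startswith("Anywhere"):  # source-restricted rules are not public
            continue
        target = cols[0].replace(" (v6)", "")
        if target in APP_PROFILES:
            ports |= APP_PROFILES[target]
            continue
        spec, _, proto = target.partition("/")
        if proto == "udp":
            continue
        for part in spec.split(","):  # handles "443", "80,443/tcp", "8000:8100/tcp"
            lo, _, hi = part.partition(":")
            if lo.isdigit() and (hi.isdigit() or not hi):
                ports |= set(range(int(lo), int(hi or lo) + 1))
    return ports


def blocked_vhost_ports(apache_conf, ufw_status):
    """Ports Apache has a VirtualHost on that ufw does not admit (connections time out)."""
    vhost_ports = {int(p) for p in re.findall(r"<VirtualHost\s+[^>]*?:(\d+)\s*>", apache_conf)}
    allowed = allowed_tcp_ports(ufw_status)
    return [] if allowed is None else sorted(vhost_ports - allowed)


if __name__ == "__main__":
    print("VirtualHost ports blocked by ufw:", blocked_vhost_ports(APACHE_CONF, UFW_STATUS))
```

On a live host, pass in the real output of `sudo ufw status` and the contents of the enabled site files instead of the constructed strings.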