Not able to get to website

We self-host our website. It is behind a firewall. We have our domain pointed to the firewall. We NAT so that traffic to the domain goes to the web server. We installed certbot and successfully installed the certificates. However, we could no longer get to our WordPress website. It is now directing to an IIS7 server which used to host our website. Even after running the certbot delete, we still cannot get to our website. Here is an audit trail:

root@debian-lamp:/home/jetpack# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): ************ (email address removed)


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?


1: mcjcohio.org
2: www.mcjcohio.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for mcjcohio.org and www.mcjcohio.org
Performing the following challenges:
http-01 challenge for mcjcohio.org
http-01 challenge for www.mcjcohio.org
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf


Congratulations! You have successfully enabled https://mcjcohio.org and
https://www.mcjcohio.org


Subscribe to the EFF mailing list (email: brian.buttrey@mcjcohio.org).

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mcjcohio.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mcjcohio.org/privkey.pem
    Your certificate will expire on 2021-08-12. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@debian-lamp:/home/jetpack# service apache2 stop
root@debian-lamp:/home/jetpack# service apache2 start
root@debian-lamp:/home/jetpack# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: mcjcohio.org
2: www.mcjcohio.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.
root@debian-lamp:/home/jetpack# certbot delete
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?


1: mcjcohio.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1


The following certificate(s) are selected for deletion:

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: y
Deleted all files relating to certificate mcjcohio.org.
root@debian-lamp:/home/jetpack# service apache2 restart

My domain is: mcjcohio.org

I ran this command: certbot --apache

It produced this output: We are now unable to access our website

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.15.0

Hi @brianbuttrey, and welcome to the LE community forum

You would do us all well to show the output of:
history

Instead of whatever was shown above.
Until then, and presuming what is shown above is in top-down chronological order, then these commands were executed in this order:

root@debian-lamp:/home/jetpack# certbot --apache
root@debian-lamp:/home/jetpack# service apache2 stop
root@debian-lamp:/home/jetpack# service apache2 start
root@debian-lamp:/home/jetpack# certbot
root@debian-lamp:/home/jetpack# certbot delete
root@debian-lamp:/home/jetpack# service apache2 restart

From which and from your stated problem I can only say:
certbot delete does not undo any changes made by certbot --apache
[It can actually make matters worse.]

Please show the output of:
certbot certificates
apachectl -S


root@debian-lamp:/home/jetpack# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


root@debian-lamp:/home/jetpack# ^C
root@debian-lamp:/home/jetpack# apachectl -S
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
root@debian-lamp:/home/jetpack#

19 apt install snapd
20 apt get-update install snapd
21 apt-get install snapd
22 apt update
23 apt list --upgradeable
24 apt install snapd
25 uptime
26 clear
27 get-app install snapd
28 apt-get install snapd
29 sudo snap install core; sudo snap refresh core
30 sudo snap install core;
31 sudo apt update
32 apt install snapd
33 apt install snap*
34 apt install snapd*
35 uname -a
36 apt update
37 apt upgrade
38 apt install snapd
39 lear
40 clear
41 lsb_release -a
42 apt-get install snapd
43 vi /etc/apt/sources.list
44 vi /etc/apt/sources.list
45 apt update
46 apt upgrade
47 apt install snapd
48 snap install core
49 sanp refresh core
50 snap refresh core
51 remove certbot
52 apt remove certbot
53 snap install --classic certbot
54 ln -s /snap/bin/certbot /usr/bin/certbot
55 certbot --apache
56 service apache2 stop
57 service apache2 start
58 certbot
59 certbot delete
60 service apache2 restart
61 certbot delte
62 certbot delete
63 certbot certificates
64 certbot revoke
65 cerbot revoke --.mcjcohio.org
66 service apache2 stop
67 service apache2 start
68 certbot --version
69 cd /etc/apache2/sites-available/
70 ls
71 del .
72 delete .
73 rm /etc/apache2/sites-available/

74 ls
75 rm /etc/letsencrypt/live/mcjcohio.org/*
76 cd /etc/letsencrypt
77 ls
78 rm /etc/letsencrypt/*
79 rm -r /etc/letsencript/*
80 rm -r /etc/letsencrypt/*
81 cd /etc/apache2/sites-available
82 ls
83 exit
84 certbot certificates
85 apachectl -S
86 history
root@debian-lamp:/home/jetpack#

Please stop deleting perfectly fine certificates. They by themselves are not the issue here.

It's probably something as simple as an incorrect portmap: is your port 443 (HTTPS) correctly portmapped in your firewall/router? Or is it by any chance still pointing to your IIS server?

I'm guessing previously you only had a HTTP website on port 80. No HTTPS, so no port 443 used. After getting a certificate successfully, certbot installed a HTTP to HTTPS redirect. But because your portmap was incorrect, it ended up redirecting to a whole different server.

Please double-check if the scenario I guessed above is correct or not.

In any case, as said, the certificates by themselves CANNOT cause such an issue. It has to be some kind of configuration problem, either Apache or firewall/router. So STOP deleting and re-issuing perfectly fine certificates. That will only lead to extra load on the Let's Encrypt systems and can lead to you running into rate limits.


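The scenario guessed in the reply above (port 80 forwarded to Apache, port 443 still forwarded to the IIS server) can be confirmed by comparing the response headers seen on both ports from outside the firewall. The shell script below is an added example, not part of the original thread or of Certbot; the sample headers, `example.org`, and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Compare the HTTP (port 80) and HTTPS (port 443) response headers for one
# hostname to see whether both ports reach the same backend server.

# Constructed sample headers, modelled on the situation in this thread.
# On a live system, capture them from outside the firewall, e.g.
#   curl -sI http://example.org/    and    curl -skI https://example.org/
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.38 (Debian)
Location: https://example.org/'

SAMPLE_HTTPS='HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET'

# header_value NAME HEADERS -> value of the first matching header (case-insensitive)
header_value() {
  printf '%s\n' "$2" | tr -d '\r' |
    awk -v name="$1" 'BEGIN { n = tolower(name) ":" }
      tolower(substr($0, 1, length(n))) == n {
        v = substr($0, length(n) + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# server_product HEADERS -> Server header without version, e.g. "Apache"
server_product() {
  header_value Server "$1" | sed 's|[/ ].*||'
}

# diagnose HTTP_HEADERS HTTPS_HEADERS -> one-word verdict on stdout
diagnose() {
  local http_srv https_srv location
  http_srv=$(server_product "$1")
  https_srv=$(server_product "$2")
  location=$(header_value Location "$1")
  if [ -z "$http_srv" ] || [ -z "$https_srv" ]; then
    echo "unknown"                  # a Server header is missing; cannot compare
  elif [ "$http_srv" != "$https_srv" ]; then
    case "$location" in
      https://*) echo "redirect-to-other-backend" ;;  # the failure in this thread
      *)         echo "backend-mismatch" ;;
    esac
  else
    echo "same-backend"
  fi
}

diagnose "$SAMPLE_HTTP" "$SAMPLE_HTTPS"
```

A verdict of `redirect-to-other-backend` means the fix belongs in the firewall's port 443 forwarding rule, not in the certificate.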
Thank you. I apologize as I'm not normally a Unix user and panicked. Anyway, we're now speculating it is because any 443 traffic coming into our firewall is directed to the IIS server. We're working on a way to redirect different 443 traffic to the appropriate end points.

So, that begs the next question. Can I re-run the certbot --apache to re-install the certificates or should I do something else to re-establish the SSL/certificates? Again, my apologies.


If you've deleted all the contents of the entire /etc/letsencrypt/, there's nothing left to re-install. You'd re-issue a brand new certificate from Let's Encrypt. Depending on how many times you've deleted everything and re-issued a certificate already, it might work or issuance is blocked due to a rate limit.

By the way, this has nothing to do with Unix vs. Windows, this is mainly due to a lack of understanding of how Let's Encrypt works and basic debugging skills.
