Ookla Https only on ports 8080 and 5060, not 443

My Ookla server is litening on ports 8080 and 5060 via https successfully, but i get a cert error on port 443. the Ookla server tester says it fails to get local certificate issuer. I have tried reinstalling the cert with certbot delete and certbot --apache to no avail. I thnk my key is messed up for some reasone. Is there a way to have Let’s Encrypt totally erase my key and everything on their end and start over? My server died and I had to rebuild, so I think it’s missing a link somewhere because the chain was broken with the server rebuild.

My domain is: speedtest.waveruralconnect.com

I ran this command: certbot --apache

It produced this output: created a new cert and then I restarted httpd and ooklaserver.sh

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): Centos 7.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

Hi @jwhitten3,

There's no reason that having Let's Encrypt delete or invalidate this certificate would be of any benefit to you. The problem you're having isn't with the certificate itself, but only with your server configuration. Deleting or revoking a certificate on the CA site isn't necessary or useful for issuing subsequent certificates, since you're allowed to have multiple valid certificates covering the same domain names at the same time.

If that were so, you wouldn't be able to use the certificate on any port!

What you're seeing here is that the server on port 443 is not using your Let's Encrypt certificate at all, but rather a different test certificate. All that should be necessary is to change your web server configuration so that it also uses the Let's Encrypt certificate for the port 443 HTTPS service, just as it does on the other ports.

You could try something like sudo apachectl -t -D DUMP_VHOSTS to see where each certificate in your Apache configuration is being referenced within your Apache configuration.

1 Like

Thank you for the information. I will look at my httpd.conf port 443 config and see where it is pointing. Thank you,

Jake Whitten
Network Coordinator
WAVE Rural Connect, LLC.

1-479-213-2408

1 Like

I was able to find a spot in my config that was using another default cert. now I can go to http(s)://speedtest.waveruralconnect.com:8080/5060 successfully. However, I am still getting a fail via https with the Ookla server tester.

image001.jpg

image002.jpg

1 Like

The situation on your site has changed—now port 443 works properly with regard to the certificate but simply doesn’t show the site content. (If you tested it in your browser before, you might need to quit and restart your browser in order to accurately see the current server behavior.)

1 Like

Oh yes, I forgot to add that info. I made a “blank” index.html page so that it didn’t show the default Apache homepage. I can change it to something simple so people will know that the site is working.

Jake Whitten
Network Coordinator
WAVE Rural Connect, LLC.

1-479-213-2408

1 Like

Also, I just resubmitted to Ookla for https approval. Fingers crossed! Thank you for your help.

Jake Whitten
Network Coordinator
WAVE Rural Connect, LLC.

1-479-213-2408

Hi @jwhitten3

checking your site there is a small error - https://check-your-website.server-daten.de/?q=speedtest.waveruralconnect.com

Other speedtest users had the same problem and had to fix it.

Good: You have a correct certificate

CN=speedtest.waveruralconnect.com
	15.08.2019
	13.11.2019
expires in 85 days	speedtest.waveruralconnect.com - 1 entry

your standard url uses that certificate

Domainname Http-Status redirect Sec. G
http://speedtest.waveruralconnect.com/
170.176.224.5 200 0.320 H
https://speedtest.waveruralconnect.com/
170.176.224.5 200 4.244 B
http://speedtest.waveruralconnect.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
170.176.224.5 404 0.320 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

But your connections:

The wrong ip connection isn't a problem, ignore it.

But the chain of your port 8080 is incomplete. There is the intermediate certificate missing.

Use fullchain.pem instead of cert.pem. fullchain.pem contains both certificates - your own certificate and the Letsencrypt intermediate certificate.

1 Like

So if I’m understsnding correctly, I need to reference fullchain.pem where I am referencing cert.pem? I will make that change, restart web services and test again today.

Jake Whitten
Network Coordinator
WAVE Rural Connect, LLC.

1-479-213-2408

2 Likes

That worked like a champ! I had a few minutes Bierce leaving for work to make the change in ooklaserver.properties file and restarted the ooklaserver daemon. I am now passing the ookla tester in all categories. Thanks again!

Jake Whitten
Network Coordinator
WAVE Rural Connect, LLC.

1-479-213-2408

2 Likes

Yep, now it works.

The chain of port 8080 is complete.

PS: Ookla speedtest works with one port. That port supports both protocols.

http://speedtest.waveruralconnect.com:8080/
https://speedtest.waveruralconnect.com:8080/
1 Like

Wow, I don’t think I’ve ever seen that work with HTTP and HTTPS in any other server software!

2 Likes

Well they said at Ookla that certbot uses port 80 to renew the cert, so that’s why I have it open.

Jake Whitten
Network Coordinator

WAVE Rural Connect

1-479-213-2408

1 Like

VestaCP / Port 8083 uses the same idea.

One sample - a subdomain with a correct certificate:

One port, both protocols are working.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.