Redirected to an unreachable https webpage (timeout)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: multital.inalco.fr

Since I ran sudo certbot --apache, the http page is redirected to https, but the page fails due to a timeout.

Also:

Produced this output:

Assessment failed: Unable to connect to the server

I also checked https://check-your-website.server-daten.de/?q=multital.inalco.fr

And I found no mention of port 443 anywhere, only 8443:

|Domain|IP|Port|Cert.|
|---|---|---|---|
|multital.inalco.fr|multital.inalco.fr|8443|name does not match|
|193.51.82.102|193.51.82.102|8443|name does not match|

I read several discussions in the community related to my problem, but I didn't manage to find a solution.

My web server is (include version): apache2

The operating system my web server runs on is (include version): centos 7

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Here is the http config file:

<VirtualHost *:80>
    ServerName multital_wsgi

    # WSGIDaemonProcess main user=adrien group=adrien python-eggs=/var/www/multital_env/python_egg_cache  python-path=/var/www/multital_env/lib/python2.7/site-packages processes=3 threads=5

    #WSGIDaemonProcess store user=adrien group=adrien python-eggs=/var/www/multital_env/python_egg_cache  python-path=/var/www/multital_env/lib/python2.7/site-packages processes=3 threads=5 

    WSGIApplicationGroup %{GLOBAL}
    WSGIProcessGroup main

    WSGIScriptAlias / /var/www/multital_env/multital/wsgi/app.wsgi

    <Location /store>
    WSGIProcessGroup store
    </Location>

    #allow access to directory where .wsgi script is found
    <Directory /var/www/multital_env/multital/wsgi>
    Require all granted
    </Directory>

    #Serve static files directly without TurboGears
    Alias /img /var/www/multital_env/multital/multital/public/img
    Alias /css /var/www/multital_env/multital/multital/public/css
    Alias /javascript /var/www/multital_env/multital/multital/public/javascript
    Alias /fonts /var/www/multital_env/multital/multital/public/fonts
    Alias /readme /home/adrien/multital_readme_html
    Alias /medias /home/adrien/multital_medias

    <Directory /home/adrien/multital_readme_html>
    Options FollowSymLinks
    Require all granted
    </Directory>

    <Directory /home/adrien/multital_medias>
    Options FollowSymLinks
    Require all granted
    </Directory>

    CustomLog logs/multital-access_log combined
    ErrorLog logs/multital-error_log

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =multital.inalco.fr [OR]
    RewriteCond %{SERVER_NAME} =multital_wsgi
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And the https config file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName multital_wsgi

    WSGIDaemonProcess main user=adrien group=adrien python-eggs=/var/www/multital_env/python_egg_cache  python-path=/var/www/multital_env/lib/python2.7/site-packages processes=3 threads=5

    WSGIDaemonProcess store user=adrien group=adrien python-eggs=/var/www/multital_env/python_egg_cache  python-path=/var/www/multital_env/lib/python2.7/site-packages processes=3 threads=5

    WSGIApplicationGroup %{GLOBAL}
    WSGIProcessGroup main

    WSGIScriptAlias / /var/www/multital_env/multital/wsgi/app.wsgi

    <Location /store>
    WSGIProcessGroup store
    </Location>

    #allow access to directory where .wsgi script is found
    <Directory /var/www/multital_env/multital/wsgi>
    Require all granted
    </Directory>

    #Serve static files directly without TurboGears
    Alias /img /var/www/multital_env/multital/multital/public/img
    Alias /css /var/www/multital_env/multital/multital/public/css
    Alias /javascript /var/www/multital_env/multital/multital/public/javascript
    Alias /fonts /var/www/multital_env/multital/multital/public/fonts
    Alias /readme /home/adrien/multital_readme_html
    Alias /medias /home/adrien/multital_medias

    <Directory /home/adrien/multital_readme_html>
    Options FollowSymLinks
    Require all granted
    </Directory>

    <Directory /home/adrien/multital_medias>
    Options FollowSymLinks
    Require all granted
    </Directory>

    ServerAlias multital.inalco.fr

    SSLCertificateFile /etc/letsencrypt/live/multital.inalco.fr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/multital.inalco.fr/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/multital.inalco.fr/chain.pem
</VirtualHost>
</IfModule>

Best regards


Hi and welcome to the LE community!

It seems that either:

  • port 443 is not actually listening
    check that with:
    netstat -pant | grep -i listen
  • port 443 is being blocked by firewall rule

Port 8443 is listening, but HTTP forwards to HTTPS (port 443), so 443 must be used, or else don't forward the challenge requests and handle them over HTTP:

curl -Iki multital.inalco.fr
HTTP/1.1 301 Moved Permanently
Date: Sun, 25 Oct 2020 22:50:10 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Location: https://multital.inalco.fr/
Content-Type: text/html; charset=iso-8859-1

READERS: Get involved. Be heard. Do your part, it starts with: If you read something you like; then like it :heart: !


Hi and thanks for your quick answer.

Port 443 seems to be listening (see below). How could I check whether the problem comes from a firewall rule?

$ netstat -pant | grep -i listen
(Pas d'infos lues pour "-p": geteuid()=1000 mais vous devez être root.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:5432 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN


Do you have a firewall?



I had not noticed this before, and it is well worth mentioning now.

Port 80 is being served by APACHE:

curl -Iki http://multital.inalco.fr/
HTTP/1.1 200 OK
Date: Mon, 26 Oct 2020 08:07:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Pragma: no-cache
Cache-Control: no-cache
Set-cookie: multital=ad1b90ca4e56e7c3a5229532365fa444e6ece781eJx1zE0KhDAMQOGrSNYypH+p8TIlrVUKo4J2J959Ou7dv+9dEMoEYwfRoBos+llZYwW9MCL7IZIj7Zki9B0ESSmfZ55CLWtuShEaYibjPqgda9eiuoSvbMv/OR+PSkeWWvbtTdn7B0seI7I=; Path=/
Content-Length: 153724
Content-Type: text/html; charset=utf-8

Port 8443 is being served by NGINX

curl -Iki https://multital.inalco.fr:8443/
HTTP/2 200
server: nginx
date: Mon, 26 Oct 2020 08:07:55 GMT
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
last-modified: Mon, 26 Oct 2020 08:07:55 GMT
set-cookie: PHPSESSID=47b8ef88f875194a91ca0567af133827; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
strict-transport-security: max-age=31536000
x-content-type-options: nosniff

So the listener on port 443 may not be Apache...
Or there are some creative NAT rules / port forwarding going on...

Please show:

sudo ps -ef | grep -Ei 'apache|nginx'



I used apache for the certbot/letsencrypt procedure. I don't have nginx installed on my server.

Below is the output of $ sudo ps -ef | grep -Ei 'apache|nginx'

apache 15940 15793 0 08:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 16622 15793 0 08:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 16623 15793 0 08:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 16625 15793 0 08:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17163 15793 0 08:58 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17776 15793 0 09:21 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17777 15793 0 09:21 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17778 15793 0 09:21 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17779 15793 0 09:21 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 17780 15793 0 09:21 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
adrien 24174 24146 0 13:32 pts/0 00:00:00 grep --color=auto -Ei apache|nginx


And yet nginx is still heard responding (as shown above) for port 8443:

curl -Iki https://multital.inalco.fr:8443/
HTTP/2 200
server: nginx
date: Mon, 26 Oct 2020 15:54:48 GMT
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
last-modified: Mon, 26 Oct 2020 15:54:48 GMT
set-cookie: PHPSESSID=1ac67110558e42def8cd4c435a223f45; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
strict-transport-security: max-age=31536000
x-content-type-options: nosniff

I repeat myself here:

READERS: Get involved. Be heard. Do your part, it starts with: If you read something you like; then like it :heart: !


Honestly, I can't say whether there are some creative NAT rules / port forwarding going on. Do you have any idea how I could check that?

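One way to turn the checks traded in this thread (the local listener table from netstat, an external probe of :443 and :8443, and who actually answers) into a single triage script. This is an added example, not code from the thread, from Certbot or from the poster's server; the netstat sample is constructed from the output posted above, and the host name is only used by the optional live probe.

```python
"""Triage for the symptom in this thread: a :443 listener locally, external
HTTPS that times out, and :8443 answered by nginx. Added example, not from
the thread, Certbot or the poster's server."""
import re
import socket
import ssl

# Constructed sample in the shape of the netstat output posted above.
SAMPLE_NETSTAT = """\
(Pas d'infos lues pour "-p": geteuid()=1000 mais vous devez être root.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN
"""
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(netstat_output):
    """Map each LISTEN port to the addresses it is bound on; lines that are
    not socket rows (e.g. the geteuid() warning) are skipped."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports

def probe(host, port, timeout=5.0):
    """Live check (needs network): TLS-connect, send HEAD /, return the Server
    header ("" if absent) or None if nothing answers; cert checks are off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want to see who answers, not trust it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                head = tls.recv(4096).decode("latin-1")
    except OSError:  # timeout, refused, TLS failure (SSLError is an OSError)
        return None
    m = re.search(r"^server:\s*(.*?)\r?$", head, re.I | re.M)
    return m.group(1) if m else ""

def classify(listeners, port, external_server):
    """Verdict from the local listener table plus the external probe result."""
    listening = port in listeners
    if external_server is None:
        return "blocked-upstream" if listening else "not-listening"
    if not listening or "apache" not in external_server.lower():
        return "answered-by-other-host"  # NAT/port-forward ends elsewhere
    return "reachable"
```

Run classify(local, 443, probe("multital.inalco.fr", 443)) from outside the network: a local :443 listener together with None from the probe points at a firewall or NAT rule, while an nginx banner on :8443 with no local listener means another device answers for that port.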

Hi @dsadoun

open that url - https://multital.inalco.fr:8443/

There is a pfSense with a warning:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.

So your router interface answers.

