Reverse Proxy of Apache on Centos TLS handshake fail or time out

#1

Dear LE’s community,
I installed Let's Encrypt using `certbot --apache` on a CentOS 7 machine, for reverse proxying to a backend server on the same machine.

The certificate was generated successfully (with the "always redirect to https" option). Virtual hosts are defined, but when I visit from my browser (Mozilla Firefox as well as Chrome) it always fails, takes a very long time on the TLS handshake, and then gives me this error message:

"Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."

on Chrome:
" This site can’t be reached

ptkib.id took too long to respond.

Try:

ERR_TIMED_OUT"

Please, can anyone help? What is really causing this problem?

I can restart the httpd daemon without error.

Waiting for kind help. Thank you,

Bun Hin

#2

Hi @Bun

is this your domain name? If yes, first, there are Cloudflare ip addresses ( https://check-your-website.server-daten.de/?q=ptkib.id ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| ptkib.id | A | 104.28.30.153 | yes | 1 | 0 |
| | A | 104.28.31.153 | yes | 1 | 0 |
| | AAAA | 2606:4700:30::681c:1e99 | yes | | |
| | AAAA | 2606:4700:30::681c:1f99 | yes | | |
| www.ptkib.id | A | 104.28.30.153 | yes | 1 | 0 |
| | A | 104.28.31.153 | yes | 1 | 0 |
| | AAAA | 2606:4700:30::681c:1e99 | yes | | |
| | AAAA | 2606:4700:30::681c:1f99 | yes | | |

To fix the problem it’s normally easier if you first remove Cloudflare, fix the problem, then add Cloudflare again.

Second, there are loops:

| | Domainname | IP-Address | Http-Status | redirect | Note |
|---|---|---|---|---|---|
| L | https://ptkib.id/ | 104.28.30.153 | 301 | https://ptkib.id/ | Error direct loop |
| L | https://ptkib.id/ | 104.28.31.153 | 301 | https://ptkib.id/ | Error direct loop |
| L | https://ptkib.id/ | 2606:4700:30::681c:1e99 | 301 | https://ptkib.id/ | Error direct loop |
| L | https://ptkib.id/ | 2606:4700:30::681c:1f99 | 301 | https://ptkib.id/ | Error direct loop |
| L | https://www.ptkib.id/ | 104.28.30.153 | 301 | https://www.ptkib.id/ | Error direct loop |
| L | https://www.ptkib.id/ | 104.28.31.153 | 301 | https://www.ptkib.id/ | Error direct loop |
| L | https://www.ptkib.id/ | 2606:4700:30::681c:1e99 | 301 | https://www.ptkib.id/ | Error direct loop |
| L | https://www.ptkib.id/ | 2606:4700:30::681c:1f99 | 301 | https://www.ptkib.id/ | Error direct loop |

So it’s impossible to use that site.

#3

Hi @JuergenAuer,

Thank you for your help and information. I will suspend the Cloudflare NS, then recheck my virtual host config; I don't have a clue yet why it gets those kinds of redirects. Maybe because I created the certificate both for ptkib.id as well as the alias www.ptkib.id, is it so?

I have deactivated all redirects to https. And I can reach the server (the Apache sample page is displayed), but if I use https to connect I get the same problem.

#4

There is a new check of your domain - https://check-your-website.server-daten.de/?q=ptkib.id

http and http + /.well-known/acme-challenge work, https has a timeout:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|---|
| http://ptkib.id/ | 36.89.38.225 | 403 | | 0.444 | M | Forbidden |
| http://www.ptkib.id/ | 36.89.38.225 | 403 | | 0.403 | M | Forbidden |
| https://ptkib.id/ | 36.89.38.225 | -14 | | 10.030 | T | Timeout - The operation has timed out |
| https://www.ptkib.id/ | 36.89.38.225 | -14 | | 10.026 | T | Timeout - The operation has timed out |
| http://ptkib.id/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 36.89.38.225 | 404 | | 0.427 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |
| http://www.ptkib.id/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 36.89.38.225 | 404 | | 0.393 | A | Not Found |

Checking your ip address directly - https://check-your-website.server-daten.de/?q=36.89.38.225

The same picture: http works, https does not:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|---|
| http://36.89.38.225/ | 36.89.38.225 | 403 | | 0.406 | M | Forbidden |
| https://36.89.38.225/ | 36.89.38.225 | -14 | | 10.027 | T | Timeout - The operation has timed out |
| http://36.89.38.225/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 36.89.38.225 | 404 | | 0.423 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |

But I can’t see: Is this a firewall? Or isn’t https configured?

What do these say?

```
apachectl configtest
apachectl fullstatus
apachectl -S
```

#5

`apachectl configtest` says syntax OK.
`apachectl -$` then displays nothing.

The virtual server for https is configured, but I didn't create any folder under /var/www/html for the domain.

I suspect the folder and file permissions for the letsencrypt directory, but I'm not sure (is it not configured correctly by `certbot --apache`?).

At that moment the letsencrypt folder is owned by root, group root, accessible and readable by root.

For a test I just created the index.html file; it is OK for http, but does not work for https.

#6

It’s apachectl -S - not $. That shows your vHosts.

#7

`apachectl -S` displays nothing.

Actually I just configured one domain here: 1 http, 1 https, then tested letsencrypt.

Do I need to touch or modify the folder and file permissions that were generated by certbot?

#8

Then you don’t have correct vHosts, so Certbot may not know how to configure your https.

#9
```apache
<VirtualHost *:443>
    # Opening tag was not included in the original paste (see post #11)
    ServerAdmin xxxxxx@yyyyyy.com
    ServerName ptkib.id
    ServerAlias www.ptkib.id
    DocumentRoot /var/www/html/ptkib.id/public_html

    <Directory /var/www/html/ptkib.id/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/ptkib.id.error.log
    LogLevel debug
    CustomLog /var/log/httpd/ptkib.id.access.log combined

    ProxyRequests Off

    Include /etc/letsencrypt/options-ssl-apache.conf

    SSLEngine on

    #SSLProtocol all -SSLv2 -SSLv3
    # This line is truncated in the original paste (trailing "$"); it is overridden by the SSLCipherSuite below anyway
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA$
    #SSLHonorCipherOrder on

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On

    SSLCertificateFile /etc/letsencrypt/live/ptkib.id/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ptkib.id/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/ptkib.id/chain.pem

    # HSTS (optional)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

    Header always set X-Frame-Options DENY

    # Prevent MIME based attacks
    Header set X-Content-Type-Options "nosniff"

    <Location "/" >
        Order deny,allow
        Deny from all
        Allow from all
    </Location>

    # Tell the backend the original request came in over https
    RequestHeader set "X-Forwarded-Proto" "https"

    SetEnv proxy-nokeepalive 1

    ProxyPass / http://127.0.0.1:xxxx/
    ProxyPassReverse / http://127.0.0.1:xxxx/

    ProxyErrorOverride off

    TransferLog /var/log/httpd/transfer.ptkib.id.log

    # Fix IE problem (httpapache proxy dav error 408/409)
    SetEnv proxy-nokeepalive 1
</VirtualHost>
```

Apache did not complain with `apachectl configtest`, and it restarted OK too,
so I believe the virtual host syntax is OK.

#10

Where is there a listen directive? A port?

```apache
<VirtualHost *:443>

</VirtualHost>
```

Does https work internally: `curl https://yourdomain`?
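The three questions raised in this thread (is anything bound on 443, does a handshake succeed on the box itself, is the firewall passing https) can be separated in one pass. This is an added helper script, not from the thread, Certbot or Apache; it assumes CentOS 7 with firewalld, `ss` and `curl` installed, and `DOMAIN` is a placeholder you set yourself.

```shell
#!/bin/sh
# Added example: tell apart "nothing listening on 443", "TLS config broken on
# the host" and "firewall drops 443" when http works but https times out.
# Assumes CentOS 7 with firewalld, iproute (ss) and curl; DOMAIN is a placeholder.
DOMAIN="${DOMAIN:-example.invalid}"

# port_listening PORT: read `ss -ltn` output on stdin, succeed if PORT is bound.
# Matches "*:443", "0.0.0.0:443" and ":::443" but not ":4430".
port_listening() {
    grep -E "^LISTEN.*[:.]$1[[:space:]]" >/dev/null
}

# diagnose LISTENING LOCAL_HANDSHAKE FIREWALL_ALLOWS (each yes|no) -> one verdict token.
diagnose() {
    if [ "$1" != yes ]; then
        echo no-listener   # no Listen 443 / no *:443 vhost: apachectl -S will not show one
    elif [ "$2" != yes ]; then
        echo tls-config    # 443 is bound but the local handshake fails: check SSL* directives
    elif [ "$3" != yes ]; then
        echo firewall      # https works on the box itself: firewalld is not passing 443
    else
        echo path          # host and firewall are fine: look at DNS/Cloudflare/the proxy backend
    fi
}

# Live run on the server itself: DOMAIN=ptkib.id sh diag.sh --live
run_live() {
    listening=no; local_ok=no; fw=no
    ss -ltn | port_listening 443 && listening=yes
    # -k: for a self-check we ignore chain/name problems, we only want a completed handshake
    curl -sk --max-time 5 -o /dev/null --resolve "$DOMAIN:443:127.0.0.1" \
        "https://$DOMAIN/" && local_ok=yes
    firewall-cmd --list-services 2>/dev/null | grep -qw https && fw=yes
    echo "listening=$listening local_handshake=$local_ok firewall_https=$fw"
    echo "verdict: $(diagnose "$listening" "$local_ok" "$fw")"
    apachectl -S 2>&1 | grep -E 'port 443|\*:443' || echo "apachectl -S shows no *:443 vhost"
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

If the verdict is `firewall`, `firewall-cmd --permanent --add-service=https` followed by `firewall-cmd --reload` opens 443 on CentOS 7; if it is `no-listener`, mod_ssl (`/etc/httpd/conf.d/ssl.conf`) or the `Listen 443` directive is missing.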

#11

The port is there.

```apache
<VirtualHost *:443>
.... ....
</VirtualHost>
```

It is there, I just did not copy it.

#12

I have 2 letsencrypt installations on different machines, both using certbot apache. On the one that is running, the folder and file permissions are less restrictive compared to the one that is still not able to connect.

Of course I can make them the same, but maybe it will create a severe security issue.

Which is the correct and best way to keep, or to go?

The folders that differ in permission:
csr folder 750 vs 755
renewal folder 750 vs 755
renewal-hooks folder 750 vs 755

Inside the folders there are also different permissions:
inside the renewal folder, the conf file is 640 vs 644
inside renewal-hooks there are 3 folders 750 vs 755 (but all still empty on both)

The interesting one is inside the "live" folder:
inside it, the folder for the domain is 750 vs 755
inside the domain folder all files are symlinks to the archive folder of the respective domain, 777 vs 777

Inside the archive folder, the "domain" folder has the cert, chain, fullchain and privkey files.

The difference is in privkey.pem 600 vs 644 (the others are the same, 644).

#13

Hi @JuergenAuer,

I still have not reached any solution. Do you have any alternatives to make letsencrypt run on CentOS 7 with Apache? I am sorry to bother you more.

thanks

#14

I don’t understand your proxy setup.

Perhaps you should use a setup without a proxy.

#15

Hi again @JuergenAuer,
I already set up the server without the proxy; it is turned off already.

I also already tried to delete the vhost for 443 and only have the one for port 80, then let certbot generate the vhost for 443.

Still the same problem.

#16

Hi @JuergenAuer

Here is the vhost:

```apache
ServerAdmin xxxxx@yyyyy.zzz
ServerName www.ptkib.id
ServerAlias ptkib.id
DocumentRoot /var/www/ptkib.id/public_html

<Directory /var/www/ptkib.id/public_html>
    Options -Indexes +FollowSymLinks
    AllowOverride All
</Directory>

<IfModule mod_rewrite.c>
    RewriteEngine On

</IfModule>

<Location "/" >
    Order deny,allow
    Deny from all
    Allow from all
</Location>

ErrorLog /var/log/httpd/ptkib.id.error.log
LogLevel warn
CustomLog /var/log/httpd/ptkib.id.access.log combined

SSLCertificateFile /etc/letsencrypt/live/ptkib.id/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ptkib.id/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/ptkib.id/chain.pem
```