Secure Connection Failed with Apache behind router

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tvt.pl

I ran this command:
sudo certbot --apache --agree-tos --redirect -m admin@tvt.pl -d tvt.pl -d www.tvt.pl

It produced this output:
Deploying certificate
Successfully deployed certificate for tvt.pl to /etc/apache2/sites-available/tvt.pl-le-ssl.conf
Successfully deployed certificate for www.tvt.pl to /etc/apache2/sites-available/tvt.pl-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://tvt.pl and https://www.tvt.pl

My web server is (include version): Apache/2.4.57 (Debian)

The operating system my web server runs on is (include version):

Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

My hosting provider, if applicable, is: My private server with Comcast ISP

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

I got a Certbot certificate for the domain and all works fine when my Debian server with the Apache web server is connected directly to the cable modem (Comcast provider), but when I connect my Debian server to a router and the router to the cable modem I am not able to reach the tvt.pl domain at all.

All web browsers say: Secure Connection Failed.

I need to say I have set up port 80, 22 and 443 forwarding on my router. My Debian server has a ufw firewall with open ports 80, 22 and 443. All is working when the server is directly connected to the modem, but it does not work when I add my router.

I have spent 3 days working on that and do not have any more ideas about what can be wrong. I will appreciate your help and time.

Have you properly routed port 80 to your server port 80 and port 443 to your server port 443?

If so, can you show us result of this

sudo apache2ctl -t -D DUMP_VHOSTS

UPDATE:
Sorry, just saw your update with more info. It definitely sounds like a routing problem on your site. Just carefully check your router NAT to your server and back. Make sure you maintain the correct ports.

Please add any new info in a fresh reply.


As I presented above, I have set up forwarding of ports 80, 443 and 22 on the router, and below is the ufw firewall with "WWW Full" (ports 80 and 443) and "SSH" (port 22).

I am able to connect to the Debian server via ssh. What else can I try to find the issue?
I appreciate your help and time.

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
SSH                        ALLOW       Anywhere
WWW Full (v6)              ALLOW       Anywhere (v6)
SSH (v6)                   ALLOW       Anywhere (v6)

It has to be something in the router if it all works fine with your server plugged in to your modem.

I don't know how that router works ... do you need to specify 443 in the local port for the https server too?

Is there maybe an admin panel for your router that is stealing port 443?

You could check the firewall section on the router and make sure it's not interfering. Although, it doesn't look like a firewall problem because of the responses.


This is the error when I try to connect either http://tvt.pl or https://tvt.pl

See my post just prior to yours. But, more sample tests are below. It is sometimes difficult to see what happens using browsers.

(good result, redirects)
curl -I http://tvt.pl
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.57 (Debian)
Location: https://tvt.pl/

curl -I https://tvt.pl
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

Thank you MikeMcQ for your help. These are my router settings and all looks ok to me.

curl -I http://tvt.pl redirects all requests to https://tvt.pl,
but why does curl -I https://tvt.pl return "unexpected eof while reading"? Is there something wrong with tvt.pl-le-ssl.conf?

Thank you for information about curl. I am still learning. I appreciate your help.

Here are the results for curl -I http://tvt.pl and curl -I https://tvt.pl

sudo curl -I http://tvt.pl
HTTP/1.1 301 Moved Permanently
Date: Thu, 13 Jul 2023 21:57:42 GMT
Server: Apache/2.4.57 (Debian)
Location: https://tvt.pl/
Content-Type: text/html; charset=iso-8859-1

sudo curl -I https://tvt.pl
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to tvt.pl:443


That's the same error you showed in the browser. HTTPS is broken. I am sure there is a more technical explanation but I don't see it useful here.

You said this all worked with your server plugged into your modem. So, it is unlikely to be an Apache config problem. But,


sudo apache2ctl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server tvt.pl (/etc/apache2/sites-enabled/tvt.pl-le-ssl.conf:2)
         port 443 namevhost tvt.pl (/etc/apache2/sites-enabled/tvt.pl-le-ssl.conf:2)
                 alias www.tvt.pl
         port 443 namevhost xn--dobrywybr-d7a.pl (/etc/apache2/sites-enabled/xn--dobrywybr-d7a.pl-le-ssl.conf:2)
                 alias www.xn--dobrywybr-d7a.pl
*:80                   is a NameVirtualHost
         default server czekoladoweprezenty.pl (/etc/apache2/sites-enabled/czekoladoweprezenty.pl.conf:1)
         port 80 namevhost czekoladoweprezenty.pl (/etc/apache2/sites-enabled/czekoladoweprezenty.pl.conf:1)
                 alias www.czekoladoweprezenty.pl
         port 80 namevhost tvt.pl (/etc/apache2/sites-enabled/tvt.pl.conf:1)
                 alias www.tvt.pl
         port 80 namevhost xn--dobrywybr-d7a.pl (/etc/apache2/sites-enabled/xn--dobrywybr-d7a.pl.conf:1)
                 alias www.xn--dobrywybr-d7a.pl

MikeMcQ, the SSL for the domain tvt.pl was working fine when Apache was connected to the modem directly. It had a different IP. When I connected Apache to the router and the router to the modem, the router got a different IP from the ISP (Comcast). I updated the DNS IP at my DNS provider. Should I generate a new Certbot certificate when the IP is new? Can it be a problem?

I think it might be helpful if I mention that my router is giving the local IP 192.168.1.2 to my Debian server with Apache, and it's static. I have run out of ideas after 3 days :frowning:

No. The cert is not connected to a specific IP in any way.

After your test with server directly to modem did you power off the modem, router, and server, then re-wire your network, and power up modem, router, and server? When changing configs that can be helpful.

I don't see anything odd in your Apache DUMP_VHOSTS. I was looking for an IP specific VirtualHost but don't see that.

This clearly seems like a router issue and nothing to do with Let's Encrypt certs. You should probably try an Asus router forum and review all the docs for your router.

Make sure no other service in the router is using HTTPS for any other reason, as one example.

Maybe some other volunteer will offer help but I have no other ideas. Best of luck to you.


Thank you for the clarification that the new IP does not affect the Certbot certificate.

You mentioned "Make sure no other service in the router is using HTTPS for any other reason". I have Dynamic DNS (DDNS) switch on. Maybe it can be the issue?
I am going to switch it off and will let you know.

Thank you anyway. Have a wonderful day in Florida :slight_smile:


Not a likely problem.
Compare the outputs of:

  • curl ifconfig.io
  • host tvt.pl

Unless you intend to use that name ("whatever.asuscomm.com"), you really don't need it on.
[you already have a domain]

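The two checks suggested in this thread (MikeMcQ's `curl -I` comparison of port 80 against port 443, and rg305's comparison of `curl ifconfig.io` against `host tvt.pl`) can be scripted so that the three possible outcomes on port 443 are told apart on the wire: a TCP reset (nothing listens, or the forward points at a closed port), a silent timeout (dropped by a firewall or no forward at all), and a TCP connection that opens but is closed during the TLS handshake, which is what curl reports as "unexpected eof while reading" / SSL_ERROR_SYSCALL and is the signature of a device that owns the port without speaking TLS. The following is an added example written for this page, not code from the thread or from Certbot. The host name, public address and 5-second timeout are placeholders; the local listener is a stand-in for a misbehaving router so the classification can be exercised without any network.

```python
"""Port-forwarding / TLS reachability probe (added example, not from the thread)."""
import socket
import ssl
import threading

PROBE_TIMEOUT = 5.0  # seconds; assumed value, tune for slow links


def resolve_a_records(name: str) -> set[str]:
    """Every IPv4 address the local resolver returns for `name` (what `host` prints)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def dns_points_here(name: str, public_ip: str) -> bool:
    """True when `name` resolves to the router's current WAN address.

    `public_ip` is what `curl ifconfig.io` printed from behind the router.
    False means stale DNS, which no router or Apache change will fix.
    """
    return public_ip in resolve_a_records(name)


def probe_tls(host: str, port: int = 443, timeout: float = PROBE_TIMEOUT) -> str:
    """Classify what answers on host:port, the way a `curl -I https://` run would.

    "refused"   TCP RST: nothing listens, or the forward targets a closed port
    "timeout"   packets dropped: upstream firewall, or no forward at all
    "tls-eof"   TCP connects, then the peer closes during the handshake:
                something that is not a TLS server owns the port
                (curl: "unexpected eof while reading" / SSL_ERROR_SYSCALL)
    "tls-ok"    a TLS server completed the handshake (certificate not validated)
    other       "tls-error:<reason>" or "net-error:<errno>" for anything else
    """
    # Diagnostic only: reachability is the question, so certificate checks are off.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "tls-ok"
            except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
                return "tls-eof"
            except ssl.SSLError as exc:
                return f"tls-error:{exc.reason}"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"net-error:{exc.errno}"


def start_accept_and_close_listener() -> tuple[socket.socket, int]:
    """Local stand-in for a device that owns 443 but speaks no TLS.

    Accepts one connection, reads the ClientHello and closes, which is exactly
    what produces curl's "unexpected eof while reading". Returns the listening
    socket (close it when done) and its port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one() -> None:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        conn.settimeout(PROBE_TIMEOUT)
        try:
            conn.recv(4096)  # swallow the ClientHello so the close is a clean FIN, not an RST
        except OSError:
            pass
        conn.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """A local port nothing listens on, to show the "refused" outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholders: substitute your own name and the address `curl ifconfig.io` printed.
    print("DNS points at this WAN address:", dns_points_here("example.com", "203.0.113.7"))
    srv, port = start_accept_and_close_listener()
    print("port that accepts then closes:", probe_tls("127.0.0.1", port))
    srv.close()
    print("port with no listener:", probe_tls("127.0.0.1", free_port()))
```

Run it from a machine outside the LAN as well as from the server itself: a "tls-ok" from inside next to a "tls-eof" from outside says the NAT rule, not Apache, owns the problem, and "refused" from outside with the forward in place usually means the local port field on the router is not 443.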

And to triple-check...
Please show the output of:
ifconfig | grep net


Thank you rg305.
I have switched it off anyway, just to be 100% certain, and you are right. I still cannot connect to https://tvt.pl
