Site down and I'm at a complete loss

Help
1

Primary domain is 7thrank.com. Server is Apache. No recent changes since updating my certs. I’m getting " This site can’t be reached". :frowning:

Nothing useful in the logs except for the following at startup:

[Thu Nov 28 17:04:24.899776 2019] [ssl:warn] [pid 2299] AH01909: wordpress.7thrank.com:443:0 server certificate does NOT include an ID which matches the server name

Accessing any site does not generate an entry in the access or error log(?) I have turned on WP_DEBUG (wordpress site) but still nothing.

Any advice appreciated. Config files follow:

Found the following certs:
Certificate Name: 7thrank.com
Domains: 7thrank.com
Expiry Date: 2020-02-15 19:14:20+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/7thrank.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/7thrank.com/privkey.pem
Certificate Name: home.chessregister.com
Domains: home.chessregister.com
Expiry Date: 2020-02-15 21:41:17+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/home.chessregister.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/home.chessregister.com/privkey.pem
Certificate Name: smilerestored.com
Domains: smilerestored.com
Expiry Date: 2020-02-15 19:51:49+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/smilerestored.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/smilerestored.com/privkey.pem

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName 7thrank.com
ServerAlias www.7thrank.com
ServerAlias smilerestored.com
ServerAlias home.chessregister.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =7thrank.com [OR]
##RewriteCond %{SERVER_NAME} =www.7thrank.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ServerAdmin webmaster@localhost DocumentRoot /var/www/html 
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerName 7thrank.com
ServerAlias www.7thrank.com
SSLCertificateFile /etc/letsencrypt/live/7thrank.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/7thrank.com/privkey.pem

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerName smilerestored.com
SSLCertificateFile /etc/letsencrypt/live/smilerestored.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/smilerestored.com/privkey.pem

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerName home.chessregister.com
SSLCertificateFile /etc/letsencrypt/live/home.chessregister.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/home.chessregister.com/privkey.pem

ServerAdmin webmaster@localhost 
            DocumentRoot /var/www/html

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf

            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on

            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            SSLCertificateFile      /etc/letsencrypt/live/7thrank.com/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/7thrank.com/privkey.pem

            #   Server Certificate Chain:
            #   Point SSLCertificateChainFile at a file containing the
            #   concatenation of PEM encoded CA certificates which form the
            #   certificate chain for the server certificate. Alternatively
            #   the referenced file can be the same as SSLCertificateFile
            #   when the CA certificates are directly appended to the server
            #   certificate for convinience.
            #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

            #   Certificate Authority (CA):
            #   Set the CA certificate verification path where to find CA
            #   certificates for client authentication or alternatively one
            #   huge file containing all of them (file must be PEM encoded)
            #   Note: Inside SSLCACertificatePath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            #SSLCACertificatePath /etc/ssl/certs/
            #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

            #   Certificate Revocation Lists (CRL):
            #   Set the CA revocation path where to find CA CRLs for client
            #   authentication or alternatively one huge file containing all
            #   of them (file must be PEM encoded)
            #   Note: Inside SSLCARevocationPath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            #SSLCARevocationPath /etc/apache2/ssl.crl/
            #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

            #   Client Authentication (Type):
            #   Client certificate verification type and depth.  Types are
            #   none, optional, require and optional_no_ca.  Depth is a
            #   number which specifies how deeply to verify the certificate
            #   issuer chain before deciding the certificate is not valid.
            #SSLVerifyClient require
            #SSLVerifyDepth  10

            #   SSL Engine Options:
            #   Set various options for the SSL engine.
            #   o FakeBasicAuth:
            #        Translate the client X.509 into a Basic Authorisation.  This means that
            #        the standard Auth/DBMAuth methods can be used for access control.  The
            #        user name is the `one line' version of the client's X.509 certificate.
            #        Note that no password is obtained from the user. Every entry in the user
            #        file needs this password: `xxj31ZMTZzkVA'.
            #   o ExportCertData:
            #        This exports two additional environment variables: SSL_CLIENT_CERT and
            #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
            #        server (always existing) and the client (only existing when client
            #        authentication is used). This can be used to import the certificates
            #        into CGI scripts.
            #   o StdEnvVars:
            #        This exports the standard SSL/TLS related `SSL_*' environment variables.
            #        Per default this exportation is switched off for performance reasons,
            #        because the extraction step is an expensive operation and is usually
            #        useless for serving static content. So one usually enables the
            #        exportation for CGI and SSI requests only.
            #   o OptRenegotiate:
            #        This enables optimized SSL connection renegotiation handling when SSL
            #        directives are used in per-directory context.
            #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>

            #   SSL Protocol Adjustments:
            #   The safe and default but still SSL/TLS standard compliant shutdown
            #   approach is that mod_ssl sends the close notify alert but doesn't wait for
            #   the close notify alert from client. When you need a different shutdown
            #   approach you can use one of the following variables:
            #   o ssl-unclean-shutdown:
            #        This forces an unclean shutdown when the connection is closed, i.e. no
            #        SSL close notify alert is send or allowed to received.  This violates
            #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
            #        this when you receive I/O errors because of the standard approach where
            #        mod_ssl sends the close notify alert.
            #   o ssl-accurate-shutdown:
            #        This forces an accurate shutdown when the connection is closed, i.e. a
            #        SSL close notify alert is send and mod_ssl waits for the close notify
            #        alert of the client. This is 100% SSL/TLS standard compliant, but in
            #        practice often causes hanging connections with brain-dead browsers. Use
            #        this only for browsers where you know that their SSL implementation
            #        works correctly.
            #   Notice: Most problems of broken clients are also related to the HTTP
            #   keep-alive facility, so you usually additionally want to disable
            #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
            #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
            #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
            #   "force-response-1.0" for this.
            # BrowserMatch "MSIE [2-6]" \
            #               nokeepalive ssl-unclean-shutdown \
            #               downgrade-1.0 force-response-1.0

    </VirtualHost>
2

The text is a bit garbled.

What does this say?:
apachectl -S

3

Hmmm, looks like it’s only NOT available from my house(!) Truly weird. My server is hosted at Digital Ocean.

4

If you can, edit your post:

and add an immediate line following that with just:
```

5

ml@wordpress:~$ apachectl -S
AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/7thrank.com/fullchain.pem’ does not exist or is empty
Action ‘-S’ failed.
The Apache error log may have more information.

6

Copy and paste, please
This:

is NOT this:

Highlighted and zoomed/decorated for effect and detail:image

Oh no! Time to move! - LOL

Also, the site has mixed (http & https) content:
https://www.whynopadlock.com/results/44e37ed6-dfba-463f-af9e-240e6bbcf191

7

Hi @motoaddict

the site works with my browser. But there are mixed content warnings. Checking with https://check-your-website.server-daten.de/?q=7thrank.com ... check is running.

There is a Grade N, because the www version isn't secure.

The certificate has only one domain name:

CN=7thrank.com
	17.11.2019
	15.02.2020
expires in 79 days	7thrank.com - 1 entry

the www domain is missing.

There are 7 active certificates:

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-11-17 2020-02-15 7thrank.com - 1 entries
Let's Encrypt Authority X3 2019-11-17 2020-02-15 7thrank.com - 1 entries
Let's Encrypt Authority X3 2019-11-17 2020-02-15 7thrank.com - 1 entries
Let's Encrypt Authority X3 2019-10-31 2020-01-29 7thrank.com, smilerestored.com, www.7thrank.com, www.smilerestored.com - 4 entries
Let's Encrypt Authority X3 2019-10-31 2020-01-29 7thrank.com, home.chessregister.com, smilerestored.com, www.7thrank.com - 4 entries
Let's Encrypt Authority X3 2019-10-17 2020-01-15 7thrank.com, home.chessregister.com, smilerestored.com, www.7thrank.com - 4 entries
Let's Encrypt Authority X3 2019-10-17 2020-01-15 www.7thrank.com - 1 entries

And mixed content you should fix:

style
	http://7thrank.com/wp-content/uploads/2017/01/blockchain-ledger-1.jpg
	1
	http-link, change to https
8

Run it as root or sudo.

9

I’m aware of the mixed content. No clue why the site is not available via home WiFi. Guess I’ll contact DO.

10

Doh!

ml@wordpress:~$ sudo apachectl -S
VirtualHost configuration:
*:80 7thrank.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.7thrank.com
port 443 namevhost smilerestored.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:20)
port 443 namevhost home.chessregister.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:37)
port 443 namevhost wordpress.7thrank.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

11

That’s terrible.

Your port 80 vHost list doesn’t match your port 443 vHost list.

Perhaps you have used http, but no vHost answers.

Create 3 port 80 vHosts.

7thrank.com + www.7thrank.com
smilerestored.com
home.chessregister.com

then a certificate with 7thrank.com + www.7thrank.com and use that.

12

Isn’t that what this does?

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName 7thrank.com
ServerAlias www.7thrank.com
ServerAlias smilerestored.com
ServerAlias home.chessregister.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =7thrank.com [OR]
##RewriteCond %{SERVER_NAME} =www.7thrank.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

13

Apache ignores that block, so it isn't listet via apachectl -S.

That's the reason sharing config files is only the second step.

PS: And that's one vHost with 4 domain names.

Your port 443 setup is different. That mix is terrible.

1 Like
14

Three dots does nothing to the following text.
Try three backticks (tilde key) instead.
image

You say:

But you don't show the file names nor their location.
It may make a world of difference.
For instance:
Files in /sites-available/ are NOT necessarily being used.
That would be the ones in /sites-enabled/
Plus they can be matched with the output of apachectl -S

Help US help YOU.

15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.