Sometimes my SSL doesn't work properly?


#1

My domain is: bhavikji.com. I have created a subdomain demoapi.bhavikji.com; it was working fine but suddenly it stopped. This is the second time it is happening.

I ran this command: sudo certbot --apache -d demoapi.bhavikji.com to create a new certificate, and I got the success message. The server is running on Ubuntu 18.04.

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.26.1

What should I do? It is working fine on the main domain, but I am facing these issues on the subdomains.


#2

Hi @bhavikji

there are some errors in your configuration (checked via https://check-your-website.server-daten.de/?q=demoapi.bhavikji.com ):

You have an IPv4 and an IPv6 address:

Host                      T     IP-Address                   is auth.  ∑ Queries  ∑ Timeout
demoapi.bhavikji.com      A     206.189.141.216              yes       1          0
                          AAAA  2400:6180:100:d0::88b:e001   yes
www.demoapi.bhavikji.com        Name Error                   yes       1          0

But there are different http status results:

Domainname / Address                     Http-Status  redirect                                                                                              Sec.   G
http://demoapi.bhavikji.com/
    2400:6180:100:d0::88b:e001           301          https://demoapi.bhavikji.com/                                                                         0.283  A
http://demoapi.bhavikji.com/
    206.189.141.216                      200                                                                                                                0.924  H
https://demoapi.bhavikji.com/
    206.189.141.216                      200                                                                                                                2.953  B
https://demoapi.bhavikji.com/
    2400:6180:100:d0::88b:e001           -4                                                                                                                 0.593  W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://demoapi.bhavikji.com:443/
    206.189.141.216                      400                                                                                                                0.310  Q
    Bad Request
http://demoapi.bhavikji.com:443/
    2400:6180:100:d0::88b:e001           200                                                                                                                0.313  Q
http://demoapi.bhavikji.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    2400:6180:100:d0::88b:e001           301          https://demoapi.bhavikji.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de    0.284  A
http://demoapi.bhavikji.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    206.189.141.216                      404                                                                                                                0.297  A
    Not Found
https://demoapi.bhavikji.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                         -4                                                                                                                 0.576  W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

IPv6 + http has a redirect, IPv4 + http does not. https + IPv6 is wrong: port 443 answers with http content (instead of https).

Is your IPv6 configured? If not, remove the IPv6 address.

https works correctly only with IPv4.

But your /.well-known/acme-challenge is redirected to https. Let’s Encrypt prefers IPv6; a wrong certificate isn’t a problem. Sending http over port 443 is a problem.


#3

Thanks for the response @JuergenAuer. My IPv6 is enabled, so in that case what can I do to fix this issue?


#4

Check your Listen directives:

Listen [::]:80
Listen [::]:443

Same with your vHost blocks.


#5

@JuergenAuer where will I find these directives? Any help you can offer?


#6

Also, I have now tested over this https://check-your-website.server-daten.de/?q=demoapi.bhavikji.com
and found the name error is resolved, but it is pointing http to port 443 @jurgenhaas


#7

This “name error” isn’t a problem. The comment:

A DNS: “Name Error” means: No www-dns-entry defined. This isn’t a problem

The subdomain check-your-website.server-daten.de doesn’t have a www-version www.check-your-website.server-daten.de either; there would be the same “Name Error”.

In one of your Apache config files.


#8

OK, I checked in /etc/apache2/ports.conf.

There it is listening on the correct ports; the entire file looks like:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And I am pretty sure that the vhosts point to the same ports as in the conf files (demoapi.bhavikji.com.conf points to *:80, whereas demoapi.bhavikji.com-le-ssl.conf points to 206.189.141.216:443).

Is that the right place to look?


#9

@JuergenAuer if they are fine, then what is the actual problem here?


#10

This specifically binds only to an IPv4 IP:

If you want to use both IPv4 and IPv6, you will need to include both.
Change the vhost block like:
<VirtualHost *:80 [::]:80>
or
<VirtualHost *:443 [::]:443>

And don’t include the port after a servername.
Like:
servername www.mydomain:443
[this is bad practice]


#11

@rg305 I have subdomains, so I can’t put *:443; I put the port after the IP in the vhost. However, even after that the ports are redirecting correctly, but I am still facing the issue.


#12

I don’t understand what “subdomains” have to do with IP:port bindings.

OK, then if you need both IPv4 and IPv6, put both your IPs and their ports in the vhost block:
Something like this example (change to your IPs):
<VirtualHost 4.3.2.1:80 [2001:4321:abcd::1ab2]:80>
[but this is usually not recommended for reasons like IPs can change, what if the real IP is NOT on the host (host is behind NAT)]

It really is much simpler to use * than to type the IPs into every vhost block.
[and it is far too easy to make a typing mistake - especially with long IPv6 addresses]


#13

@rg305 earlier I was facing an issue with redirection, so to avoid that I had to put the IP in the vhost for the subdomain, because even from the subdomain it was redirecting back to the main domain. What are the best practices for working with subdomains?


#14

That sounds like the redirection is not correct.
I would start looking at that first.
Make sure it does exactly what you want it to do, then continue with cert request(s).

You can show the redirections here if you need help (or opinion) with them.


#15

@rg305 for that, do I need to remove the existing certs and try to work with http first?


#16

No!
Do not remove valid certs - that is like taking steps backwards.
[you will be going in wrong direction]

Show the problem area(s) that you have (or had).
And what you did to try to fix it.


#17

@rg305 when I first created the subdomain it was redirecting back to the main domain. I had words with DO and they told me there is some issue in SSL; I figured out that the vhost was redirecting all requests to the main domain using *:443. To fix that, I added the IPv4 address with :443; now I am facing this issue, which I have added here. I have 2 subdomains and none of them is working properly.


#18

Sounds like the “fix” only works by luck or chance.
Apache is notorious for running at all cost - it will allow almost any misconfiguration to pass.

Can you show the full config?
Or go piece by piece…
starting with the main config file:
/etc/apache2/apache2.conf


#19

It was just a problem of default.conf.

All I needed to do was run this command:

sudo a2dissite 000-default.conf

Thanks for your time guys
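Putting rg305’s advice in #10 and #12 together with the 000-default point from this post, here is an added example of the vhost pair for the subdomain. It is illustration, not the original poster’s files; the file names, the DocumentRoot and the /etc/letsencrypt paths are assumed.

```apache
# Added example, not the original poster's files. Paths under
# /etc/apache2/sites-available/ and the DocumentRoot are assumed.

# demoapi.bhavikji.com.conf
# "*:80" matches the port on every address the Listen directives cover, so
# one block answers on 206.189.141.216 and on 2400:6180:100:d0::88b:e001.
<VirtualHost *:80>
    ServerName demoapi.bhavikji.com
    DocumentRoot /var/www/demoapi

    # Needs mod_rewrite (a2enmod rewrite); Certbot enables it for its redirect.
    RewriteEngine on
    # Keep the ACME http-01 path on plain http so the challenge is answered
    # directly; everything else goes to https (the redirect Certbot writes).
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    RewriteCond %{SERVER_NAME} =demoapi.bhavikji.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# demoapi.bhavikji.com-le-ssl.conf
# Binding this block to 206.189.141.216:443 (the earlier "fix") means a
# connection arriving on the IPv6 address never matches it and falls through
# to whatever else answers port 443 without SSLEngine on. That is consistent
# with the plain http on port 443 over IPv6 that the check in #2 reported.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName demoapi.bhavikji.com
    DocumentRoot /var/www/demoapi

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/demoapi.bhavikji.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/demoapi.bhavikji.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

# Name-based selection only works when every vhost on the same address:port
# declares its ServerName. The first vhost loaded for that address:port
# (000-default.conf sorts first in sites-enabled) is the fallback for any
# Host header that matches nothing, which is the role a2dissite 000-default.conf
# removed here. The main domain keeps its own *:80 / *:443 pair with its own
# ServerName, so requests for the subdomain no longer land on it.
```

After editing, apache2ctl -S prints which vhost answers each address:port and which one is the default, which is the quickest way to confirm the layout before reloading.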

