SSL certificate doesn't work

god … I’m sleepy. Of course! I just hoped that to have been the error :sweat_smile:

Found the following certs:
Certificate Name: domain
Domains: domain
Expiry Date: 2018-10-02 21:39:21+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain/privkey.pem
Certificate Name: domain
Domains: domain domain
Expiry Date: 2018-10-01 19:25:11+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/domain/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain/privkey.pem

I guess having two certificates for the www. might be the issue?

I don’t see why it’d be a problem, but being that it’s redundant and I’m out of other ideas, it’s worth deleting the useless one:

sudo certbot delete --cert-name www.x

Whether it helps your installation problem or not … who knows.

Doesn’t seem to have done anything.

I’m not sure what to think of the fact that the whole website isn’t accessible via https. I mean, I’d be fine with a security error or something but isn’t that a bit odd? I guess I could just go back to enabling Cloudflare’s DNS proxy and SSL certificate and hope that it won’t bite my ass down the road. But not having a local SSL certificate in case Cloudflare dies is a bit of a bummer.

You can configure Apache by hand to listen on HTTPS for your domain, like I suggested before.

You have a perfectly usable certificate, it’s just that Certbot’s automatic Apache installer doesn’t work for some reason.

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName x
    ServerAlias x
    DocumentRoot /var/www/html/store/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/x/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/x/privkey.pem
</VirtualHost>
</IfModule>

/etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

I’ve added the virtual host part into the existing one, below the one regarding port 80 and changed the options-ssl-apache.conf and then restarted apache. Still getting the same connection refused error.

Might need to

sudo a2enmod ssl

If that doesn’t work, show apachectl -S again.

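Added example, not part of any post in this thread: a shell check for the usual reasons Apache refuses connections on port 443, starting with the disabled mod_ssl that `a2enmod ssl` addresses. It assumes the Debian/Ubuntu layout under /etc/apache2, and `check_https_ready` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the Debian/Ubuntu layout:
# mods-enabled/, ports.conf and sites-enabled/ under one Apache root.
# check_https_ready is a hypothetical helper name. Run as root on a real
# host so the files under /etc/letsencrypt/live can be seen.

check_https_ready() {
    root="${1:-/etc/apache2}"
    rc=0

    # 1. Without mod_ssl, every <IfModule mod_ssl.c> block is skipped
    #    silently, so a vhost wrapped in one never binds port 443.
    if [ ! -e "$root/mods-enabled/ssl.load" ]; then
        echo "FAIL mod_ssl not enabled (sudo a2enmod ssl, then restart)"
        rc=1
    fi

    # 2. Some Listen directive must name port 443.
    if ! grep -Eiqs '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' \
            "$root/ports.conf"; then
        echo "FAIL no 'Listen 443' in $root/ports.conf"
        rc=1
    fi

    # 3. An enabled site must declare a vhost on :443.
    if ! grep -Eiqs '<VirtualHost[[:space:]]+[^>]*:443>' \
            "$root"/sites-enabled/*.conf; then
        echo "FAIL no <VirtualHost ...:443> in sites-enabled"
        rc=1
    fi

    # 4. Every certificate/key path the enabled sites reference must exist.
    for f in $(awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {print $2}' \
            "$root"/sites-enabled/*.conf 2>/dev/null); do
        if [ ! -f "$f" ]; then
            echo "FAIL missing file $f"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK config can serve HTTPS"
    return "$rc"
}

# Script use: sh check.sh /etc/apache2
if [ "$#" -gt 0 ]; then check_https_ready "$1"; fi
```

The checks only read configuration files; `apachectl -S` remains the authority on what the running server actually loaded.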

You sir, are a legend. Thank you very much for the help. So I take it, that it actually was related to certbot’s automatic apache installer.

About 10 posts ago I was considering to ask you to remove the domain’s url from the posts once you’re done troubleshooting me but frankly, I probably wouldn’t bother myself to do that for a stranger after fixing his problem.

All in all, I’m infinitely grateful. You’re a legend! Thank you! (:


No problem. You can ask a moderator (e.g. @mnordhoff) to remove your domain; if you or I do it, it just shows up in the edit history anyway.

I’m embarrassed to ask that but … how do you send people private messages in here?

Edit: Apparently I’m not allowed to send messages to the people in the moderator group. :face_with_raised_eyebrow:

Hi. I hid the relevant edit history.

I also edited a link in one of your posts.

I also accidentally reverted one of your posts to the bad version, then reverted it again to the good version. :sweat: My browser lagged and the button moved. :sweat:

@_az, could you edit post 24? Or do you mind if someone else does?

Edit: @aeciid: This whole thread has probably been archived by search engines, though.

Edit edit:

@aeciid, I edited a second one of your posts. (On purpose.)

@_az, actually several of your posts show the domain.


All done. I think. Thanks, @_az.


Thank you so much! :slight_smile:

Even if it already has been archived by search engines, not having the domain actively displayed already goes a long shot in not making me appear like a total fraud to my customer :joy:
