rg305
February 17, 2022, 1:29am
#4
More information:
curl -Ii4 https://www.pastlife.works/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html
1 Like
Thank you for the reply and for pointing this out.
So is this a client side problem with their browsers or operating systems or is it something that I can change in my .htaccess file or config files that would force my server to use IPv6?
Here is the output of apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
45.79.80.227:80 45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:1)
45.79.80.227:443 45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:12)
*:443 is a NameVirtualHost
default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
port 443 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
alias www.lexrex.xyz
port 443 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works-le-ssl.conf:2)
alias www.pastlife.works
port 443 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org-le-ssl.conf:2)
alias www.starseedgrowers.org
*:80 is a NameVirtualHost
default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
port 80 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
alias www.lexrex.xyz
port 80 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works.conf:1)
alias www.pastlife.works
port 80 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org.conf:1)
alias www.starseedgrowers.org
rg305
February 17, 2022, 1:39am
#8
Please show the outputs of:
ifconfig | grep -Ei 'add|inet'
sudo netstat -pant | grep -i listen
curl -4 ifconfig.co
curl -6 ifconfig.co
cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf
grep -Ri listen /etc/apache2
1 Like
-bash: ifconfig: command not found
sudo netstat -pant | grep -i listen
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 480/sshd
tcp 0 0 0.0.0.0:8767 0.0.0.0:* LISTEN 490/ravend
tcp6 0 0 :::80 :::* LISTEN 492/apache2
tcp6 0 0 :::22 :::* LISTEN 480/sshd
tcp6 0 0 :::443 :::* LISTEN 492/apache2
tcp6 0 0 :::65532 :::* LISTEN 560/murmurd
tcp6 0 0 :::8766 :::* LISTEN 490/ravend
tcp6 0 0 :::8767 :::* LISTEN 490/ravend
curl -4 ifconfig.co
45.79.80.227
curl -6 ifconfig.co
2600:3c01::f03c:92ff:fef4:a0df
cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin contact@pastlife.works
ServerName pastlife.works
ServerAlias www.pastlife.works
DocumentRoot /var/www/pastlife.works
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
grep -Ri listen /etc/apache2
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf: Listen 443
/etc/apache2/ports.conf: Listen 443
/etc/apache2/apache2.conf:# supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# Include list of ports to listen on
rg305
February 17, 2022, 1:52am
#10
hmm...
Very interesting.
What shows:
openssl version
Is there any IPS, or layer 7 firewall, involved?
Please show the output of:
ps -ef | grep -i apache | grep -v grep
1 Like
OpenSSL 1.1.1d 10 Sep 2019
Not sure about IPS. I am using ufw with standard rules allowing http and https. I also have ports open for my mumble server, which is on the mumble public servers list also using the SSL certificate, and port open for the ravencoin node
I also have fail2ban running
root 492 1 0 15:51 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 498 492 0 15:51 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 499 492 0 15:51 ? 00:00:00 /usr/sbin/apache2 -k start
Thanks for your help
1 Like
rg305
February 17, 2022, 2:15am
#12
Have you restarted the server?
I don't see anything obviously wrong.
[running out of options...]
1 Like
9peppe
February 17, 2022, 2:18am
#13
Is it possible Apache is only listening on ipv6?
Judging from the netstat output, I mean.
rg305
February 17, 2022, 2:22am
#14
No, when it shows tcp6, tcp4 is implied.
Notice how neither IPv4:80 nor IPv4:443 is listed, and yet it works for HTTP (on port 443):
curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html
It's like "SSLEngine on" is only being enabled for IPv6 (not for IPv4).
3 Likes
I'm also getting help from Linode.
Just rebooted. I noticed my /etc/hosts is a bit weird.
127.0.0.1 localhost
127.0.1.1 genesis.pastlife.works genesis
45.79.80.227 pastlife.works
45.79.80.227 www.pastlife.works
45.79.80.227 starseedgrowers.org
45.79.80.227 www.starseedgrowers.org
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Not sure if it's supposed to look like that.
9peppe
February 17, 2022, 2:26am
#16
There is some ipv4-exclusive config.
Can you show us that file?
It looks fine. (It can probably do without, but some software needs those lines.)
1 Like
Wow, I think you may have found the issue, but IDK why I did this or what to do about it.
<VirtualHost 45.79.80.227:80>
ServerName 45.79.80.227
ServerAlias pastlife.works
DocumentRoot /var/www/pastlife.works
RewriteEngine on
RewriteCond %{SERVER_NAME} =pastlife.works [OR]
RewriteCond %{SERVER_NAME} =www.pastlife.works
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost 45.79.80.227:443>
ServerName 45.79.80.227
ServerAlias pastlife.works
DocumentRoot /var/www/pastlife.works
</VirtualHost>
<VirtualHost *:80>
ServerAdmin contact@pastlife.works
ServerName lexrex.xyz
ServerAlias www.lexrex.xyz
DocumentRoot /var/www/lexrex.xyz
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =lexrex.xyz [OR]
RewriteCond %{SERVER_NAME} =www.lexrex.xyz
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
rg305
February 17, 2022, 2:33am
#18
Delete that whole section.
2 Likes
9peppe
February 17, 2022, 2:35am
#19
Also delete the other section with the full IP address. Merge its content in the <VirtualHost *:80> section if necessary.
2 Likes
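The reason the IP-specific blocks break IPv4 only: Apache narrows by address before it looks at any name, an exact IP match beats the `*` wildcard, and mod_ssl decides whether a connection is TLS from the default (first-listed) vhost of that address group. So every IPv4 connection to port 443 lands in `<VirtualHost 45.79.80.227:443>`, which has no `SSLEngine on`, while IPv6 connections fall through to the certbot-managed `*:443` vhosts. The following Python model is an added example, not code from the thread or from Apache. Its sample config is constructed from the posted lexrex.xyz.conf port-443 vhost plus the two `*:443` vhosts; those are assumed to get `SSLEngine on` from the Include'd options-ssl-apache.conf (not shown on the page), so the directive is written out. The server addresses are the ones the `curl -4`/`curl -6 ifconfig.co` calls above returned.

```python
"""Model of Apache's VirtualHost selection and the per-connection TLS decision.
Added example, not Apache's own code. The config below is constructed from the
thread; 'SSLEngine on' on the *:443 vhosts is assumed to come from the Include.
"""
import re
from dataclasses import dataclass, field

# Constructed reproduction of the posted port-443 vhosts (rewrite rules omitted).
POSTED_CONF = """
<VirtualHost 45.79.80.227:443>
ServerName 45.79.80.227
ServerAlias pastlife.works
</VirtualHost>
<VirtualHost *:443>
ServerName lexrex.xyz
ServerAlias www.lexrex.xyz
SSLEngine on
</VirtualHost>
<VirtualHost *:443>
ServerName pastlife.works
ServerAlias www.pastlife.works
SSLEngine on
</VirtualHost>
"""

SERVER_V4 = "45.79.80.227"                    # from 'curl -4 ifconfig.co' in the thread
SERVER_V6 = "2600:3c01::f03c:92ff:fef4:a0df"  # from 'curl -6 ifconfig.co' in the thread


@dataclass
class VHost:
    addr: str                                  # literal IP or "*"
    port: int
    names: list = field(default_factory=list)  # ServerName + ServerAlias values
    ssl_engine: bool = False


def parse_vhosts(text):
    """Minimal <VirtualHost addr:port> parser; IfModule/Include lines are ignored."""
    vhosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            addr, port = m.group(1).rsplit(":", 1)
            cur = VHost(addr.strip("[]"), int(port))
            vhosts.append(cur)
        elif line.lower() == "</virtualhost>":
            cur = None
        elif cur is not None:
            key, _, value = line.partition(" ")
            if key.lower() in ("servername", "serveralias"):
                cur.names.extend(value.split())
            elif key.lower() == "sslengine":
                cur.ssl_engine = value.strip().lower() == "on"
    return vhosts


def candidates(vhosts, local_ip, port):
    """Step 1: narrow by address. An exact IP match beats the '*' wildcard, so an
    IPv4 client never reaches the *:443 vhosts while an IP-specific one exists."""
    exact = [v for v in vhosts if v.port == port and v.addr == local_ip]
    return exact or [v for v in vhosts if v.port == port and v.addr == "*"]


def connection_uses_tls(vhosts, local_ip, port):
    """mod_ssl takes the TLS on/off decision from the default (first-listed) vhost
    of the address group, before any Host header or SNI name has been seen."""
    group = candidates(vhosts, local_ip, port)
    return bool(group) and group[0].ssl_engine


def select_vhost(vhosts, local_ip, port, host):
    """Step 2: name-based choice inside the group, falling back to the default."""
    group = candidates(vhosts, local_ip, port)
    return next((v for v in group if host in v.names), group[0] if group else None)


def audit(vhosts):
    """Flag each port-443 address group whose default vhost lacks 'SSLEngine on'."""
    return [f"{v.addr}:443 default vhost {v.names} has no 'SSLEngine on'"
            for v in vhosts
            if v.port == 443 and candidates(vhosts, v.addr, 443)[0] is v and not v.ssl_engine]


def drop_ip_specific(vhosts):
    """The fix given in the thread: remove the vhosts bound to the literal IP."""
    return [v for v in vhosts if v.addr == "*"]


if __name__ == "__main__":
    posted = parse_vhosts(POSTED_CONF)
    for ip in (SERVER_V4, SERVER_V6):
        print(f"{ip}:443 TLS={connection_uses_tls(posted, ip, 443)}")
    print("findings before fix:", audit(posted))
    print("findings after fix: ", audit(drop_ip_specific(posted)))
```

Running it reports TLS off for the IPv4 address and on for the IPv6 one, exactly the split the `curl -Ii4` results above show, and the audit finding disappears once the IP-bound vhost is dropped. The same audit is a cheap check to run over any multi-vhost Apache config after certbot or a hand edit has added address-specific blocks.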
I think you both helped me fix it, can't tell though because it always "worked" on my end:
https://www.ssllabs.com/ssltest/analyze.html?d=pastlife.works
9peppe
February 17, 2022, 2:49am
#22
Ehm... If you don't have a specific reason to keep TLS 1.0 and 1.1 enabled, turn them off.
Check https://ssl-config.mozilla.org
2 Likes
What is the significance of turning them off compared to what I have running now?
I entered my settings in the form there and it produced this:
# generated 2022-02-17, Mozilla Guideline v5.6, Apache 2.4.38, OpenSSL 1.1.1d, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.38&config=modern&openssl=1.1.1d&guideline=5.6
# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs
SSLCertificateKeyFile /path/to/private_key
# enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
# modern configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Not sure what to do with that data or how to turn off TLS 1.0 & 1.1
9peppe
February 17, 2022, 3:27am
#24
There are some vulnerabilities. I wouldn't turn off TLS 1.2.
(I'd use the intermediate config; only use the modern one if you know your clients very well.)
Don't enable http strict transport security until you understand what it does, please.
2 Likes
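The `SSLProtocol` line in the generated config is what actually turns versions off, and 9peppe's point is that the modern profile's `-TLSv1.2` goes one step further than needed. The evaluator below is an added example, not code from the thread or from Apache; it applies `SSLProtocol` tokens the way mod_ssl documents them (`all`, `name`/`+name` adds, `-name` removes, left to right) so a config can be reviewed before it is deployed. `MODERN` is the line the Mozilla generator produced above; `INTERMEDIATE` is assumed to be the generator's intermediate profile for the same guideline version.

```python
"""Evaluate an Apache SSLProtocol value the way mod_ssl parses it.
Added example, not Apache's code. INTERMEDIATE is an assumed line, not from the page.
"""
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # the versions the thread advises turning off
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

MODERN = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2"   # from the generated config above
INTERMEDIATE = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"      # assumed intermediate profile


def enabled_protocols(directive):
    """Return the set of protocol versions a directive value leaves enabled.
    Tokens are applied left to right; 'all' with a '-' prefix clears the set."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("+", tok)
        if name.lower() == "all":
            targets = set(ALL_PROTOCOLS)
        elif name.lower() in _CANON:
            targets = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        enabled = enabled - targets if sign == "-" else enabled | targets
    return enabled


def review(directive):
    """Summarise a directive: enabled versions, legacy versions still on, and
    whether TLS 1.2 (which the thread says to keep) survives."""
    enabled = enabled_protocols(directive)
    return {
        "enabled": [p for p in ALL_PROTOCOLS if p in enabled],
        "legacy_enabled": [p for p in ALL_PROTOCOLS if p in enabled & LEGACY],
        "tls12_kept": "TLSv1.2" in enabled,
    }


if __name__ == "__main__":
    for label, line in (("modern", MODERN), ("intermediate", INTERMEDIATE),
                        ("bare 'all'", "SSLProtocol all")):
        print(f"{label:12} {review(line)}")
```

The directive must sit where mod_ssl reads it (server-wide, as in the generated snippet, or inside a `<VirtualHost *:443>`); putting it only in a vhost that is not the default for its address:port has no effect on the handshake, for the same default-vhost reason as the `SSLEngine` problem earlier in the thread.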