Ssl_module used in ports.conf but does not exist

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is uroflowabara.ddns.net

I ran this command: sudo certbot --apache

everything looks like it worked.

It produced this output:

This site can’t be reached
uroflowabara.ddns.net refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

My web server is (include version): Apache2

The operating system my web server runs on is (include version):debian 10

My hosting provider, if applicable, is: (on a raspi)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I see that in the Virtual Hosts and in ports_conf there are

Listen 443
I do not have this ssl_module installed?
Could this be why it does not work?

Hi @jbrohan,

Welcome to the community forum!

You’ll need to enable the SSL module for Apache. You can check what modules are available by running:

$ echo | a2enmod | grep -i ssl

To actually enable it, run:

$ sudo a2enmod ssl

Hi Phil

Thank you so much for your kind reply.

a2enmod ssl says it’s already running.

I’m getting “the site can’t be reached” when I run it as https

My plan was to go through the apache2.conf step by step making sure that each configuration file does its “thing”

/etc/apache2/ports.conf

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

This looks to me as though port 443 is not setup for Listening if ssl_module isn’t there or the gnutils.c

I’m on a raspberry pi under debian buster, and I followed the Let’s Encrypt as carefully as I could.

http://uroflowabara.ddns.net works fine (brings up the debian Apache welcome page).

https://uroflowabara.ddns.net gives me “this site can’t be reached”

I am so impressed with Let’s Encrypt, I’m sure it’s just a simple thing.

Do you know of a checklist I can go through to ensure that my one site works properly.

@jbrohan,

Can you run apache2ctl -S and also paste each of your vhost configurations please?

Thanks Phil.
I still have my suspicions of “” which seems to control the https port. It’s in /etc/apache2/ports.conf !!?

Thank you so much for your help. A kind and knowledgeable word is welcome in this stressful time.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 uroflowcanada.ddns.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33


Virtual Hosts (443)
sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

ServerName uroflowcanada.ddns.net
SSLCertificateFile /etc/letsencrypt/live/uroflowcanada.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uroflowcanada.ddns.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Virtual hosts (80)
urouser@raspberrypi : ~ $ sudo cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =uroflowcanada.ddns.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Hi Phil

Thanks for your quick reply. I am learning more about this elegant piece of software which runs major websites as well as my tiny server on a raspberryPi. I am sure I’m near to getting SSL working, and your help is Most welcome.

John

urouser@raspberrypi:~ $ sudo apache2ctl -S
[sudo] password for urouser:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 uroflowcanada.ddns.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
urouser@raspberrypi:~ $

Virtual host 443

urouser@raspberrypi:~ $ sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

ServerName uroflowcanada.ddns.net
SSLCertificateFile /etc/letsencrypt/live/uroflowcanada.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uroflowcanada.ddns.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Virtual host 80

urouser@raspberrypi:~ $ sudo cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =uroflowcanada.ddns.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Hi Phil

On “check your website” I find that there are 2 errors.

I made a certificate for uroflowabara.ddns.net before I found out about LetsEncrypt. Should I abandon this and try another domain?

Hi @jbrohan

different Serial numbers are not good. But that's

  • a name server problem, not a domain problem
  • if the A / AAAA / CAA / TXT records are identical, it's not a problem

So it's not really a problem that blocks creating a Letsencrypt certificate (same with Html-Content problems etc.).

Hi Juergen

Thank you for your kind reply. I am very interested to get this LetsEncrypt working. Can I summarize my status and show some .conf files?

I’m trying to install uroflowmain.ddns.net on LAMP on a raspberrypi.

http://uroflowmain.ddns.net/test.php works fine (shows my test.php output)

https://uroflowmain.ddns.net/test.php on chrome gives me

"This site can’t be reached
uroflowmain.ddns.net refused to connect.
ERR_CONNECTION_REFUSED"

I also have uroflowabara.ddns.net and uroflowcanada.ddns.net

me urouser@raspberrypi:~ $ **sudo apache2ctl -S**

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server uroflowcanada.ddns.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost uroflowcanada.ddns.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
                 alias uroflowabara.ddns.net
                 alias uroflowmain.ddns.net
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
urouser@raspberrypi:~ $

urouser@raspberrypi:~ $ **sudo cat /etc/apache2/ports.conf**
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80
<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
urouser@raspberrypi:~ $

Note: I've commented out the rewrite rule hoping that it will not redirect http -> https.

urouser@raspberrypi:~ $ **sudo cat /etc/apache2/sites-enabled/000-default.conf**
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =uroflowcanada.ddns.net
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

urouser@raspberrypi:~ $ **sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf**
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

ServerName uroflowcanada.ddns.net
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias uroflowabara.ddns.net
ServerAlias uroflowmain.ddns.net
SSLCertificateFile /etc/letsencrypt/live/uroflowabara.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uroflowabara.ddns.net/privkey.pem
</VirtualHost>
</IfModule>

Why is there a duplicated definition?

Your port 443 vHost looks like you have created it manually. Let Certbot do that job. And why are ServerName / ServerAlias split?

Checking https://uroflowmain.ddns.net/test.php I see a timeout, not a connection refused.

Hi Juergen

I am using a https://www.noip.com/ dynamic hostname service. I made three hostnames to try and get one of them to work!

Listen 443 Listen 443

Why is there a duplicated definition?

That’s the way it comes from apt-get install apache2 on a raspberrypi. Can I just delete the <IfModule and leave “Listen 443” ?

Your port 443 vHost looks like you have created it manually. Let Certbot do that job. And why are ServerName / ServerAlias split?

I would LOVE to let Certbot do it all, but it didn’t. After the run of Certbot the HttpS version of my site gave connection refused! It gave me connection_refused. So I commented out the redirect in the vhosts for port 80 thinking that a syntax error might be causing the problem.

Is there any way I can just remove all my bumbling and start again with certbot. I did go out and buy a new SD card and re-installed everything, but it still clogs here.

In debugging a normal program we put comments in to find out where it is crashing, so we can go step by step and find the error. Is there any way to do this with apache configuration?

I appreciate very much the goals and energy that you all are putting into Letsencrypt. I want very much to get it working and then perhaps help others to secure their websites.

Thank you very much

John

Checking https://uroflowmain.ddns.net/test.php I see a timeout, not a connection refused.

still connection refused here in Chrome on a Mac.

Thank you again for a kind voice out of the mysterious world of web servers!

Yours Sincerely

John

Here is the apache2ctl -S output and the 2 virtual hosts files… 80 is fine 443 gets refused.

**urouser@raspberrypi:~ $ sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf**
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

ServerName uroflowcanada.ddns.net
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias uroflowabara.ddns.net
ServerAlias uroflowmain.ddns.net
SSLCertificateFile /etc/letsencrypt/live/uroflowabara.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uroflowabara.ddns.net/privkey.pem
</VirtualHost>
</IfModule>
urouser@raspberrypi:~ $ 


@jbrohan,

First we’ll check DNS for your domains (looks good).

$ dig uroflowmain.ddns.net +short
74.59.228.16
$ dig uroflowcanada.ddns.net +short
74.59.228.16
$ dig uroflowabara.ddns.net +short
74.59.228.16

Next we’ll take a look at the open ports on your machine. Apache isn’t currently binding to port 443, or it just may not be opened in your firewall. We’ll troubleshoot this below the code snippet.

$ nmap -T4 -A 74.59.228.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-14 13:51 EST
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 13:52 (0:00:16 remaining)
Nmap scan report for modemcable016.228-59-74.mc.videotron.ca (74.59.228.16)
Host is up (0.055s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE    VERSION
53/tcp   open   domain     (generic dns response: NOTIMP)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open   http       Apache httpd 2.4.38 ((Raspbian))
|_http-server-header: Apache/2.4.38 (Raspbian)
|_http-title: Apache2 Debian Default Page: It works
81/tcp   closed hosts2-ns
8080/tcp closed http-proxy

What’s the output of the following commands?

sudo netstat -plunt | egrep '(80|443)'
sudo iptables -nL

Next let’s look at your apache vhosts. Back up your vhost configurations and then can you test using these updated vhost configurations please? Remember to restart/reload apache after making the change.

HTTP vhost: /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
    ServerName uroflowcanada.ddns.net
    ServerAlias uroflowabara.ddns.net uroflowmain.ddns.net 
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular

	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

HTTPS vhost: /etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

    ServerName uroflowcanada.ddns.net
    ServerAlias uroflowabara.ddns.net uroflowmain.ddns.net
    SSLCertificateFile /etc/letsencrypt/live/uroflowabara.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/uroflowabara.ddns.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

On your own command line, can you run curl -vIL http://localhost and curl -vIL https://localhost and paste that output? This will verify that you can at least hit the HTTPS vhost internally on your raspberry pi.
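
The two questions behind the checks above (does the configuration activate a `Listen 443`, and is a socket actually bound to 443), worked through as an added example that is not part of the original thread and is not Apache or Certbot tooling. The function names, the module lists and the netstat output are constructed; the `ports.conf` text repeats the directives quoted in the thread, and the `mod_NAME.c` to `NAME_module` mapping is an assumed naming convention.

```bash
#!/usr/bin/env bash
# Added example; function names and all sample data are constructed.

# effective_listen CONF MODLIST
# Print the argument of every Listen directive in CONF that is active when
# the modules listed in MODLIST (format of `apache2ctl -M`) are loaded.
effective_listen() {
    awk '
    mode == "mods" { if ($1 ~ /_module$/) loaded[$1] = 1; next }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^#/ || /^$/ { next }
    tolower($1) == "<ifmodule" {
        name = $2; sub(/>$/, "", name)
        neg = 0
        if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
        # Assumption: source file mod_NAME.c corresponds to NAME_module.
        if (name ~ /^mod_.*\.c$/) {
            sub(/^mod_/, "", name); sub(/\.c$/, "", name)
            name = name "_module"
        }
        ok = (name in loaded) ? 1 : 0
        if (neg) ok = !ok
        depth++
        # A nested block is active only if every enclosing block is too.
        active[depth] = (ok && (depth == 1 || active[depth - 1])) ? 1 : 0
        next
    }
    tolower($1) == "</ifmodule>" { if (depth > 0) depth--; next }
    tolower($1) == "listen" && (depth == 0 || active[depth]) { print $2 }
    ' mode=mods "$2" mode=conf "$1"
}

# config_listens PORT CONF MODLIST -> exit 0 if an active Listen uses PORT
config_listens() {
    effective_listen "$2" "$3" | sed 's/.*://' | grep -qx -- "$1"
}

# socket_listening PORT NETSTAT_FILE -> exit 0 if a TCP socket in state
# LISTEN is bound to exactly PORT (input format: `netstat -plnt`).
socket_listening() {
    awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")
        if (part[n] == port) found = 1
    }
    END { exit found ? 0 : 1 }
    ' "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# ports.conf directives as quoted in the thread
cat > "$tmp/ports.conf" <<'EOF'
Listen 80
<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>
EOF

# Constructed `apache2ctl -M` excerpts: one with mod_ssl loaded, one without
printf 'Loaded Modules:\n core_module (static)\n rewrite_module (shared)\n ssl_module (shared)\n' > "$tmp/mods_ssl"
printf 'Loaded Modules:\n core_module (static)\n rewrite_module (shared)\n' > "$tmp/mods_nossl"

# Constructed `netstat -plnt` output. Nothing listens on 443, yet a loose
# egrep '(80|443)' matches the 8080 line twice over (port 8080, PID 4430).
cat > "$tmp/netstat" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      4430/python3
tcp6       0      0 :::80                   :::*                    LISTEN      913/apache2
EOF

echo "Listen with mod_ssl:    $(effective_listen "$tmp/ports.conf" "$tmp/mods_ssl" | tr '\n' ' ')"
echo "Listen without mod_ssl: $(effective_listen "$tmp/ports.conf" "$tmp/mods_nossl" | tr '\n' ' ')"
for port in 80 443; do
    if socket_listening "$port" "$tmp/netstat"; then
        echo "socket bound on $port"
    else
        echo "no socket bound on $port"
    fi
done
```

On a live host the same functions take `/etc/apache2/ports.conf`, the saved output of `apache2ctl -M`, and the saved output of `sudo netstat -plnt`.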

Hi Phil
Thanks for your kind replies. Here is a summary of current status.
I reinstalled Apache and Certbot.
My Domain name is uroflowcanada.ddns.net from NOIP. It is a dynamic dns expected to run on a Raspberry Pi connected to a regular wifi port in a house or office setting
The HTTP http://uroflowcanada.ddns.net url works exactly correctly
The HTTPS https://uroflowcanada.ddns.net fails with ERR_CONNECTION_REFUSED
I am sorry there is so much ‘stuff’ I’ve included as much as I can in the hopes that the magic line will pop out to your experienced eye.
My opinion.
I don’t think it’s getting very far into the system when it’s HTTPS. The rejection comes quickly, before it can be logged in /var/apache2/error.log. It’s likely some necessary component that is not loaded. I am logging at trace8 level, but it does not seem to be working for even http.

Thank you so much. I’ll keep an eye on the forum page as well as the email.
I cut out some boring parts of the output to get it below 32K.

Yours Sincerely
John

Included here are:
Error logs with LogLevel : trace8
The error log indicates a problem with mod_md
The logs indicate only that the apache2 started and it found certificates for 443 https://uroflowcanada.ddns.net

sudo apache2ctl -S
Looks good.
Listing of the sites-available virtual hosts on this machine.
To my unpracticed eye this looks OK too.

dig output -> 74.59.228.16
if you search for the bold words like dig, you’ll find the output.
nmap printout is voluminous and lacks reference to https

netstat plunt looks OK listening on 0.0.0.0 for 80 and 443

sudo iptables -nL looks OK

sudo ufw status 80 and 443 open seems fine

curl -vIL http://uroflowcanada.ddns.net

The /var/log/apache2/error.log
[Wed Nov 20 20:33:32.019390 2019] [core:trace4] [pid 520:tid 3069939424] mpm_common.c(536): mpm child 522 (gen 0/slot 0) exited
[Wed Nov 20 20:33:32.019887 2019] [core:trace4] [pid 520:tid 3069939424] mpm_common.c(536): mpm child 523 (gen 0/slot 1) exited
[Wed Nov 20 20:33:32.020197 2019] [core:info] [pid 520:tid 3069939424] AH00096: removed PID file /var/run/apache2/apache2.pid (pid=520)
[Wed Nov 20 20:33:32.020325 2019] [mpm_event:notice] [pid 520:tid 3069939424] AH00491: caught SIGTERM, shutting down
[Wed Nov 20 20:33:32.031613 2019] [core:trace4] [pid 520] mpm_common.c(431): end of generation 0
[Wed Nov 20 20:34:21.247997 2019] [ssl:trace2] [pid 912:tid 3069607648] ssl_engine_rand.c(126): Init: Seeding PRNG with 648 bytes of entropy
[Wed Nov 20 20:34:21.248357 2019] [ssl:info] [pid 912:tid 3069607648] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Nov 20 20:34:21.248468 2019] [ssl:info] [pid 912:tid 3069607648] AH01914: Configuring server uroflowcanada.ddns.net:443 for SSL protocol
[Wed Nov 20 20:34:21.248564 2019] [ssl:debug] [pid 912:tid 3069607648] ssl_engine_init.c(1750): AH10083: Init: (uroflowcanada.ddns.net:443) mod_md support is unavailable.
[Wed Nov 20 20:34:21.248657 2019] [ssl:trace3] [pid 912:tid 3069607648] ssl_engine_init.c(579): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
[Wed Nov 20 20:34:21.250621 2019] [ssl:trace1] [pid 912:tid 3069607648] ssl_engine_init.c(915): Configuring permitted SSL ciphers [ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDS…
SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!aNULL:!eNULL:!EXP]
[Wed Nov 20 20:34:21.251587 2019] [ssl:debug] [pid 912:tid 3069607648] ssl_engine_init.c(479): AH01893: Configuring TLS extension handling
[Wed Nov 20 20:34:21.255761 2019] [ssl:trace3] [pid 912:tid 3069607648] ssl_util_ssl.c(465): [uroflowcanada.ddns.net:443] modssl_X509_match_name: expecting name ‘uroflowcanada.ddns.net’, matched by ID ‘uroflowcanada.ddns.net
[Wed Nov 20 20:34:21.256543 2019] [ssl:debug] [pid 912:tid 3069607648] ssl_util_ssl.c(476): AH02412: [uroflowcanada.ddns.net:443] Cert matches for name ‘uroflowcanada.ddns.net’ [subject: CN=uroflowcanada.ddns.net / issuer: CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US / serial: 048BC71E036F4B99D4D55E5A925999149796 / notbefore: Nov 12 17:52:07 2019 GMT / notafter: Feb 10 17:52:07 2020 GMT]
[Wed Nov 20 20:34:21.256691 2019] [ssl:info] [pid 912:tid 3069607648] AH02568: Certificate and private key uroflowcanada.ddns.net:443:0 configured from /etc/letsencrypt/live/uroflowcanada.ddns.net/fullchain.pem and /etc/letsencrypt/live/uroflowcanada.ddns.net/privkey.pem
[Wed Nov 20 20:34:21.258328 2019] [ssl:info] [pid 912:tid 3069607648] AH01876: mod_ssl/2.4.38 compiled against Server: Apache/2.4.38, Library: OpenSSL/1.1.1d
[Wed Nov 20 20:34:21.344196 2019] [ssl:trace2] [pid 913:tid 3069607648] ssl_engine_rand.c(126): Init: Seeding PRNG with 648 bytes of entropy
[Wed Nov 20 20:34:21.386031 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(401): AH00821: shmcb_init allocated 512000 bytes of shared memory
[Wed Nov 20 20:34:21.386246 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(417): AH00822: for 511944 bytes (512000 including header), recommending 32 subcaches, 88 indexes each
[Wed Nov 20 20:34:21.386344 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(450): AH00824: shmcb_init_memory choices follow
[Wed Nov 20 20:34:21.386429 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(452): AH00825: subcache_num = 32
[Wed Nov 20 20:34:21.386860 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(454): AH00826: subcache_size = 15992
[Wed Nov 20 20:34:21.386963 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(456): AH00827: subcache_data_offset = 2128
[Wed Nov 20 20:34:21.387040 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(458): AH00828: subcache_data_size = 13864
[Wed Nov 20 20:34:21.387113 2019] [socache_shmcb:debug] [pid 913:tid 3069607648] mod_socache_shmcb.c(460): AH00829: index_num = 88
[Wed Nov 20 20:34:21.387738 2019] [socache_shmcb:info] [pid 913:tid 3069607648] AH00830: Shared memory socache initialised
[Wed Nov 20 20:34:21.387844 2019] [ssl:info] [pid 913:tid 3069607648] AH01887: Init: Initializing (virtual) servers for SSL
[Wed Nov 20 20:34:21.387929 2019] [ssl:info] [pid 913:tid 3069607648] AH01914: Configuring server uroflowcanada.ddns.net:443 for SSL protocol
[Wed Nov 20 20:34:21.388011 2019] [ssl:debug] [pid 913:tid 3069607648] ssl_engine_init.c(1750): AH10083: Init: (uroflowcanada.ddns.net:443) mod_md support is unavailable.
[Wed Nov 20 20:34:21.388098 2019] [ssl:trace3] [pid 913:tid 3069607648] ssl_engine_init.c(579): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
[Wed Nov 20 20:34:21.390339 2019] [ssl:trace1] [pid 913:tid 3069607648] ssl_engine_init.c(915): Configuring permitted SSL ciphers [ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!aNULL:!eNULL:!EXP]
[Wed Nov 20 20:34:21.391309 2019] [ssl:debug] [pid 913:tid 3069607648] ssl_engine_init.c(479): AH01893: Configuring TLS extension handling
[Wed Nov 20 20:34:21.401183 2019] [ssl:trace3] [pid 913:tid 3069607648] ssl_util_ssl.c(465): [uroflowcanada.ddns.net:443] modssl_X509_match_name: expecting name ‘uroflowcanada.ddns.net’, matched by ID ‘uroflowcanada.ddns.net
[Wed Nov 20 20:34:21.401753 2019] [ssl:debug] [pid 913:tid 3069607648] ssl_util_ssl.c(476): AH02412: [uroflowcanada.ddns.net:443] Cert matches for name ‘uroflowcanada.ddns.net’ [subject: CN=uroflowcanada.ddns.net / issuer: CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US / serial: 048BC71E036F4B99D4D55E5A925999149796 / notbefore: Nov 12 17:52:07 2019 GMT / notafter: Feb 10 17:52:07 2020 GMT]
[Wed Nov 20 20:34:21.401881 2019] [ssl:info] [pid 913:tid 3069607648] AH02568: Certificate and private key uroflowcanada.ddns.net:443:0 configured from /etc/letsencrypt/live/uroflowcanada.ddns.net/fullchain.pem and /etc/letsencrypt/live/uroflowcanada.ddns.net/privkey.pem
[Wed Nov 20 20:34:21.403588 2019] [ssl:info] [pid 913:tid 3069607648] AH01876: mod_ssl/2.4.38 compiled against Server: Apache/2.4.38, Library: OpenSSL/1.1.1d
[Wed Nov 20 20:34:21.404047 2019] [watchdog:debug] [pid 913:tid 3069607648] mod_watchdog.c(454): AH010033: Watchdog: Running with WatchdogInterval 1000ms
[Wed Nov 20 20:34:21.404174 2019] [watchdog:debug] [pid 913:tid 3069607648] mod_watchdog.c(462): AH02974: Watchdog: found parent providers.
[Wed Nov 20 20:34:21.404264 2019] [watchdog:debug] [pid 913:tid 3069607648] mod_watchdog.c(508): AH02977: Watchdog: found child providers.
[Wed Nov 20 20:34:21.404344 2019] [watchdog:debug] [pid 913:tid 3069607648] mod_watchdog.c(516): AH02978: Watchdog: Looking for child (singleton).
[Wed Nov 20 20:34:21.404487 2019] [watchdog:debug] [pid 913:tid 3069607648] mod_watchdog.c(516): AH02978: Watchdog: Looking for child (default).
[Wed Nov 20 20:34:21.418527 2019] [core:trace4] [pid 913:tid 3069607648] mpm_common.c(536): mpm child 915 (gen 0/slot 0) started
[Wed Nov 20 20:34:21.420831 2019] [core:trace4] [pid 913:tid 3069607648] mpm_common.c(536): mpm child 916 (gen 0/slot 1) started
[Wed Nov 20 20:34:21.421119 2019] [mpm_event:notice] [pid 913:tid 3069607648] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Wed Nov 20 20:34:21.421222 2019] [mpm_event:info] [pid 913:tid 3069607648] AH00490: Server built: 2019-10-15T19:53:42
[Wed Nov 20 20:34:21.421391 2019] [core:notice] [pid 913:tid 3069607648] AH00094: Command line: ‘/usr/sbin/apache2’
[Wed Nov 20 20:34:21.421492 2019] [core:debug] [pid 913:tid 3069607648] log.c(1571): AH02639: Using SO_REUSEPORT: yes (1)
[Wed Nov 20 20:34:21.425685 2019] [watchdog:debug] [pid 915:tid 3069607648] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Wed Nov 20 20:34:21.431304 2019] [watchdog:debug] [pid 916:tid 3069607648] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Wed Nov 20 20:34:21.438779 2019] [mpm_event:debug] [pid 915:tid 3059082272] event.c(2314): AH02471: start_threads: Using epoll (wakeable)
[Wed Nov 20 20:34:21.456008 2019] [mpm_event:debug] [pid 916:tid 3059082272] event.c(2314): AH02471: start_threads: Using epoll (wakeable)
root@raspberrypi:/home/urouser#

Note no mention of the http://uroflowcanada.ddns.net that worked properly ??

root@raspberrypi:/home/urouser# sudo apache2ctl -S
[Wed Nov 20 20:47:13.177792 2019] [core:trace3] [pid 1038:tid 3069599456] core.c(3355): Setting LogLevel for all modules to trace8
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:80 uroflowcanada.ddns.net (/etc/apache2/sites-enabled/uroflowcanada.ddns.net.conf:1)
*:443 uroflowcanada.ddns.net (/etc/apache2/sites-enabled/uroflowcanada.ddns.net.conf:9)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

Listing of the sites-available virtual hosts on this machine.

root@raspberrypi:/home/urouser# ls -l /etc/apache2/sites-available
total 16
-rw-r--r-- 1 root root 1332 Apr 2 2019 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 2 2019 default-ssl.conf
-rw-r--r-- 1 root root 980 Nov 19 16:28 uroflowcanada.ddns.net.conf
root@raspberrypi:/home/urouser# sudo cat /etc/apache2/sites-available/uroflowcanada.ddns.net.conf
<VirtualHost *:80>
ServerAdmin jbrohan@gmail.com
ServerName uroflowcanada.ddns.net
ServerAlias www.uroflowcanada.ddns.net
DocumentRoot /var/www/uroflowcanada.ddns.net
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
#ServerName dev.example.com
ServerName uroflowcanada.ddns.net
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/uroflowcanada.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uroflowcanada.ddns.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateFile “C:/prod/hosts.crt.pem”
#SSLCertificateKeyFile “C:/prod/hosts.key.pem”
#SSLCertificateChainFile “C:/prod/intermediate.crt.pem”
#Include conf/sites/dev.example.com.conf
DocumentRoot /var/www/uroflowcanada.ddns.net
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

root@raspberrypi:/home/urouser# ls -l /etc/apache2/sites-enabled
total 0
lrwxrwxrwx 1 root root 46 Nov 18 17:46 uroflowcanada.ddns.net.conf -> ../sites-available/uroflowcanada.ddns.net.conf
root@raspberrypi:/home/urouser#

dig output
root@raspberrypi:/home/urouser# dig uroflowcanada.ddns.net

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> uroflowcanada.ddns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52613
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;uroflowcanada.ddns.net. IN A

;; ANSWER SECTION:
uroflowcanada.ddns.net. 59 IN A 74.59.228.16

;; Query time: 31 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Wed Nov 20 21:11:08 GMT 2019
;; MSG SIZE rcvd: 67

dig uroflowcanada.ddns.net +short
74.59.228.16

nmap printout is voluminous and lacks reference to https.
nmap -T4 -A 74.59.228.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-20 21:16 GMT
WARNING: Service 74.59.228.16:5000 had already soft-matched upnp, but now soft-matched rtsp; ignoring second value
WARNING: Service 74.59.228.16:5000 had already soft-matched upnp, but now soft-matched sip; ignoring second value
Nmap scan report for modemcable016.228-59-74.mc.videotron.ca (74.59.228.16)
Host is up (0.0095s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Raspbian))
|_http-server-header: Apache/2.4.38 (Raspbian)
|_http-title: Welcome to uroflowcanada.ddns.net!
81/tcp filtered hosts2-ns
5000/tcp open upnp MiniUPnP 1.9 (UPnP 1.1)
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/html
| Connection: close
| Content-Length: 134
| Server: chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9
| Ext:
| 404 Not Found

Not Found

The requested URL was not found on this server.
| GenericLines:
| 501 Not Implemented
| Content-Type: text/html
| Connection: close
| Content-Length: 149
| Server: chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9
| Ext:
| 501 Not Implemented

Not Implemented

The HTTP Method is not implemented by this server.
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Content-Type: text/html
| Connection: close
| Content-Length: 149
| Server: chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9
| Ext:
| 501 Not Implemented

Not Implemented

The HTTP Method is not implemented by this server.
| RTSPRequest:
| RTSP/1.0 501 Not Implemented
| Content-Type: text/html
| Connection: close
| Content-Length: 149
| Server: chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9
| Ext:
| 501 Not Implemented

Not Implemented

The HTTP Method is not implemented by this server.
| SIPOptions:
| SIP/2.0 501 Not Implemented
| Content-Type: text/html
| Connection: close
| Content-Length: 149
| Server: chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9
| Ext:
|
501 Not Implemented

Not Implemented

The HTTP Method is not implemented by this server.
8080/tcp filtered http-proxy
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Length: 9
| Content-Type: text/plain
| Date: Wed, 20 Nov 2019 21:17:33 GMT
| Found
| GetRequest:
| HTTP/1.0 200 OK
| Content-Length: 1067
| Content-Type: text/html
| Date: Wed, 20 Nov 2019 21:17:33 GMT
| Google Wifi

This site was blocked.

<p class="status-desc
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Length: 9
| Content-Type: text/plain
| Date: Wed, 20 Nov 2019 21:17:38 GMT
| Found
| RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Length: 9
| Content-Type: text/plain
| Date: Wed, 20 Nov 2019 21:17:38 GMT
| Found
| SIPOptions:
| HTTP/1.1 404 Not Found
| Content-Length: 9
| Content-Type: text/plain
| Date: Wed, 20 Nov 2019 21:17:33 GMT
| Found
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 17.19 ms modemcable016.228-59-74.mc.videotron.ca (74.59.228.16)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.60 seconds
root@raspberrypi:/home/urouser#

Netstat plunt
netstat -plunt | egrep '80'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 913/apache2
root@raspberrypi:/home/urouser# sudo netstat -plunt | egrep '443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 913/apache2
root@raspberrypi:/home/urouser#

sudo iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-logging-deny (2 references)

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_WWW%20Full' */

Chain ufw-user-output (1 references)
target prot opt source destination

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

sudo ufw status
Status: active

To Action From


22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
WWW Full ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
WWW Full (v6) ALLOW Anywhere (v6)

curl -vIL http://uroflowcanada.ddns.net

* Expire in 0 ms for 6 (transfer 0x604880)
* Expire in 50 ms for 1 (transfer 0x604880)
* Trying 74.59.228.16...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x604880)
* Connected to uroflowcanada.ddns.net (74.59.228.16) port 80 (#0)
> HEAD / HTTP/1.1
> Host: uroflowcanada.ddns.net
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 21:39:25 GMT
Date: Wed, 20 Nov 2019 21:39:25 GMT
< Server: Apache/2.4.38 (Raspbian)
Server: Apache/2.4.38 (Raspbian)
< Last-Modified: Mon, 18 Nov 2019 17:44:27 GMT
Last-Modified: Mon, 18 Nov 2019 17:44:27 GMT
< ETag: "c6-597a27fc0a42c"
ETag: "c6-597a27fc0a42c"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 198
Content-Length: 198

<
* Connection #0 to host uroflowcanada.ddns.net left intact
root@raspberrypi:/home/urouser# curl -vIL https://uroflowcanada.ddns.net
* Expire in 0 ms for 6 (transfer 0x37b880)
* Expire in 50 ms for 1 (transfer 0x37b880)
* Trying 74.59.228.16...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x37b880)
* connect to 74.59.228.16 port 443 failed: Connection refused
* Failed to connect to uroflowcanada.ddns.net port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to uroflowcanada.ddns.net port 443: Connection refused
root@raspberrypi:/home/urouser#
curl -vIL https://localhost
* Expire in 0 ms for 6 (transfer 0x8ce880)
* Trying ::1...
* TCP_NODELAY set
* Expire in 149990 ms for 3 (transfer 0x8ce880)
* Expire in 200 ms for 4 (transfer 0x8ce880)
* connect to ::1 port 443 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x8ce880)
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=uroflowcanada.ddns.net
* start date: Nov 12 17:52:07 2019 GMT
* expire date: Feb 10 17:52:07 2020 GMT
* subjectAltName does not match localhost
* SSL: no alternative certificate subject name matches target host name 'localhost'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@raspberrypi:/home/urouser#

@jbrohan,

Apologies for the long delay in getting back to you.

Your internal curl call (curl -vIL https://localhost) looks fine, which means that your TLS vhost is configured correctly.

Do you run a firewall on your network besides the raspberry pi firewall? Perhaps one that’s built into your router? If so, check if you can open TCP/443. At this point I think it’s just a simple networking issue.
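
The layer-by-layer reasoning in the reply above (Apache listens on 443, ufw allows it, yet the public address refuses the connection), as an added example that is not part of the original thread: a POSIX shell script that reads the three tool outputs and names the first layer where the port stops. The sample text is constructed to mirror the outputs posted above; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: localize where a TCP port stops being reachable.
# All sample text is constructed to mirror the outputs posted in this thread.

# Shaped like `netstat -plunt` rows (state is field 6, local address field 4).
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 913/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 913/apache2'

# Shaped like `ufw status` rows.
UFW_SAMPLE='22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere'

# Shaped like the port table of an nmap scan of the public address.
# Assumption: a scanned port that is not listed was reported as closed
# ("Not shown: ... closed ports"), which is the case for 443 here.
NMAP_SAMPLE='80/tcp open http
81/tcp filtered hosts2-ns
5000/tcp open upnp
8080/tcp filtered http-proxy
8081/tcp open blackice-icecap?'

# listening_locally PORT NETSTAT_TEXT -> exit 0 if a TCP socket listens on PORT
listening_locally() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# allowed_by_ufw PORT UFW_TEXT -> exit 0 if an ALLOW rule names PORT
allowed_by_ufw() {
    printf '%s\n' "$2" | awk -v p="$1" '
        ($1 == p || $1 == p "/tcp") && $2 == "ALLOW" { found = 1 }
        END { exit !found }'
}

# external_state PORT NMAP_TEXT -> prints open, filtered or closed
external_state() {
    printf '%s\n' "$2" | awk -v p="$1/tcp" '
        $1 == p { s = $2 }
        END { print (s == "" ? "closed" : s) }'
}

# diagnose PORT [NETSTAT_TEXT] [UFW_TEXT] [NMAP_TEXT]
# Prints the first layer that fails, checking from the host outwards.
diagnose() {
    d_netstat=${2:-$NETSTAT_SAMPLE}
    d_ufw=${3:-$UFW_SAMPLE}
    d_nmap=${4:-$NMAP_SAMPLE}
    if ! listening_locally "$1" "$d_netstat"; then
        echo "no-local-listener"          # Apache Listen / module problem
    elif ! allowed_by_ufw "$1" "$d_ufw"; then
        echo "blocked-by-host-firewall"   # ufw / iptables on the Pi
    elif [ "$(external_state "$1" "$d_nmap")" != "open" ]; then
        echo "blocked-upstream"           # router port forward or ISP filter
    else
        echo "reachable"
    fi
}

for port in 80 443; do
    printf '%s: %s\n' "$port" "$(diagnose "$port")"
done
```

With the thread's data, port 80 comes out as reachable and port 443 as blocked-upstream, which is the router-side conclusion the reply reaches.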
