SSL not working - no site access via browser

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.artisticslate.com

I ran this command: certbot --apache

It produced this output: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/artisticslate.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/artisticslate.com-0001/privkey.pem
Your cert will expire on 2021-05-06.

My web server is (include version): Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17

The operating system my web server runs on is (include version): Ubuntu server 20.04

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

This was the second run of certbot since I suspected the first run may have caused an issue even though it produced a similar output. I selected to allow http as well as https access but now only one site can be reached - http://www.artisticslate.com - the other sites (all hosted on the same server) can no longer be reached. All DNS names are managed by no-ip since this server is a home one and does not have a static IP address.

1 Like

It looks like your server is not accepting traffic on port 443, which is needed for HTTPS.

Make sure that you have allowed that port on your server's firewall and that you have port forwarded it on your router as well.

The difference here is that www.artisticslate.com doesn't redirect to HTTPS, so you can access it without problems.

artisticslate.com does redirect to HTTPS, which needs port 443 to be reachable. Because the port is not reachable, the site doesn't load.

2 Likes

That did the trick - I feel so dumb not even thinking about the stupid router.
All sites are now up - THANKS :slight_smile:

3 Likes

I'm glad you were able to obtain a certificate...
But I can't help but wonder - why is there a -0001 in this new one?

Please show:
certbot certificates
and also:
apachectl -S

2 Likes

This is due to running certbot twice, see below:
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.12.0 renewal configuration file found at /etc/letsencrypt/renewal/artisticslate.com.conf with version 0.40.0 of Certbot. This might not work.


Found the following certs:
Certificate Name: artisticslate.com-0001
Domains: artisticslate.com paulrw.ddns.net tprepublicanclub.ddns.net
Expiry Date: 2021-05-06 20:15:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/artisticslate.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/artisticslate.com-0001/privkey.pem
Certificate Name: artisticslate.com
Domains: artisticslate.com paulrw.ddns.net tprepublicanclub.ddns.net www.artisticslate.com
Expiry Date: 2021-05-06 17:57:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/artisticslate.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/artisticslate.com/privkey.pem


$ sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ArtisticSlate.com (/etc/apache2/sites-enabled/ArtisticSlate.com-le-ssl.conf:2)
port 443 namevhost ArtisticSlate.com (/etc/apache2/sites-enabled/ArtisticSlate.com-le-ssl.conf:2)
alias www.ArtisticSlate.com
alias artisticslate.com
port 443 namevhost Paulrw.ddns.net (/etc/apache2/sites-enabled/Paulrw.ddns.net-le-ssl.conf:2)
alias www.Paulrw.ddns.net
alias paulrw.ddns.net
port 443 namevhost TpRepublicanClub.ddns.net (/etc/apache2/sites-enabled/TpRepublicanClub.ddns.net-le-ssl.conf:2)
alias www.TpRepublicanClub.ddns.net
alias tprepublicanclub.ddns.net
*:80 is a NameVirtualHost
default server 192.168.0.81 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 192.168.0.81 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost ArtisticSlate.com (/etc/apache2/sites-enabled/ArtisticSlate.com.conf:1)
alias www.ArtisticSlate.com
port 80 namevhost Paulrw.ddns.net (/etc/apache2/sites-enabled/Paulrw.ddns.net.conf:1)
alias www.Paulrw.ddns.net
port 80 namevhost TpRepublicanClub.ddns.net (/etc/apache2/sites-enabled/TpRepublicanClub.ddns.net.conf:1)
alias www.TpRepublicanClub.ddns.net
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

This is due to running certbot with two different (but similar) sets of names:
[you probably don't need both [either one]; and should remove the one you are not using]

As you can see, the names on the certs don't fully cover all the names in use:

/etc/apache2/sites-enabled/ArtisticSlate.com-le-ssl.conf:
 - namevhost ArtisticSlate.com
 - alias www.ArtisticSlate.com
 - alias artisticslate.com <<<<< duplicate name - should be removed <<<<<
/etc/apache2/sites-enabled/Paulrw.ddns.net-le-ssl.conf:
 - namevhost Paulrw.ddns.net
 - alias www.Paulrw.ddns.net <<<<< name not in cert <<<<<
 - alias paulrw.ddns.net <<<<< duplicate name - should be removed <<<<<
/etc/apache2/sites-enabled/TpRepublicanClub.ddns.net-le-ssl.conf:
 - namevhost TpRepublicanClub.ddns.net
 - alias www.TpRepublicanClub.ddns.net <<<<< name not in cert <<<<<
 - alias tprepublicanclub.ddns.net <<<<< duplicate name - should be removed <<<<<

Names are NOT case sensitive:
ArtisticSlate.com = artisticslate.com
Paulrw.ddns.net = paulrw.ddns.net
TpRepublicanClub.ddns.net = tprepublicanclub.ddns.net

2 Likes
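The name comparison made in the reply above can be scripted. This is an added example, not part of the original thread: it parses `certbot certificates` and `apachectl -S` output, lower-cases every name, and reports per port-443 vhost which aliases repeat an earlier name and which names no certificate covers. The sample text is constructed by abridging the output posted above; the function names are hypothetical, and matching is exact-name only (wildcard certificates are not handled).

```python
import re

# Constructed sample input, abridged from the command output posted in the thread.
CERTBOT_OUT = """\
Certificate Name: artisticslate.com-0001
Domains: artisticslate.com paulrw.ddns.net tprepublicanclub.ddns.net
Certificate Name: artisticslate.com
Domains: artisticslate.com paulrw.ddns.net tprepublicanclub.ddns.net www.artisticslate.com
"""
APACHECTL_OUT = """\
port 443 namevhost ArtisticSlate.com (/etc/apache2/sites-enabled/ArtisticSlate.com-le-ssl.conf:2)
alias www.ArtisticSlate.com
alias artisticslate.com
port 443 namevhost Paulrw.ddns.net (/etc/apache2/sites-enabled/Paulrw.ddns.net-le-ssl.conf:2)
alias www.Paulrw.ddns.net
alias paulrw.ddns.net
port 80 namevhost ArtisticSlate.com (/etc/apache2/sites-enabled/ArtisticSlate.com.conf:1)
alias www.ArtisticSlate.com
"""

def parse_certs(text):
    """Map certificate name -> set of lower-cased domains."""
    pairs = re.findall(r"Certificate Name: (\S+).*?Domains: ([^\n]+)", text, re.S)
    return {name: set(doms.lower().split()) for name, doms in pairs}

def parse_vhosts(text, port=443):
    """Return [(config file, [names as written])] for vhosts on `port`."""
    vhosts, names = [], None
    for line in text.splitlines():
        host = re.match(r"\s*port (\d+) namevhost (\S+) \((.+):\d+\)", line)
        alias = re.match(r"\s*alias (\S+)", line)
        if host and int(host.group(1)) == port:
            names = [host.group(2)]
            vhosts.append((host.group(3), names))
        elif alias and names is not None:
            names.append(alias.group(1))
        elif not alias:
            names = None  # any other line ends the current alias list
    return vhosts

def audit(certs, vhosts):
    """Per vhost: names repeating an earlier one, and names no cert covers."""
    covered, report = set().union(*certs.values()), {}
    for conf, names in vhosts:
        low = [n.lower() for n in names]  # hostnames are case-insensitive
        dupes = [n for i, n in enumerate(names) if low[i] in low[:i]]
        missing = [n for n, k in zip(names, low) if k not in covered]
        report[conf] = {"duplicate": dupes, "not_in_any_cert": missing}
    return report
```

On a live server, feed it the real output of `sudo certbot certificates` and `sudo apachectl -S` instead of the sample strings.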
