SSL on Ubuntu 16.04 with apache and varnish

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/leptokaropoulos.gr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem
   Your cert will expire on 2018-08-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Victory!
Show:
certbot certificates

You can edit the basic:
/etc/apache2/sites-available/default-ssl.conf:
or replace that file with the example @_az provided
or write your own… that makes little difference at this point.

In any case, just use those two files
Certificate Path: /etc/letsencrypt/live/leptokaropoulos.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem

YAY :star_struck:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: leptokaropoulos.gr
    Domains: leptokaropoulos.gr www.leptokaropoulos.gr
    Expiry Date: 2018-08-20 09:01:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/leptokaropoulos.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem
-------------------------------------------------------------------------------

if using
/etc/apache2/sites-available/default-ssl.conf:
replace

with
SSLCertificateFile /etc/letsencrypt/live/leptokaropoulos.gr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem

In any case, your next task is to get Apache listening on port 443.
Remember…
netstat -pant | grep -i listen
did not show anything bound to port 443.
try it again now - you will see

Depending on the version of apache, it could be as simple as:
sudo a2enmod ssl

Markos here. I couldn’t comment any more, because my account was new.

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::143                  :::*                    LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

LOL - Yes 25 posts is the newbie limit.

See, there is nothing listening on 443.
Try:
sudo a2enmod ssl
#Apache2 ENable MODule SSL#

Then restart apache
service apache2 restart
or however you normally do that

:smile:

(No info could be read for "-p": geteuid()=1002 but you should be root.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::143                  :::*                    LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

So, I created the certificate and enabled the ssl module, so apache is now listening on :443 (and the certificate is used?). So, then I should forward HTTPS to varnish, right? And then set up the renewals.

I am being economic with my answers :smiley:

Slow down cowboy!
One step at a time...
I don't see your IP listening on port 443.
wget https://leptokaropoulos.gr
--2018-05-22 06:23:53-- https://leptokaropoulos.gr/
Resolving leptokaropoulos.gr (leptokaropoulos.gr)... 195.201.138.70
Connecting to leptokaropoulos.gr (leptokaropoulos.gr)|195.201.138.70|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

$ curl -X GET -I http://leptokaropoulos.gr:443
HTTP/1.1 302 Found
Date: Tue, 22 May 2018 10:24:56 GMT
Server: Apache/2.4.18 (Ubuntu)

I think there is a missing SSLEngine On or something somewhere. Or maybe mod_ssl not loaded.

What does your port 443 VirtualHost look like?

Maybe protocol settings missing?

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

sudo a2enmod ssl:

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

Yeah "sslengine on" is within

So does
netstat -pant | grep -i listen
show 443 ? ? ?

It does, because he is listening with HTTP (not HTTPS) on 443 :slight_smile: .

Then remove (or rem out) the "IF" & "END IF" section tags
<IfModule mod_ssl.c>
</IfModule>
to force ssl ???

@whatHappened
Show the updated /etc/apache2/sites-enabled/default-ssl.conf file
You can remove all the lines that start with #

Also

apachectl -S

so we can get a broad overview of the vhosts.

Based on what the server is doing I would guess it was missing the SSL* directives within the 443 VirtualHost … but who knows.

I think it is:
/etc/apache2/sites-available/
is NOT
/etc/apache2/sites-enabled/

Please show:
ls -l /etc/apache2/sites-enabled/

Hmm the default-ssl.conf is inside /etc/apache2/sites-available.

In any case:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/letsencrypt/live/leptokaropoulos.gr/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Apache looks in sites-enabled (not in sites-available)
You would need a symbolic link to reference that file and have it included in the configuration.
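The two faults discussed in this thread, a port-443 VirtualHost whose SSL* directives are missing or commented out (so Apache answers plain HTTP on 443) and a vhost file that only exists in sites-available, can both be checked before restarting Apache. The script below is an added example, not code from the thread or from Apache; the function names are hypothetical and the configs it checks are constructed inline (example.org paths are placeholders).

```shell
# Added example, not from the thread. Checks a vhost file for an active TLS
# setup on :443 and checks that the file is wired into sites-enabled.
# Function names are hypothetical.

# check_ssl_vhost FILE -> 0 if every *:443 VirtualHost in FILE has an active
# (uncommented) SSLEngine on, SSLCertificateFile and SSLCertificateKeyFile.
check_ssl_vhost() {
    awk '
        /^[[:space:]]*<VirtualHost[^>]*:443>/ { in443 = 1; eng = cert = key = 0; next }
        in443 && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/    { eng = 1 }
        in443 && /^[[:space:]]*SSLCertificateFile[[:space:]]/    { cert = 1 }
        in443 && /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/ { key = 1 }
        in443 && /^[[:space:]]*<\/VirtualHost>/ {
            in443 = 0; seen++
            if (!(eng && cert && key)) bad++
        }
        END { exit (seen == 0 || bad > 0) ? 1 : 0 }
    ' "$1"
}

# check_enabled DIR NAME -> 0 if DIR/NAME exists (file or symlink), i.e. the
# vhost is actually read by Apache, which includes sites-enabled only.
check_enabled() { [ -e "$1/$2" ]; }

demo_dir=$(mktemp -d)
# Constructed: the symptom seen in the thread, SSL* lines commented out.
cat > "$demo_dir/broken-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    #SSLEngine on
    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
EOF
# Constructed: the shape of the working vhost (example.org paths are placeholders).
cat > "$demo_dir/default-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
EOF
mkdir "$demo_dir/sites-enabled"
ln -s "$demo_dir/default-ssl.conf" "$demo_dir/sites-enabled/default-ssl.conf"

check_ssl_vhost "$demo_dir/default-ssl.conf" && echo "default-ssl.conf: TLS configured on :443"
check_ssl_vhost "$demo_dir/broken-ssl.conf" || echo "broken-ssl.conf: :443 would serve plain HTTP"
check_enabled "$demo_dir/sites-enabled" default-ssl.conf && echo "default-ssl.conf is enabled"
```

On a real host, point check_ssl_vhost at the file in /etc/apache2/sites-available and check_enabled at /etc/apache2/sites-enabled, then compare with apachectl -S.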

Couldn't I copy the file from sites-available to sites-enabled?