Ssllabs test returns "Assessment failed: No secure protocols supported" after successful installation

After I run:

certbot --apache

on an Ubuntu 16.06 system, the process finishes with a message telling me the certificate was installed with success:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: klebermota.eti.br
2: www.klebermota.eti.br
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/klebermota.eti.br.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate for klebermota.eti.br to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate for www.klebermota.eti.br to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://klebermota.eti.br and
https://www.klebermota.eti.br

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=klebermota.eti.br
https://www.ssllabs.com/ssltest/analyze.html?d=www.klebermota.eti.br
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/klebermota.eti.br/fullchain.pem. Your cert
   will expire on 2017-09-09. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Some rewrite rules copied from
   /etc/apache2/sites-available/000-default.conf were disabled in the
   vhost for your HTTPS site located at
   /etc/apache2/sites-available/000-default-le-ssl.conf because they
   have the potential to create redirection loops.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

but when I test my site (both urls ‘klebermota.eti.br’ and ‘www.klebermota.eti.br’) in the ssllabs website, I get the error:

Assessment failed: No secure protocols supported

Can someone give a hint of what’s wrong here?

Oi @klebermo,

The browser error for your site shows that, for some reason, your site speaks HTTP instead of HTTPS on port 443.

This is generally due to a misconfiguration in the Apache configuration files in /etc/apache2/sites-available (which may be partly Certbot’s fault here).

Could you take a look at those configuration files and see if you can see why they are causing HTTP to be spoken on port 443? It could be a VirtualHost directive mentioning port 443 in your original non-HTTPS configuration file, or it could be that you don’t have mod_ssl installed.

If you can’t figure it out, feel free to post your Apache configuration files here and we can try to figure out what’s happened.

Hi @schoen

Here are my configuration files from /etc/apache2/sites-available:

000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName klebermota.eti.br
        ServerAlias www.klebermota.eti.br

        ServerAdmin klebermo@gmail.com
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =klebermota.eti.br
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName klebermota.eti.br
        ServerAlias www.klebermota.eti.br

        ServerAdmin klebermo@gmail.com
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

#RewriteCond %{SERVER_NAME} =klebermota.eti.br
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/klebermota.eti.br/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/klebermota.eti.br/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

a2query -m ssl confirms ssl is enabled. Not sure what could be wrong here.

Could anything else be set to listen on port 443? Maybe you could run

grep -r 443 /etc/apache2

to check if there is some other configuration file referring to it.

That command returns this output:

/etc/apache2/ports.conf:        Listen 443
/etc/apache2/ports.conf:        Listen 443
/etc/apache2/sites-available/000-default.conf.save:<VirtualHost *.443>
/etc/apache2/sites-available/000-default-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf.old:      <VirtualHost _default_:443>

Should I remove these old configuration files? I mean, 000-default.conf.save and default-ssl.conf.old.

Yes, maybe try moving them into /tmp or your home directory.

Did that, and restarted Apache, but the same continues to happen. Should I make some change in this ports.conf file too? Currently, it has this content:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Look closely…
Closer.

Do you see the TYPO?

It’s in the center line: *.443

That’s the old file 000-default.conf (this is the reason for the suffix .save in the end), which is no longer present in this directory.

Can you show the contents of sites-enabled?
ls -l /etc/apache2/sites-enabled/

total 0
lrwxrwxrwx 1 root root 35 Jun  6 23:09 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 42 Jun 11 12:22 000-default-le-ssl-conf -> ../sites-available/000-default-le-ssl.conf

show both (if empty, delete):
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/000-default-le-ssl-conf

And yet another (possible) TYPO:
/etc/apache2/sites-enabled/000-default-le-ssl-conf

If the include statement was *.conf then that should have been:
/etc/apache2/sites-enabled/000-default-le-ssl.conf
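
The two checks the last replies point to, as an added example that is not part of the thread: it lists sites-enabled entries whose names do not end in .conf and reports whether any file that would be loaded declares a port-443 VirtualHost. It assumes Apache includes sites-enabled/*.conf (the stock Debian/Ubuntu pattern, which the reply above treats as a possibility); the function names and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sites-enabled entries that an assumed
# "IncludeOptional sites-enabled/*.conf" pattern never loads.

# Print entries in directory $1 whose names do not end in ".conf".
ignored_sites() {
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "$f" in
            *.conf) ;;
            *) basename "$f" ;;
        esac
    done
}

# Succeed only if a loaded (*.conf) file opens a <VirtualHost ...:443> block.
# A typo such as "*.443" does not match, because the colon is required.
has_loaded_443_vhost() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:443[[:space:]>]' "$f"; then
            return 0
        fi
    done
    return 1
}

# Constructed layout mirroring the "ls -l" listing in the thread.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/sites-available" "$d/sites-enabled"
    printf '<VirtualHost *:80>\n</VirtualHost>\n' > "$d/sites-available/000-default.conf"
    printf '<VirtualHost *:443>\n</VirtualHost>\n' > "$d/sites-available/000-default-le-ssl.conf"
    ln -s ../sites-available/000-default.conf "$d/sites-enabled/000-default.conf"
    ln -s ../sites-available/000-default-le-ssl.conf "$d/sites-enabled/000-default-le-ssl-conf"
    echo "$d"
}

audit() {
    ignored=$(ignored_sites "$1")
    if [ -n "$ignored" ]; then echo "not loaded by *.conf: $ignored"; fi
    if ! has_loaded_443_vhost "$1"; then echo "no loaded VirtualHost on :443"; fi
}

sample=$(make_sample)
audit "$sample/sites-enabled"
rm -rf "$sample"
```

On a real host, call audit /etc/apache2/sites-enabled instead of the sample directory; with ports.conf still listening on 443 and no loaded SSL vhost, the port is served by the plain-HTTP default vhost.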
