The server unexpectedly closed the connection


#1

I installed the certificate with certbot and chose the option to divert all http requests to https.

My domain is:
www.blackboxstaff.co.uk
I ran this command:
sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: blackbox.dev
2: www.blackbox.dev
3: blackboxstaff.co.uk
4: www.blackboxstaff.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.blackboxstaff.co.uk
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/www.blackboxstaff.co.uk-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/www.blackboxstaff.co.uk-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/www.blackboxstaff.co.uk-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/www.blackboxstaff.co.uk.conf to ssl vhost in /etc/apache2/sites-available/www.blackboxstaff.co.uk-le-ssl.conf


Congratulations! You have successfully enabled https://www.blackboxstaff.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.blackboxstaff.co.uk


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.blackboxstaff.co.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.blackboxstaff.co.uk/privkey.pem
    Your cert will expire on 2019-04-12. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):

Apache2

The operating system my web server runs on is (include version):
Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

You should check the appropriate Apache error logs for something useful.

Also, check your firewall or router settings: port 443 should be opened.

By the way: by only selecting number “4”, you only got a certificate for the www subdomain. Most of the time, one would want a certificate for the ‘base’ domain as well as the www subdomain. In your case, by selecting 3 as well as 4.


#3

Thanks for your help. I’m pretty new to this so don’t really know what to look for in the logs or indeed which logs to look at. When I selected 3 and 4 initially it threw an error message. There is only one site running on the server. I created the vhost because certbot wanted to check DNS records matched www.blackboxstaff.co.uk.


#4

This has appeared in the error logs a few times:

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message


#5

Hi @davetown

There are some errors you should fix.

Your vHosts should have ServerName entries. Something like

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

Because you have a www and a non-www version, use something like

<VirtualHost *:80>
    DocumentRoot "/www/server1"
    ServerName blackboxstaff.co.uk
    ServerAlias www.blackboxstaff.co.uk
</VirtualHost>

But don’t add these parts, check the existing configuration and change it.

Then there are additional errors ( https://check-your-website.server-daten.de/?q=blackboxstaff.co.uk ):

Domainname Http-Status redirect Sec. G
http://blackboxstaff.co.uk/
88.208.252.9 301 http://77.233.155.188 0.066 D
http://www.blackboxstaff.co.uk/
84.9.29.47 301 https://www.blackboxstaff.co.uk/ 0.090 A
http://77.233.155.188 -14 10.023 T
Timeout - The operation has timed out
https://blackboxstaff.co.uk/
88.208.252.9 -2 1.093 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 88.208.252.9:443
https://www.blackboxstaff.co.uk/
84.9.29.47 -14 10.027 T
Timeout - The operation has timed out
http://blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
88.208.252.9 301 http://77.233.155.188 0.070 D
http://www.blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
84.9.29.47 301 https://www.blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.097 A
https://www.blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.024 T
Timeout - The operation has timed out

Your http redirects to an ip address, which isn’t the ip address of your domain.

And https is blocked. Maybe a firewall or a wrong internal configuration.

Your non-www and your www have different ip addresses:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
blackboxstaff.co.uk A 88.208.252.9 yes 1 0
AAAA yes
www.blackboxstaff.co.uk A 84.9.29.47 yes 1 0
AAAA yes

Has your server two different ip addresses? Or is this a wrong configuration?

So start with the ip addresses, then the vHosts.


#6

Thanks very much for your help. I think I have fixed these issues but am still getting the same “unexpectedly closed the connection” error with https access (I commented out the divert lines in order to get access via http again).

Rather than one vhosts file there are several in /etc/apache2/sites-available:

000-default.conf default-ssl.conf example.com.conf laravel.conf www.blackboxstaff.co.uk.conf www.blackboxstaff.co.uk-le-ssl.conf

I have applied the ServerName and ServerAlias lines to all of them apart from laravel.conf and example.com.conf

Is this correct?


#7

Now you have fixed a lot of things: Only one ip address, no wrong redirect.

The http - part is correct:


Domainname Http-Status redirect Sec. G
http://blackboxstaff.co.uk/
84.9.29.47 200 0.174 H
http://www.blackboxstaff.co.uk/
84.9.29.47 200 0.167 H
https://blackboxstaff.co.uk/
84.9.29.47 -14 10.023 T
Timeout - The operation has timed out
https://www.blackboxstaff.co.uk/
84.9.29.47 -14 10.027 T
Timeout - The operation has timed out
http://blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
84.9.29.47 404 0.117 A
Not Found
http://www.blackboxstaff.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
84.9.29.47 404 0.114 A
Not Found

Checking your https I see a timeout. Not an “unexpectedly closed the connection”.

Perhaps your browser has an old cache.

You should have only one Server per hostname / port. Not two or more.

If you have a single file www.blackboxstaff.co.uk.conf, this is the place of the http / port 80 server.

And www.blackboxstaff.co.uk-le-ssl.conf is the place of the https / port 443. Don’t create double entries with the same servername / alias.
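One way to find the double definitions this post warns about, as an added example that is not part of the thread: a small POSIX shell script that reads a set of Apache site files and reports every hostname declared by more than one <VirtualHost> on the same port. The function names and the three sample site files (constructed for the demo, modelled on the file names certbot produced earlier in the thread) are assumptions; on a real server you would point find_duplicate_vhosts at /etc/apache2/sites-enabled/*.conf.

```shell
#!/bin/sh
# Added example, not from the thread: find hostnames declared by more than one
# <VirtualHost> on the same port across a set of Apache site files. Function
# names and the sample site files below are hypothetical / constructed.

# Print "host port file" for every ServerName / ServerAlias found inside a
# <VirtualHost ...:PORT> block in the given files.
list_vhost_names() {
    awk '
        /^[[:space:]]*<VirtualHost/ {
            port = "any"
            if (match($0, /:[0-9]+/)) port = substr($0, RSTART + 1, RLENGTH - 1)
            in_vhost = 1
            next
        }
        /^[[:space:]]*<\/VirtualHost>/ { in_vhost = 0; next }
        in_vhost && ($1 == "ServerName" || $1 == "ServerAlias") {
            for (i = 2; i <= NF; i++) print tolower($i), port, FILENAME
        }
    ' "$@"
}

# Print "host:port file1 file2 ..." for every hostname/port pair declared in
# more than one file (the "double definitions" the thread talks about).
find_duplicate_vhosts() {
    list_vhost_names "$@" | sort -u | awk '
        { key = $1 ":" $2; files[key] = files[key] " " $3; count[key]++ }
        END { for (k in count) if (count[k] > 1) print k files[k] }
    ' | sort
}

# Constructed sample: three site files modelled on the layout certbot produced
# in this thread, with blackboxstaff.co.uk declared twice on port 80.
make_demo_configs() {
    dir=$(mktemp -d)
    cat > "$dir/000-default.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName blackboxstaff.co.uk
</VirtualHost>
EOF
    cat > "$dir/www.blackboxstaff.co.uk.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/blackboxstaff
    ServerName blackboxstaff.co.uk
    ServerAlias www.blackboxstaff.co.uk
</VirtualHost>
EOF
    cat > "$dir/www.blackboxstaff.co.uk-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/blackboxstaff
    ServerName blackboxstaff.co.uk
    ServerAlias www.blackboxstaff.co.uk
    SSLCertificateFile /etc/letsencrypt/live/www.blackboxstaff.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.blackboxstaff.co.uk/privkey.pem
</VirtualHost>
</IfModule>
EOF
    echo "$dir"
}

# Demo run; on a real server use: find_duplicate_vhosts /etc/apache2/sites-enabled/*.conf
demo_dir=$(make_demo_configs)
find_duplicate_vhosts "$demo_dir"/*.conf
rm -rf "$demo_dir"
```

The demo prints a single line naming blackboxstaff.co.uk:80 and the two files that declare it; the same hostname on port 443 is not reported because one server per hostname and port is exactly what the post asks for. Hostnames are lower-cased before comparison because Apache matches them case-insensitively.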


#8

So I should delete the other .conf files or just remove the ServerName and ServerAlias Entries in those files?


#9

I don’t know if you need these files or what their contents are. Remove double definitions.


#10

No, I have no idea either. I think the 000-default.conf file is a catchall of some sort. Still getting the timeout when I try and use https.

https://www.ssllabs.com/ssltest/analyze.html?d=www.blackboxstaff.co.uk says it is probably a firewall issue?


#11

It’s the same timeout I’ve reported ( The server unexpectedly closed the connection ).

Is there a firewall? Is your Apache running and listening on port 443? What does netstat say?


#12

Netstat:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.22.150:ssh cpc136226-broo9-2:64223 ESTABLISHED
tcp 0 0 localhost:48920 localhost:mysql TIME_WAIT
tcp 0 0 192.168.22.150:ssh 36.156.24.99:40014 ESTABLISHED
tcp 0 0 localhost:48918 localhost:mysql TIME_WAIT
tcp 0 0 localhost:48916 localhost:mysql TIME_WAIT
tcp 0 200 192.168.22.150:ssh cpc136226-broo9-2:57349 ESTABLISHED
tcp6 0 0 192.168.22.150:http static-84-9-29-47:56471 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64413 TIME_WAIT
tcp6 0 0 192.168.22.150:http 02ddee9c.bb.sky.c:59970 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64422 FIN_WAIT2
tcp6 0 0 192.168.22.150:http 192.168.22.154:64417 TIME_WAIT
tcp6 0 0 192.168.22.150:http static-84-9-29-47:56476 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64423 FIN_WAIT2
tcp6 0 0 192.168.22.150:http 02ddee9c.bb.sky.c:59968 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64415 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64419 TIME_WAIT
getnameinfo failed
tcp6 0 0 192.168.22.150:http [UNKNOWN]:65535 SYN_RECV
tcp6 0 0 192.168.22.150:http static-84-9-29-47:56475 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64416 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64418 TIME_WAIT
tcp6 0 0 192.168.22.150:http 02ddee9c.bb.sky.c:59974 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64410 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64414 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64412 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64421 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64420 TIME_WAIT
tcp6 0 0 192.168.22.150:http 192.168.22.154:64411 TIME_WAIT
tcp6 0 0 192.168.22.150:http 02ddee9c.bb.sky.c:59973 TIME_WAIT
tcp6 0 0 192.168.22.150:http static-84-9-29-47:56472 TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 DGRAM 26694568 /run/user/1000/systemd/notify
unix 3 DGRAM 10032 /run/systemd/notify
unix 7 DGRAM 10047 /run/systemd/journal/socket
unix 16 DGRAM 10048 /run/systemd/journal/dev-log
unix 2 DGRAM 10222 /run/systemd/journal/syslog
unix 2 DGRAM 15285 /var/spool/postfix/dev/log
unix 3 STREAM CONNECTED 18868
unix 3 STREAM CONNECTED 18875
unix 3 STREAM CONNECTED 18782
unix 3 STREAM CONNECTED 18874
unix 3 STREAM CONNECTED 17830
unix 3 STREAM CONNECTED 17829
unix 3 STREAM CONNECTED 26694774
unix 3 STREAM CONNECTED 18872
unix 3 STREAM CONNECTED 15380
unix 3 STREAM CONNECTED 17835
unix 3 STREAM CONNECTED 17800
unix 3 STREAM CONNECTED 26652811 /var/run/dbus/system_bus_socket
unix 2 DGRAM 18691
unix 2 DGRAM 15376
unix 3 STREAM CONNECTED 17833
unix 3 STREAM CONNECTED 17799
unix 3 STREAM CONNECTED 15379
unix 3 STREAM CONNECTED 17832
unix 3 STREAM CONNECTED 18783
unix 3 STREAM CONNECTED 17839
unix 3 STREAM CONNECTED 26608250 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 17805
unix 3 STREAM CONNECTED 17838
unix 3 STREAM CONNECTED 26652595
unix 2 DGRAM 18886
unix 3 STREAM CONNECTED 17836
unix 3 STREAM CONNECTED 18867
unix 3 STREAM CONNECTED 26694773
unix 3 STREAM CONNECTED 17808
unix 3 STREAM CONNECTED 17842
unix 3 STREAM CONNECTED 26607598
unix 3 STREAM CONNECTED 17806
unix 3 STREAM CONNECTED 17841
unix 3 STREAM CONNECTED 17803
unix 3 DGRAM 26608259
unix 3 STREAM CONNECTED 26656682
unix 3 STREAM CONNECTED 26608236
unix 3 STREAM CONNECTED 11124 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 11407
unix 3 DGRAM 26608258
unix 2 DGRAM 26694697
unix 3 STREAM CONNECTED 26811275
unix 3 DGRAM 26608257
unix 2 DGRAM 26629536
unix 2 DGRAM 26608252
unix 3 STREAM CONNECTED 14752 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 15516 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 14751
unix 3 DGRAM 26608256
unix 3 STREAM CONNECTED 15018 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 17820
unix 3 STREAM CONNECTED 18871
unix 3 STREAM CONNECTED 15275
unix 3 STREAM CONNECTED 26607519 /var/run/dbus/system_bus_socket
unix 2 DGRAM 26694720
unix 3 STREAM CONNECTED 15017
unix 2 DGRAM 15954
unix 3 STREAM CONNECTED 15508 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 26810050
unix 3 STREAM CONNECTED 26811276
unix 2 DGRAM 15269
unix 3 STREAM CONNECTED 26628529 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 15277
unix 3 STREAM CONNECTED 17821
unix 3 STREAM CONNECTED 14879
unix 3 STREAM CONNECTED 14888 /run/systemd/journal/stdout
unix 2 DGRAM 15086
unix 3 STREAM CONNECTED 17860
unix 3 STREAM CONNECTED 17802
unix 3 STREAM CONNECTED 26657069
unix 3 DGRAM 26629540
unix 2 DGRAM 26807436
unix 3 DGRAM 26629541
unix 2 DGRAM 26811259
unix 2 DGRAM 26657023
unix 2 DGRAM 11095
unix 3 STREAM CONNECTED 14816
unix 3 STREAM CONNECTED 17809
unix 2 DGRAM 26694709
unix 3 STREAM CONNECTED 26657068
unix 3 STREAM CONNECTED 14887 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 15147
unix 3 STREAM CONNECTED 15149 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 17827
unix 3 STREAM CONNECTED 17847
unix 3 STREAM CONNECTED 17787
unix 3 STREAM CONNECTED 17796
unix 3 STREAM CONNECTED 17845
unix 2 DGRAM 16405
unix 3 STREAM CONNECTED 17818
unix 3 STREAM CONNECTED 17844
unix 3 STREAM CONNECTED 17817
unix 3 STREAM CONNECTED 17851
unix 3 STREAM CONNECTED 17850
unix 3 STREAM CONNECTED 17797
unix 2 DGRAM 14061
unix 3 STREAM CONNECTED 17826
unix 3 STREAM CONNECTED 17785
unix 2 DGRAM 18525
unix 2 DGRAM 26657064
unix 3 STREAM CONNECTED 17823
unix 3 STREAM CONNECTED 17848
unix 3 STREAM CONNECTED 17784
unix 3 STREAM CONNECTED 26631989
unix 3 STREAM CONNECTED 17811
unix 3 STREAM CONNECTED 17854
unix 3 STREAM CONNECTED 17790
unix 3 STREAM CONNECTED 17812
unix 3 STREAM CONNECTED 17853
unix 3 STREAM CONNECTED 26694539
unix 3 STREAM CONNECTED 17788
unix 3 STREAM CONNECTED 26810049
unix 3 STREAM CONNECTED 26631033 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 26694703 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 17824
unix 3 STREAM CONNECTED 17859
unix 3 STREAM CONNECTED 17793
unix 3 STREAM CONNECTED 17814
unix 3 STREAM CONNECTED 17794
unix 3 STREAM CONNECTED 26629534
unix 3 STREAM CONNECTED 17815
unix 2 DGRAM 26656705
unix 3 STREAM CONNECTED 17857
unix 3 STREAM CONNECTED 17791
unix 3 STREAM CONNECTED 17856
unix 3 STREAM CONNECTED 14270
unix 3 STREAM CONNECTED 26657049 /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 14645 /run/systemd/journal/stdout


#13

ss -tlp:

State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      80     127.0.0.1:mysql      *:*
LISTEN 0      100    *:pop3               *:*
LISTEN 0      100    *:imap2              *:*
LISTEN 0      128    *:ssh                *:*
LISTEN 0      100    *:smtp               *:*
LISTEN 0      128    :::https             :::*
LISTEN 0      128    :::https             :::*
LISTEN 0      128    :::https             :::*
LISTEN 0      100    :::pop3              :::*
LISTEN 0      100    :::imap2             :::*
LISTEN 0      128    :::http-alt          :::*
LISTEN 0      128    :::http              :::*
LISTEN 0      128    :::ssh               :::*
LISTEN 0      100    :::smtp              :::*


#14

Please read the documentation.

You need the -a option to see the listening ports, not only the connected ports.


#15

Does this tell you anything or do you need the whole output?


#16

Maybe this output will be simpler:
netstat -pant


#17

It looks a lot simpler but does this mean that the server is listening on 443 or not?


#18

It is listening on 443.
:::443

Try it again with sudo, so we can see which process is associated with it:
sudo netstat -pant | grep 443


#19

tcp6 0 0 :::443 :::* LISTEN 26128/apache2
tcp6 0 0 :::443 :::* LISTEN 26128/apache2
tcp6 0 0 :::443 :::* LISTEN 26128/apache2


#20

There is no IPv4 port 443 listening.

So IPv4 users can’t connect to your site.
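The check run in posts #18 to #20 (sudo netstat -pant | grep 443, then reading off which address families appear) can be scripted so that it gives a clear verdict. The script below is an added example and is not part of the thread; the function names are hypothetical and SAMPLE_NETSTAT is constructed output modelled on the lines posted in #19. One caveat a practitioner should keep in mind when reading the verdict: on Linux a tcp6 socket bound to :::443 also accepts IPv4 connections unless net.ipv6.bindv6only is set to 1, so an "ipv6-only" result means the IPv4 path still needs to be tested from an IPv4 client (and the firewall checked), not that IPv4 clients are necessarily refused.

```shell
#!/bin/sh
# Added example, not from the thread: classify which address families have a
# LISTEN socket on a given port in `netstat -pant` style output. Function names
# are hypothetical; SAMPLE_NETSTAT is constructed, modelled on the lines in #19.

# Print "proto local-address pid/program" for each LISTEN socket on PORT
# (repeated lines, as seen in #19, are collapsed). Reads netstat output on stdin.
listen_report() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")          # text after the last ":" is the port
            if (a[n] == port) print $1, $4, $7
        }
    ' | sort -u
}

# Print one of: ipv4-and-ipv6, ipv6-only, ipv4-only, none.
# Caveat (Linux default): a tcp6 socket bound to :::PORT also accepts IPv4
# connections unless net.ipv6.bindv6only=1, so "ipv6-only" alone does not
# prove that IPv4 clients are refused; test from an IPv4 client as well.
listen_verdict() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != port) next
            if ($1 == "tcp")  v4 = 1
            if ($1 == "tcp6") v6 = 1
        }
        END {
            if (v4 && v6)  print "ipv4-and-ipv6"
            else if (v6)   print "ipv6-only"
            else if (v4)   print "ipv4-only"
            else           print "none"
        }
    '
}

# Constructed sample output in the format of `sudo netstat -pant`.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0    200 192.168.22.150:22       203.0.113.7:57349       ESTABLISHED 4102/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      26128/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      26128/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      26128/apache2
EOF
)

# Demo run; on a real server: sudo netstat -pant | listen_verdict 443
printf '%s\n' "$SAMPLE_NETSTAT" | listen_report 443
printf '%s\n' "$SAMPLE_NETSTAT" | listen_verdict 443
```

For the sample above the report shows a single tcp6 :::443 socket owned by apache2 and the verdict is "ipv6-only"; port 22 in the same sample, which has both a 0.0.0.0:22 and a :::22 listener, gives "ipv4-and-ipv6". Running the verdict for port 443 before and after a firewall or Listen change is a quick way to confirm that the change took effect on the server side.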