Timeout during connect (likely firewall problem), deleted cert and failed to reinstall

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: microlink.com.my

I ran this command: sudo certbot --apache

It produced this output:

Error while running apache2ctl configtest.

Action 'configtest' failed.

The Apache error log may have more information.

AH00526: Syntax error on line 7 of /etc/apache2/sites-enabled/mssbweb-dev-le-ssl.conf:

SSLCertificateFile: file '/etc/letsencrypt/live/microlink.com.my/fullchain.pem' does not exist or is empty

My web server is (include version):
Ubuntu 16.04.1 LTS (Xenial Xerus)

The operating system my web server runs on is (include version):
Linux 4.4.0-36-generic x86_64

My hosting provider, if applicable, is:
Azure VM

I can login to a root shell on my machine (yes or no, or I don't know):
I can SSH but not as root

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

Test result for www.microlink.com.my using http-01

[ANotWorking](https://letsdebug.net/www.microlink.com.my/1113963#ANotWorking-Error)

ERROR

www.microlink.com.my has an A (IPv4) record (52.237.79.2) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with www.microlink.com.my/52.237.79.2: Get "https://www.microlink.com.my/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://www.microlink.com.my/.well-known/acme-challenge/letsdebug-test (using initial IP 52.237.79.2)
@0ms: Dialing 52.237.79.2
@470ms: Server response: HTTP 301 Moved Permanently
@471ms: Received redirect to https://www.microlink.com.my/.well-known/acme-challenge/letsdebug-test
@471ms: Dialing 52.237.79.2
@10000ms: Experienced error: context deadline exceeded

[IssueFromLetsEncrypt](https://letsdebug.net/www.microlink.com.my/1113963#IssueFromLetsEncrypt-Error)

ERROR

A test authorization for www.microlink.com.my to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

52.237.79.2: Fetching https://www.microlink.com.my/.well-known/acme-challenge/8GitIfY9NgbJhu7nTX0pKe6Xdj0hPfoUcgtizO3mfHU: Timeout during connect (likely firewall problem)

Welcome to the community @thetechyhub

Your port 443 is blocked (probably) in your firewall. I connect to your site fine with port 80 (http) but not port 443 (https). Once you fix that your microlink.com.my site should be fine.

I am puzzled by the error about the mssbweb-dev-le-ssl.conf error though. Is that a different site you are trying to set up? Because I see you got a cert for your microlink site and usually the conf files are named like the domain name.

3 Likes

Hi @MikeMcQ, thanks for your prompt reply.

There is another staging site on the server. When I first installed with sudo certbot --apache, I installed for all the domains, and this file mssbweb-dev-le-ssl.conf comes first.

I was trying the solution from "SSLCertificateFile: file doesnt exist or is empty - #3 by tolgacan" just a few moments ago, to comment out the said syntax error line 7, and the server failed to start.

apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: inactive (dead) since Fri 2022-07-15 13:46:20 UTC; 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6329 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 6011 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
  Process: 6308 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)

How should I unblock my port 443, and how can I restart my server in this case?

--

Update: I ran sudo ufw allow 443 and sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere                  
443 (v6)                   ALLOW IN    Anywhere (v6)         

However, when I run netstat -tnl, it doesn't show 443

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:29131         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:1270            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN   

Still unable to start the server.

sudo systemctl restart apache2
returns

Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.

systemctl status apache2.service
returns

● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: failed (Result: exit-code) since Fri 2022-07-15 15:02:44 UTC; 1min 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 10057 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]:  * The apache2 configtest failed.
Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]: Output of config test was:
Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]: AH00526: Syntax error on line 7 of /etc/apache2/sites-enabled/mssbweb-dev-le-ssl.conf:
Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]: SSLCertificateFile: file '/etc/letsencrypt/live/microlink.com.my/fullchain.pem' does not exist or is empty
Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]: Action 'configtest' failed.
Jul 15 15:02:44 MSSBWebUbuntu apache2[10057]: The Apache error log may have more information.
Jul 15 15:02:44 MSSBWebUbuntu systemd[1]: apache2.service: Control process exited, code=exited status=1
Jul 15 15:02:44 MSSBWebUbuntu systemd[1]: Failed to start LSB: Apache2 web server.
Jul 15 15:02:44 MSSBWebUbuntu systemd[1]: apache2.service: Unit entered failed state.
Jul 15 15:02:44 MSSBWebUbuntu systemd[1]: apache2.service: Failed with result 'exit-code'.
1 Like

The error seems pretty clear:

What happened to that file/cert?
Please show:
certbot certificates

2 Likes

Hi @rg305

I ran sudo certbot delete --cert-name dev.microlink.com.my previously, trying to delete this cert for the staging site, but was unable to reinstall.

I currently have an issue SSHing into the server, as it returns port 22: Operation timed out. I will have to contact my hosting provider in order to be able to reconnect again.

Previously, when I ran
certbot certificates

certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmptmjdvdo2/log or re-run Certbot with -v for more details.

Then I ran

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then I tried to run sudo certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 7 of /etc/apache2/sites-enabled/mssbweb-dev-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/microlink.com.my/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 7 of /etc/apache2/sites-enabled/mssbweb-dev-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/microlink.com.my/fullchain.pem' does not exist or is empty\n")

That explains the missing cert file.
In order to get the web server running again, you will have to remove, or disable, the HTTPS server block that is using that now missing cert.

3 Likes
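
Added example, not part of the thread and not Certbot's own code: a POSIX shell function that lists every vhost file in a sites directory whose SSLCertificateFile, SSLCertificateKeyFile or SSLCertificateChainFile points at a missing or empty file, which is the condition behind the AH00526 error above. The function names, the demo paths and dev.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report Apache vhost files whose TLS
# certificate/key directives point at a missing or empty file (cause of AH00526).

# find_missing_certs [DIR]
# Prints "file:line: Directive path" per broken reference; returns 1 if any.
# Limitation: paths containing spaces are not handled.
find_missing_certs() {
    dir="${1:-/etc/apache2/sites-enabled}"
    broken=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue      # glob matched nothing
        # Directive names are case-insensitive; commented lines never match
        # because their first field starts with '#'.
        refs=$(awk 'tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
                        gsub(/"/, "", $2); print NR, $1, $2 }' "$conf")
        while read -r lineno directive path; do
            [ -n "$lineno" ] || continue
            # -s is true only when the file exists and is non-empty,
            # matching Apache's "does not exist or is empty" check.
            if [ ! -s "$path" ]; then
                printf '%s:%s: %s %s\n' "$conf" "$lineno" "$directive" "$path"
                broken=1
            fi
        done <<EOF
$refs
EOF
    done
    return "$broken"
}

# demo: constructed vhost that references a certificate which does not exist.
demo() {
    d=$(mktemp -d)
    cat >"$d/dev-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName dev.example.test
    SSLCertificateFile $d/live/example.test/fullchain.pem
    SSLCertificateKeyFile $d/live/example.test/privkey.pem
</VirtualHost>
EOF
    find_missing_certs "$d"
    status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then demo; elif [ "$#" -gt 0 ]; then find_missing_certs "$1"; fi
```

Run it as root against /etc/apache2/sites-enabled, since /etc/letsencrypt/live is normally readable only by root. Each file it reports is a vhost to disable (for example with a2dissite) or re-point at an existing certificate before configtest will pass.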

Hi @rg305 ,

How should I remove that? Should I just comment those lines out in mssbweb-dev-le-ssl.conf?

No.

Please show the output of:
apachectl -t -D DUMP_VHOSTS

3 Likes

I still have an issue connecting to the server now. Will come back once I can access it again.
Thanks so much for the help!

1 Like