My web server is (include version):
The operating system my web server runs on is (include version):
Armbian 21.02.3 Buster with Linux 5.10.21-imx6
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
What I have done so far is to
Uncomment all rows in the site config found in etc/apache2/sites-available/pacolola.conf which relates to redirection to https (restart server afterwards)
Made sure it's possible to access https://pacolola.net/.well-known/acme-challenge/test
Checking the access settings on my home router which is set to medium, blocking NETBIOS and DNS
Attempted to disable the server firewall temporarily ufw disabled while renewing the certificate. Firewall is back on again.
Checked the status over at https://check-your-website.server-daten.de/?q=pacolola.net which yes, says that the connection over port 80 gives the error status -14, but I don't know what further actions I can take now.
I have a nextcloud instance running on a subdomain if that is of any interest.
It seems like you have assigned IP address to this host, but the port for 80 is not open... It's actually not at all necessary for you to close port 80 (as it's a normal communication port). Can you try to allow port 80 access now and see if the host respond?
P.S. sorry I'm on mobile, so my tools are limited.
I had port 80 open according to /etc/apache2/ports.conf : Listen 80
And can't see anything blocking the port on the router. I'll have to look in other places where port 80 could be blocked. sudo lsof -n -sTCP:LISTEN -i:80 returns:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1726 root 4u IPv6 1602318 0t0 TCP *:http (LISTEN)
apache2 2044 www-data 4u IPv6 1602318 0t0 TCP *:http (LISTEN)
apache2 2045 www-data 4u IPv6 1602318 0t0 TCP *:http (LISTEN)
Thank you for the response.
If i parsed the message correctly, you actually only listened on IPv6... (Type IPv6)
Can you double check on your apache configuration?
AND, your IPv4 port 80 is still filtered
P.S. If you are worrying about degrade attack, you can setup a blanket redirection that sent all incoming traffic through 301 redirection to https
Thanks for taking interest @JuergenAuer .
The firewall/router config is the same for port 80 as it is for 443.
I checked out what was coming out from apachectl -S and noticed that port :80 was serving the subdomain nextcloud.pacolola.net and not the main one. I changed virtual host file nextcloud.pacolola.net.conf to be more specific about what was served from port 80, <VirtualHost nextcloud.pacolola.net:80>.
After that I'm get the following:
18.104.22.168:80 nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net.conf:1)
*:4443 127.0.0.1 (/etc/apache2/sites-enabled/ncp.conf:2)
*:80 pacolola.net (/etc/apache2/sites-enabled/pacolola.conf:1)
*:443 is a NameVirtualHost
default server nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net-le-ssl.conf:2)
port 443 namevhost nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net-le-ssl.conf:2)
port 443 namevhost nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net.conf:10)
port 443 namevhost pacolola.net (/etc/apache2/sites-enabled/pacolola-le-ssl.conf:2)
port 443 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/pacolola.conf:15)
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
User: name="www-data" id=33
Group: name="www-data" id=33
I finally got a certificate running with the following command: certbot -d pacolola.net --manual --preferred-challenges dns certonly.
I have a Dynamic DNS set on my router as the ISP doesn't provide a a static one and am using NO-IP as the name registrar and DNS provider. Tried using acme-dns-certbot but it wasn't picking up the TXT record set for _acme-challenge.pacolola.net. Luckily certbot did.