Unable to connect


#1

Hello

My domain is: https://meschakras.com/

I ran this command:
sudo ./certbot-auto --apache

It produced this output:
```
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/meschakras.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/meschakras.com/privkey.pem
  Your cert will expire on 2018-10-20. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again with the "certonly" option. To non-interactively renew all
  of your certificates, run "certbot-auto renew"

- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.

- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
```

But when I open the site, Firefox shows "Unable to connect":

Firefox can't establish a connection to the server at meschakras.com.

My web server is (include version): CentOS release 6.10 (Final)

The operating system my web server runs on is (include version): httpd-2.2.15-69.el6.centos.x86_64

My hosting provider, if applicable, is: ArubaCloud.fr

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, it's an SSH connection


#2

What does this show:

sudo ss -tlnp | grep httpd

#3

Hi @kkwetsukre

your certificate is created:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:meschakras.com&lu=cert_search

Three yesterday, one today. So this part works. But your webserver may not be running, or a firewall is blocking it.

But: you have two very old Let's Encrypt certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:meschakras.com&lu=cert_search

One from 31.10.2016, next from 30.12.2016, the next yesterday - 21.07.2018. So your webserver configuration may have changed.

Which is your certbot version (certbot --version)?


#4

[root@kkwetsukre ~]# sudo ss -tlnp | grep httpd
LISTEN 0 128 *:80 : users:(("httpd",7870,3),("httpd",56879,3),("httpd",56880,3),("httpd",56881,3),("httpd",56882,3),("httpd",56883,3),("httpd",56884,3),("httpd",56885,3),("httpd",56886,3),("httpd",56887,3),("httpd",56894,3),("httpd",56895,3))
LISTEN 0 128 *:443 : users:(("httpd",7870,4),("httpd",56879,4),("httpd",56880,4),("httpd",56881,4),("httpd",56882,4),("httpd",56883,4),("httpd",56884,4),("httpd",56885,4),("httpd",56886,4),("httpd",56887,4),("httpd",56894,4),("httpd",56895,4))


#5

I don't understand. I have had this server for one month maximum. Maybe it was the last owner?

[root@kkwetsukre ~]# ./certbot-auto --version

certbot 0.26.1


#6

Thanks. I thought there was a "very old installation". But then this isn't a problem.


#7

It does appear to be a firewalling issue.

iptables -L -n | grep -E "(80|443)"
firewall-cmd --list-all

Also check any firewall rules that are external to your operating system. For example, your VPS host may have a firewall that applies at a VPS management level (similar to AWS).


#8

[root@kkwetsukre ~]# iptables -L -n | grep -E "(80|443)"

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

[root@kkwetsukre ~]# firewall-cmd --list-all
-bash: firewall-cmd : commande introuvable
(commande introuvable means command not found)


#9

OK well, that's fairly straightforward. Whoever set up the firewall rules on your server didn't add port 443 to be permitted.

You’ll need to update those rules to allow tcp/443. However, since you are using CentOS 6, I am not sure what the source of your iptables rules is.

You may be able to locate the rules file with something like:

find /etc -type f 2>/dev/null | grep -E "(iptables|firewall)"

#10

[root@kkwetsukre ~]# find /etc -type f 2>/dev/null | grep -E "(iptables|firewall)"
/etc/rc.d/init.d/iptables
/etc/sysconfig/system-config-firewall.old
/etc/sysconfig/iptables-config
/etc/sysconfig/system-config-firewall
/etc/sysconfig/iptables.old
/etc/sysconfig/iptables
/etc/sysconfig/iptables-config.rpmnew
/etc/fail2ban/action.d/iptables-ipset-proto4.conf
/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf
/etc/fail2ban/action.d/iptables-new.conf
/etc/fail2ban/action.d/iptables-ipset-proto6.conf
/etc/fail2ban/action.d/iptables-common.conf
/etc/fail2ban/action.d/firewallcmd-multiport.conf
/etc/fail2ban/action.d/firewallcmd-rich-rules.conf
/etc/fail2ban/action.d/iptables-multiport.conf
/etc/fail2ban/action.d/firewallcmd-allports.conf
/etc/fail2ban/action.d/firewallcmd-ipset.conf
/etc/fail2ban/action.d/iptables-allports.conf
/etc/fail2ban/action.d/iptables.conf
/etc/fail2ban/action.d/iptables-multiport-log.conf
/etc/fail2ban/action.d/iptables-xt_recent-echo.conf
/etc/fail2ban/action.d/firewallcmd-rich-logging.conf
/etc/fail2ban/action.d/firewallcmd-new.conf
/etc/selinux/targeted/modules/active/modules/firewallgui.pp
/etc/webmin/firewalld/config
/etc/webmin/firewall6/config
/etc/webmin/firewall/config

If I understand correctly, I need to authorize traffic on port 443?


#11

Yes. From that output, it looks like webmin may have been used to configure the firewall. If you’re using webmin, maybe check that out.

Otherwise, I would check:


#12

I don't know if I use it. I'm just a noob. :frowning:
Can you please help me?


#13

Here’s a general iptables how-to for CentOS: https://wiki.centos.org/HowTos/Network/IPTables

You’ll need to open port 443.


#14

I did this but it still doesn't work:
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

edit: I did :slight_smile:
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

and it works now

So thank you for your help :slight_smile:
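Why the appended rule in the last post did nothing while `-I INPUT 1` worked: iptables evaluates a chain top to bottom, and the stock CentOS 6 INPUT chain ends in a catch-all REJECT, so a rule appended with `-A` after it is never reached. The script below is an added example (not from the thread) that walks a constructed `iptables -S INPUT` listing and reports which rule decides a given TCP destination port, for both the appended and the inserted placement.

```shell
#!/bin/sh
# Walk an INPUT chain in `iptables -S` format and report the verdict for a
# new TCP connection to a port. Simplification: only --dport restrictions are
# honoured; a REJECT/DROP without --dport is treated as a catch-all.
port_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" { policy = $3; next }        # chain policy, used if no rule matches
        $1 != "-A" { next }
        {
            n++; dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport != "" && dport != port) next           # rule is for another port
            if (target == "ACCEPT" && dport == port) { found = 1; print "ACCEPT (rule " n ")"; exit }
            if (target == "REJECT" || target == "DROP") { found = 1; print target " (rule " n ")"; exit }
        }
        END { if (!found) print policy " (chain policy)" }'
}

# What `iptables -I INPUT 1 <rule>` does: the rule becomes the first in the chain.
insert_first() {
    printf '%s\n' "$1" | awk -v rule="$2" '$1 == "-P" { print; print rule; next } { print }'
}

# Constructed sample: the CentOS 6 default INPUT chain with the port-443 rule
# appended (-A) after the catch-all REJECT, as in post #14 of the thread.
APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

FIXED=$(insert_first "$APPENDED" "-A INPUT -p tcp --dport 443 -j ACCEPT")

echo "port 80,  appended chain:      $(port_verdict "$APPENDED" 80)"
echo "port 443, appended chain:      $(port_verdict "$APPENDED" 443)"
echo "port 443, after -I INPUT 1:    $(port_verdict "$FIXED" 443)"
```

On the real host, feed the output of `iptables -S INPUT` to `port_verdict` to see which rule decides a port; on CentOS 6 a rule added live is lost at reboot unless saved with `service iptables save`, which writes the /etc/sysconfig/iptables file listed in post #10.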


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.