Unable to find a virtual host listening on port 80

Having trouble getting a secure connection despite the port being open. I suspect apache and certbot are configured wrong, one or both of them.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
api.northviewweather.com

I ran this command:
sudo certbot renew

It produced this output:

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
centos7

My hosting provider, if applicable, is:
Google

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

Welcome to the community @markehler

Can you show the failing output of the renew command?

Can you also explain a little more about the domain names? Because the most recent cert I see for your api subdomain is from 2019. I suppose you could renew that if you retained certbot all along but things have changed over time so that is unlikely to still be working.

I see there are many more recent certs for that domain and subdomains. But the api subdomain doesn't look recent (link here).

3 Likes

Please show:
netstat -pant | grep -E '\:80|\:443|apache|http'

3 Likes

Supplemental information:

$ nmap -Pn api.northviewweather.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-19 22:04 UTC
Nmap scan report for api.northviewweather.com (35.211.19.116)
Host is up (0.095s latency).
rDNS record for 35.211.19.116: 116.19.211.35.bc.googleusercontent.com
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5000/tcp open   upnp

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

$ curl -k -Ii http://api.northviewweather.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Thu, 19 Jan 2023 22:06:06 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

http://api.northviewweather.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Date: Thu, 19 Jan 2023 22:06:29 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

$ curl -k -Ii https://api.northviewweather.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Thu, 19 Jan 2023 22:09:57 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

$ curl -k -Ii https://api.northviewweather.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Date: Thu, 19 Jan 2023 22:10:08 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

$ openssl s_client -showcerts -servername api.northviewweather.com -connect api.northviewweather.com:443 < /dev/null
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
verify error:num=10:certificate has expired
notAfter=Oct 10 17:55:02 2020 GMT
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
notAfter=Oct 10 17:55:02 2020 GMT
verify return:1
---
Certificate chain
 0 s:C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
   i:C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 11 17:55:02 2019 GMT; NotAfter: Oct 10 17:55:02 2020 GMT
-----BEGIN CERTIFICATE-----
MIIDxjCCAq6gAwIBAgICRM0wDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MQwwCgYDVQQDDANhcGkxFzAVBgkqhkiG9w0BCQEWCHJvb3RAYXBpMB4XDTE5
MTAxMTE3NTUwMloXDTIwMTAxMDE3NTUwMlowgZcxCzAJBgNVBAYTAi0tMRIwEAYD
VQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21l
T3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MQww
CgYDVQQDDANhcGkxFzAVBgkqhkiG9w0BCQEWCHJvb3RAYXBpMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhM2XrCxklhaMePN8RY50B/2oFvk4gEy6Slp
EADBQu3meYHNRZAyrBtyJkAeAzeFfYNeRguzufzMGtBretseTFwk35qIni8/wKTq
fCiVNz1FoyIkdpfFGfTYpeOjaB8V8BcDAY0BfXrvU8r/M7SyuZ5HjGoP9CxPhwQu
4C5Zc6bkrvLVm5cv+OI0ED4LAdpqSIq4LIYVJd9wb30qXoURmewsNcDCsKAgDccX
RoB4XLPJ9sx/PIaLlV5uRsKbha2a3C73C0nW3U+H7eS+AgnDRy1lpZRv54W2YKLU
1uoENu/S97Sln9FrT/rKNQSDn1n3u2p5Eok+eHLEdJUsfGh6LQIDAQABoxowGDAJ
BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEABtQ1NNY8
3JmbFfAEJQqz+7wYWoADc35nFjSTvAZM34rcB+04r85ORKVjRbNfxMWCx+MqftN2
ibcX59Ydr7FnGTAbIPTepHtkyRsjuvEaLI/pxH6X87dqtVrjp0v5aEY0xjj0dFjK
l8AUETtHBmjaGn8GnJn7TKjpcrZTaW7j5w3w7avvPjqGpi9g2Hn+if0aFGOzBjLn
qh/GYYL9JO3GYy+1OiMHOXv5YY4o28ojwYSX3xFQVHCvu8ah2pi4FL9AaKIGQ1rU
YbKDyqMtf5zeZh2pZu1vJM2Poo5ZqlfO8+YRZCL3+/LKKxkln7NrROGOFRWDiWdw
Iz58PRb8MwMFQA==
-----END CERTIFICATE-----
---
Server certificate
subject=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
issuer=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = api, emailAddress = root@api
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1688 bytes and written 452 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BF7826480E4C2967A38FC8E59175C44DAF258208ABFD8980AAD87951A20B1124
    Session-ID-ctx:
    Master-Key: 50C3F5FBC1FD81457E2CC851117068AED4B114B953DD45A2CF5230594CFFB0FAEB6519FF09EDD97DCB8E7D46964A4C80
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 05 de 77 9f 55 37 e3-8e 80 e5 cb 09 0c 83 cb   S..w.U7.........
    0010 - 9c 8e a4 03 c2 c4 61 a0-d9 2f 88 69 ab e0 d7 e5   ......a../.i....
    0020 - e5 d0 86 59 ed f3 74 1a-57 dd c8 85 0e a5 04 d9   ...Y..t.W.......
    0030 - d1 1e 2c 27 4e cc c8 c5-e9 01 51 fd d3 f3 af 7b   ..,'N.....Q....{
    0040 - 44 f4 6b 7a 73 07 77 de-37 77 19 1d 99 e0 88 0a   D.kzs.w.7w......
    0050 - bd 61 b0 31 e5 d4 0f 17-c9 c2 41 8a fc dc d7 65   .a.1......A....e
    0060 - f4 d2 1e 7f fd 4a 8f 69-5a c0 8e 1a ca 7c 3e d9   .....J.iZ....|>.
    0070 - 74 cd 81 35 7b 80 ed 8a-c1 65 94 67 5a 25 da 1f   t..5{....e.gZ%..
    0080 - d2 f9 ce 4a 36 50 71 9d-c0 d6 0e 35 01 b8 3b 01   ...J6Pq....5..;.
    0090 - 2d d1 75 f5 28 2f cf 37-dc f4 76 ab fc 07 6a 75   -.u.(/.7..v...ju
    00a0 - c1 ce e2 b5 02 a7 c2 ec-f4 58 37 01 26 08 f8 e6   .........X7.&...
    00b0 - c0 f7 28 ec 50 b8 43 67-9f 36 38 46 6e 5e 7f 3d   ..(.P.Cg.68Fn^.=
    00c0 - 40 c6 cb f9 98 52 63 c9-d4 a3 8f 22 15 af ab 84   @....Rc...."....
    00d0 - 71 dc a5 c6 fa b2 ee 18-54 71 a6 bb c7 8a 5f 56   q.......Tq...._V

    Start Time: 1674166031
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---
DONE

DNS look good from here DNS Spy report for northviewweather.com
and northviewweather.com | DNSViz

$ nslookup
> server ns55.domaincontrol.com.
Default server: ns55.domaincontrol.com.
Address: 97.74.107.28#53
Default server: ns55.domaincontrol.com.
Address: 2603:5:21b2::1c#53
> api.northviewweather.com
Server:         ns55.domaincontrol.com.
Address:        97.74.107.28#53

Name:   api.northviewweather.com
Address: 35.211.19.116
> northviewweather.com
Server:         ns55.domaincontrol.com.
Address:        97.74.107.28#53

Name:   northviewweather.com
Address: 198.71.233.76
> set q=caa
> api.northviewweather.com
Server:         ns55.domaincontrol.com.
Address:        97.74.107.28#53

*** Can't find api.northviewweather.com: No answer
> northviewweather.com
Server:         ns55.domaincontrol.com.
Address:        97.74.107.28#53

*** Can't find northviewweather.com: No answer
>