I got a call yesterday that the website was down. I checked and noticed that the ssl was going to expire today, but I am not sure what precipitated the shut down. I have been messing with the ssl since. Hopefully, I didn’t make the matter worse.
There is also the following from /var/log/apache2/error.log.1
I don’t know if it is helpful
[Fri Sep 04 06:25:01.833445 2020] [mpm_prefork:notice] [pid 4436] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 06:25:01.833472 2020] [core:notice] [pid 4436] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:04:31.570099 2020] [ssl:error] [pid 28032] [client 64.41.200.108:56514] AH02042: rejecting client initiated renegotiation
[Fri Sep 04 18:12:20.449765 2020] [mpm_prefork:notice] [pid 4436] AH00169: caught SIGTERM, shutting down
[Fri Sep 04 18:12:51.427036 2020] [mpm_prefork:notice] [pid 1915] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:12:51.427112 2020] [core:notice] [pid 1915] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:05.461110 2020] [mpm_prefork:notice] [pid 1915] AH00169: caught SIGTERM, shutting down
[Fri Sep 04 18:14:06.538136 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:06.538204 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:52.569888 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:14:52.639893 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:52.639908 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:58.914765 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:14:59.027222 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:59.027247 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:17:22.967331 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:17:23.038527 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:17:23.038550 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:17:29.457391 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:17:29.582570 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:17:29.582588 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:19:06.220047 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:19:06.339262 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:19:06.339280 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:30:46.948570 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:30:47.025540 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:30:47.025562 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:30:54.729589 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:30:54.855317 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:30:54.855337 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:01:53.832932 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:01:53.915623 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:01:53.915648 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:02:00.537451 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:02:00.656775 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:02:00.656791 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:22:11.766014 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:22:11.855241 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:22:11.855265 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:22:18.152427 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:22:18.278217 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:22:18.278234 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:36:15.942934 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
What do you see with a command like this?
sudo ss -lpt
Also, is there any firewall that could be blocking HTTP connections?
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=3033,fd=3))
LISTEN 0 128 :::http :::* users:(("apache2",pid=29838,fd=4),("apache2",pid=29837,fd=4),("apache2",pid=29836,fd=4),("apache2",pid=29833,fd=4),("apache2",pid=29348,fd=4),("apache2",pid=29068,fd=4),("apache2",pid=29067,fd=4),("apache2",pid=29066,fd=4),("apache2",pid=29065,fd=4),("apache2",pid=29064,fd=4),("apache2",pid=27157,fd=4))
LISTEN 0 128 :::ssh :::* users:(("sshd",pid=3033,fd=4))
LISTEN 0 128 :::https :::* users:(("apache2",pid=29838,fd=6),("apache2",pid=29837,fd=6),("apache2",pid=29836,fd=6),("apache2",pid=29833,fd=6),("apache2",pid=29348,fd=6),("apache2",pid=29068,fd=6),("apache2",pid=29067,fd=6),("apache2",pid=29066,fd=6),("apache2",pid=29065,fd=6),("apache2",pid=29064,fd=6),("apache2",pid=27157,fd=6))
I can't think of a firewall blocking the HTTP or HTTPS connections. I checked the security groups of the AWS EC2 and all outbound ports are open.
It looks like you can disable the 000-default.conf file.
sudo a2dissite 000-default
The sankofakids.org.conf has lines for ssl certs in the http section - not needed there.
done
Site 000-default disabled.
To activate the new configuration, you need to run:
service apache2 reload
Show the current output of:
And have you restarted the web server?
sudo service apache2 reload
OR
sudo systemctl reload apache2
VirtualHost configuration:
*:80 sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443 is a NameVirtualHost
default server sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:37)
alias www.sankofakids.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
Yes, I have restarted it
Can you see it locally? Like
curl -v http://sankofakids.org/
curl -v http://localhost/
on the server itself
curl -v http://sankofakids.org/
root@ip-172-31-32-223:/home/ubuntu# curl -v http://sankofakids.org/
* Trying 18.234.71.95...
* Connected to sankofakids.org (18.234.71.95) port 80 (#0)
> GET / HTTP/1.1
> Host: sankofakids.org
> User-Agent: curl/7.47.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host sankofakids.org left intact
curl: (52) Empty reply from server
You seem to have TLS enabled on your port 80 virtualhost.
Thanks! Can you expand on that? I am a newbie.
I can, but I don't like handing out fishes to hungry people, I'm more inclined to teach hungry people to fish, so they can catch fish on their own.
Also, if you look at your output of apachectl -S like you posted above, I can see multiple things not correct either:
- there are two "port 443 namevhost sankofakids.org" configured in two different files, that's not good. There should only be one;
- your "port 443 namevhost sankofakids.org" virtualhost in /etc/apache2/sites-enabled/sankofakids.org.conf has an alias for www.sankofakids.org configured. Configuring an alias for your www subdomain is good and perhaps even recommended. However, one could argue if that file is the correct location for the port 443 virtualhost, see item 1)
- your port 80 virtualhost does not have an alias for the www subdomain. I recommend adding that.
The apachectl -S output as posted above should also give you a hint where to look for any error for your site on port 80.
current version
VirtualHost configuration:
*:80 sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443 sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
Your port 80 still has TLS enabled… Did you already review the contents of /etc/apache2/sites-enabled/sankofakids.org.conf?
Also, I would (again) suggest adding the www subdomain as an alias.
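The review suggested in the replies above, checking each VirtualHost block for TLS directives on the wrong port and for a missing www alias, sketched as an added example that is not part of the original thread. The sample config is constructed (example.org, not the poster's real file), the function names are hypothetical, and only per-vhost directives are inspected, not settings inherited from the main server config.

```python
import re

# Constructed sample: a port 80 vhost that wrongly enables TLS, plus a sane 443 vhost.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: start line, ports, directives."""
    vhosts, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            # "*:80", "_default_:443" and "[::1]:80" all end in ":port"
            ports = {addr.rsplit(":", 1)[-1] for addr in m.group(1).split()}
            current = {"line": lineno, "ports": ports, "d": {}}
        elif line.lower().startswith("</virtualhost") and current:
            vhosts.append(current)
            current = None
        elif current and line and line[0] not in "#<":
            name, _, value = line.replace("\t", " ").partition(" ")
            current["d"].setdefault(name.lower(), []).append(value.strip())
    return vhosts

def audit(text):
    """Return (start_line, message) findings for TLS/port mismatches and missing www."""
    findings = []
    for vh in parse_vhosts(text):
        d, ports = vh["d"], vh["ports"]
        tls_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        names = d.get("servername", []) + " ".join(d.get("serveralias", [])).split()
        if "80" in ports and tls_on:
            findings.append((vh["line"], "port 80 vhost has SSLEngine on"))
        elif "80" in ports and any(k.startswith("sslcertificate") for k in d):
            findings.append((vh["line"], "port 80 vhost has unused SSLCertificate lines"))
        if "443" in ports and not tls_on:
            findings.append((vh["line"], "port 443 vhost lacks SSLEngine on"))
        if not any(n.lower().startswith("www.") for n in names):
            findings.append((vh["line"], "no www name in ServerName/ServerAlias"))
    return findings
```

Run `audit()` on the text of each file under sites-enabled; an empty list means none of these mismatches were found in that file.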
Thanks, I reviewed the contents of 'xxx/sankofakids.org.conf' and I have added
SSLProtocol -all +TLSv1.2
Also I added www subdomains in both 80 and 443 virtual hosts
plus current status is below:
VirtualHost configuration:
*:80 sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443 sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
There has been no change whatsoever, as far as I can see, did you reload your webserver?
Also:
I'm not sure how that would fix your "speaking HTTPS instead of speaking HTTP on port 80" issue?
Thanks @Osiris, I need to remember to check that in both directions. (I'm more used to HTTP on port 443 causing problems than HTTPS on port 80!)
I used the following to restart
sudo service apache2 restart
Is that the correct command?