Unable to renew cert

I got a call yesterday that the website was down. I checked and noticed that the ssl was going to expire today, but I am not sure what precipitated the shut down. I have been messing with the ssl since. Hopefully, I didn’t make the matter worse.

There is also the following from /var/log/apache2/error.log.1
I don’t know if it is helpful

[Fri Sep 04 06:25:01.833445 2020] [mpm_prefork:notice] [pid 4436] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 06:25:01.833472 2020] [core:notice] [pid 4436] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:04:31.570099 2020] [ssl:error] [pid 28032] [client 64.41.200.108:56514] AH02042: rejecting client initiated renegotiation
[Fri Sep 04 18:12:20.449765 2020] [mpm_prefork:notice] [pid 4436] AH00169: caught SIGTERM, shutting down
[Fri Sep 04 18:12:51.427036 2020] [mpm_prefork:notice] [pid 1915] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:12:51.427112 2020] [core:notice] [pid 1915] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:05.461110 2020] [mpm_prefork:notice] [pid 1915] AH00169: caught SIGTERM, shutting down
[Fri Sep 04 18:14:06.538136 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:06.538204 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:52.569888 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:14:52.639893 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:52.639908 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:14:58.914765 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:14:59.027222 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:14:59.027247 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:17:22.967331 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:17:23.038527 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:17:23.038550 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:17:29.457391 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:17:29.582570 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:17:29.582588 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:19:06.220047 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:19:06.339262 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:19:06.339280 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:30:46.948570 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:30:47.025540 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:30:47.025562 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 18:30:54.729589 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 18:30:54.855317 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 18:30:54.855337 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:01:53.832932 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:01:53.915623 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:01:53.915648 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:02:00.537451 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:02:00.656775 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:02:00.656791 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:22:11.766014 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:22:11.855241 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:22:11.855265 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:22:18.152427 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart
[Fri Sep 04 19:22:18.278217 2020] [mpm_prefork:notice] [pid 12219] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Fri Sep 04 19:22:18.278234 2020] [core:notice] [pid 12219] AH00094: Command line: '/usr/sbin/apache2'
[Fri Sep 04 19:36:15.942934 2020] [mpm_prefork:notice] [pid 12219] AH00171: Graceful restart requested, doing restart

What do you see with a command like this?

sudo ss -lpt

Also, is there any firewall that could be blocking HTTP connections?

State      Recv-Q Send-Q                                     Local Address:Port                                                      Peer Address:Port
LISTEN     0      128                                                    *:ssh                                                                  *:*                     users:(("sshd",pid=3033,fd=3))
LISTEN     0      128                                                   :::http                                                                :::*                     users:(("apache2",pid=29838,fd=4),("apache2",pid=29837,fd=4),("apache2",pid=29836,fd=4),("apache2",pid=29833,fd=4),("apache2",pid=29348,fd=4),("apache2",pid=29068,fd=4),("apache2",pid=29067,fd=4),("apache2",pid=29066,fd=4),("apache2",pid=29065,fd=4),("apache2",pid=29064,fd=4),("apache2",pid=27157,fd=4))
LISTEN     0      128                                                   :::ssh                                                                 :::*                     users:(("sshd",pid=3033,fd=4))
LISTEN     0      128                                                   :::https                                                               :::*                     users:(("apache2",pid=29838,fd=6),("apache2",pid=29837,fd=6),("apache2",pid=29836,fd=6),("apache2",pid=29833,fd=6),("apache2",pid=29348,fd=6),("apache2",pid=29068,fd=6),("apache2",pid=29067,fd=6),("apache2",pid=29066,fd=6),("apache2",pid=29065,fd=6),("apache2",pid=29064,fd=6),("apache2",pid=27157,fd=6))

I can't think of a firewall blocking the HTTP or HTTPS connections. I checked the security groups of the AWS EC2 and all outbound ports are open.


It looks like you can disable the 000-default.conf file.
sudo a2dissite 000-default

The sankofakids.org.conf has lines for ssl certs in the http section - not needed there.


done

Site 000-default disabled.
To activate the new configuration, you need to run:
  service apache2 reload

Show the current output of:

And have you restarted the web server?
sudo service apache2 reload
OR
sudo systemctl reload apache2

VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  is a NameVirtualHost
         default server sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:37)
                 alias www.sankofakids.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Yes, I have restarted it

Can you see it locally? Like

curl -v http://sankofakids.org/

curl -v http://localhost/

on the server itself

curl -v http://sankofakids.org/

root@ip-172-31-32-223:/home/ubuntu# curl -v http://sankofakids.org/

*   Trying 18.234.71.95...
* Connected to sankofakids.org (18.234.71.95) port 80 (#0)
> GET / HTTP/1.1
> Host: sankofakids.org
> User-Agent: curl/7.47.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host sankofakids.org left intact
curl: (52) Empty reply from server

You seem to have TLS enabled on your port 80 virtualhost.

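The diagnosis above can be confirmed from any machine by asking the port two questions: does it answer a cleartext HTTP request, and does it complete a TLS handshake? Here is a small probe that does exactly that. It is an added example written for this thread, not code from any poster; the host and port are whatever you pass on the command line, and the built-in demo starts a constructed cleartext listener on localhost so the script also runs offline.

```python
"""Tell a plain-HTTP listener from one that is really speaking TLS (added example)."""
import ipaddress
import socket
import ssl
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PLAIN_HTTP = "plain HTTP"
TLS_ON_HTTP_PORT = "TLS on this port: cleartext HTTP gets no usable reply"
BOTH = "answers both cleartext HTTP and TLS (proxy or multiplexer in front?)"
NEITHER = "neither cleartext HTTP nor TLS answered (firewall, wrong port, server down)"


def plain_http_status(host, port, timeout=5.0):
    """Send a minimal cleartext GET and return the HTTP status code, or None when
    the connection fails or closes without an HTTP response line (the case curl
    reports as '(52) Empty reply from server')."""
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    if not data.startswith(b"HTTP/"):
        return None
    try:
        return int(data.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return None


def tls_handshake_ok(host, port, timeout=5.0):
    """True if a TLS handshake completes on the port. Certificate checks are off
    on purpose: the question is 'does this port speak TLS', not 'is the cert valid'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ipaddress.ip_address(host)
        sni = None  # SNI must not carry an IP literal
    except ValueError:
        sni = host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def diagnose(plain_status, tls_ok):
    """Combine the two probes. mod_ssl answers a cleartext request on a TLS port
    with 400 ("You're speaking plain HTTP to an SSL-enabled server port") or by
    dropping it, so 400/None plus a working handshake means TLS on the port."""
    if tls_ok and plain_status in (None, 400):
        return TLS_ON_HTTP_PORT
    if tls_ok:
        return BOTH
    if plain_status is not None:
        return PLAIN_HTTP
    return NEITHER


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a correctly configured cleartext :80 vhost."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo_local_plain_http():
    """Start the constructed listener on a free localhost port, probe it both
    ways and return (status, tls_ok, verdict); expected (200, False, PLAIN_HTTP)."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status = plain_http_status("127.0.0.1", port, timeout=2.0)
        tls_ok = tls_handshake_ok("127.0.0.1", port, timeout=2.0)
        return status, tls_ok, diagnose(status, tls_ok)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 probe.py sankofakids.org 80
        host, port = sys.argv[1], int(sys.argv[2])
        print(host, port, "->", diagnose(plain_http_status(host, port), tls_handshake_ok(host, port)))
    else:
        print("local demo ->", demo_local_plain_http())
```

Run it once against port 80 and once against port 443 of the site; a healthy setup reports "plain HTTP" for 80 and "TLS on this port" for 443, and the empty reply curl showed above corresponds to port 80 coming back with the TLS verdict.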

Thanks! Can you expand on that? I am a newbie.

I can, but I don't like handing out fishes to hungry people, I'm more inclined to teach hungry people to fish, so they can catch fish on their own.

Also, if you look at your output of apachectl -S like you posted above, I can see multiple things not correct either:

  1. there are two "port 443 namevhost sankofakids.org" configured in two different files, that's not good. There should only be one;
  2. your "port 443 namevhost sankofakids.org" virtualhost in /etc/apache2/sites-enabled/sankofakids.org.conf has an alias for www.sankofakids.org configured. Configuring an alias for your www subdomain is good and perhaps even recommended. However, one could argue if that file is the correct location for the port 443 virtualhost, see item 1)
  3. your port 80 virtualhost does not have an alias for the www subdomain. I recommend adding that.

The apachectl -S output as posted above should also give you a hint where to look for any error for your site on port 80.

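The two checks in the numbered list above (one vhost per port and name, and a www alias present) can be run mechanically over `apachectl -S` output. The following is an added example, my own code rather than anything posted in the thread; the two sample outputs embedded in it are copied from the `apachectl -S` listings posted earlier, and the check deliberately stays within what that listing can show.

```python
"""Lint 'apachectl -S' output for duplicate vhosts and missing www aliases (added example)."""
import re

# Constructed from the apachectl -S output posted earlier in this thread.
BEFORE = """\
VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  is a NameVirtualHost
         default server sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:37)
                 alias www.sankofakids.org
ServerRoot: "/etc/apache2"
"""

# Constructed from the later output, after 000-default-le-ssl.conf was disabled.
AFTER = """\
VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
"""

# A port with exactly one vhost is printed on one line; a port with several is a
# NameVirtualHost block whose entries (and their aliases) are indented below it.
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+) \((\S+):(\d+)\)$")
NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+) \((\S+):(\d+)\)$")
ALIAS = re.compile(r"^\s+alias (\S+)$")


def parse_vhosts(text):
    """Return one dict per <VirtualHost> in the order apachectl lists them."""
    vhosts = []
    for line in text.splitlines():
        if line.startswith("ServerRoot:"):
            break
        m = SINGLE.match(line) or NAMEVHOST.match(line)
        if m:
            vhosts.append({"port": int(m.group(1)), "name": m.group(2),
                           "file": m.group(3), "line": int(m.group(4)),
                           "aliases": [], "shows_aliases": m.re is NAMEVHOST})
            continue
        m = ALIAS.match(line)
        if m and vhosts:
            vhosts[-1]["aliases"].append(m.group(1))
    return vhosts


def check_vhosts(vhosts):
    """Findings as strings; an empty list means nothing to flag."""
    findings = []
    seen = {}
    for v in vhosts:
        key = (v["port"], v["name"])
        if key in seen:
            first = seen[key]
            findings.append("port %d: %s is defined twice, in %s:%d and %s:%d; keep one"
                            % (v["port"], v["name"], first["file"], first["line"],
                               v["file"], v["line"]))
        else:
            seen[key] = v
    for v in vhosts:
        want = "www." + v["name"]
        # apachectl -S only prints aliases inside a NameVirtualHost block, so a
        # single-line vhost has to be checked in its file (ServerAlias) instead.
        if v["shows_aliases"] and not v["name"].startswith("www.") and want not in v["aliases"]:
            findings.append("port %d: %s (%s:%d) has no alias %s"
                            % (v["port"], v["name"], v["file"], v["line"], want))
    return findings


if __name__ == "__main__":
    import sys
    # Usage on the server:  apachectl -S 2>&1 | python3 lint_vhosts.py
    text = BEFORE if sys.stdin.isatty() else sys.stdin.read()
    for finding in check_vhosts(parse_vhosts(text)) or ["no findings"]:
        print(finding)
```

On the first listing it reports the duplicate port 443 definition and the entry without a www alias; on the second listing it reports nothing, which is why the alias question then has to be answered by reading `ServerAlias` in the file itself.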

current version

VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Your port 80 still has TLS enabled… Did you already review the contents of /etc/apache2/sites-enabled/sankofakids.org.conf?

Also, I would (again) suggest adding the www subdomain as an alias.

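For a reader reviewing the file, this is what the problem described in the thread (SSL directives inside the port 80 section, a second port 443 vhost in another file) looks like, next to a corrected layout. It is an added illustration, not the poster's actual configuration, which is never shown in the thread; the DocumentRoot, the certificate paths under /etc/letsencrypt/live/ and the options-ssl-apache.conf include are assumptions based on the default certbot layout.

```apache
# BROKEN: mod_ssl switched on inside the plain-HTTP vhost. Port 80 then
# expects a TLS ClientHello, so a cleartext "GET /" gets an empty reply.
<VirtualHost *:80>
    ServerName sankofakids.org
    DocumentRoot /var/www/html
    SSLEngine on                                                          # wrong on :80
    SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem    # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem   # assumed path
</VirtualHost>

# FIXED: port 80 speaks plain HTTP and only redirects; every SSL* directive
# lives in the single :443 vhost; both vhosts carry the www alias.
<VirtualHost *:80>
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
    Redirect permanent / https://sankofakids.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem    # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem   # assumed path
    Include /etc/letsencrypt/options-ssl-apache.conf                          # assumed (certbot default)
</VirtualHost>
```

After editing, `sudo apachectl configtest` catches syntax errors, `sudo apachectl -S` should show exactly one entry for *:80 and one for *:443, and the change only takes effect after `sudo systemctl reload apache2`. Keep the redirect on port 80 unconditional; Let's Encrypt follows it for HTTP-01 validation, so it does not interfere with renewal.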

Thanks, I reviewed the contents of 'xxx/sankofakids.org.conf' and I have added
SSLProtocol -all +TLSv1.2

Also I added www subdomains in both 80 and 443 virtual hosts

plus current status is below:

VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

There has been no change whatsoever, as far as I can see, did you reload your webserver?

Also:

I'm not sure how that would fix your "speaking HTTPS instead of speaking HTTP on port 80" issue?


Thanks @Osiris, I need to remember to check that in both directions. (I'm more used to HTTP on port 443 causing problems than HTTPS on port 80!)


I used the following to restart

sudo service apache2 restart

Is that the correct command?
