Web browsers not connecting to https


#1

Hi,
I’m using version 0.5.0 and needed to use the standalone installation as my ISP blocks port 80. I ran the following command: sudo ./letsencrypt-auto --authenticator standalone --installer apache
The script ran perfectly and installed certificates to:
/etc/letsencrypt/live/my.domain/fullchain.pem and
/etc/letsencrypt/live/my.domain/privkey.pem
After restarting Apache2, no browser will accept the https page.
Chrome gives
"This site can’t be reached

business2.business refused to connect.
ERR_CONNECTION_REFUSED"

IE11 Gives
"This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://my.domain again. If this error persists, contact your site administrator."
(TLS 1, 1.1 and 1.2 are all turned on already)

Firefox gives a different error message again, about “The website does not supply ownership information” and “The website does not support encryption for the page you are viewing”.

Looking at the Apache2 configuration in Webmin, it appears to be set up OK by the standalone function:
SSL protocols TLSv1 TLSv1.1 TLSv1.2
Certificate/private key file
/etc/letsencrypt/live/my.domain/fullchain.pem

Private key file
/etc/letsencrypt/live/my.domain/privkey.pem

Is there some other task that needs to be done so that Apache2 serves the pem files to the web clients after running the standalone installer?


#2

If your ISP blocks port 80, they normally block port 443 as well,
but you should also check your setup of iptables/ipchains or other firewalls/routers between your server and inbound connections.
Oh, and of course restart/reload Apache, as after any config change.


#3

Many thanks for taking the time to review and respond. Port 443 isn’t blocked by the ISP, and I’d be getting a different error message if that was the case. As it turns out, I was just going to post an update to this as I have resolved the issue. The root cause of the issue was the configuration of Apache2, and specifically that the default server settings are, for some reason, ‘over-writing’ the specific virtual host settings. By updating the default server settings, I can now connect and the browsers give me the green padlock, which is great. I now just have to work out why Apache2 is not serving the virtual hosts correctly, but that is another post in another support community :wink:


#4

Well, if each vhost is on the one IP you need a single SAN cert (one with all the names),
as the server can only return 1 cert per IP, usually the first configured on the IP,
all later ones causing an error on startup.


#5

Yes, the standalone certificate installer picked up all the vhosts I had on the system at the time (e.g. test.my.domain, support.my.domain and my.domain), and a valid certificate is provided to the browsers for each. However, Apache (2.4.10) is pointing all to the default document root, regardless of what is specified in the config files, so I’m furiously googling to work out why I’m not getting the name-based separation I’d expect.


#6

Update - so the VHosts had been mis-configured with the ‘Address’ setting specified to the host name. Setting the Address to ‘any’ now results in Apache2 serving the respective host named in the browser.


#7

Good to hear.
Yup, vhost *:443 or ip.ad.res.ss:443,
but not name :wink:
BTW, best to use * or IP but not mix, as if, like mine, it has multiple IPs you can actually have

name1 defined on ip1 (browsable if connecting to ip1 using name1)
name1 defined on ip2 (browsable if connecting to ip2 using name1)
name1 defined on * (browsable on loopback or any other IP using name1)

all three with different sites, for no good reason.
For most, * is the best.
IP only makes sense when you hit the SAN limit on one IP and have to split your sites between 2 IPs, half on each, with 2 SAN certs, one for each IP.

Also, any name not defined on the matching vhost (ip1, ip2 or *) will hit the first vhost for the closest match regardless of name.

Thus in most cases you have (not actual Apache but pseudocode):
(vhost *)
name bogus
docroot /a root with no content but a robots.txt (containing deny: /)
errordoc 404 /a custom 404 to say this is not a valid name
logfile /a logfile you watch to see what silly names others try against your server
(/vhost)
(vhost *)
name ip.add.re.ss
docroot /a root with no content but a robots.txt (containing deny: /)
errordoc 404 /a custom 404 to say browsing to the IP is not allowed
logfile /a logfile to watch as 99% of these will be hack attempts
(/vhost)
(vhost *)
name first-name
config for firstname
(/vhost)
(vhost *)
name second-name
config for second
(/vhost)
(vhost *)
etc
(/vhost)
(vhost *)
etc
(/vhost)

and of course
(vhost *)
name example.com
redirectpermanent https://www.example.com
(/vhost)

for any aliases that should only repoint users at the right name
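The layout sketched in the pseudocode above, written out as real Apache 2.4 directives. This is an added example, not any poster's own configuration; it assumes the thread's single SAN certificate covers every name, and the host names, IP address, document roots and log file names are placeholders.

```apache
# Added example, not any poster's own config: Apache 2.4 name-based TLS vhosts
# laid out as described above. Assumptions: the thread's SAN certificate covers
# every name; host names, IP, paths and log names are placeholders.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile    /etc/letsencrypt/live/my.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem

# Catch-all: as the first <VirtualHost *:443>, Apache picks it for any SNI or
# Host name that matches no ServerName/ServerAlias below. Its DocumentRoot
# holds only a robots.txt containing "Disallow: /"; everything else is a 404.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    DocumentRoot /var/www/catchall
    RedirectMatch 404 "^/(?!robots\.txt$)"
    ErrorDocument 404 "This host name is not served here"
    CustomLog ${APACHE_LOG_DIR}/unknown-names.log combined
</VirtualHost>

# Requests whose Host header is the bare IP get their own vhost and log file.
<VirtualHost *:443>
    ServerName 192.0.2.10
    SSLEngine on
    DocumentRoot /var/www/catchall
    RedirectMatch 404 "^/(?!robots\.txt$)"
    ErrorDocument 404 "Browsing to the IP address is not allowed"
    CustomLog ${APACHE_LOG_DIR}/by-ip.log combined
</VirtualHost>

# Real sites: the address is *:443, never the host name (the fix from #6).
# The name belongs in ServerName so name-based selection can work.
<VirtualHost *:443>
    ServerName my.domain
    SSLEngine on
    DocumentRoot /var/www/my.domain
</VirtualHost>
<VirtualHost *:443>
    ServerName test.my.domain
    SSLEngine on
    DocumentRoot /var/www/test.my.domain
</VirtualHost>

# An alias that should only send visitors on to the canonical name.
<VirtualHost *:443>
    ServerName www.my.domain
    SSLEngine on
    Redirect permanent / https://my.domain/
</VirtualHost>
```

After editing, `apachectl configtest` followed by `apachectl -S` lists the vhosts per address in the order Apache will consider them, so the catch-all should appear first under *:443.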