I have the following website secured using certbot. It works great everywhere except some iPhones and iPads. The site just hangs when loading and hangs forever.
I have stripped my code down to the bare bones and it still does not load. I am pretty sure it is the Let's Encrypt cert. I have looked through other similar replies and have confirmed that my certs are valid.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/billmykids.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
Change the SSLCertificateFile to use the fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
Comment out this line:
SSLCertificateChainFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
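The reason the fullchain.pem change matters is that a client which is not sent the intermediate certificate has no path from the leaf to a trusted root. The quickest way to tell whether the intermediate is actually being served is to look at what the server sends on the wire. The following check is an added example, not from this thread; it assumes openssl(1) is installed and that the host name to test is passed to check_host as an argument.

```sh
#!/bin/sh
# Added example: inspect the certificate chain a TLS server actually sends.
# A single certificate on the wire means cert.pem was deployed instead of
# fullchain.pem. openssl(1) is assumed to be installed; the host is a parameter.

# Count certificates in a PEM bundle read from stdin.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Print only the first certificate of a PEM bundle read from stdin
# (in a served chain that is the server's own leaf certificate).
leaf_cert() {
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | sed '/END CERTIFICATE/q'
}

# Print everything after the first certificate: the intermediates.
intermediate_certs() {
    awk '/BEGIN CERTIFICATE/{c++} c>1{print}'
}

# Chain sent by the server for SNI name $1 on port $2 (default 443).
# -showcerts prints every certificate in the handshake, not just the leaf.
served_chain() {
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -showcerts 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# Usage: check_host billmykids.com
check_host() {
    chain=$(served_chain "$1" "$2")
    n=$(printf '%s\n' "$chain" | count_certs)
    if [ "$n" -lt 2 ]; then
        echo "$1: server sent $n certificate(s); no intermediate, deploy fullchain.pem"
        return 1
    fi
    tmp=$(mktemp -d)
    printf '%s\n' "$chain" | leaf_cert > "$tmp/leaf.pem"
    printf '%s\n' "$chain" | intermediate_certs > "$tmp/intermediates.pem"
    # Build the path using only what the server sent plus the local trust store,
    # which is what a client that does not fetch missing intermediates has to do.
    if openssl verify -untrusted "$tmp/intermediates.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "$1: chain of $n certificates verifies"; rc=0
    else
        echo "$1: $n certificates sent but the chain does not verify"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

If the report says only one certificate was sent, the vhost is still pointing SSLCertificateFile at cert.pem (or the running Apache was never reloaded after the change).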
My config file looks like this now. Still the same problem. Just hangs forever on an iPad.
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName billmykids.com
        ServerAdmin admin@gidgetgadget.com
        DocumentRoot /var/www/billmykids.com

        <Directory "/var/www/billmykids.com">
            AllowOverride All
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/billmykids_error.log
        CustomLog ${APACHE_LOG_DIR}/billmykids_access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
    </VirtualHost>
</IfModule>
Here is what certbot-auto generates when I run it. After running this the site works great on everything but an iPad or iPhone.
root@nifd:/var/www# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: billmykids.com
2: www.billmykids.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for billmykids.com
http-01 challenge for www.billmykids.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/billmykids-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/billmykids-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://billmykids.com and
https://www.billmykids.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=billmykids.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.billmykids.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/billmykids.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/billmykids.com-0001/privkey.pem
Your cert will expire on 2018-12-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Heyho,
Additionally, check the included file created by the chosen auth method. Here is the full SSL setup I use for my hosts. This should work on iPhone and iPad too.
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    # see (https://mozilla.github.io/server-side-tls/ssl-config-generator/) for more info
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>
</IfModule>