Website hangs only on some iPhones and iPads


#1

I have the following website secured using certbot. It works great everywhere except on some iPhones and iPads. The site just hangs when loading and hangs forever.

https://billmykids.com/test

I have stripped my code down to the bare bones and it still does not load. I am pretty sure it is the Let's Encrypt cert. I have looked through other similar replies and have confirmed that my certs are valid.

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/billmykids.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/billmykids.com/fullchain.pem

What other things can I try to fix the issue?


#2

Hi @slloyd88,

Pretty bizarre issue!

Can you share your full Apache configuration? That might help others diagnose the issue.


#3

Your certificate, yes, but the chain seems broken: https://www.ssllabs.com/ssltest/analyze.html?d=billmykids.com

Chain issues: Incorrect order, Extra certs
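
Added example, not part of the original thread: a shell function that reads the "Certificate chain" section printed by openssl s_client -showcerts and reports the two problems named in the SSL Labs result above. The function name check_chain and the sample chains (example.test names) are constructed for illustration.

```sh
#!/bin/sh
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    # Subject lines look like " 0 s:CN = example.test", issuer lines like "   i:CN = ...".
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no certificates found"; exit 2 }
      bad = 0
      for (k = 1; k <= n; k++) {
        # Same subject and issuer seen earlier: the server sent a cert twice.
        if (seen[subj[k] "|" iss[k]]++) {
          printf "extra cert: position %d repeats \"%s\"\n", k - 1, subj[k]; bad = 1
        }
        # Each cert must be followed by the cert of its issuer.
        if (k < n && iss[k] != subj[k + 1]) {
          printf "incorrect order: cert %d is issued by \"%s\", but cert %d is \"%s\"\n",
                 k - 1, iss[k], k, subj[k + 1]; bad = 1
        }
      }
      if (!bad) print "chain ok"
      exit bad
    }'
}

# Constructed sample: leaf sent twice, then the intermediate.
sample_broken() { cat <<'EOF'
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
 1 s:CN = example.test
   i:CN = Example Intermediate CA
 2 s:CN = Example Intermediate CA
   i:CN = Example Root CA
EOF
}

# Constructed sample: leaf followed by its issuer.
sample_fixed() { cat <<'EOF'
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
EOF
}

sample_broken | check_chain || true
sample_fixed | check_chain
```

Duplicates are matched on subject and issuer strings only, so this is a quick triage check and not a substitute for full path validation.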


#4

Your chain: https://www.ssllabs.com/ssltest/getTestChain?d=billmykids.com&cid=ef7f1e310b1a444ff7a54320e4bbc18c3c27d54f5f9c500a04190d0cc17a0aa5&time=1537362073580

Sent:

Instead of

Did you generate fullchain.pem yourself or using a tool?


#5

I used a tool called autocert or something like that. I will look it up when I get home.


#6

Heyho,
just try the following:

Change the SSLCertificateFile to use the fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem

Comment out this line:
SSLCertificateChainFile /etc/letsencrypt/live/billmykids.com/fullchain.pem

This setup works for me.

Regards,
Sebastian


#7

I used a program called certbot-auto. These certs are installed on a Raspberry Pi 3 B+ if that makes any difference.


#8

My config file looks like this now. Still the same problem. Just hangs forever on an iPad.

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
	ServerName billmykids.com
	ServerAdmin admin@gidgetgadget.com
	DocumentRoot /var/www/billmykids.com
	<Directory "/var/www/billmykids.com">
		AllowOverride All
	</Directory>
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/billmykids_error.log
	CustomLog ${APACHE_LOG_DIR}/billmykids_access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
</VirtualHost>
</IfModule>

#9

Here is what certbot-auto generates when I run it. After running this the site works great on all but an iPad or iPhone.
root@nifd:/var/www# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: billmykids.com
2: www.billmykids.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for billmykids.com
http-01 challenge for www.billmykids.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/billmykids-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/billmykids-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://billmykids.com and
https://www.billmykids.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=billmykids.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.billmykids.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/billmykids.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/billmykids.com-0001/privkey.pem
   Your cert will expire on 2018-12-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

#10

The certificate chain issue is fixed now.

Does it work now?


#11

Actually YES! Thanks so much for your help!


#12

Heyho,
Additionally, check the included file created by the chosen auth method. Here is the full SSL setup I use for my hosts. This should work on iPhone and iPad too.

If you have some problems with the setup, check https://mozilla.github.io/server-side-tls/ssl-config-generator/ for more info.

<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/billmykids.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/billmykids.com/privkey.pem
SSLProtocol all -SSLv2 -SSLv3

# see (https://mozilla.github.io/server-side-tls/ssl-config-generator/) for more info
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
</IfModule>

Hope I could help you :wink:

Regards,
Sebastian

