What's wrong with my certificates?

My domain is:

weewx.qumran2.net

I ran this command:

sudo certbot --cert-name qumran2 -d weewx.qumran2.net

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/qumran2.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-available/weewx.qumran2-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://weewx.qumran2.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=weewx.qumran2.net
-------------------------------------------------------------------------------

My web server is (include version):

apache 2.4.10-10+deb8u10

The operating system my web server runs on is (include version):

debian jessie

My hosting provider, if applicable, is:

hetzner

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

However, https://www.ssllabs.com/ssltest/analyze.html?d=weewx.qumran2.net says “Assessment failed: No secure protocols supported”

The site config file is:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin paolobenve@gmail.com
    ServerName weewx.qumran2.net

    DocumentRoot /home/paolo/weewx/
    <Directory /home/paolo/weewx/>
        DirectoryIndex index.html
        Options FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # ErrorDocument 404 /index.html

    CustomLog /var/log/apache2/access.log combined

    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =weewx.qumran2.net
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/qumran2/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/qumran2/privkey.pem
</VirtualHost>
</IfModule>

Something is wrong, because I get:

$ openssl s_client -connect weewx.qumran2.net:443
CONNECTED(00000003)
139926165444248:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1507063630
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

What am I missing?

Hi @paolobenve,

Could you please show the output of these commands?

ls -la etc/apache2/sites-enabled/

apache2ctl -t -D DUMP_MODULES

Cheers,
sahsanu

$ ls -la /etc/apache2/sites-enabled/
totale 16
drwxr-xr-x  2 root root 4096 ott  3 23:14 .
drwxr-xr-x 10 root root 4096 ott  3 23:15 ..
lrwxrwxrwx  1 root root   44 ott  3 20:50 benvenuto.cathopedia.conf -> ../sites-available/benvenuto.cathopedia.conf
lrwxrwxrwx  1 root root   43 ott  3 20:50 bibbianuova.qumran2.conf -> ../sites-available/bibbianuova.qumran2.conf
lrwxrwxrwx  1 root root   60 ott  3 20:51 bibbianuova.qumran2-le-ssl.conf -> /etc/apache2/sites-available/bibbianuova.qumran2-le-ssl.conf
lrwxrwxrwx  1 root root   38 ott  3 20:50 bibbia.qumran2.conf -> ../sites-available/bibbia.qumran2.conf
lrwxrwxrwx  1 root root   36 ott  3 20:51 blog.qumran2.conf -> ../sites-available/blog.qumran2.conf
lrwxrwxrwx  1 root root   57 set 30 17:20 blog.qumran2.net-le-ssl.conf -> /etc/apache2/sites-available/blog.qumran2.net-le-ssl.conf
lrwxrwxrwx  1 root root   37 ott  3 20:51 cathopedia_it.conf -> ../sites-available/cathopedia_it.conf
lrwxrwxrwx  1 root root   54 set 30 17:20 cathopedia_it-le-ssl.conf -> /etc/apache2/sites-available/cathopedia_it-le-ssl.conf
lrwxrwxrwx  1 root root   39 ott  3 20:51 cathopedia_next -> ../sites-available/cathopedia_next.conf
lrwxrwxrwx  1 root root   38 set 30 23:01 cathopedia.org.conf -> ../sites-available/cathopedia.org.conf
lrwxrwxrwx  1 root root   45 set 30 23:01 cathopedia.org-le-ssl.conf -> ../sites-available/cathopedia.org-le-ssl.conf
lrwxrwxrwx  1 root root   41 ott  3 20:52 chiesamissionaria -> ../sites-available/chiesamissionaria.conf
lrwxrwxrwx  1 root root   58 set 30 17:20 chiesamissionaria-le-ssl.conf -> /etc/apache2/sites-available/chiesamissionaria-le-ssl.conf
lrwxrwxrwx  1 root root   51 ott  3 20:52 guaricano.chiesamissionaria.conf -> ../sites-available/guaricano.chiesamissionaria.conf
lrwxrwxrwx  1 root root   38 ott  3 20:52 infonuoviculti.conf -> ../sites-available/infonuoviculti.conf
lrwxrwxrwx  1 root root   36 ott  3 20:52 movimentofac.conf -> ../sites-available/movimentofac.conf
lrwxrwxrwx  1 root root   49 ott  3 20:52 palmarophotofloat.qumran2.conf -> ../sites-available/palmarophotofloat.qumran2.conf
lrwxrwxrwx  1 root root   42 ott  2 23:03 parrocchialagaccio.conf -> ../sites-available/parrocchialagaccio.conf
lrwxrwxrwx  1 root root   31 ott  3 20:53 phpinfo.conf -> ../sites-available/phpinfo.conf
lrwxrwxrwx  1 root root   31 feb 24  2017 phplist.conf -> ../sites-available/phplist.conf
lrwxrwxrwx  1 root root   49 ott  3 20:53 pretimyphotoshare.qumran2.conf -> ../sites-available/pretimyphotoshare.qumran2.conf
lrwxrwxrwx  1 root root   66 ott  3 20:53 pretimyphotoshare.qumran2-le-ssl.conf -> /etc/apache2/sites-available/pretimyphotoshare.qumran2-le-ssl.conf
lrwxrwxrwx  1 root root   35 ott  3 20:53 pretionline.it -> ../sites-available/pretionline.conf
lrwxrwxrwx  1 root root   32 apr  3  2017 proposta.conf -> ../sites-available/proposta.conf
lrwxrwxrwx  1 root root   38 lug 13 11:27 propostagenova.conf -> ../sites-available/propostagenova.conf
lrwxrwxrwx  1 root root   31 ott  3 20:54 qumran2.conf -> ../sites-available/qumran2.conf
lrwxrwxrwx  1 root root   41 ott  3 20:54 sanmartinodalbaro.conf -> ../sites-available/sanmartinodalbaro.conf
lrwxrwxrwx  1 root root   37 ott  3 20:54 weewx.qumran2.conf -> ../sites-available/weewx.qumran2.conf
lrwxrwxrwx  1 root root   54 ott  3 20:54 weewx.qumran2-le-ssl.conf -> /etc/apache2/sites-available/weewx.qumran2-le-ssl.conf
lrwxrwxrwx  1 root root   42 ago 16  2012 www.sguardocattolico.it -> ../sites-available/www.sguardocattolico.it
lrwxrwxrwx  1 root root   30 feb 20  2017 zzz-default -> ../sites-available/zzz-default
lrwxrwxrwx  1 root root   42 ott  3 23:14 zzz-default-le-ssl.conf -> ../sites-available/zzz-default-le-ssl.conf


$ sudo apache2ctl -t -D DUMP_MODULES
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dnssd_module (shared)
 env_module (shared)
 expires_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 geoip_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 rpaf_module (shared)
 security2_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 unique_id_module (shared)

Hi @paolobenve,

I would encourage you to continue the investigation that you started with @sahsanu. I just have two things to point out:

(1) It's possible that the problem is elsewhere in your Apache configuration (in terms of a separate misconfigured virtual host listening on port 443). It's also possible that there's some information in your Apache logs either at startup or at the time of an inbound connection that might help in diagnosing this.

(2)

A more realistic test would be

openssl s_client -connect weewx.qumran2.net:443 -servername weewx.qumran2.net

which sends the SNI data that a browser would send and that is necessary for the web server to choose which certificate to send in reply. In many cases, this would make a difference for the outcome of the test. But here, it doesn't appear to make a difference at the moment.

2 Likes
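
The SNI point above, as an added example that is not part of the thread and is not Let's Encrypt, certbot or Apache code: a small probe that performs the handshake with or without a server name (the equivalent of `s_client` with and without `-servername`), run against a constructed local stand-in for a vhost that answers port 443 in plain HTTP. The stand-in parses the ClientHello to record which name the client sent, then replies in plaintext, which is exactly the condition behind the "unknown protocol" error in the question: the 7 bytes that came back were not a TLS record. All host names and ports in it are made up.

```python
"""Probe a TLS port with and without SNI and show what the server saw.

Added example for this thread, not code from Let's Encrypt, certbot or the
Apache project. The "server" below is a constructed stand-in for a vhost that
speaks plain HTTP on port 443: it records the SNI from the ClientHello and then
answers in plaintext, reproducing the s_client "unknown protocol" symptom offline.
"""
import socket
import ssl
import struct
import threading


def parse_sni(client_hello):
    """Return the server_name carried in a raw TLS ClientHello record, or None."""
    try:
        if client_hello[0] != 0x16 or client_hello[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                       # record hdr + handshake hdr + version + random
        pos += 1 + client_hello[pos]               # session id
        pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher suites
        pos += 1 + client_hello[pos]               # compression methods
        ext_end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", client_hello[pos + 3:pos + 5])[0]
                return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def start_plaintext_server(connections=1):
    """Constructed stand-in for a misconfigured :443 vhost. Returns (port, seen)."""
    seen = []                                      # one dict per connection handled
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                     # any free loopback port
    srv.listen(connections)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(16384)
                seen.append({"tls_record": data[:1] == b"\x16", "sni": parse_sni(data)})
                # A plain-HTTP vhost answers the ClientHello like this; the client
                # then fails with "unknown protocol" / "wrong version number".
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen


def tls_probe(host, port=443, servername=None, timeout=5.0):
    """Handshake with host:port. servername=None sends no SNI, like s_client without -servername."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                     # we only ask whether a handshake completes
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return {"outcome": "ok", "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:                      # server answered, but not with a TLS record
        return {"outcome": "handshake-failed", "reason": e.reason}
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except OSError as e:
        return {"outcome": "error", "reason": str(e)}


if __name__ == "__main__":
    port, seen = start_plaintext_server(connections=2)
    print("with SNI   :", tls_probe("127.0.0.1", port, servername="weewx.example.test"))
    print("without SNI:", tls_probe("127.0.0.1", port))
    print("server saw :", seen)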

thank you @schoen, I deactivated all the other ssl sites, and now weewx.qumran2.net works!

1 Like

That should not normally be necessary, but it suggests that one of them probably does have a misconfiguration of some kind. You could also try adding them back one at a time (or binary search!) to figure out which one was broken.

2 Likes

yes, more than likely one of them has
ServerName *
or something similar that overlaps with
ServerName weewx.qumran2.net
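
One way to find the overlapping site without disabling them one at a time, as an added example (not from the thread, certbot or Apache): a scanner that reads `sites-enabled` in the order Apache loads them, collects every `VirtualHost` on port 443 and reports the de-facto default vhost, wildcard or duplicated names, and vhosts on 443 that carry no SSL directives at all (a vhost like that serves plain HTTP on 443, which is what `s_client` reports as "unknown protocol"). It runs here on constructed sample files; the rule that an `Include` whose path contains "ssl" turns `SSLEngine` on is an assumption, as are all file and host names.

```python
"""Find overlapping or broken port-443 virtual hosts in Apache site files.

Added example for this thread, not code from Let's Encrypt, certbot or the
Apache project. It runs on the constructed sample configs embedded below;
point scan_dir() at a real sites-enabled directory to use it for real.
"""
import re
from collections import defaultdict
from pathlib import Path

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
DIRECTIVE_RE = re.compile(
    r"^[ \t]*(ServerName|ServerAlias|SSLEngine|SSLCertificateFile|Include)\s+(\S.*?)[ \t]*$",
    re.I | re.M,
)


def parse_vhosts(text, source="<inline>"):
    """Return one dict per <VirtualHost> block, in the order Apache reads them."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        vh = {"source": source, "addrs": m.group(1).split(),
              "names": [], "aliases": [], "ssl": False}
        for d in DIRECTIVE_RE.finditer(m.group(2)):   # commented-out lines never match
            key, val = d.group(1).lower(), d.group(2)
            if key == "servername":
                head, sep, tail = val.rpartition(":")  # drop an optional :port
                vh["names"].append(head if sep and tail.isdigit() else val)
            elif key == "serveralias":
                vh["aliases"].extend(val.split())
            elif key == "sslengine":
                vh["ssl"] = val.lower() == "on"
            elif key == "sslcertificatefile":
                vh["ssl"] = True
            elif key == "include" and "ssl" in val.lower():
                # Assumption: an included *ssl* file (certbot's options-ssl-apache.conf
                # does this) sets SSLEngine on; we cannot read it offline.
                vh["ssl"] = True
        vhosts.append(vh)
    return vhosts


def port_of(addr):
    """Port of a VirtualHost address such as *:443 or [::1]:443 (None if absent)."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def check_port(vhosts, port=443):
    """Return (level, message) findings for every vhost listening on `port`."""
    on_port = [vh for vh in vhosts if any(port_of(a) == port for a in vh["addrs"])]
    if not on_port:
        return [("info", f"no VirtualHost listens on port {port}")]
    findings = []
    # Requests whose SNI/Host name matches no vhost go to the first vhost Apache
    # read for that port, so that one is the de-facto default.
    first = on_port[0]
    findings.append(("info", f"default vhost for :{port} is {first['source']} "
                     f"({', '.join(first['names']) or 'no ServerName'})"))
    claimed = defaultdict(list)
    for vh in on_port:
        label = vh["source"]
        if not vh["ssl"]:
            findings.append(("error", f"{label}: on :{port} without SSLEngine/SSLCertificateFile; "
                             "it answers TLS ClientHellos with plaintext HTTP ('unknown protocol')"))
        if not vh["names"]:
            findings.append(("warn", f"{label}: no ServerName, reachable only as the default"))
        for name in vh["names"] + vh["aliases"]:
            if "*" in name or "?" in name:
                findings.append(("warn", f"{label}: wildcard name '{name}' captures other sites' requests"))
            claimed[name.lower()].append(label)
    for name, sources in claimed.items():
        if len(sources) > 1:
            findings.append(("error", f"'{name}' claimed by {len(sources)} vhosts on :{port}: "
                             f"{', '.join(sources)}; only the first one wins"))
    return findings


def scan_dir(directory, port=443):
    """Parse a sites-enabled directory; apache2.conf includes *.conf in sorted order."""
    vhosts = []
    for path in sorted(Path(directory).glob("*.conf")):
        vhosts.extend(parse_vhosts(path.read_text(errors="replace"), path.name))
    return check_port(vhosts, port)


# Constructed sample site files; every name under example.test is made up.
SAMPLE_SITES = {
    "aaa-catchall-le-ssl.conf": """
<VirtualHost *:443>
    ServerName catchall.example.test
    ServerAlias *
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/catchall/fullchain.pem
</VirtualHost>
""",
    "broken-le-ssl.conf": """
<VirtualHost *:443>
    ServerName broken.example.test
    # no SSLEngine / SSLCertificateFile here: plain HTTP on 443
</VirtualHost>
""",
    "weewx-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName weewx.example.test
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/weewx/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/weewx/privkey.pem
</VirtualHost>
</IfModule>
""",
    "zzz-dup-le-ssl.conf": """
<VirtualHost *:443>
    ServerName weewx.example.test
    SSLEngine on
</VirtualHost>
""",
}


def scan_samples(port=443):
    """Run the checker over SAMPLE_SITES in the order Apache would load them."""
    vhosts = []
    for name in sorted(SAMPLE_SITES):
        vhosts.extend(parse_vhosts(SAMPLE_SITES[name], name))
    return check_port(vhosts, port)


if __name__ == "__main__":
    for level, msg in scan_samples():
        print(f"[{level}] {msg}")
```

On a real host, `scan_dir("/etc/apache2/sites-enabled")` gives the same report for the enabled sites; files without a `.conf` suffix are skipped because Debian's `apache2.conf` does not load them either.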
