Wanting to "join the modern age" by enabling https on established Apache-server-based virtual hosts (some 54 of them!), I finally got around to trying "Let's Encrypt" (by EFF.org), which, by the way, now seems to be renamed "certbot". As I have so many domains, I decided to be conservative and start with just one domain. I installed certbot and then ran:

$ certbot run -d mydomain.com

It ran, selected the right authenticator (apache), obtained a new certificate, performed challenges, verified the challenge, cleaned up, created a new conf file, deployed certificates, and then asked if I wanted a permanent redirect to the encrypted version. I said yes (option 2). It then claimed it was successful and gave a testing URL that goes to SSLLabs.com.

I tried the site myself and the site did not come up. So, I tried the testing URL and it ran lots of tests and concluded an overall rating of B. So, I tried to bring up the site myself and Firefox again claimed "Problem loading page" and "The connection has timed out" (just as it had previously done). I tried the non-encrypted http:// approach and it also failed.

I edited the appropriate conf file to remove the redirect and the site then came up with the non-encrypted protocol.

So, I edited the conf file again and added for this domain:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

Oh, and in the opening line for this domain's config grouping I added the 443 bit, as follows:

<VirtualHost *:80 *:443>

Running apachectl configtest responded with "Syntax OK", so I then tried both protocols and got nothing from Firefox. And then I tried the SSLLabs.com URL and it again gave a B rating...

OK, I'm puzzled; what do I do next?

Note that I'd like to be able to serve both encrypted and non-encrypted protocols, I just tried the permanent redirect to see how certbot would do it.

Insofar as it might matter, I'm running Fedora Core Server 30 from the summer of 2019, with current updates, Apache 2.4.42 for Fedora built October 3, 2019, and certbot 1.0.0. ... Also note that the Apache httpd server is from an ancient installation, maybe 20 years old, which has been updated many times; it may contain some old directives that no longer matter / function as intended, etc.

Richard T
  • The `<VirtualHost>` for port `80` and port `443` should be distinct, unless tricks are used. Can you edit your question and add an excerpt of your `<VirtualHost>` configuration (the `SSL*`, `Rewrite*` and `ServerName` directives are the most important)? – Piotr P. Karwasz Feb 28 '20 at 18:28
  • @PiotrP.Karwasz Thanks Piotr, but as it happens, I asked a friend of mine about this (while still configured to do both and with SSL Labs saying it was a B rating), and he tried it and IT WORKED?! Amazingly, I seem to be the victim of browser cache or something, though how that can be I don't know since it went back and forth for http working or not depending on the config, while https never responded. Hmmm... IDK, but my friend browsed the site and I can see it in the access logs! YAY. So the config above looks to be perfectly valid. ...I'll "answer this myself", pointing out the cache issue. – Richard T Feb 28 '20 at 20:38
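The layout Piotr's comment refers to, written out as an added example (this is not configuration from the question or from certbot's own output): one vhost for *:80 with no SSL directives, and a separate vhost for *:443 that carries SSLEngine and the certificate paths posted above. Keeping them apart matters because SSLEngine applies to the whole vhost, so a single `<VirtualHost *:80 *:443>` with `SSLEngine on` can end up expecting a TLS handshake on connections that arrive on port 80. The DocumentRoot, log names and the commented-out Redirect are assumptions for illustration; the certificate paths are the ones from the question. On Fedora the `Listen 443 https` directive normally comes from mod_ssl's /etc/httpd/conf.d/ssl.conf, so it is not repeated here.

```apache
# Added example: two separate vhosts for one domain.
# Assumed: DocumentRoot /var/www/mydomain.com, log file names below.
# Certificate paths are the ones posted in the question.

# Plain-HTTP vhost. No SSL* directives belong here. To serve both
# protocols, leave the Redirect commented out; to force HTTPS (what
# certbot's option 2 does), uncomment it.
<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain.com
    # Redirect permanent / https://mydomain.com/
    ErrorLog  logs/mydomain.com-error_log
    CustomLog logs/mydomain.com-access_log combined
</VirtualHost>

# HTTPS vhost: the only place SSLEngine is switched on. Apache picks
# this block by the SNI name in the handshake, so ServerName must match
# the name the certificate was issued for (here only mydomain.com,
# since certbot was run with a single -d).
<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    # Assumed present: the protocol/cipher settings certbot's apache
    # installer writes. Check the file exists before including it.
    # Include /etc/letsencrypt/options-ssl-apache.conf
    ErrorLog  logs/mydomain.com-ssl-error_log
    CustomLog logs/mydomain.com-ssl-access_log combined
</VirtualHost>
```

Two checks are worth running before blaming the configuration. `apachectl -S` prints which vhost Apache has bound to `*:80` and `*:443` for each ServerName, which exposes overlapping or duplicated blocks that `configtest` (a syntax check only) will happily accept. Then test from a shell rather than a browser: `curl -vI http://mydomain.com/` and `curl -vI https://mydomain.com/` show the exact response, including any 301 redirect, and are not affected by a browser having cached an earlier permanent redirect. In this thread the SSL Labs scan itself already demonstrated that port 443 was answering from the outside: a grade can only be produced after a successful handshake, so the B rating says something about protocol and cipher settings, not about reachability.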

1 Answer


It turns out there was nothing wrong with the configuration!

I had a friend try it and he got the encrypted site just fine, and I could see his accesses in the log. Therefore...

Most probably this was a browser cache issue! Don't YOU, TOO, become a victim of the dreaded browser cache!

Richard T