
On an Ubuntu 14.04 server I'm trying to get https running to get SSL for a website (the server will be replaced in a couple of weeks). The website works fine on http, but I can't get it running on https. The web browser gives an "Unable to connect", so I'm thinking iptables is blocking the connection. I'm somewhat familiar with ufw but not with iptables.

When I do an iptables -L --line, I have the following output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
38300 2312K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
  122  7916 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
37010 2251K ACCEPT     tcp  --  *      *       x.x.x.x              0.0.0.0/0            tcp dpt:22
 162K 6486K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  11M 4302M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
50298 3001K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 6998  431K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 106K   26M UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
1057K   53M TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 106K   26M REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
 194K 8099K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
 5553  178K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18270 packets, 6985K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 ctstate ESTABLISHED
  714 80354 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 ctstate ESTABLISHED

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
59249 3411K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 1200 64152 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
 498K   26M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:49152:49200
 305K   15M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
38300 2312K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Some public IP addresses have been replaced with x.x.x.x.

Under Chain INPUT (policy DROP) rules #21-25 show https, but it's an ACCEPT in the policy DROP list. Does it mean the connection is dropped or allowed to pass through? There is no rule for http in this list.

Under Chain OUTPUT (policy ACCEPT) rule #1 shows https and #2 shows http and https. Looks like this is the accepting rule. However, if the previous one is the rule to drop the connection I'm assuming rule #1 doesn't get reached.

Under Chain TCP (1 references) rule #1 shows http, but no rule for https.

Do I need to delete the rules under policy DROP? I've tried to add the rule with iptables -A INPUT -p tcp --dport 443 -j ACCEPT but I still can't connect.

Also in /etc/iptables/rules.v4 there is a rule for port 80 (-A TCP -p tcp -m tcp --dport 80 -j ACCEPT) but none for 443. Do I need to add it manually?

Update: Added the requested information, replaced some domain names with example.com.

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38723 2341K fail2ban-ssh  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
2        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
3        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
5      122  7916 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
6        0     0 ACCEPT     tcp  --  any    any     x.x.x.x/26           anywhere             tcp dpt:ssh
7        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
8        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
9        0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
10       0     0 ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
11   37418 2278K ACCEPT     tcp  --  any    any     example.com          anywhere             tcp dpt:ssh
12    168K 6750K DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
13     12M 4492M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
14   51339 3063K ACCEPT     all  --  lo     any     anywhere             anywhere
15    7249  445K ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
16    108K   27M UDP        udp  --  any    any     anywhere             anywhere
17   1084K   54M TCP        tcp  --  any    any     anywhere             anywhere
18    108K   27M REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
19    201K 8383K REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
20    5669  181K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
21       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
22       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https ctstate NEW,ESTABLISHED
23       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate NEW,ESTABLISHED
24       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
25       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 381K packets, 210M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:https ctstate ESTABLISHED
2      718 80790 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate ESTABLISHED

Chain TCP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    60377 3478K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
2     1202 64232 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:mysql
3     510K   26M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:49152:49200
4     311K   16M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain UDP (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    38723 2341K RETURN     all  --  any    any     anywhere             anywhere

ports.conf from Apache:

Listen 80
Listen 443 http

I have to add http to the 443 port, otherwise Apache won't start (based on this answer). This error then happens:

AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

Host configuration:

<VirtualHost *:443>
        ServerName www.example.com

        #ServerAdmin webmaster@example.com
        DocumentRoot /var/www/test

        ErrorLog /var/log/apache2/www.example.com-ssl-error.log
        CustomLog /var/log/apache2/www.example.com-ssl-access.log combined

        <Directory /var/www/test>
                Options Indexes FollowSymLinks
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/cert/www_example_com.crt
        SSLCertificateKeyFile /etc/ssl/cert/www_example_com_com.key
        SSLCertificateChainFile /etc/ssl/cert/www_example_com_com.ca-bundle
</VirtualHost>

There are no log entries for www.example.com-ssl*.log

Stefan
  • perhaps "iptables -L -v --line-numbers" would provide something worthwhile investigating. – Gerard H. Pille Jul 16 '20 at 11:44
  • Is your webserver even listening on Port 443? `Unable to connect` does not sound like a firewall issue. – Gerald Schneider Jul 16 '20 at 13:33
  • It looks like you've "added" rules for https, but you should have inserted them before the reject lines. That's where the line-numbers come in handy. You can't move lines, you'll need to delete them or the rejects, and respectively insert or add them. – Gerard H. Pille Jul 16 '20 at 14:40
  • BTW, it's better to drop than to reject, to spite the bots. – Gerard H. Pille Jul 16 '20 at 14:42
  • That makes sense, the REJECT rules are the last ones that will be matched? And http is being accepted, because it's in the TCP group? Would it be better to add 443 also to the TCP group? – Stefan Jul 16 '20 at 14:51
  • You could indeed add just one accept https rule to the TCP chain, and delete everything from the INPUT chain from line 18 onwards - since the default policy is DROP. You'd better set the default policy for the TCP chain to DROP too. – Gerard H. Pille Jul 16 '20 at 15:53

2 Answers

All your iptables rules for the https port are below 3 REJECT rules for UDP, TCP and ALL, so they match your https traffic and reject the connection.

Move the https rules above those (inserting them at least at the 18th position) or move the REJECT rules below the https ones.

NOTE: if Gerard H. Pille creates a similar answer as me, please, give him the credit.

EDIT: To clean all that up:

This would add the https port to the already defined http port on the TCP group:

iptables -R TCP 1 -p tcp -m multiport --dports 80,443 -j ACCEPT

This would delete all the unnecessary rules you appended into the INPUT chain (the order of the commands is important):

iptables -D INPUT 25
iptables -D INPUT 24
iptables -D INPUT 23
iptables -D INPUT 22
iptables -D INPUT 21

OUTPUT chain does not need any of those rules since it has a default policy of ACCEPT (ssh works and you do not have any OUTPUT rule for ssh, do you?), so you could delete both of them safely:

iptables -D OUTPUT 2
iptables -D OUTPUT 1
NuTTyX
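As an added check (example code written for this page, not from the question or the answers): a small Python parser that reads the `iptables -L -v --line-numbers` listing posted above and reports which rules sit below a catch-all REJECT/DROP for their protocol and therefore can never match. It also accepts the `-n` form with `*` and `0.0.0.0/0`; the sample input is a constructed subset of the poster's INPUT chain.

```python
# Added example (not from the question or answers): flag iptables rules that
# never match because a catch-all REJECT/DROP for their protocol sits above them.
# Constructed subset of the poster's INPUT chain, original rule numbers kept.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
12    168K 6750K DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
17   1084K   54M TCP        tcp  --  any    any     anywhere             anywhere
18    108K   27M REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
19    201K 8383K REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
20    5669  181K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
21       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
23       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate NEW,ESTABLISHED
"""
ANY_IF = {"any", "*"}                          # `-L` prints any, `-L -n` prints *
ANY_ADDR = {"anywhere", "0.0.0.0/0", "::/0"}

def parse_rules(listing):
    """(num, target, prot, in, out, src, dst, extra) for each rule line."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # "Chain ..." banner or column header
        num, _pkts, _bytes, target, prot, _opt, iin, iout, src, dst = parts[:10]
        extra = parts[10].strip() if len(parts) > 10 else ""
        rules.append((int(num), target, prot, iin, iout, src, dst, extra))
    return rules

def is_catch_all_terminator(rule):
    """REJECT/DROP with no interface/address/match restriction (reject-with
    only picks the reply; a ctstate or dpt match would make it selective)."""
    _, target, _, iin, iout, src, dst, extra = rule
    return (target in ("REJECT", "DROP") and iin in ANY_IF and iout in ANY_IF
            and src in ANY_ADDR and dst in ANY_ADDR
            and (extra == "" or extra.startswith("reject-with")))

def shadowed_rules(listing):
    """[(rule, shadowed_by)] for rules below a catch-all covering their protocol;
    the chain is walked top to bottom, so these rules are never reached."""
    blocked, out = {}, []  # protocol -> its first catch-all terminator
    for rule in parse_rules(listing):
        num, prot = rule[0], rule[2]
        covering = [blocked[p] for p in (prot, "all") if p in blocked]
        if covering:
            out.append((num, min(covering)))
        elif is_catch_all_terminator(rule):
            blocked.setdefault(prot, num)
    return out
```

On the poster's chain this reports rules 21 and 23 as shadowed by the tcp-reset REJECT at position 19, which is why the https ACCEPT rules show zero packets.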

ports.conf should be

Listen 0.0.0.0:80
Listen 0.0.0.0:443 https

but it is not necessary to define those ports at all in the ports.conf because:

You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443

https://httpd.apache.org/docs/2.4/bind.html#protocol

Henrik Pingel