
Rekeyed SSL for a new host. Using the same site.conf file, just a new *.crt (verified pointing correctly). Apache restarts with no errors; the error log shows no errors (timeouts). Port 443 is open:

netstat -a | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN   

netstat -lnp|grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      1644/apache2

ps waux |grep 1644
root      1644  0.0  0.4 418960 35564 ?        Ss   23:32   0:00 /usr/sbin/apache2 -k start

and after editing my ports.conf file to show IPv4:

<IfModule ssl_module>
        Listen my.server.ip.add:443
</IfModule>

<IfModule mod_gnutls.c>
        Listen my.server.ip.add:443
</IfModule>

netstat -lnp|grep 443

tcp        0      0 my.server.ip.add:443      0.0.0.0:*               LISTEN      24821/apache2 

ps waux |grep 24821

root     24821  0.0  0.4 418960 35896 ?        Ss   18:50   0:00 /usr/sbin/apache2 -k start

nmap example ip

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-19 16:49 EDT
Nmap scan report for example.exampleserver.com (example ip)
Host is up (0.000032s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https

Here is my file:

<IfModule mod_ssl.c>
<VirtualHost my.ip:443>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com
    DirectoryIndex index.html
    DocumentRoot /path/to/my/site
    ErrorLog /var/log/apache2/example.log
    CustomLog /var/log/apache2/example-access.log combined

    SSLEngine on
    SSLCertificateFile /path/to/ssl/example.crt
    SSLCertificateKeyFile /path/to/ssl/examaple.com.key
    SSLCertificateChainFile /path/to/ssl/gd_bundle-g2-g1.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <Directory /path/to/my/site>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        AddDefaultCharset On
        AddDefaultCharset utf-8

        <Files *.html>
            ForceType text/html;charset=utf-8
        </Files>
    </Directory>
</VirtualHost>
</IfModule>

Here are my enabled mods:

ls /etc/apache2/mods-e*
access_compat.load  authn_core.load  authz_user.load  deflate.load  expires.load  mime.load         negotiation.load  setenvif.conf       ssl.load
alias.conf          authn_file.load  autoindex.conf   dir.conf      filter.load   mpm_prefork.conf  php7.0.conf       setenvif.load       status.conf
alias.load          authz_core.load  autoindex.load   dir.load      headers.load  mpm_prefork.load  php7.0.load       socache_shmcb.load  status.load
auth_basic.load     authz_host.load  deflate.conf     env.load      mime.conf     negotiation.conf  rewrite.load      ssl.conf

Perms for cert files are -rw-rw-r--.

nslookup example.com
Server:     2001:578:3f::30
Address:    2001:578:3f::30#53

Non-authoritative answer:
Name:   example.com
Address: my.v4.ip.add

Edited my /etc/hosts file; nslookup now shows IPv4:

nslookup example.com
Server:     some.v4..add
Address:    some.v4..add#53

Non-authoritative answer:
Name:   example.com
Address: my.v4.ip.add

iptables -n -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:80

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination 

Log file when the Apache2 service is restarted:

[Sun Aug 20 18:50:55.777189 2017] [core:notice] [pid 1644] AH00051: child pid 23072 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sun Aug 20 18:50:55.777276 2017] [mpm_prefork:notice] [pid 1644] AH00169: caught SIGTERM, shutting down
[Sun Aug 20 18:50:56.802691 2017] [mpm_prefork:notice] [pid 24821] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Aug 20 18:50:56.802777 2017] [core:notice] [pid 24821] AH00094: Command line: '/usr/sbin/apache2'

The site still loads fine without HTTPS, on HTTP, since I created a nonSSL.conf file as well pointing to the same location.

Gerald Schneider
jmituzas
  • I'd check permission/ownership of the cert files. Then please return this information: what exactly happens when you go to https on one of those sites? Timeout? How long? Does the browser show an error? Which one? Also, are you sure there is no nginx installed? The netstat command you've pasted just shows that something is listening on 443; confirm it's apache with netstat -lnp|grep 443. Take the pid and ps waux |grep pid. Return all these please in order to get further help. – Marco Aug 20 '17 at 01:32
  • After about 45-60 seconds Chrome incognito shows: This site can’t be reached example.com took too long to respond. Try: Checking the connection Checking the proxy and the firewall Running Network Diagnostics ERR_CONNECTION_TIMED_OUT – jmituzas Aug 20 '17 at 02:21
  • Also edited post with addition info as well – jmituzas Aug 20 '17 at 02:32
  • Do you use IPv4? Please show nslookup of your host. – Mikhail Khirgiy Aug 20 '17 at 03:19
  • nslookup just reports the IP of the host as it should, but edited main post to show. But yes, was wondering what the tcp6 is when I use primarily IPv4? Shouldn't it show tcp4 as well? Could that be the issue? If so, how do I get it to work? – jmituzas Aug 20 '17 at 03:44
  • OK, edited my /etc/hosts file, wrote changes in main post; all other commands still show same tcp6 – jmituzas Aug 20 '17 at 04:00
  • Is your nmap from client or from server's local host? Can you nmap from client as well? Can you surf site2 right from server with lynx or links2? – Marco Aug 20 '17 at 10:10
  • Can you paste iptables -n -L ? – Marco Aug 20 '17 at 10:11
  • I can only use nmap on the server's local host, and included iptables in the main post, in which I don't see anything for port 443; so that may be the issue. – jmituzas Aug 20 '17 at 23:19

2 Answers

You have a firewall issue. Please type ufw allow proto tcp port 443 and have good https serving. Also, check that you have IPV6=yes in your /etc/default/ufw if you want to allow port 443 proto tcp for both IPv4 and IPv6.

Marco
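As an added illustration of this diagnosis (example code, not from the question or either answer), the script below cross-checks the two outputs the question pasted: listening TCP sockets from netstat -lnp against ACCEPT rules in the ufw-user-input chain of iptables -n -L. Any port that is bound but has no allow rule falls through to the INPUT chain's policy DROP, which is exactly the silent timeout the question describes. The sample outputs are constructed from the question's listings; the sshd line and its pid are assumed.

```python
import re

# Constructed samples condensed from the question's netstat -lnp and iptables -n -L
# output. The sshd line (pid 900) is assumed; the nmap listing shows 22 and 80 open.
NETSTAT_LNP = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1644/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1644/apache2
"""

IPTABLES_NL = """\
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:80

Chain ufw-user-output (1 references)
target     prot opt source               destination
"""

def listening_tcp_ports(netstat_output):
    """Return {port: 'pid/program'} for TCP sockets in LISTEN state.
    A tcp6 socket bound to :: also accepts IPv4 on a default Linux host
    (net.ipv6.bindv6only=0), so the :::443 line counts as an IPv4 listener too."""
    ports = {}
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])       # '0.0.0.0:22' or ':::443' -> port
        ports[port] = f[6] if len(f) > 6 else "?"
    return ports

def ufw_accepted_tcp_ports(iptables_output, chain="ufw-user-input"):
    """Return the set of TCP destination ports ACCEPTed in the given chain."""
    accepted, in_chain = set(), False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain   # track which chain we are inside
            continue
        if in_chain and line.startswith("ACCEPT") and " tcp " in line:
            m = re.search(r"dpt:(\d+)", line)
            if m:
                accepted.add(int(m.group(1)))
    return accepted

def unreachable_services(netstat_output, iptables_output):
    """Listening TCP ports with no ufw allow rule: these hit the INPUT policy DROP."""
    allowed = ufw_accepted_tcp_ports(iptables_output)
    return {p: proc for p, proc in listening_tcp_ports(netstat_output).items()
            if p not in allowed}

if __name__ == "__main__":
    for port, proc in sorted(unreachable_services(NETSTAT_LNP, IPTABLES_NL).items()):
        print(f"port {port} ({proc}) listens but ufw has no allow rule: ufw allow proto tcp port {port}")
```

Run against the question's data it reports only port 443, matching the ufw-user-input chain that allows 22 and 80 but nothing else.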

The netstat command shows you that Apache listens only on an IPv6 address, not IPv4. That is why you have a connection error. Check the httpd config file to enable IPv4.

Mikhail Khirgiy