SSL keeps waiting for response

1

I'm trying to configure HTTPS but it doesn't work and I don't really know what's wrong.

These are the steps I've followed:

  1. I have generated a .pem certificate (certificate + chain) with letsencrypt, by using the next command:

    sudo -H ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory

The response comes in this way:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert
   will expire on 2016-03-07. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  2. I have generated a private key

    sudo openssl req -new -x509 -days 365 -nodes -out /etc/letsencrypt/live/xxxx.com/fullchain.pem -keyout /etc/letsencrypt/live/xxxx.com/fullchain.key

Here below I paste the response:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:xxxx
Locality Name (eg, city) []:xxxx
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx.com
Common Name (e.g. server FQDN or YOUR name) []:test
Email Address []:test@gmail.com
  3. I have checked that the key returns the correct value I've set in the last step:

    sudo openssl x509 -in /etc/letsencrypt/live/xxxx.com/fullchain.pem -noout -subject

Here below I paste the response:

subject= /C=US/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx.com/CN=test/
emailAddress=test@gmail.com
  4. I've set a new virtual host that I copy here below:

    <VirtualHost *:443>
      ServerAdmin test@gmail.com
      DocumentRoot /var/www/html/xxx1/public
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
      ServerName xxxx.com
      SSLEngine on
    
      SSLCertificateFile      /etc/letsencrypt/live/xxxx.com/fullchain.pem
      SSLCertificateKeyFile      /etc/letsencrypt/live/xxxx.com/fullchain.key
    
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
      </FilesMatch>
    
      <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
      </Directory>
    
      BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
    
  5. I've opened the 443 port in my /etc/apache2/ports.conf.

After all these steps, I've just done sudo service apache2 restart but the console just waits until I get:

Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.

and when I debug it with journalctl -xe the result is as follows:

-- Unit apache2.service has begun starting up.
Dec 08 19:12:20 devXxxx apache2[21637]: * Starting web server apache2
Dec 08 19:12:20 devXxxx apache2[21637]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 100.114.32.17. Set the 'ServerName' directive globally to suppress this mes
Dec 08 19:12:20 devXxxx apache2[21637]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Dec 08 19:12:29 devXxxx sudo[21613]: pam_unix(sudo:session): session closed for user root
Dec 08 19:12:29 devXxxx polkitd(authority=local)[996]: Unregistered Authentication Agent for unix-process:21628:9475994 (system bus name :1.109, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, loca
Dec 08 19:12:40 devXxxx apache2[21637]: *
Dec 08 19:12:40 devXxxx apache2[21637]: * The apache2 instance did not start within 20 seconds. Please read the log files to discover problems
Dec 08 19:12:40 devXxxx systemd[1]: apache2.service: Control process exited, code=exited status=1
Dec 08 19:12:40 devXxxx systemd[1]: Failed to start LSB: Apache2 web server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit apache2.service has failed.

After watching apache try to load for those 20 seconds, I've decided to test the certificate as I detail:

  1. Checking there is only 1 certificate:

    sudo ln -s /etc/letsencrypt/live/xxxx.com/fullchain.pem
    sudo openssl x509 -hash -noout -in /etc/letsencrypt/live/xxxx.com/fullchain.pem.0

  2. Verifying that the certificate works:

    openssl verify -CApath f6361f65.0

but surprise, it doesn't.... the terminal keeps trying to connect without response.

Can someone help me?

Thanks in advance.

DevStarlight

Posted 2015-12-08T19:25:13.617

Reputation: 115
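The journal above shows two separate problems worth checking before restarting Apache again: the `openssl req -x509` step in the question overwrote the Let's Encrypt certificate with a self-signed one (CN=test, key in fullchain.key), and something else already holds port 443. The following pre-flight script is an added example, not code from the question or from Let's Encrypt; it assumes `openssl` is installed and that the certificate, key and ServerName are passed as arguments (the paths below are placeholders). The constructed test certificate it can generate is only there so the checks run offline.

```sh
#!/bin/sh
# Added example: pre-flight checks for an Apache HTTPS vhost.
# Assumes openssl is installed; all paths are placeholders.
set -eu

# The public key embedded in the certificate must equal the public key derived
# from the private key; otherwise Apache rejects the SSLCertificateFile /
# SSLCertificateKeyFile pair at startup. Compares the two PEM-encoded public keys.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Does the certificate's SAN (or, failing that, its subject CN) cover the
# ServerName? A certificate issued for CN=test is not valid for xxxx.com.
# openssl prints "Hostname X does match certificate" or "does NOT match".
cert_covers_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Is a TCP port already in LISTEN state (the "(98)Address already in use" case)?
# Reads /proc/net/tcp{,6} directly so it needs neither ss nor netstat (Linux only).
# Local ports there are hex; state 0A is LISTEN.
port_in_use() {
  hexport=$(printf '%04X' "$1")
  cat /proc/net/tcp /proc/net/tcp6 2>/dev/null |
    awk -v p=":$hexport\$" '$2 ~ p && $4 == "0A" { found = 1 } END { exit !found }'
}

# Constructed self-signed test material so the checks can be exercised offline.
# A real deployment uses the key and certificate letsencrypt-auto wrote, not this.
make_test_cert() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Usage: sh check_vhost.sh /etc/letsencrypt/live/xxxx.com/fullchain.pem \
#           /etc/letsencrypt/live/xxxx.com/privkey.pem xxxx.com
if [ $# -eq 3 ]; then
  cert_key_match "$1" "$2"   && echo "ok: key matches certificate"  || echo "FAIL: key does not match certificate"
  cert_covers_name "$1" "$3" && echo "ok: certificate covers $3"    || echo "FAIL: certificate does not cover $3"
  port_in_use 443            && echo "FAIL: port 443 already bound" || echo "ok: port 443 free"
fi
```

Run it against the vhost's own SSLCertificateFile and SSLCertificateKeyFile; a FAIL on the first line means the key file does not belong to the certificate file, and a FAIL on the last line means the restart will hit make_sock again whatever the certificate looks like.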

Answers

3

First off, it looks like something is already bound to port 443:

Dec 08 19:12:20 devXxxx apache2[21637]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443 D

Next, with Let's Encrypt, you don't need to set up your own private key; the script should generate one for you (unless you manually generate your own CSR).

When the letsencrypt-auto script completes you should have in your certificate directory 4 files.

  • cert.pem - This is your certificate. In Apache SSLCertificateFile should point to this file.
  • privkey.pem - This is your private key. KEEP IT SECRET. In Apache SSLCertificateKeyFile should point to this file.
  • chain.pem - This is the chain of certificates that establish your trust. In Apache you can point SSLCertificateChainFile to this file.
  • fullchain.pem - This is a combination of cert.pem and chain.pem, so it is your certificate and its full chain of trust. In Apache point SSLCACertificateFile to this file.

Let's Encrypt Documentation

heavyd

Posted 2015-12-08T19:25:13.617

Reputation: 54 755

1

The file usage is slightly outdated and slightly wrong. SSLCertificateChainFile is deprecated and Apache 2.4 would rather read the chain from the certificate file, like most other programs do. Thus SSLCertificateFile fullchain.pem. Meanwhile, SSLCACertificateFile has nothing to do with this at all – the documentation emphasizes that this option is only relevant for client authentication, so putting any LE cert there is wrong & useless.

– user1686 – 2015-12-09T06:12:42.213
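A small audit script for the directive mapping discussed in the answer and the comment above, added here as an example that is not code from either poster or from Apache. It assumes a Debian-style vhost file as the input and the file names letsencrypt-auto writes (cert.pem, privkey.pem, chain.pem, fullchain.pem); the sample vhost it writes is a constructed copy of the mapping in the question.

```sh
#!/bin/sh
# Added example: audit the TLS directives of an Apache 2.4 vhost file against
# the files letsencrypt-auto produces. Paths are placeholders.
set -eu

# Number of PEM certificates in a file: fullchain.pem should hold at least two
# (leaf plus intermediate), cert.pem exactly one.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# First value of a directive in the vhost file, empty if the directive is absent.
directive_value() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# One finding per line; silent when the vhost follows current Apache 2.4 guidance.
audit_vhost() {
  conf=$1
  cert=$(directive_value "$conf" SSLCertificateFile)
  key=$(directive_value "$conf" SSLCertificateKeyFile)
  chain=$(directive_value "$conf" SSLCertificateChainFile)
  ca=$(directive_value "$conf" SSLCACertificateFile)
  [ -z "$chain" ] || echo "SSLCertificateChainFile is deprecated since Apache 2.4.8; ship the chain inside SSLCertificateFile instead"
  [ -z "$ca" ] || echo "SSLCACertificateFile only configures client-certificate authentication; remove it"
  case "$cert" in
    */fullchain.pem) ;;
    *) echo "SSLCertificateFile should point at fullchain.pem (leaf + intermediate), not '$cert'" ;;
  esac
  case "$key" in
    */privkey.pem) ;;
    *) echo "SSLCertificateKeyFile should point at the privkey.pem letsencrypt-auto generated, not '$key'" ;;
  esac
  # A fullchain.pem that was overwritten by 'openssl req -x509' has only one
  # certificate left in it, so the intermediate is never sent to clients.
  if [ -f "$cert" ] && [ "$(pem_cert_count "$cert")" -lt 2 ]; then
    echo "$cert contains fewer than 2 certificates; the intermediate will not be sent"
  fi
}

# Constructed sample mirroring the question: fullchain.pem as the certificate,
# but a self-generated fullchain.key instead of privkey.pem.
write_sample_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
  ServerName xxxx.com
  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/xxxx.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/xxxx.com/fullchain.key
</VirtualHost>
EOF
}

# Usage: sh audit_vhost.sh /etc/apache2/sites-enabled/xxxx.com-ssl.conf
if [ $# -eq 1 ]; then
  audit_vhost "$1"
fi
```

Against the question's vhost this reports only the key file; against the four-directive mapping in the answer it reports the deprecated chain directive, the misuse of SSLCACertificateFile and the cert.pem-instead-of-fullchain.pem choice, which is exactly the correction the comment makes.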

Just adding that in Apache 2.4 it is not necessary anymore to have the line Listen 443 in /etc/apache2/ports.conf. Instead, just specify it in the <VirtualHost *:443>. – DevStarlight – 2015-12-09T11:04:26.457

0

For letsencrypt this command works for me without stopping the server:

./letsencrypt-auto certonly --webroot -w /websitedir -d www.domain.com

After this process, for nginx you can link the certificates:

ln -s privkey.pem /etc/ssl/domain.key
ln -s fullchain.pem /etc/ssl/domain.crt

Sami Onur Zaim

Posted 2015-12-08T19:25:13.617

Reputation: 1