Unable to configure certbot with nginx to accept https - ssl

When I tried to configure my nginx app with certbot following this tutorial and others like it, I always end up with the same answer from certbot:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sicocme.enterpriserealdomain.com
http-01 challenge for www.sicocme.enterpriserealdomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sicocme.enterpriserealdomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for sicocme.enterpriserealdomain.com, www.sicocme.enterpriserealdomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for www.sicocme.enterpriserealdomain.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sicocme.enterpriserealdomain.com
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for sicocme.enterpriserealdomain.com

   Domain: www.sicocme.enterpriserealdomain.com
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for www.sicocme.enterpriserealdomain.com

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
When I check my domain's DNS, the A record is there for both www and non-www with the correct IP address. The server has network access and can be reached by IP or by domain name, which proves that the DNS domain recognizes this machine and exists.
I also made sure to allow the proper ports with ufw:
To Action From
-- ------ ----
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
5432/tcp ALLOW Anywhere
Nginx Full ALLOW Anywhere
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Why could this be happening?
Thanks in advance!

This is the same issue but with Apache.
Check that the A record has been set for the server, then:
sudo certbot --apache -d DOMAIN_WITHOUT_WWW -d DOMAIN_WITH_WWW
Then it will work fine.

The problem is that your DNS records are not propagated yet. See the URL below:
https://dnsmap.io/#A/sicocme.enterpriserealdomain.com
Make sure your DNS records are propagated everywhere, then things should be fine.

You should add a new DNS record for www.yourdomain.com (for www).
I think you have added only a DNS record for '#'.
Please check this:
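Both answers above come down to the same check: every name passed with -d (the apex and www) must resolve to the server's address from the public DNS before the http-01 challenge can reach it. The script below is an added example, not certbot's own code: it resolves the names certbot will validate and reports the NXDOMAIN condition from the error above, and it extracts the Domain/Detail pairs from certbot's "IMPORTANT NOTES" block. The resolver is injectable so the check runs offline against constructed answers (the default uses the operating system's resolver); the domain names and the IP address in the sample are constructed values.

```python
"""Pre-flight check before `certbot --nginx -d apex -d www.apex`.

Added example, not certbot's code.  All domain names and IP addresses are
constructed sample values.
"""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve A/AAAA through the OS; an empty list means NXDOMAIN or no data."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def names_to_validate(domain: str) -> List[str]:
    """certbot validates each -d name on its own, so www needs its own A record."""
    names = [domain]
    if not domain.startswith("www."):
        names.append("www." + domain)
    return names


def preflight(domain: str, expected_ip: str,
              resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Per-name verdict: 'ok', 'nxdomain', or 'wrong-ip:<addresses actually returned>'."""
    verdicts: Dict[str, str] = {}
    for name in names_to_validate(domain):
        addrs = resolver(name)
        if not addrs:
            verdicts[name] = "nxdomain"
        elif expected_ip in addrs:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "wrong-ip:" + ",".join(addrs)
    return verdicts


def parse_certbot_failures(output: str) -> Dict[str, str]:
    """Map each failed domain to its Detail text from certbot's IMPORTANT NOTES."""
    failures: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            # "Domain: example.com" (first token; tolerates "Domain: x Type: y" on one line)
            current = line.split(":", 1)[1].split()[0]
        elif current is None:
            continue
        elif line.startswith("Detail:"):
            failures[current] = line.split(":", 1)[1].strip()
        elif current in failures:
            if line and not line.startswith("To fix"):
                failures[current] += " " + line   # Detail wrapped onto a continuation line
            else:
                current = None
        # other lines between Domain: and Detail: (e.g. "Type: connection") are skipped
    return failures


# Constructed certbot excerpt in the same shape as the error in the question.
SAMPLE_NOTES = """IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sicocme.example.com
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for
   sicocme.example.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
"""


def constructed_resolver(name: str) -> List[str]:
    """Constructed zone: only the apex has an A record; www was never created."""
    return {"sicocme.example.com": ["203.0.113.10"]}.get(name, [])


if __name__ == "__main__":
    print(parse_certbot_failures(SAMPLE_NOTES))
    print(preflight("sicocme.example.com", "203.0.113.10", constructed_resolver))
```

Run it with the default resolver from a machine outside your own network before invoking certbot; a "nxdomain" verdict for the www name is exactly the case the second answer describes, and "wrong-ip" is the stale-propagation case from the first.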

Related

How do I troubleshoot this https problem?

The https of my website does not appear as secure when I use Google Chrome on my desktop, but it does when I use it on my phone.
This is for an Ubuntu server, running WordPress, Let's Encrypt, PHP5 and Apache 2. I've tried to install Nginx too, but the problem does not get solved. I have no idea what is going on, plus the fact that this is the first website I am developing by myself.
This is my ufw status:
22/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
Apache Full ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
Also, everything seems alright when I check the certificates on https://www.ssllabs.com/
My website is www.floristeriarequena.es
Thanks in advance!
The https of my website does not appear as secure when I use Google Chrome on my desktop ...
I'm not sure what exactly you mean by this, but your site seems to include resources from https://68.183.217.125/..., i.e. you are using the IP address 68.183.217.125 in the URL instead of the hostname www.floristeriarequena.es. But the certificate is valid for www.floristeriarequena.es and not for 68.183.217.125, which results in certificate errors. This results in a failure to load style sheets etc. and can be seen in the developer console as:
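The answer above describes a hostname mismatch: the browser checks the name in the URL against the certificate's subjectAltName entries, and an IP literal only ever matches an iPAddress entry. The code below is an added example, not part of the answer: a matcher over the dict shape that ssl.SSLSocket.getpeercert() returns, plus a scan of a page's markup for https resource URLs whose host the server's certificate does not cover. It applies the RFC 6125 rules browsers use (case-insensitive dNSName comparison, at most one left-most wildcard label, IP literals only against iPAddress SANs, CN consulted only when there are no SANs). PEER_CERT and SAMPLE_HTML are constructed stand-ins; the site's real certificate and markup are not reproduced here.

```python
"""Why https://68.183.217.125/... fails while https://www.floristeriarequena.es/ works.

Added example.  PEER_CERT and SAMPLE_HTML are constructed stand-ins.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

PEER_CERT = {  # constructed; same layout as ssl.getpeercert()
    "subject": ((("commonName", "www.floristeriarequena.es"),),),
    "subjectAltName": (("DNS", "www.floristeriarequena.es"),
                       ("DNS", "floristeriarequena.es")),
}

SAMPLE_HTML = """<link rel="stylesheet" href="https://68.183.217.125/wp-content/themes/x/style.css">
<script src="https://www.floristeriarequena.es/wp-includes/js/jquery.js"></script>"""

RESOURCE_RE = re.compile(r"""(?:src|href)=["'](https://[^/"']+)""", re.IGNORECASE)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 dNSName comparison: exact match, or '*' as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no partial-label or multi-level wildcards, and none on the apex
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, requested: str) -> Tuple[bool, str]:
    """Return (matches, reason) for the host part of the URL the client requested."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if _is_ip(requested):
        ok = any(ipaddress.ip_address(v) == ipaddress.ip_address(requested) for v in ip_names)
        return ok, f"{requested} is an IP literal; iPAddress SANs: {ip_names or 'none'}"
    if dns_names:
        return any(dns_name_matches(p, requested) for p in dns_names), f"dNSName SANs: {dns_names}"
    # legacy fallback; modern browsers ignore the CN entirely
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(p, requested) for p in cn), f"no SANs, CN: {cn}"


def audit_resource_hosts(html: str, cert: dict) -> List[Tuple[str, bool]]:
    """For each https resource URL, say whether this server's certificate covers its host."""
    results = []
    for m in RESOURCE_RE.finditer(html):
        host = urlsplit(m.group(1)).hostname or ""
        results.append((host, cert_matches(cert, host)[0]))
    return results


if __name__ == "__main__":
    for host, ok in audit_resource_hosts(SAMPLE_HTML, PEER_CERT):
        print(f"{host:30} {'covered' if ok else 'CERTIFICATE ERROR: resource blocked'}")
```

The audit assumes the resources are served by the same host whose certificate you pass in, which is the situation in the answer (WordPress emitting absolute URLs with the server's IP). The fix is on the server side: make the site URL the hostname so every generated link uses a name the certificate covers.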

Cannot connect to SSH after installing SSL certificates through Certbot

Recently I installed SSL certificates through Certbot on an apache2 server, and my website can be accessed through HTTPS. I have also enabled redirect to HTTPS. But I can no longer connect to the server via SSH. What can I do now?
You should allow 22/tcp while setting up the SSL certificates.
To do this, you have to check whether ufw status is active.
If it is inactive, enable it:
sudo ufw enable
sudo ufw default deny
Then execute the sudo ufw status command; you should see the following:
Status: active
To Action From
-- ------ ----
Apache Full ALLOW Anywhere
22/tcp ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
If you can't see that 22/tcp is allowed, then allow SSH:
sudo ufw allow ssh
Then you will be able to connect to the server using SSH after installing the SSL certificate.
While setting up, if the UFW is set to allow port 80(HTTP) and 443(HTTPS), but not 22(SSH), then HTTP and HTTPS would work fine but not SSH. This means that you can get locked out of your server if you don't allow connecting to it via port 22 (SSH).
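The lockout the answer warns about is easy to detect before running ufw enable. The code below is an added example, not part of the answer: it parses the `sudo ufw status` table into the set of allowed ports, expanding the application profiles that the openssh-server, apache2 and nginx packages install under /etc/ufw/applications.d (OpenSSH, Apache, Apache Full, Nginx HTTP, Nginx Full), and returns the commands still needed so the SSH session survives. The two status listings are constructed samples; the first matches the answer's expected output, the second is the lockout case.

```python
"""Read `sudo ufw status` output and say whether enabling ufw would lock out SSH.

Added example.  The two listings are constructed samples.
"""
import re
from typing import Dict, List, Set

# `ufw status` prints: <to>  <ALLOW|DENY|REJECT|LIMIT> [IN|OUT]  <from>
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(?P<from>.+)$"
)

# Ports behind the app profiles those packages ship
APP_PROFILE_PORTS = {
    "OpenSSH": {"22/tcp"},
    "Apache": {"80/tcp"},
    "Apache Full": {"80/tcp", "443/tcp"},
    "Nginx HTTP": {"80/tcp"},
    "Nginx Full": {"80/tcp", "443/tcp"},
}


def parse_ufw_status(text: str) -> Dict[str, object]:
    """Return the status word and the ALLOW targets for IPv4 and IPv6 as port/proto sets."""
    status = "unknown"
    allowed: Dict[str, Set[str]] = {"v4": set(), "v6": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            status = line.split(":", 1)[1].strip()
            continue
        m = RULE_RE.match(line)
        if not m or m.group("action") != "ALLOW":
            continue
        to = m.group("to")
        family = "v6" if to.endswith("(v6)") else "v4"
        to = to.replace("(v6)", "").strip()
        if to in APP_PROFILE_PORTS:
            ports = APP_PROFILE_PORTS[to]
        elif to.isdigit():                      # `ufw allow 22` covers both protocols
            ports = {to + "/tcp", to + "/udp"}
        else:
            ports = {to}
        allowed[family].update(ports)
    return {"status": status, "v4": allowed["v4"], "v6": allowed["v6"]}


def commands_before_enable(text: str, ssh_port: int = 22) -> List[str]:
    """Commands to run first so that `ufw enable` does not cut off the SSH session."""
    parsed = parse_ufw_status(text)
    needed = []
    if f"{ssh_port}/tcp" not in parsed["v4"]:
        needed.append("sudo ufw allow ssh" if ssh_port == 22 else f"sudo ufw allow {ssh_port}/tcp")
    return needed


# Constructed listings: the answer's expected output, and the lockout case
# (web ports open, SSH forgotten).
SAFE_STATUS = """Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

RISKY_STATUS = """Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    for name, listing in (("safe", SAFE_STATUS), ("risky", RISKY_STATUS)):
        print(name, parse_ufw_status(listing)["status"], commands_before_enable(listing) or "ok")
```

If you run sshd on a non-default port, pass it as ssh_port; the check then looks for that port rather than the OpenSSH profile. On a cloud host, remember that the provider's security group sits in front of ufw and needs the same rule.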

Can't put WAMP online

UPD: Provider's fault
I think I have read all the instructions and have done everything I could, but it still doesn't work :(
List of things I have done so far:
In the httpd.conf file of the Apache server:
ServerName 192.168.0.102:8080
...
# onlineoffline tag - don't remove
Require all granted
...
Listen 0.0.0.0:8080
Listen [::0]:8080
Then I have the following result:
C:\Users\Sam>netstat -na | find ":8080"
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP [::]:8080 [::]:0 LISTENING
So, I guess, no firewall interruptions.
Then I have forwarded the thing in my TL-WR842ND router as follows:
In DHCP I set static local IP of 192.168.0.102 to my MAC and forwarded port 8080 to that IP. Then I rebooted the router but the port is still closed.
I can access WAMP through localhost:8080 and through 192.168.0.102:8080, but cannot access it remotely through the public IP. I also tried to set DMZ to 192.168.0.102 but that also had no impact. I called my provider and they said that they allow port forwarding and the problem must be on my side. Please help :(
Turns out, I have a common IP address with multiple other users and I have to pay extra to my provider in order to be able to expose services to the outside. I believe that is called a non-routable IP address.
You can read about it here.

configuring reverse proxy https with multiple certificates with Apache

I have the following setup:
one public IP
2 different domain names pointing to the same IP above: domain1.com and domain2.com
2 different ssl certificates: one for domain1.com and one for domain2.com
2 physical machines on the same LAN (192.168.1.10 and 192.168.1.20) running Apache2 and Debian 8.5
I tested both servers independently, forwarding the 443 port traffic to either of the machines. They work nicely.
Now, I am forwarding all port 443 requests arriving to the public IP to the first server at 192.168.1.10 and I would like this server to act as a https server for https://domain1.com and redirect the requests for https://domain2.com to address 192.168.1.20
I have tried to configure a reverse proxy in the first machine. It does redirect the requests for domain2 to the machine at 192.168.1.20 BUT it serves the certificate for domain1.
How can I configure the reverse proxy so as to present the right certificate for each one of my servers?
Thank you in advance.
julia
Easiest "solution" (well, workaround) would be to use a single certificate that contains both hostnames. If you cannot do that, then you need to configure Apache SNI, like so: SSL with Virtual Hosts Using SNI
As some suggested I tried to use the Apache2 reverse proxy.
This somehow works but you have to install all the certificates on the machine running Apache2. Thus the traffic on the LAN is no longer https, which does not satisfy my requirement.
The solution is to use haproxy. This package can be set up as a pass-through for https. There are many examples of such applications on the internet. It does exactly what I am asking for: I can host many https servers on a LAN behind a NAT router with one single public IP. The traffic is sent by haproxy as https to the indicated server on the LAN. If anyone is interested, I will be glad to share my config file solving precisely the problem I set out in my question.
To Robert M:
here is my configuration to be added at the end of the default haproxy.cfg file:
frontend ft_https
    mode tcp
    option tcplog
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl domain1_com req.ssl_sni -m end domain1.com    # all url ending with domain1.com
    acl domain2_com req.ssl_sni -i www.domain2.com    # exactly www.domain2.com
    use_backend b_domain1_com if domain1_com
    use_backend b_domain2_com if domain2_com
    default_backend b_default

backend b_default
    mode tcp
    option tcplog
    server srv_default 127.0.0.1:1443

backend b_domain1_com
    mode tcp
    option tcplog
    server srv_domain1 192.168.1.10:1443

backend b_domain2_com
    mode tcp
    option tcplog
    server srv_domain2 192.168.1.20:443
I had to change the https port for apache on the first server to 1443 because both haproxy and apache cannot bind to the same 443 port as they reside on the same machine, but it is transparent to the user.
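The configuration above works without any certificate on the proxy because the server name sits in clear text in the TLS ClientHello, before any key exchange; haproxy's `tcp-request inspect-delay` buffers the first bytes until that record has arrived, and `req.ssl_sni` reads the name out of it. The code below is an added example, not haproxy's code or the answer's configuration: it builds a minimal ClientHello carrying a server_name extension (a constructed test input), extracts the SNI from the raw record, and picks a backend with the same semantics as the two acl lines (`-m end` suffix match, `-i` exact case-insensitive match, b_default otherwise). The backend names are those from the configuration.

```python
"""What haproxy's `req.ssl_sni` ACLs look at: the SNI in the unencrypted ClientHello.

Added example, not haproxy's code.  build_client_hello() produces a constructed
record for testing; extract_sni() is the parser; choose_backend() mirrors the acls.
"""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record with one cipher suite and an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32    # client_version, random (fixed bytes for the sample)
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\x13\x01"          # cipher_suites: a single suite
            + b"\x01\x00"                  # compression_methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    pos = 4 + 2 + 32                                  # header, client_version, random
    try:
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            p = 2                                     # skip server_name_list length
            while p + 3 <= len(data):
                name_type = data[p]
                nlen = int.from_bytes(data[p + 1:p + 3], "big")
                if name_type == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    except IndexError:
        return None                                   # truncated record
    return None


# Same tests as the two acl lines in the frontend above.
BACKENDS = (
    ("b_domain1_com", lambda sni: sni.endswith("domain1.com")),       # req.ssl_sni -m end domain1.com
    ("b_domain2_com", lambda sni: sni.lower() == "www.domain2.com"),  # req.ssl_sni -i www.domain2.com
)


def choose_backend(record: bytes) -> str:
    """Route a client's first record the way the frontend does; no SNI means b_default."""
    sni = extract_sni(record)
    if sni is not None:
        for backend, acl in BACKENDS:
            if acl(sni):
                return backend
    return "b_default"


if __name__ == "__main__":
    for name in ("shop.domain1.com", "WWW.domain2.com", "other.example"):
        print(name, "->", choose_backend(build_client_hello(name)))
```

One caveat the mirror makes visible: `-m end domain1.com` is a plain suffix test, so a ClientHello for notdomain1.com also lands on b_domain1_com. Anchoring the match on the dot (`-m end .domain1.com` plus an exact entry for the apex) or listing the exact names keeps a stray or attacker-chosen SNI from being routed to an internal host. Because the proxy never terminates TLS, each LAN server still presents its own certificate and the client's hostname check is satisfied end to end.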

SSL installed on Apache2 but HTTPS not working

I recently installed an SSL certificate on my Amazon EC2 Ubuntu 12.04 (32-bit) server running Apache 2.
When I attempt to access my site via https, it does not load. When I perform an nmap scan, I see that port 443 is not open.
I tried to open port 443 in my iptables to no avail. iptables -L yields
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Here's how I installed ssl
I modified /etc/init.d/apache2.conf to include ssl.conf and modified ssl.conf to include the requisite paths of my certificate files, i.e.
SSLCertificateFile /path/file
SSLCertificateKeyFile /path/file
SSLCertificateChainFile /path/file
I configured my security group to allow inbound requests from port 443 (TCP source:0.0.0.0/0)
When I perform the following test with PHP
<?php
if (!extension_loaded('openssl')) {
    echo "not loaded";
} else {
    echo "loaded";
}
I get "loaded".
Any ideas?
In httpd-ssl.conf, do you have
Listen 443
If not, try adding that, and restarting apache.
First check if mod_ssl is enabled. If not, enable it by running a2enmod ssl. Then check if Apache is listening on port 443 for https. Then check if the firewall is not blocking port 443.
If anyone else finds this and is using Amazon Lightsail (like me), you have to use their web UI to explicitly open port 443.
I spent hours poring over my server config files before I discovered that :/
In httpd.conf the following is disabled by default:
# Secure (SSL/TLS) connections
# Include conf/extra/httpd-ssl.conf
Simply remove the # from the Include and restart Apache.
If you can connect locally (e.g. with telnet localhost 443 as mti suggests), check if the firewall is configured properly.
In my case, ufw was blocking everything, so I had to ufw allow 443 which fixed the underlying problem to the same symptom.
I just ran into a situation where there was a process listening on port 443, the firewall was completely open, SELinux was disabled, and I still couldn't telnet to port 443. Not even from localhost. I kept getting:
telnet 127.0.0.1 443
telnet: connect to address 127.0.0.1: Connection refused
It turns out the iptables NAT table had some rules redirect traffic coming in on port 443 to a different port (8443). Nothing was listening on port 8443.
# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443
Removing the relevant NAT entries fixed the problem for me.
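The answer above is worth turning into a check, because a nat-table REDIRECT makes the usual evidence misleading: the listener on 443 is real, the filter table is open, and the connection is still refused. The code below is an added example, not part of the answer: it reads `iptables -t nat -L` output for REDIRECT rules that rewrite the destination port, reads a `netstat -ltn` style listing for local listeners, and reports which port a client actually lands on and whether anything is bound there. Both listings are constructed samples reproducing the situation described (443 redirected to 8443, nothing on 8443).

```python
"""Follow a connection to port 443 through the nat table before blaming Apache.

Added example.  NAT_TABLE and LISTENERS are constructed samples.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# iptables -L prints service names from /etc/services unless -n is given
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}

REDIRECT_RE = re.compile(r"^REDIRECT\s+tcp\s+.*?\bdpt:(?P<dpt>\S+).*?redir ports (?P<to>\d+)")
LISTEN_RE = re.compile(r"^\S+\s+.*?\S:(?P<port>\d+)\s+\S+\s+LISTEN")


def _port(value: str) -> int:
    return int(value) if value.isdigit() else SERVICE_PORTS[value]


def parse_nat_redirects(text: str) -> List[Tuple[str, int, int]]:
    """(chain, original destination port, redirected port) for every tcp REDIRECT rule."""
    rules: List[Tuple[str, int, int]] = []
    chain: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = REDIRECT_RE.match(line)
        if m and chain:
            rules.append((chain, _port(m.group("dpt")), int(m.group("to"))))
    return rules


def parse_listeners(text: str) -> Set[int]:
    """Local TCP ports in LISTEN state from a `netstat -ltn` style listing."""
    ports: Set[int] = set()
    for raw in text.splitlines():
        m = LISTEN_RE.match(raw.strip())
        if m:
            ports.add(int(m.group("port")))
    return ports


def diagnose(nat_text: str, listen_text: str, port: int = 443) -> Dict[str, object]:
    """Where does a packet for `port` end up, and is a server waiting there?"""
    effective, via = port, None
    for chain, dpt, to in parse_nat_redirects(nat_text):
        # inbound traffic traverses PREROUTING; locally generated traffic traverses OUTPUT
        if chain in ("PREROUTING", "OUTPUT") and dpt == port:
            effective, via = to, chain
            break
    listeners = parse_listeners(listen_text)
    return {
        "requested": port,
        "effective": effective,
        "redirect_chain": via,
        "listener_on_requested": port in listeners,
        "listener_on_effective": effective in listeners,
    }


# Constructed listings mirroring the answer's situation.
NAT_TABLE = """Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

LISTENERS = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    print(diagnose(NAT_TABLE, LISTENERS))
```

A result with listener_on_requested true and listener_on_effective false is the signature of this problem: the service is up, but the kernel hands the connection to a port nobody owns. Either remove the stale rule, as the answer did, or point Apache's Listen at the redirected port if the redirect was intentional.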
For me it's the stupid Chrome cache. Ctrl + Shift + Del to clear the cache, restart Chrome, and SSL is correctly working now.
If the SSL keys are not set (or were inexplicably commented out by gremlins), Apache 2.2 SSL will silently fail. There will be no error in the log, and it will not be listening to 443. The http:80 sites will work.
First, check the processes on ports 80 and 443: sudo netstat -peanut | grep ':80' and sudo netstat -peanut | grep ':443'. If 443 has no process, then this would help:
Editing the Apache configuration file to serve the cert works well.
Use the command sudo certbot --apache
You are good
Sometimes an iptables -F works. I had the port 443 open for inbound in Amazon, but still the site was not opening in my browser.
Logged on to the site, gave an iptables -F and immediately the site was accessible.