■Background
trying to get SSL through Let's Encrypt
■Issue
As run the code below,
sudo certbot --apache -d hogehoge.com
I got the port 80 error
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
and unable to resolve this error
■What I have tried
have set up the port 80
vim /etc/httpd/conf/httpd.conf
add the description in the file.
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin root#hogehoge
DocumentRoot /var/www/html
ServerName hogehoge
</VirtualHost>
but I still got the same error.
would you kindly tell me the cause and how to make it work?
Default command "sudo certbot renew" error on localhost
(1)Uninstall certbot
(2)Reinstall certbot
(3)Sudo certbot certonly
(4)Select option 1, spin up temporary web server
(5)Ensure port 80 is accessible from outside, port forwarding in router
(6) Ensure all services using port 80 are stopped
Try
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge
Enabling HTTPS on a Single Instance Beanstalk application: Unable to find a virtual host listening on port 80
-- Original post ---
I'd like to setup a dev env to play with some apache features. I'm running httpd on fedora.
I added to hosts local redirects
# cat /etc/hosts
127.0.0.1 example1.com
127.0.0.1 example2.com
# cmkdir /var/www/example1; echo "Hello from /var/www/example1/index.html" > /var/www/example1/index.html
# cmkdir /var/www/example2; echo "Hello from /var/www/example2/index.html" > /var/www/example2/index.html
# cmkdir /var/www/example2/sub ; echo "Hello from /var/www/example2/sub/index.html" > /var/www/example2/sub/index.html
# cvi /etc/httpd/conf/httpd.conf
<VirtualHost _default_:80>
DocumentRoot "/var//www/html"
</VirtualHost>
<VirtualHost 127.0.0.1:80>
DocumentRoot "/var/www/example1"
ServerName example1.com
</VirtualHost>
<VirtualHost 127.0.0.1:80>
DocumentRoot "/var/www/example2"
ServerName example2.com
</VirtualHost>
<VirtualHost 127.0.0.1:80>
DocumentRoot "/var/www/example2/sub"
ServerName sub.example2.com
ServerPath "/sub/"
RewriteEngine On
RewriteRule "^(/sub/.*)" "/var/www/example2$1"
</VirtualHost>
# capachectl -t ; apachectl restart
# curl localhost
Hello from /var/www/html/index.html
# curl example1.com
Hello from /var/www/example1/index.html
# curl example2.com
Hello from /var/www/example2/index.html
# curl sub.example2.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script type="text/javascript">
... ( lots of stuff different from the one i echoed) ...
If I do the same thing in local firefox - localhost works as expected, example1.com works as expected, but sub.example2.com redirects me to example2.com.
Can you please help me to figure out how to configure a local sub-domain? What is missing? Based on https://httpd.apache.org/docs/2.4/vhosts/examples.html I believe what I did is correct.
-- Edit / Update ---
If I follow the advice below from Newbie and change only the rewrite rule, without making any other changes from the setup above:
<VirtualHost 127.0.0.1:80>
DocumentRoot "/var/www/example2/sub"
ServerName sub.example2.com
ServerPath "/sub/"
# RewriteEngine On
# RewriteRule "^(/sub/.*)" "/var/www/example2$1"
</VirtualHost>
I get :
# curl sub.example2.com
curl: (6) Could not resolve host: sub.example2.com
If I
# cat /etc/hosts | grep sub
127.0.0.1 example2.com sub.example2.com
It works as expected
#curl example2.com
Hello from /var/www/example2/index.html
# curl sub.example2.com
Hello from /var/www/example2/sub/index.html
Still this seems to be strange setup. I don't want to create /etc/hosts record for each sub-domain... Shouldn't it be possible to handle this situation only via the httpd VirtualHost setting, without changing the DNS settings locally or even worse - adding C records in the DNS of a domain(if not localhost)? Any hint what I'm doing wrong? How can I get sub.example1.com to work without modifying the dns settings?
Regards,
Pavel
I believe I found out the answer to my question ...
** How to run locally sub-domains?**
/etc/hosts does not support wild cards(*.example2.com) and one needs to setup a local dns proxy server like dnsmasq for example. Otherwise for dev purposes you have to list (and then maintain :/ ) the sub-domains one-by-one in the /etc/hosts for local dev purposes.
How to run the sub-domains via official DNS records for domain ?
Seems laziest approach is to setup DNS settings having:
example2.com A the-server-IP
example2.com MX 0 example2.com
*.example2.com CNAME example2.com
Looking forward to your comments, if there is smarter approach.
If you agree this is the way to go - please accept the answer, so other members know it is the way to go.
Regards, Pavel
Remove the rewrite rule, it is used for redirecting so you have a loop.
<VirtualHost 127.0.0.1:80> DocumentRoot "/var/www/example2/sub" ServerName sub.example2.com ServerPath "/sub/"
Let me know if you run into problems.This dns would be able to work with your regular browsing since for all names it can't resolve it would check with googles dns and save it into its file.
install bind
apt-get install bind9 -y
cd /etc/bind
vim named.conf.options
And uncomment forwarders and two rows bellow and instead of 0.0.0.0 enter google's dns IP (8.8.8.8).
service bind9 restart
vim named.conf.options
zone "YOURDOMAIN NAME" {
type master;
file "db.site.com";
notify yes;
};
cp db.local /var/cache/bind/db.site.com
cd /var/cache/bind/
vim db.site.com
$TTL 604800
# IN SOA admin. admin.itlink.edu. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.YOURDOMAINNAMEHERE.
IN A 192.168.1.10 replace this with the IP of your PC that has apache installed
ns A 192.168.1.10 replace this with the IP of your PC that has apache installed
www A 192.168.1.10 replace this with the IP of your PC that has
service bind9 restart
I'm trying to setup the ssl certificate with Letsencrypt but when i run :
./letsencrypt-auto --apache -d industriemedia.tv
It looks like my domain name cannot be found:
[root#ip-172-31-21-7 letsencrypt]# ./letsencrypt-auto --apache -d industriemedia.tv
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for industriemedia.tv
We were unable to find a vhost with a ServerName or Address of industriemedia.tv.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
But i have added a virtualhost in /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.industriemedia.tv
ServerAlias industriemedia.tv *.industriemedia.tv
DocumentRoot /var/www/html/
</VirtualHost>
I had to open the port 443 which haven't been opened.
Also doing a ./letsencrypt-auto reset my ssl certificate and my domain was recognized.
I've been banging my head against the wall trying to figure out how to setup multiple SSL certificates on an amazon VPC instance (I'm using amazon's standard linux AMI)
Here's what I did:
I setup a VPC instance
Added a secondary private IP address
Added 2 elastic IP addresses & "linked" them to the private ones
Went to my domain registrar & pointed two test domains to the elastic IP addresses
Waited until new IP addresses were propagated
I uploaded the SSL certificates to the VPC instance
Then I tried editing ssl.conf, see line 74 to 93 & httpd.conf, see line 1046 to 1086:
ssl.conf
<VirtualHost domain1.com:443>
ServerName www.domain1.com:443
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/ssl/domain1_com.crt
SSLCertificateKeyFile /etc/ssl/domain1_com.key
SSLCertificateChainFile /etc/ssl/domain1_com.ca-bundle
</VirtualHost>
<VirtualHost _default_:443>
...Default SSL certificate (domain1.com) here...
</VirtualHost>
httpd.conf
<VirtualHost *:80>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain1.com
</VirtualHost>
<VirtualHost *:80>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain2.com
</VirtualHost>
I also tried <VirtualHost *:443> and <VirtualHost IP.ADDRESS:443>, didn't work either.
The result is basically this:
domain1.com (which is the default SSL certificate) works just fine (resolve fine, green bar)
domain2.com: doesn't even resolve to anything, even though when I do ping www.domain2.com, I get the correct elastic IP
My question is: Any idea how to make domain2.com resolve & use the correct SSL certificate?
EDIT / Additional Info:
I also tried this:
Temporarily stopped firewall as suggested, ie. sudo service iptables stop
From outside of EC2, curl --connect-timeout 10 https://domain2.com gave me this curl: (28) connect() timed out!
wget https://www.domain2.com/ gave me this: --2013-10-03 15:57:22-- domain2.com Resolving www.domain2.com... 54.229.111.22 Connecting to www.domain2.com|54.229.111.22|:443... failed: Connection timed out. Retrying.
EDIT (2):
I noticed 2 things:
If I use 2 network interfaces (each NIC with one private IP) sudo ifconfig doesn't show the 2nd NIC (ie. eth1), and wether I use one or two NICs, sudo ifconfig always return the 1st private IP (10.0.0.10), never the 2nd one (10.0.0.183)
Unsurprisingly, the unreachable website domain2.com corresponds to the 2nd IP (which is missing): 10.0.0.183
This command curl --interface 10.0.0.10 ifconfig.me correctly retuns the elastic IP address associated to domain1.com while
This command curl --interface 10.0.0.183 ifconfig.me retuns:
curl: (45) bind failed with errno 99: Cannot assign requested address
I followed this guid, I can see eth1, but domain2.com is still unreachable
And curl --interface 10.0.0.183 ifconfig.me now returns this:
curl: (7) Failed connect to ifconfig.me:80; Connection timed out
You will need to use ip based virtual hosting for SSL. The IP address you are going to listen will be the private, not public IP.
Your sites on port 80 can use name based virtual hosting. But you need to make sure you are using this directive: NameVirtualHost *:80
This tutorial fixed it for me
One small (but important) note:
Instead of typing this command (step #5):
echo "1 admin" >> /etc/iproute2/rt_tables
You should do this instead:
sudo vi /etc/iproute2/rt_tables
then add 1 admin at the end of the file
I think you need to follow a troubleshooting methodology for this.
Start by simplifying your configuration and verifying the basic components, then gradually build it up to the complete solution. For example:
Map the elastic IP for domain2 to a new EC2 server.
On the new server, start by making domain2.com available over HTTP
Once it is working over HTTP, set it up to work over HTTPS
Once it is working over HTTPS map the elastic IP back to the original server and make it work on the original server using HTTP
Once it is working over HTTP take the final step of getting it to work over HTTPS on the original server.
The aim here is to validate each step and isolate exactly where it is going wrong. This will then enable you to best direct your energies for solving the root cause.
I'm trying to configure Apache on my server to work with ssl, but everytime I visit my site, I get the following message in my browser:
SSL connection error.
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
The error message above seems to be native to Google Chrome. However, even though the messages are different, ssl for the site is not working on any browser.
Just some background on the situation: I am using Ubuntu 10.04 desktop edition.
I installed apache by installing zend server (it installed apache automatically).
I then installed openssl. Non-https pages work fine on the site.
I tried getting trial certificates from multiple certificate sites but nothing is working (same error).
I was previously hosting my site on another server on which ssl worked just fine. I also tried using the key and cert file from that server, but I got the same error.
The domain name and IP are still the same though. My SSLCertificateFile and SSLCertificateKeyFile are pointing to the correct directory and files.
I also do not have SSLVerifyClient enabled.
If anyone has any suggestions, it would be most appreciated.
I had the same problem as #User39604, and had to follow VARIOUS advices. Since he doesnt remember the precise path he followed, let me list my path:
check if you have SSL YES using <?php echo phpinfo();?>
if necessary
A. enable ssl on apache sudo a2enmod ssl
B. install openssl sudo apt-get install openssl
C. check if port 443 is open sudo netstat -lp
D. if necessary, change /etc/apache2/ports.conf, this works
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
acquire a key and a certificate by
A. paying a Certificating Authority (Comodo, GoDaddy, Verisign) for a pair
B. generating your own* - see below (testing purposes ONLY)
change your configuration (in ubuntu12 /etc/apache2/httpd.conf - default is an empty file) to include a proper <VirtualHost>
(replace MYSITE.COM as well as key and cert path/name to point to your certificate and key):
<VirtualHost _default_:443>
ServerName MYSITE.COM:443
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
ServerAdmin MYWEBGUY#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/errorSSL.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined
</VirtualHost>
while many other virtualhost configs wil be available in /etc/apache2/sites-enabled/ and in /etc/apache2/sites-available/ it was /etc/apache2/httpd.conf that was CRUCIAL to solving all problems.
for further info:
http://wiki.vpslink.com/Enable_SSL_on_Apache2
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
*generating your own certificate (self-signed) will result in a certificate whose authority the user's browser will not recognize. therefore, the browser will scream bloody murder and the user will have to "understand the risks" a dozen times before the browser actually opens up the page. so, it only works for testing purposes. having said that, this is the HOW-TO:
goto the apache folder (in ubuntu12 /etc/apache2/)
create a folder like ssl (or anything that works for you, the name is not a system requirement)
goto chosen directory /etc/apache2/ssl
run sudo openssl req -new -x509 -nodes -out MYSITE.COM.crt -keyout MYSITE.COM.key
use MYSITE.COM.crt and MYSITE.COM.key in your <VirtualHost> tag
name format is NOT under a strict system requirement, must be the same as the file :)
- names like 212-MYSITE.COM.crt, june2014-Godaddy-MYSITE.COM.crt should work.
I was getting the same error in chrome (and different one in Firefox, IE).
Also in error.log i was getting [error] [client cli.ent.ip.add] Invalid method in request \x16\x03
Following the instructions form this site I changed my configuration FROM:
<VirtualHost subdomain.domain.com:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
TO:
<VirtualHost _default_:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
Now it's working fine :)
Step to enable SSL correctly.
sudo a2enmod ssl
sudo apt-get install openssl
Configure the path of SSL certificates in your SSL config file (default-ssl.conf) that might be located in /etc/apache2/sites-available. I have stored certificates under /etc/apache2/ssl/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
Enable SSL config file
sudo a2ensite default-ssl.conf
A common cause I wanted to suggest for this situation:
Sometimes a customer is running Skype, which is using port 443 without their realizing it. When they go to start Tomcat or Apache, it appears to start but cannot bind with port 443. This is the exact message that the user would receive in the browser. The fix is to stop what was running on port 443 and re-start the webserver so it can bind with port 443.
The customer can re-start Skype after starting the webserver, and Skype will detect that port 443 is in use and choose a different port to use.
#Make sure that you specify the port for both http and https ie.
NameVirtualHost:80
NameVirtualHost:443
#and
<VirtualHost *:80>
<VirtualHost *:443>
#mixing * and *:443 does not work it has to be *:80 and *:443
I got this problem and the solution was a bit silly.
I am using Cloudflare which acts as a proxy to my website. In order to be able to login via SSH, I added an entry to my /etc/hosts file so I didn't need to remember my server's IP address.
xxx.xx.xx.xxx example.com
So in my browser when I went to https://www.example.com, I was using the Cloudflare proxy, and when I went to to https://example.com I was going directly to the server. Because the Cloudflare setup doesn't require you to add the intermediate certificates, I was seeing this security exception in my browser when I went to https://example.com, but https://www.example.com was working.
The solution: remove the entry from my laptop's /etc/hosts file.
If this isn't your problem, I recommend using one of the many online SSL checker tools to try diagnose your problem.
I also recommend using ping to check the IP address being reported and check it against the IP address expected.
ping https://www.example.com/
Another very helpful SSL resource is the Mozilla SSL Configuration Generator. It can generate SSL configuration for you.
I didn't know what I was doing when I started changing the Apache configuration. I picked up bits and pieces thought it was working until I ran into the same problem you encountered, specifically Chrome having this error.
What I did was comment out all the site-specific directives that are used to configure SSL verification, confirmed that Chrome let me in, reviewed the documentation before directive before re-enabling one, and restarted Apache. By carefully going through these you ought to be able to figure out which one(s) are causing your problem.
In my case, I went from this:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLRequireSSL On
to this
<Location /sessions>
SSLRequireSSL
SSLVerifyClient require
</Location>
As you can see I had a fair number of changes to get there.
I had this error when I first followed instructions to set up the default apache2 ssl configuration, by putting a symlink for /etc/apache2/sites-available/default-ssl in /etc/apache2/sites-enabled. I then subsequently tried to add another NameVirtualHost on port 443 in another configuration file, and started getting this error.
I fixed it by deleting the /etc/apache2/sites-enabled/default-ssl symlink, and then just having these lines in another config file (httpd.conf, which probably isn't good form, but worked):
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateChainFile /etc/apache2/ssl/chain_file.crt
SSLCertificateFile /etc/apache2/ssl/site_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/site_key.key
ServerName www.mywebsite.com
ServerAlias www.mywebsite.com
DocumentRoot /var/www/mywebsite_root/
</VirtualHost>
I encounter this problem, because I have <VirtualHost> defined both in httpd.conf and httpd-ssl.conf.
in httpd.conf, it's defined as
<VirtualHost localhost>
in httpd-ssl.conf, it's defined as
<VirtualHost _default_:443>
The following change solved this problem, add :80 in httpd.conf
<VirtualHost localhost:80>
This is what fixed it for me on Ubuntu.
Enabled the module: a2enmod ssl
Moved all cert related files to a folder /usr/local/ssl and made it world readable: chmod -R +r /usr/local/ssl
Changed <VirtualHost *:80> to <VirtualHost *:*> in my virtual host.
Added SSLEngine On before all other SSL directives in my virtual host.
If you set a pass phrase on the cert, Apache should prompt you for it on restart.
Similar to other answers, this error can be experienced when there are no sites configured to use SSL.
I had the error when I upgraded from Debian Wheezy to Debian Jessie. The new version of Apache requires a site configuration file ending in .conf. Because my configuration file didn't, it was being ignored, and there were no others configured to serve SSL connections.
I encountered this issue, also due to misconfiguration. I was using tomcat and in the server.xml had specified my connector as such:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="wrong" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
When i fixed it thusly:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="right" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
It worked as expected. In other words, verify that you not only have the right keystore, but that you have specified the correct alias underneath it. Thanks for the invaluable hint user396404.
I solved it by commenting out:
AcceptFilter https none
in httpd.conf
according to:
http://www.apachelounge.com/viewtopic.php?t=4461
It turns out that the SSL certificate was installed improperly. Re-installing it properly fixed the problem