I'm trying to access my website through https://, but all my efforts are in vain.

First I will explain how I did everything to get into the context.

The server hardware is a Raspberry Pi 2B, running Ubuntu 22.04.2 LTS. I'm using Apache as the HTTP server.

Everything went great until I started to secure the website. I did all the steps to get certificates with Let's Encrypt and certbot.

```
root@ubuntu:/etc/letsencrypt/keys# ls
0000_key-certbot.pem  0001_key-certbot.pem

root@ubuntu:/etc/letsencrypt/live/archivomental.com# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
```

OK, then I have problems with the VirtualHost configuration, I think... because I'm not sure. It seems like Apache is still using HTTP over HTTPS.

If I do this anything works:

```apache
<VirtualHost *:443>
    ServerName www.archivomental.com
    ServerAlias archivomental.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/archivomental.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com/privkey.pem
</VirtualHost>
```

This one lets me into the web page, but only over HTTP.

```apache
<VirtualHost *:80>

ServerName www.archivomental.com
ServerAlias archivomental.com
DocumentRoot /var/www/archivomental

RewriteEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
RewriteCond %{HTTPS} off
RewriteRule   "^/(.*)_SSL$"   "https://%{SERVER_NAME}/$1" [R,L]

</VirtualHost>


<VirtualHost *:443>

ServerName www.archivomental.com
ServerAlias archivomental.com
DocumentRoot /var/www/archivomental

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/archivomental.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/archivomental.com/chain.pem

</VirtualHost>
```

Is there something else to do to make SSL work? If you can guide me in this matter I will be eternally grateful.

```
root@ubuntu:/var/log/apache2# curl -I https://www.archivomental.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.archivomental.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

AlbertoRS
  • Why didn't you use certbot's own "apache" plugin which does all the necessary web server configuration for you? // Another question, why do you think it's web server problem? Do you have any *evidence*, I mean, server log records that relate to this problem, client-side transcripts (e.g. test the access with the `curl`)? We need it all [in the question](https://serverfault.com/posts/1133035/edit) to be able to help you. – Nikita Kipriyanov Jun 11 '23 at 11:51
  • What kind of error code do you get, please? – olivierg Jun 11 '23 at 11:54
  • Why didn't you use certbot's own "apache" plugin? Because I'm new to this, I didn't know that. Another question, why do you think it's web server problem? Do you have any evidence? Nope, again, I'm not good at this; I'm new to all these things – AlbertoRS Jun 11 '23 at 12:59
  • Did you mean this: [Sun Jun 11 12:56:54.383901 2023] [mpm_prefork:notice] [pid 8729] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations [Sun Jun 11 12:56:54.384061 2023] [core:notice] [pid 8729] AH00094: Command line: '/usr/sbin/apache2' [Sun Jun 11 13:54:55.724859 2023] [php7:error] [pid 9537] [client 43.134.8.167:64019] script '/var/www/archivomental/xmlrpc.php' not found or unable to stat root@ubuntu:/var/log/apache2# ON error.log FILE – AlbertoRS Jun 11 '23 at 13:09
  • e.g. test the access with the curl - How can I do that? – AlbertoRS Jun 11 '23 at 13:12
  • Why didn't you use certbot's own "apache" plugin // Can you tell me how to, please? – AlbertoRS Jun 11 '23 at 13:16
  • For me, it is a home and end-user computing question, which is off topic. Moreover, a Raspbian is not a qualified business environment – djdomi Jun 11 '23 at 17:24
  • I'm learning, djdomi; it doesn't matter where I'm doing it – AlbertoRS Jun 11 '23 at 18:10

1 Answer

> SSL: no alternative certificate subject name matches target host name 'www.archivomental.com'

So SSL appears to be working, but there is a certificate validation issue. It would appear that you provisioned a certificate for archivomental.com but didn't specify that the certificate should also be valid for www.archivomental.com.

If this is the case, and you need it to work with the www. prefix, delete the existing certificate and re-provision:

```
sudo certbot delete --cert-name archivomental.com
sudo certbot certonly --domain="archivomental.com,www.archivomental.com"
```

symcbean
  • Thank you, symcbean, I did everything you told me. Now I have this problem: nmap is telling me that port 443 is filtered, so it is not open. I checked the UFW firewall and the problem is not there – AlbertoRS Jun 13 '23 at 23:14
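
The name check behind curl's error 60 in the answer above, as an added example that is not part of the original question or answer: it applies RFC 6125 style matching to subjectAltName entries and reports which of the question's ServerName/ServerAlias names a certificate leaves uncovered. The SAN lists are constructed assumptions, since the page never shows the certificate's contents.

```python
"""Check which host names a certificate's subjectAltName list covers."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def san_matches(san, host):
    """True if one dNSName entry covers host (RFC 6125 style matching)."""
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False  # a wildcard stands for exactly one label, never zero
    if s[0] == "*":
        # Wildcard only as the whole leftmost label, and not directly
        # under a top-level name such as "*.com".
        return len(s) >= 3 and s[1:] == h[1:]
    return s == h


def uncovered(sans, hosts):
    """Return the hosts that no SAN entry covers, in the order given."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Names the site answers to: ServerName and ServerAlias from the question.
VHOST_NAMES = ["www.archivomental.com", "archivomental.com"]

# Constructed SAN lists (assumptions; the page never shows the certificate).
APEX_ONLY = ["archivomental.com"]          # the case the answer suspects
WILDCARD_ONLY = ["*.archivomental.com"]    # covers www but not the apex
BOTH = ["archivomental.com", "www.archivomental.com"]

if __name__ == "__main__":
    cases = [("apex only", APEX_ONLY),
             ("wildcard only", WILDCARD_ONLY),
             ("both names", BOTH)]
    for label, sans in cases:
        missing = uncovered(sans, VHOST_NAMES)
        print(f"{label:14} -> missing: {missing or 'none'}")
```

The SAN list of an issued certificate can be read with `certbot certificates` or `openssl x509 -in cert.pem -noout -ext subjectAltName` and passed to `uncovered()` together with every name the virtual host serves.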