0

I'm trying to set up Let's Encrypt certificates on my server, but so far everything that can go wrong has gone wrong. I downloaded the certificates without having the script mess with my Apache config files, so it's up to me to manually mess with them.

Edit: The site config has been enabled with a2ensite and the server is listening on port 443. The ssl module has been enabled as well.

One config file for the HTTPS version of the site looks like this:

<VirtualHost *:443>
    ServerName example.com

    DocumentRoot /var/www/example.com/www
    <Directory /var/www/example.com/www/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    <Directory /var/www/example.com/www/files/>
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName plan.example.com

    DocumentRoot /var/www/example.com/plan
    <Directory /var/www/example.com/plan/>
        Options -Indexes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Fairly standard. Still, every time I open the HTTPS version of my site in Chrome, I get this: [screenshot: Chrome showing an SSL error message]

What's wrong with my config file?

Peter W.
  • Run an SSL connection checker over it. Google found this one https://www.sslshopper.com/ssl-checker.html – Tim Jun 22 '16 at 01:02
  • "No SSL certificates were found on example.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall." But according to `netstat -tuplen`, the server's listening on port 443. – Peter W. Jun 22 '16 at 06:12
  • Well, it looks like a configuration error, unfortunately I can't help as I'm more familiar with Nginx. I have found the Let's Encrypt tools pretty poor, I use ACME instead. – Tim Jun 22 '16 at 09:06

1 Answer

1

It looks like your server does not send any SSL certificate on port 443, even if your config seems OK. Here is a list of things you should check (I suppose you're using Debian or Ubuntu because of your use of a2ensite):

  • Check that the permissions on /etc/letsencrypt/live/example.com/ let the user apache2 read them (including the rights of each directory level). As you manually downloaded those files, the permissions might be wrong.
  • Check the server logs (usually in /var/log/apache2: access.log, error.log, example.com.access.log and example.com.error.log); there might be relevant information there.
  • Check that you restarted (or reloaded) the apache2 server after enabling your virtualhost.
  • Check that there is not another enabled VirtualHost (in /etc/apache2/sites-enabled) configured for the same ServerName and port. When that's the case, Apache uses the first one in alphabetical order.
  • Check that your fullchain.pem matches the private key from privkey.pem (you might have copied the wrong files). Both command lines below should give the same result:

    openssl x509 -noout -modulus -in /etc/letsencrypt/live/example.com/fullchain.pem | openssl md5
    openssl rsa -noout -modulus -in /etc/letsencrypt/live/example.com/privkey.pem | openssl md5

(source : https://www.digicert.com/ssl-support/apache-fix-common-ssl-errors.htm)

Mossroy
  • Suggestions for diagnosing problem and requests for information are NOT answers. You should not post these as answers, and instead wait until you have enough rep to post comments – Colt Jun 28 '16 at 13:13
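
The certificate/key comparison from the answer above, as an added example that is not part of the original post: it goes beyond the RSA-only modulus check by comparing the public keys themselves, so it also works for EC keys, and it separates "file not readable" from "files do not match". The function names, the `example.test` subject and the generated throwaway pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): classify a cert/key pair.
# Prints one of: match, mismatch, unreadable-cert, unreadable-key,
# bad-cert, bad-key. Hypothetical helper names throughout.
tls_pair_status() {
    cert=$1 key=$2
    # -r tests the current user (root always passes); run as the account in question.
    [ -r "$cert" ] || { echo unreadable-cert; return 0; }
    [ -r "$key" ]  || { echo unreadable-key;  return 0; }
    # x509 reads only the first certificate in the file; in a fullchain.pem
    # that is the server (leaf) certificate, the one the key must match.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo bad-cert; return 0; }
    # pkey handles RSA and EC keys alike (assumes an unencrypted key file).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo bad-key; return 0; }
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Constructed sample input: a throwaway self-signed pair for example.test.
make_demo_pair() {  # usage: make_demo_pair DIR NAME rsa|ec
    case $3 in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$1/$2.key" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
                 -out "$1/$2.key" 2>/dev/null ;;
    esac
    openssl req -x509 -new -key "$1/$2.key" -subj "/CN=example.test" \
        -days 1 -out "$1/$2.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" a rsa
    make_demo_pair "$d" b ec
    cat "$d/a.crt" "$d/b.crt" > "$d/chain.pem"   # leaf first, like fullchain.pem
    echo "rsa cert / rsa key: $(tls_pair_status "$d/a.crt" "$d/a.key")"
    echo "ec cert  / ec key:  $(tls_pair_status "$d/b.crt" "$d/b.key")"
    echo "chain    / rsa key: $(tls_pair_status "$d/chain.pem" "$d/a.key")"
    echo "rsa cert / ec key:  $(tls_pair_status "$d/a.crt" "$d/b.key")"
    rm -rf "$d"
}

# With two arguments, check those files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then tls_pair_status "$1" "$2"; else demo; fi
```

Called with two paths, for example the `fullchain.pem` and `privkey.pem` from the question's config, it prints a single status word for that pair.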