
I have a fully updated Arch Linux server running Apache 2.4.23.

In the past I've successfully used StartSSL to enable HTTPS on my Apache web server. But now I'd like to switch to Let's Encrypt.

Using certbot standalone, I've produced these files:

/etc/letsencrypt/live/[my domain]/cert.pem
/etc/letsencrypt/live/[my domain]/chain.pem
/etc/letsencrypt/live/[my domain]/fullchain.pem
/etc/letsencrypt/live/[my domain]/privkey.pem

And here are my Apache SSL directives:

SSLEngine on
SSLCertificateKeyFile /etc/letsencrypt/live/[my domain]/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/[my domain]/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/[my domain]/chain.pem

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol +TLSv1.2

I double-checked that [my domain] is correct, and restarting Apache didn't produce any errors, but trying to reach my server now gives me "Unable to connect" errors from my web browser.

Am I missing something? Thanks!

hpy
    With Apache 2.4 it should be enough to specify `SSLCertificateFile` with the fullchain certificate as parameter. The separate chain file is not needed. – rda Dec 24 '16 at 22:06

1 Answer


You only need the following for Apache 2.4:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/{domain}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem

No need to split it up the way you have done.

Moving on to your "cannot connect" message. That suggests to me that your server perhaps isn't listening on port 443. Use netstat, or something similar, and verify that Apache is actually listening on :443. You can also test connectivity to :443 on your server with netcat like this:

$ nc -v localhost 443
Connection to localhost 443 port [tcp/https] succeeded!

If that is the case, the logs should be able to tell you more.

ColtonCat
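As an added example (this is not code from the question or the answer above), here is a small script that runs the checks the answer recommends in the order a practitioner would: first whether anything is listening on :443 at all (a browser's "Unable to connect" is a TCP-level failure, so certificates are irrelevant until that passes), then whether privkey.pem actually belongs to the leaf certificate at the top of fullchain.pem, and finally a real TLS 1.2 handshake with SNI that verifies the chain Apache serves. It assumes iproute2 (`ss`) and openssl are installed, that it runs on the server itself, and that certbot's files live under /etc/letsencrypt/live/$DOMAIN; the script name and the DOMAIN variable are my own choices.

```shell
#!/usr/bin/env bash
# tls-check.sh: added troubleshooting script, not from the question or the answer.
# Assumptions: iproute2 (`ss`) and openssl are installed, the script runs on the
# server itself, and certbot put the files under /etc/letsencrypt/live/$DOMAIN.

# Return 0 if an `ss -ltn` listing (passed in as a string so saved output can be
# checked too) contains a TCP listener whose local port is $2.
port_listening() {
    local listing="$1" port="$2"
    # Column 4 is "Local Address:Port"; the port is whatever follows the last ':'
    # so "*:443", "0.0.0.0:443" and "[::]:443" all match.
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the private key in $2 belongs to the first (leaf) certificate in $1.
# Both files are reduced to the public key they carry and compared; a mismatch
# makes mod_ssl refuse to start the vhost. Returns 2 if either file cannot be parsed.
key_matches_cert() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if a TLS 1.2 handshake with SNI succeeds against 127.0.0.1:443 and the
# chain the server sends verifies against the system trust store
# (-verify_return_error turns a verification failure into a non-zero exit).
tls_handshake_ok() {
    local host="$1"
    openssl s_client -connect 127.0.0.1:443 -servername "$host" -tls1_2 \
        -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    local live="/etc/letsencrypt/live/$DOMAIN" rc=0

    # 1. "Unable to connect" from a browser is a TCP-level failure: nothing is
    #    accepting on :443, so check that before looking at certificates at all.
    if port_listening "$(ss -ltn)" 443; then
        echo "ok:   something is listening on :443"
    else
        echo "FAIL: nothing is listening on :443; make sure a loaded config has 'Listen 443'" \
             "and that the SSL VirtualHost is bound to *:443 (see 'apachectl -S')"
        rc=1
    fi

    # 2. The key must match the leaf cert at the top of fullchain.pem.
    if key_matches_cert "$live/fullchain.pem" "$live/privkey.pem"; then
        echo "ok:   privkey.pem matches the leaf certificate in fullchain.pem"
    else
        echo "FAIL: privkey.pem does not match fullchain.pem, or the files are unreadable"
        rc=1
    fi

    # 3. Only meaningful once step 1 passes: a real handshake, with the name the
    #    browser would send, verifying the chain Apache actually serves.
    if tls_handshake_ok "$DOMAIN"; then
        echo "ok:   TLS 1.2 handshake succeeded and the served chain verified"
    else
        echo "FAIL: handshake or chain verification failed; rerun the s_client command without the redirects to see why"
        rc=1
    fi
    return "$rc"
}

# Usage: DOMAIN=example.com ./tls-check.sh   (the checks only run when DOMAIN is set)
if [ -n "${DOMAIN:-}" ]; then
    main
fi
```

If the first check fails, the fix is in Apache's own config rather than in certbot's output: Apache only binds port 443 when some loaded file contains `Listen 443`, and `apachectl -S` will show whether an SSL VirtualHost is actually attached to *:443. The third check deliberately uses `-servername`, because a server with several vhosts may serve a different certificate when the client sends no SNI.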