I have a web server running on a Raspberry Pi. I am running stunnel on port 443, so I have been working to move my web server to port 8443. I use Let's Encrypt (Certbot) for my SSL certificates, and previously they had been working perfectly.

I have learned how to obtain certificates using the DNS challenge, so having port 443 for authentication is no longer necessary. I believe that I have all of my configuration files set up properly, but I'll insert them below.

Apache is running, and nothing should conflict with it, but whenever I attempt to access my site over HTTPS, Chrome says that the site unexpectedly closed the connection, while Edge says that it uses outdated or unsafe TLS settings.

I've been trying to figure this out for myself but at this point I have no idea what to do.

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
#<IfModule ssl_module>
#       Listen 8443
#</IfModule>
#<IfModule mod_gnutls.c>
#       Listen 8443
#</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
Listen 8443
</IfModule>

Sample VHost Config

<IfModule mod_ssl.c>
<VirtualHost *:8443>
        ServerName mysite.tld
        ServerAdmin myemail@provider.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/mysite.tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.tld/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Default HTTP Configuration, for reference

<VirtualHost *:80>
        ServerName mysite.tld
        ServerAdmin myemail@provider.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Redirect permanent / https://mysite.tld/
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =mysite.tld
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

1 Answer

Confirm that you are connecting with your browser to port 8443.

Confirm that it is actually handled by Apache and not some other process listening on that port that does not provide SSL.

Confirm SSL is running and listening on port 8443.

I don't see SSLEngine On in your snippet. This could also be causing you problems.

– Bill
  • I added `SSLEngine On` to the SSL VHost, but it didn't do anything. I can access the site when I go to https://mysite.tld:8443, although it doesn't go to the DocumentRoot, but when I try to visit https://mysite.tld I get an error. – FlyingHazard Nov 08 '17 at 15:26
  • If you just visit `http://mysite.tld` it will redirect you to port 443 (https) where nothing is listening. This explains your error. – user228505 Nov 08 '17 at 15:28
  • How would I fix that? I tried removing the rewrite-to-HTTPS arguments, renewed my certificate, and told certbot not to redirect to HTTPS. This should have worked, but now I get an SSL protocol error. I can still visit at `mysite.tld:8443`, but not at the DocumentRoot. – FlyingHazard Nov 08 '17 at 19:15
  • Probably the best way is to split up your quite complex scenario into smaller parts which are easier to handle, and get them to work. Then start combining the working smaller parts into your desired setup. I suggest first getting your SSL site working. Having it on port 8443 is fine as long as you keep specifying this when opening the site, so you would specify https as the protocol and port 8443. Check what config you are including with options-ssl-apache.conf; maybe place those directives directly in the VirtualHost during testing. Check the log file for errors; ensure your environment expands ${APACHE_LOG_DIR}, or specify the path directly. Reduce complexity. – user228505 Nov 10 '17 at 17:07
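The three checks in the answer and the redirect trap from the comments, as an added example that is not part of the original thread: `probe_tls` tells a port with nothing listening apart from one that accepts TCP but never completes a TLS handshake (Apache without `SSLEngine`/`Listen`, or some other process on the port), and `redirect_target` shows which port a `Redirect permanent / https://mysite.tld/` actually sends the browser to. `fake_server` is a constructed localhost stand-in for the Pi, and `mysite.tld` is the placeholder hostname from the question.

```python
import socket
import ssl
import threading
from urllib.parse import urlsplit

def probe_tls(host, port, timeout=3.0):
    """'closed' (nothing listening), 'no-tls' (TCP accepts but the TLS handshake
    fails) or 'tls-ok'. Certificate validity is deliberately not checked here."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only ask "is TLS spoken on this port?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-ok"
    except (ssl.SSLError, OSError):
        return "no-tls"

def redirect_target(host, port=80, timeout=3.0):
    """GET / over plain HTTP; return (Location, port it implies) or (None, None).
    'Redirect permanent / https://mysite.tld/' implies 443, not 8443."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        head = b"".join(iter(lambda: s.recv(4096), b"")).split(b"\r\n\r\n", 1)[0]
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            url = urlsplit(value.strip())
            return value.strip(), url.port or (443 if url.scheme == "https" else 80)
    return None, None

def fake_server(response, connections=1):
    """Constructed stand-in for the Pi: a plain-TCP listener on localhost that
    answers each connection with `response` and closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            conn.recv(4096)  # swallow the request line or the TLS ClientHello
            conn.sendall(response)
            conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real host, `probe_tls("mysite.tld", 443)` returning `closed` while `probe_tls("mysite.tld", 8443)` returns `tls-ok` is exactly the situation the comments describe, and `redirect_target("mysite.tld")` shows the port-80 vhost pointing browsers at the closed one.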