I am using a basic OVH VPS with Apache2.4 to host my website. Currently, the root index is just a test page, but the result is the same. Whenever I try to load it from my iPhone, I get the message, "Safari cannot open the page because it could not establish a secure connection to the server," despite the fact that I am using HTTPS and SSL. Also, it works fine when my phone has WiFi, and I have no problems loading the website from my laptop. Web emulators also say that it is running correctly. I reset my iPhone's browsing information and the page was mostly working--a Font Awesome icon was not showing up, nor was a gif image--but after a few minutes, it stopped loading again.

Does this sound like an Apache problem? SSL problem? Any advice would be greatly appreciated. I tried the SSLlabs.com test as suggested in a similar post and received an A+, though there were some errors. Please let me know if additional information would be helpful.

I've made limited edits to the apache2 configuration files (trying not to screw anything up) and am not using .htaccess for rewrites, etc. Here is my ssl .conf file:

```apache
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@***.com
    ServerName www.***.com

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Custom error pages
    ErrorDocument 400 /errors/400.php
    ErrorDocument 401 /errors/401.php
    ErrorDocument 403 /errors/403.php
    ErrorDocument 404 /errors/404.php
    ErrorDocument 500 /errors/500.php

    # Return 404 when the error pages are requested directly
    <Files "custom_404.html">
      <If "-z %{ENV:REDIRECT_STATUS}">
        RedirectMatch 404 ^/custom_404.html$
      </If>
    </Files>

    <Files "custom_50x.html">
      <If "-z %{ENV:REDIRECT_STATUS}">
        RedirectMatch 404 ^/custom_50x.html$
      </If>
    </Files>

    SSLEngine on

    # Server certificate, private key, and CA bundle
    SSLCertificateFile      /etc/ssl/certs/***.crt
    SSLCertificateKeyFile   /etc/ssl/private/***.key
    SSLCertificateChainFile /etc/ssl/***.ca-bundle

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  </VirtualHost>
</IfModule>
```
Alex
  • Check your error log. Also, it is more likely you will get an answer if you include your actual domain name. [Read why we request real unobfuscated data in questions.](https://meta.serverfault.com/q/963/126632) – Michael Hampton Jan 20 '18 at 21:26
  • I added a link to my domain. After removing all my website's data, and substituting a plain test page, I'm pretty confident this is an issue with Apache and my SSL cert. (I looked at my log and found a recurring php error; however, it was an easy fix and is not relevant to the test page). I'm baffled because according to ssllabs, everything is correct. Is there any additional information I could provide that might be helpful? Thanks for your advice and time. – Alex Jan 20 '18 at 23:05
  • I see two problems on ssllabs: First, your site isn't accessible via the IPv6 address. Apple really doesn't like this. Second, your certificate chain contains a root certificate; it should contain only your server certificate and intermediates. – Michael Hampton Jan 20 '18 at 23:31
  • In the OVH control panel for my VPS, there is a status bar that shows DNS service as disabled. I haven't been able to understand this from the beginning. In the end, I was able to solve my problem by removing the AAAA record. That being said, I am mostly unfamiliar with how IPv6 works and could not seem to correctly configure Apache to accept IPv6 traffic, as it seems it's not as simple as IPv4. Could you also possibly elaborate more on the root certificate? – Alex Jan 21 '18 at 04:32

1 Answer

I was unable to configure Apache to accept IPv6 traffic; http://ipv6-test.com confirmed this for me. It occurred to me to test other websites, and it was clear that many others that worked on Safari did not even have AAAA records.

I solved the problem (temporarily, and for all reasonable purposes) by simply removing the AAAA record. Go figure.

Alex
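Added example, not part of the original question or answer: a Python check for the condition discussed in the comments and the answer, where a name publishes an AAAA record but nothing accepts connections over IPv6. It tests TCP reachability only (no TLS handshake or certificate chain validation), resolves through the system resolver, and its function names and the `localhost` default are assumptions made for illustration.

```python
import socket
import sys


def resolve(host, port=443):
    """Return the addresses DNS publishes for host, grouped by record type."""
    records = {"A": [], "AAAA": []}
    for family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if family == socket.AF_INET:
            records["A"].append(sockaddr[0])
        elif family == socket.AF_INET6:
            records["AAAA"].append(sockaddr[0])
    return records


def probe(addr, port, timeout=3.0):
    """TCP-connect to one literal address; return (reachable, detail)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return True, "connected"
    except OSError as exc:  # refused, timed out, unreachable, no IPv6 stack
        return False, f"{type(exc).__name__}: {exc}"


def dead_families(records, port):
    """Record types that are published but where no address accepts a connection."""
    return [rtype for rtype, addrs in records.items()
            if addrs and not any(probe(a, port)[0] for a in addrs)]


if __name__ == "__main__":
    # "localhost" is only a default so the script runs offline; pass your own name.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    records = resolve(host, port)
    for rtype, addrs in records.items():
        for addr in addrs:
            ok, detail = probe(addr, port)
            print(f"{rtype:4} {addr:40} {'ok' if ok else 'FAIL'}  {detail}")
    for rtype in dead_families(records, port):
        print(f"{rtype} is published but nothing answers on port {port}: "
              "fix the listener/firewall for that family or withdraw the record")
```

Run it from a network with working IPv6; from an IPv4-only network every AAAA address is reported as failing regardless of the server's state.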