✓ Solved

Timeout on 443 after installing Let's Encrypt

Problem: curl -IL cloud.schmud.de:443: Failed to connect to cloud.schmud.de port 443: Connection timed out

Notes

  • I'm on Debian 10 Distribution/Apache
  • curl -IL cloud.schmud.de:80 returns HTTP/1.1 200 OK. So 80 works just fine.

Steps

Debugging

apachectl -S looks good:

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:1
VirtualHost configuration:
*:80                   cloud.schmud.de (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  li1850-114.members.linode.com (/etc/apache2/sites-enabled/schmud.de-le-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Here's my schmud.de-le-ssl.conf file:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    SSLEngine on
    <Directory /var/www/nextcloud/>
      Options +FollowSymlinks
      AllowOverride All
      <IfModule mod_dav.c>
        Dav off
      </IfModule>
      SetEnv HOME /var/www/nextcloud
      SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
    ServerName cloud.schmud.de
    SSLCertificateFile /etc/letsencrypt/live/cloud.schmud.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.schmud.de/privkey.pem
    SSLCertificateChainFile  /etc/letsencrypt/live/cloud.schmud.de/chain.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>

The certificates themselves seem to have installed fine. certbot --apache

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/cloud.schmud.de/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/cloud.schmud.de/privkey.pem

Deploying certificate
Successfully deployed certificate for cloud.schmud.de to /etc/apache2/sites-available/schmud.de-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://cloud.schmud.de

What could possibly be creating this timeout? Thanks!

6 Replies

✓ Best Answer

@stevewi - thank you for your help every step of the way. After trying everything you recommended and failing to load https://cloud.schmud.de using a self-signed certificate, I discovered that it was a firewall problem. The default settings in Linode do not expose 443. It was as simple as ufw allow 443.

Everything works with Let's Encrypt as expected. Thanks again!
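
The symptom in this thread (Apache bound to *:443 while clients time out) is what a packet-dropping host firewall looks like from outside; a port with nothing listening would typically return "connection refused" instead. The following is an added example, not part of the original posts, that classifies a port from `ss -ltn` and `ufw status` text. The function names and sample outputs are constructed, and it assumes plain numeric ufw rules (no app profiles, port ranges or upstream cloud firewall).

```shell
#!/bin/sh
# Constructed sample outputs (not captured from the server in this thread).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128                *:80              *:*
LISTEN 0      128                *:443             *:*'

SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere'

# is_listening PORT SS_TEXT: succeeds if a LISTEN socket is bound to PORT.
# The port is the last ":"-separated field, so *:443 and [::]:443 both match.
is_listening() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit !found }'
}

# ufw_allows PORT UFW_TEXT: succeeds if ufw is inactive, or has an ALLOW
# rule for PORT or PORT/tcp. Source restrictions in "From" are ignored.
ufw_allows() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /^Status: inactive/ { ok = 1 }
    $2 == "ALLOW" && ($1 == p || $1 == p "/tcp") { ok = 1 }
    END { exit !ok }'
}

# classify_port PORT SS_TEXT UFW_TEXT
#   not-listening  -> no socket bound; check the vhost / Listen directive
#   blocked-by-ufw -> service is up but no ALLOW rule; clients see a timeout
#   allowed        -> listening and permitted by ufw
classify_port() {
  if ! is_listening "$1" "$2"; then echo "not-listening"
  elif ! ufw_allows "$1" "$3"; then echo "blocked-by-ufw"
  else echo "allowed"; fi
}

# Sample run; on a live host use: classify_port 443 "$(ss -ltn)" "$(ufw status)"
classify_port 443 "$SAMPLE_SS" "$SAMPLE_UFW"
```
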

Is mod_ssl enabled? Your virtual host is undefined unless it is:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
     ...
  </VirtualHost>
</IfModule>

You should probably change this to:

  <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    <IfModule mod_ssl.c>
    ...
    </IfModule>
  </VirtualHost>

-- sw

Thanks @stevewi, but it looks like mod_ssl is indeed enabled:

a2enmod ssl:

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

A few other sanity checks:

  • a2enmod headers -> Module headers already enabled
  • a2ensite schmud.de-le-ssl -> Site schmud.de-le-ssl already enabled
  • apache2ctl configtest -> AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:1, Syntax OK

I tried making the changes you suggested and resetting. No luck. :(

I think this is your problem:

*:443  li1850-114.members.linode.com (/etc/apache2/sites-enabled/schmud.de-le-ssl.conf:2)

I think you need to add a

ServerName cloud.schmud.de

to your virtual host. That will enable your server to be known as https://cloud.schmud.de .

-- sw

Thanks @stevewi. I had ServerName cloud.schmud.de within the mod_ssl block. I moved it out like this:

  <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName cloud.schmud.de 
    <IfModule mod_ssl.c>
    ...
    </IfModule>
  </VirtualHost>

Restart. But no luck.

Well, I'll fall back to my original advice.

  • Disable all the VirtualHosts you have except the SSL one. See if that has any effect. It might.
  • Generate a self-signed certificate and use that for SSL instead of your LE one. Your testing browsers will all complain but at this point you don't care. If the self-signed cert works, then your LE cert is misconfigured (but not always).

Does your site work if you use:

https://li1850-114.members.linode.com or
https://insert_IP_address

FWIW… here's how mine is configured:

<VirtualHost _default_:443>

    # Admin email, Server Name (domain name), and any aliases
    #
    ServerAdmin postmaster@mydomain.com
    ServerName mydomain.com
    ServerSignature Off

    Include /usr/local/etc/letsencrypt/options-ssl-apache.conf

    SSLCertificateFile /usr/local/etc/letsencrypt/live/mydomain.com/cert.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem 
    SSLCACertificateFile /usr/local/etc/letsencrypt/live/mydomain.com/chain.pem

    # Index file and Document Root (where the public files are located)
    #
    DirectoryIndex index.php
    DocumentRoot /srv/home


    # Log file locations
    LogLevel warn
    ErrorLog  ...
    CustomLog ...

</VirtualHost>

-- sw
