Timeout on 443 after installing Let's Encrypt
Problem: curl -IL cloud.schmud.de:443: Failed to connect to cloud.schmud.de port 443: Connection timed out
Notes
- I'm on Debian 10 Distribution/Apache
- curl -IL cloud.schmud.de:80 returns HTTP/1.1 200 OK. So 80 works just fine.
Steps
- Let's Encrypt creates schmud.de-le-ssl.conf (by following Securing Web Traffic Using Certbot with Apache on Debian 10 and 9)
- a2ensite schmud.de-le-ssl
- systemctl reload apache2
Debugging
apachectl -S looks good:
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:1
VirtualHost configuration:
*:80 cloud.schmud.de (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 li1850-114.members.linode.com (/etc/apache2/sites-enabled/schmud.de-le-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
Here's my schmud.de-le-ssl.conf file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLEngine on
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
ServerName cloud.schmud.de
SSLCertificateFile /etc/letsencrypt/live/cloud.schmud.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.schmud.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cloud.schmud.de/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
The certificates themselves seem to have installed fine. certbot --apache:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/cloud.schmud.de/fullchain.pem
Key is saved at: /etc/letsencrypt/live/cloud.schmud.de/privkey.pem
Deploying certificate
Successfully deployed certificate for cloud.schmud.de to /etc/apache2/sites-available/schmud.de-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://cloud.schmud.de
What could possibly be creating this timeout? Thanks!
6 Replies
✓ Best Answer
@stevewi - thank you for your help every step of the way. After trying everything you recommended and failing to load https://cloud.schmud.de using a self-signed certificate, I discovered that it was a firewall problem. The default settings in Linode do not expose 443. It was as simple as ufw allow 443.
Everything works with Let's Encrypt as expected. Thanks again!
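Added example, not part of the thread: a connect timeout, as opposed to "connection refused", means the packets got no reply at all, which is why a firewall was the cause here while the Apache configuration was fine. The Python sketch below, run from a client machine, classifies the failure; the function names, result keys and hint texts are this example's own.

```python
import socket
import ssl
import sys

# Next step for each outcome, using the checks discussed in this thread.
HINTS = {
    "filtered": "no reply to SYN: packets dropped, check ufw / provider firewall for 443/tcp",
    "closed": "host answered with RST: nothing listening (Listen 443, mod_ssl, a2ensite)",
    "unresolved": "name did not resolve: check DNS",
    "unreachable": "no route to host or other network error",
    "open": "TCP port accepts connections",
    "tls-ok": "TLS handshake and certificate validation succeeded",
    "tls-untrusted": "port open, certificate not trusted (self-signed or wrong name)",
    "tls-failed": "port open, TLS handshake failed: check the vhost's SSL settings",
}


def classify_connect_error(exc):
    """Map a TCP connect exception to the layer most likely at fault."""
    if isinstance(exc, socket.gaierror):
        return "unresolved"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "unreachable"


def probe(host, port=443, timeout=5.0, tls=True):
    """Connect once and return a key of HINTS describing what happened."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return classify_connect_error(exc)
    with sock:
        if not tls:
            return "open"
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"
        except ssl.SSLCertVerificationError:
            return "tls-untrusted"
        except (ssl.SSLError, OSError):
            return "tls-failed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result = probe(target)
    print(target, result, "-", HINTS[result])
```

A result of "filtered" on 443 while port 80 answers is the pattern in this thread; "closed" would instead point back at Apache.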
Is mod_ssl enabled? Your virtual host is undefined unless it is:
<IfModule mod_ssl.c>
<VirtualHost *:443>
...
</VirtualHost>
</IfModule>
You should probably change this to:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<IfModule mod_ssl.c>
...
</IfModule>
</VirtualHost>
-- sw
Thanks @stevewi, but it looks like mod_ssl is indeed enabled:
a2enmod ssl:
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
A few other sanity checks:
- a2enmod headers -> Module headers already enabled
- a2ensite schmud.de-le-ssl -> Site schmud.de-le-ssl already enabled
- apache2ctl configtest -> AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:1, Syntax OK
I tried making the changes you suggested and resetting. No luck. :(
I think this is your problem:
*:443 li1850-114.members.linode.com (/etc/apache2/sites-enabled/schmud.de-le-ssl.conf:2)
I think you need to add a
ServerName cloud.schmud.de
to your virtual host. That will enable your server to be known as https://cloud.schmud.de .
-- sw
Thanks @stevewi. I had ServerName cloud.schmud.de within the mod_ssl block. I moved it out like this:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName cloud.schmud.de
<IfModule mod_ssl.c>
...
</IfModule>
</VirtualHost>
Restart. But no luck.
Well, I'll fall back to my original advice.
- Disable all the VirtualHosts you have except the SSL one. See if that has any effect. It might.
- Generate a self-signed certificate and use that for SSL instead of your LE one. Your testing browsers will all complain but at this point you don't care. If the self-signed cert works, then your LE cert is misconfigured (but not always).
Does your site work if you use:
https://li1850-114.members.linode.com or
https://insert_IP_address
FWIW… here's how mine is configured:
<VirtualHost _default_:443>
# Admin email, Server Name (domain name), and any aliases
#
ServerAdmin postmaster@mydomain.com
ServerName mydomain.com
ServerSignature Off
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /usr/local/etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCACertificateFile /usr/local/etc/letsencrypt/live/mydomain.com/chain.pem
# Index file and Document Root (where the public files are located)
#
DirectoryIndex index.php
DocumentRoot /srv/home
# Log file locations
LogLevel warn
ErrorLog ...
CustomLog ...
</VirtualHost>
-- sw