
Re: My site has become unreachable when I've implemented SSL



Thank you for answering!
I'm really sorry, but it seems not to be an SSL or Apache problem. Today,
while I was away from home and using my laptop, I tried to open
my site and I was successful!
So I can open "mysite.com" from outside my LAN, but if I try to
connect to "mysite.com" from a LAN computer, the connection is
refused.
I think it is a "ufw" problem, but I do not know what to check.

Thank you anyway, 

Aldo :-)

On Mon, 19 Feb 2018 21:08:34 -0500
Bob Weber <bobrweber@gmail.com> wrote:

> On 2/19/18 2:54 PM, Aldo Maggi wrote:
> > Thank you for your fast answer!
> >
> > root@Casa-mia-1:~# lsof -i :443
> > COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > apache2  879     root    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  948 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  949 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  950 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  951 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  952 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 1385 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 1386 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 3386 www-data    6u  IPv6  20270      0t0  TCP *:https (LISTEN)
> >
> > As for ufw, indeed port 443 was not enabled and I had problems
> > doing it (bad port!!!!); in the end I wrote:
> > ufw allow https
> > Rule added
> > Rule added (v6)
> >
> > now I have:
> >
> > root@Casa-mia-1:~# ufw status
> > Status: active
> >
> > To                         Action      From
> > --                         ------      ----
> > 22/tcp                     ALLOW       Anywhere
> > CUPS                       ALLOW       Anywhere
> > ......
> > Telnet                     ALLOW       Anywhere
> > VNC                        ALLOW       Anywhere
> > WWW                        ALLOW       Anywhere
> > Anywhere                   ALLOW       192.168.3.100
> > Anywhere                   ALLOW       192.168.3.0/24
> > 2222/tcp                   ALLOW       Anywhere
> > 5900:5910/tcp              ALLOW       Anywhere
> > 2049                       ALLOW       192.168.3.100
> > 80/tcp                     ALLOW       Anywhere
> > 443/tcp                    ALLOW       Anywhere
> > 22/tcp (v6)                ALLOW       Anywhere (v6)
> > CUPS (v6)                  ALLOW       Anywhere (v6)
> > .......
> > WWW (v6)                   ALLOW       Anywhere (v6)
> > 2222/tcp (v6)              ALLOW       Anywhere (v6)
> > 5900:5910/tcp (v6)         ALLOW       Anywhere (v6)
> > 80/tcp (v6)                ALLOW       Anywhere (v6)
> > 443/tcp (v6)               ALLOW       Anywhere (v6)
> >
> > root@Casa-mia-1:~# systemctl restart apache2
> >
> > but ... to no avail, still "connection refused"
> >
> > What else could be the culprit!!!! :-D
> >
> > Thanks for your time!
> >
> > Aldo :-)
> >
> > P.S. Furthermore in ..../apache2/error.log I find:
> > PHP Warning:  PHP Startup: Unable to load dynamic library
> > '/usr/lib/php/20151012/apc.so' - /usr/lib/php/20151012/apc.so:
> > cannot open shared object file: No such file or directory in
> > Unknown on line 0
> >
> > On Mon, 19 Feb 2018 12:48:25 -0500
> > Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> >
> >> On Mon, Feb 19, 2018 at 06:36:01PM +0100, Aldo Maggi wrote:
> >>> Anyway, now if I browse writing my IP I get the Apache default
> >>> page (the browser tells me, anyway, that the site is unsecure),
> >>> if I write the name of the site I get (translated from Italian):
> >>> Unable to reach the site
> >>> Connection denied by mysite.com
> >> "Connection refused" (the correct English translation) means that
> >> either the service is not listening to that port, or the packets
> >> were rejected by a firewall.
> >>
> >> You will need to examine both of those possibilities.
> >>
> >> Making sure the service is listening on :443 should be fairly easy.
> >> You can use "lsof -i :443" for example, or some ss or netstat
> >> command.
> >>
> >> Checking whether you have a firewall blocking incoming 443 will be
> >> a bit harder.
> >>
> >
> Looks like Apache is only listening to IPv6 (see above lsof output).
> So if the domain that you used in the command:
> 
> letsencrypt --apache -d mysite.com
> 
> resolves to an IPv4 address you need to tell Apache to listen to your
> IPv4 address.  Your firewall looks like it has opened IPv4 and IPv6.
> I also assume that you try to access the site with that domain name
> in the URL in your browser.  Check the file /etc/apache2/ports.conf.
> It might be useful to run the command "ip a" to see what addresses
> are assigned to your ethernet ports so you can properly set up the
> ports.conf file.
> 
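
Added example (not part of the original thread or written by any of its participants): a client-side probe for the cases discussed above. It connects to every address a name resolves to and reports, per address family, whether the port is open, refused, or silently timing out. The function name `probe`, the outcome labels and the file name `probe.py` are assumptions made for this illustration.

```python
import errno
import socket
import sys

# connect() errors mapped to the cases named in the thread.
OUTCOMES = {
    errno.ECONNREFUSED: "refused",      # actively rejected: no listener, or a firewall REJECT
    errno.EHOSTUNREACH: "unreachable",
    errno.ENETUNREACH: "unreachable",
}


def probe(host, port=443, timeout=3.0):
    """TCP-connect to every address `host` resolves to.

    Returns [(family, address, outcome), ...]; outcome is "open", "refused",
    "timeout", "unreachable" or "error:<ERRNO>".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [("-", host, "dns-failure")]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if family not in (socket.AF_INET, socket.AF_INET6) or sockaddr in seen:
            continue
        seen.add(sockaddr)
        label = "IPv4" if family == socket.AF_INET else "IPv6"
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            outcome = "open"
        except socket.timeout:
            outcome = "timeout"          # nothing came back: packets dropped somewhere
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            outcome = OUTCOMES.get(exc.errno, "error:" + name)
        results.append((label, sockaddr[0], outcome))
    return results


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 probe.py <hostname> [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for label, addr, outcome in probe(host, port):
        print(f"{label:4}  {addr:39}  {port}/tcp  {outcome}")
```

Running it once from a LAN machine and once from outside shows which address the name resolves to in each place and what happens to a connection to it.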

