I'm trying to set up a web server on a raspberry pi, it's running a debian based system.
I installed and set up apache (following this guide), set up port forwarding on my router and created 3 html only websites to test things.
Since I only have one domain I wanted to try and use virtual hosts with subdomains: the main domain had ServerName domain.com and ServerAlias www.domain.com, the other 2 were ServerName x/y.domain.com ServerAlias www.x/y.domain.com.
Up to this point (http only) everything was working, I could reliably reach the server with the domains specified in their name / alias.
I then set out to install certificates to enable https. I found out about certbot / letsencrypt and followed this guide.
On step 7 when I ran: sudo certbot --apache
I decided to get a certificate for all the enabled domains (6, the main name and alias for each of the 3 previously mentioned).
The output was successful but when I tried connecting to my main domain (domain.com) I could not reach it, not with http nor with https. (I get the error:
To make things simpler I disabled my other 2 sites (that were now 4 because certbot created and enabled the https versions), I kept only my main domain on http / https.
I tried removing the certbot certificates and getting new ones following these commands. Another successful output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/bravewonderer.com/privkey.pem
This certificate expires on 2023-01-18.
I manually checked the certificate files and they exist and have data inside them.
But once again when I try to visit https://bravewonderer.com or http://www.bravewonderer.com I just get Secure Connection Failed ... Error code: SSL_ERROR_RX_RECORD_TOO_LONG
These are the full configuration files for the http and https version of the website, including the file that certbot generated and includes:
# /etc/apache2/sites-available/head.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/head/public_html
ServerName bravewonderer.com
ServerAlias www.bravewonderer.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.bravewonderer.com [OR]
RewriteCond %{SERVER_NAME} =bravewonderer.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
---------------------------------------------
# /etc/apache2/sites-available/head-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/head/public_html
ServerName bravewonderer.com
ServerAlias www.bravewonderer.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bravewonderer.com/privkey.pem
</VirtualHost>
</IfModule>
---------------------------------------------
# /etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
#SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
If someone could point me in the right direction it'd be very helpful.
Edit.
Some additional notes:
- sudo a2enmod ssl tells me that ssl is already enabled
- When I try connecting to the server through my pc using curl http://bravewonderer.com:443 I get 301 Moved Permanently, document has moved to https://bravewonderer.com, from my limited understanding it would seem that:
  - the server is trying to redirect me to the https version but
  - it ends up not being accessible because of the error
While trying to troubleshoot I also ran curl -v https://bravewonderer.com, the output is:
* Trying 2.230.32.65:443...
* Connected to bravewonderer.com (2.230.32.65) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
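The two errors in the post (Firefox's SSL_ERROR_RX_RECORD_TOO_LONG and curl's "wrong version number") both mean the same thing: the client sent a TLS ClientHello to port 443 and got back bytes that are not a TLS record. The curl trace even shows what those bytes were: "Unknown (72)" is 0x48, the ASCII letter H, and "(5454)" is the two bytes "TT" read as a TLS version, i.e. the reply started with "HTTP/". The following script is an added example, not part of the original post or of Apache or Certbot; it parses the first bytes a client receives as a TLS record header so the misreading is visible, and it can send a genuine ClientHello over plain TCP to classify what a listener on 443 actually speaks. The `probe` function is a network call and assumes the host and port are reachable; the sample replies are constructed.

```python
import socket
import ssl
import struct

# Largest record length TLS allows on the wire (2^14 plaintext + 2048 expansion).
TLS_MAX_RECORD = 16384 + 2048


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to parse a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": content_type, "version": version, "length": length}


def classify(data: bytes) -> str:
    """Classify the first bytes a client received on a port as 'tls', 'http' or 'unknown'."""
    if data.startswith(b"HTTP/"):
        return "http"
    if len(data) < 5:
        return "unknown"
    hdr = parse_record_header(data)
    looks_like_tls = (
        hdr["content_type"] in (0x14, 0x15, 0x16, 0x17)  # CCS, alert, handshake, app data
        and (hdr["version"] >> 8) == 0x03                 # SSL3/TLS1.x share major version 3
        and hdr["length"] <= TLS_MAX_RECORD
    )
    return "tls" if looks_like_tls else "unknown"


def explain(data: bytes) -> str:
    """Describe how a TLS client misreads a plaintext reply as a record header."""
    hdr = parse_record_header(data)
    verdict = "too long" if hdr["length"] > TLS_MAX_RECORD else "within limit"
    return (f"content type {hdr['content_type']} (0x{hdr['content_type']:02x}), "
            f"version 0x{hdr['version']:04x}, length {hdr['length']} ({verdict})")


def build_client_hello(server_name: str) -> bytes:
    """Produce the bytes of a real ClientHello without touching the network,
    using the MemoryBIO interface of the ssl module."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, now waiting for the server
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Send a ClientHello over plain TCP and classify the first bytes that come back.
    Network call; assumes host:port is reachable from where this runs."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        first = sock.recv(16)
    return classify(first), first


# Constructed sample: what a plain-HTTP listener answers to a ClientHello, matching
# the 301 that "curl http://bravewonderer.com:443" received in the post.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 301 Moved Permanently\r\n"
# Constructed sample: the first bytes of a genuine TLS ServerHello record.
SAMPLE_TLS_REPLY = b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76"

if __name__ == "__main__":
    import sys
    print("HTTP reply:", classify(SAMPLE_HTTP_REPLY), "->", explain(SAMPLE_HTTP_REPLY))
    print("TLS reply: ", classify(SAMPLE_TLS_REPLY))
    if len(sys.argv) > 1:  # e.g. python3 probe443.py bravewonderer.com
        kind, first = probe(sys.argv[1])
        print(sys.argv[1], "port 443 speaks", kind, first)
```

Run on the constructed HTTP reply, `explain` reports content type 72, version 0x5454 and length 0x502f (20527), which exceeds the 18432-byte record limit; that is exactly the record-too-long and wrong-version-number pair the browser and curl printed. If `probe` returns "http" for a host, the thing answering on 443 is a plain-HTTP endpoint rather than the SSL virtual host, so the next checks are which virtual hosts Apache actually loaded (`apache2ctl -S`) and whether the router forwards external port 443 to port 443 rather than port 80 on the Pi.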