Score:0

How to make my website SSL secure with Ubuntu 22.04.2 LTS server and Apache

I'm trying to access my website through https://, but all my efforts are in vain.

First I will explain how I did everything to get into the context.

The server hardware is a Raspberry Pi 2B, running Ubuntu 22.04.2 LTS. I'm using Apache as the HTTP server.

Everything went great until I started to secure the website. I did all the steps to get certificates with Let's Encrypt and certbot.

```
root@ubuntu:/etc/letsencrypt/keys# ls
0000_key-certbot.pem  0001_key-certbot.pem

root@ubuntu:/etc/letsencrypt/live/archivomental.com# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
```

OK, then I think I have problems with the VirtualHost configuration, but I'm not sure. It seems like Apache is still using http over https.

If I do this, nothing works:

```
<VirtualHost *:443>
    ServerName www.archivomental.com
    ServerAlias archivomental.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/archivomental.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com/privkey.pem
</VirtualHost>
```

This one lets me in to the web page, but only over http.

```
<VirtualHost *:80>

ServerName www.archivomental.com
ServerAlias archivomental.com
DocumentRoot /var/www/archivomental

RewriteEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
RewriteCond %{HTTPS} off
RewriteRule   "^/(.*)_SSL$"   "https://%{SERVER_NAME}/$1" [R,L]

</VirtualHost>


<VirtualHost *:443>

ServerName www.archivomental.com
ServerAlias archivomental.com
DocumentRoot /var/www/archivomental

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/archivomental.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/archivomental.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/archivomental.com/chain.pem

</VirtualHost>
```

Is there something else to do to make SSL work? If you can guide me in this matter I will be eternally grateful.

```
root@ubuntu:/var/log/apache2# curl -I https://www.archivomental.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.archivomental.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

Nikita Kipriyanov
Why didn't you use certbot's own "apache" plugin which does all the necessary web server configuration for you? // Another question, why do you think it's web server problem? Do you have any *evidence*, I mean, server log records that relate to this problem, client-side transcripts (e.g. test the access with the `curl`)? We need it all [in the question](https://serverfault.com/posts/1133035/edit) to be able to help you.
olivierg
What kind of error code do you get, please?
AlbertoRS
Why didn't you use certbot's own "apache" plugin? Because I'm new to this, I didn't know that. Another question, why do you think it's web server problem? Do you have any evidence? Nope, again I'm not good at this; I'm new to all these things.
AlbertoRS
Did you mean this:

```
[Sun Jun 11 12:56:54.383901 2023] [mpm_prefork:notice] [pid 8729] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Jun 11 12:56:54.384061 2023] [core:notice] [pid 8729] AH00094: Command line: '/usr/sbin/apache2'
[Sun Jun 11 13:54:55.724859 2023] [php7:error] [pid 9537] [client 43.134.8.167:64019] script '/var/www/archivomental/xmlrpc.php' not found or unable to stat
root@ubuntu:/var/log/apache2#
```

In the error.log file.
AlbertoRS
e.g. test the access with the curl - How can I do that?
AlbertoRS
Why didn't you use certbot's own "apache" plugin // Can you tell me how to, please?
djdomi
For me it is a home and end-user computing question, which is off topic. Moreover, a Raspbian is not a qualified business environment.
AlbertoRS
I'm learning, djdomi; it doesn't matter where I'm doing it.
Score:0

SSL: no alternative certificate subject name matches target host name 'www.archivomental.com'

So SSL appears to be working, but there is a certificate validation issue. It would appear that you provisioned a certificate for archivomental.com but didn't specify that the certificate should also be valid for www.archivomental.com.

If this is the case, and you need it to work with the www. prefix, delete the existing certificate and re-provision:

```
sudo certbot delete --cert-name archivomental.com
sudo certbot certonly --domain="archivomental.com,www.archivomental.com"
```

AlbertoRS
Thank you symcbean, I did everything you told me. Now I've got this problem: nmap is telling me that port 443 is filtered, so it is not open. I checked the UFW firewall and the problem is not there.
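
The name mismatch diagnosed in the answer above can be reproduced and checked offline. This is an added example, not part of the original thread: it builds two throwaway self-signed certificates (constructed test data) and tests each hostname against them. The function names are made up for this example, and it assumes OpenSSL 1.1.1 or newer.

```bash
# make_cert OUT_PEM SAN_LIST: write a throwaway self-signed certificate
# (constructed test data, not a Let's Encrypt certificate) with that SAN list.
make_cert() {
    local out="$1" san="$2" key rc
    key="$(mktemp)"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$key" -out "$out" -days 1 \
        -subj "/CN=archivomental.com" \
        -addext "subjectAltName=$san" 2>/dev/null
    rc=$?
    rm -f "$key"        # the private key is not needed for the name check
    return "$rc"
}

# cert_sans CERT_PEM: print the certificate's DNS names, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers CERT_PEM HOSTNAME: succeed only if the certificate is valid for
# HOSTNAME. -checkhost prints "does match" or "does NOT match certificate".
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

demo() {
    local dir cert host
    dir="$(mktemp -d)"
    make_cert "$dir/apex.pem" "DNS:archivomental.com"
    make_cert "$dir/both.pem" "DNS:archivomental.com,DNS:www.archivomental.com"
    for cert in apex both; do
        for host in archivomental.com www.archivomental.com; do
            if cert_covers "$dir/$cert.pem" "$host"; then
                echo "$cert.pem: $host OK"
            else
                echo "$cert.pem: $host MISMATCH"   # what curl reports as error 60
            fi
        done
    done
    rm -rf "$dir"
}

demo
```

On the server itself, `cert_sans /etc/letsencrypt/live/archivomental.com/cert.pem` lists the names the live certificate covers.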