Topic: [Solved]No https connection possible from outside my LAN
Author
Luxed



Joined: 15 May 2017
Posts: 3

Posted: Mon 15 May '17 20:12    Post subject: [Solved]No https connection possible from outside my LAN

EDIT: Read the answers to find out what was causing the problem. In short, my ISP is doing something on port 443 with their router/modem. I can't do anything about it, so I use another port.

Hey everyone,

I am trying to configure my Apache 2 site (version 2.4.18) to have a secured connection. My server is in my house and it is running Ubuntu Server 16.04.
I use the Certbot program to get my certificates. I know they work because I can connect locally (from another computer on my network) to my server and the connection is secured.

This is my VirtualHost config:
Code:
<VirtualHost *:80>
    ServerName corentinbrunel.ca
    DocumentRoot /home/ftp
</VirtualHost>
<IfModule mod_ssl.c>
   <VirtualHost _default_:443>
      ServerAdmin devildead13@gmail.com
      ServerName corentinbrunel.ca
      ServerAlias www.corentinbrunel.ca
      DocumentRoot /home/ftp
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
   
      SSLCertificateKeyFile /etc/letsencrypt/live/corentinbrunel.ca/privkey.pem
      SSLCertificateFile /etc/letsencrypt/live/corentinbrunel.ca/fullchain.pem
      SSLEngine on
   
      SSLProtocol             all -SSLv3 -TLSv1
      SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      SSLHonorCipherOrder     on
      SSLCompression          off
      SSLSessionTickets off
   
      SSLOptions +StrictRequire
      SSLVerifyClient none
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory /usr/lib/cgi-bin>
         SSLOptions +StdEnvVars
      </Directory>
   </VirtualHost>
</IfModule>


I have tried this command to see if my ssl certificate is alright:
Code:
openssl s_client -connect www.corentinbrunel.ca:443

When I do it locally, no problem.

But when I do it outside of my network:
Code:
CONNECTED(00000003)
140191931301760:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1494871258
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

And I don't understand what's going on.

Yes, I can join my server and go on my website with http, my ssh is working, my ftps is working, and my ports are open (80 for http and 443 for https). This site, http://www.yougetsignal.com/tools/open-ports/, says that my port 443 is open, and yet it doesn't work.

I need help with this problem. I hope I gave enough information; if not, I will give you what you need.


Last edited by Luxed on Tue 16 May '17 6:11; edited 1 time in total
Luxed



Joined: 15 May 2017
Posts: 3

Posted: Tue 16 May '17 1:47    Post subject: Solution?

The solution I found is to change the port to 444.
It works, but it isn't what I want; I don't want to see a port.
Can my ISP be the one blocking the 443 port?
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Tue 16 May '17 5:43    Post subject:

Does the error log say anything about your attempts to connect?
If not, it may be getting intercepted by your ISP, which seems odd if 80 is open.

Shaw? I've seen folks on Shaw having this problem.

http://www.corentinbrunel.ca:443 gives a 404, meaning whatever server is answering port 443 it's answering with http not https.

Are there any other vhosts for 443 w/o SSLEngine On set in them?

Try forcing 443 to https:
Listen 443 https

Have also seen folks claiming this worked for them
Quote:
The solution for me was that default-ssl was not enabled in apache 2.... just putting SSLEngine On
I had to execute a2ensite default-ssl and everything worked.


It's a tough one to debug for sure.
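An added example, not part of the thread: the s_client output in the first post read exactly 5 bytes, the size of one TLS record header, and the reply above notes that port 443 is answering with plain HTTP. This Python sketch classifies the first bytes a server returns after a ClientHello and shows how "HTTP/" gets misread as a record header; the sample replies are constructed, and `probe()` is an assumed helper for comparing results from inside and outside the LAN.

```python
import socket
import ssl
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_reply(data: bytes) -> tuple[str, str]:
    """Classify the first bytes a server returns after a TLS ClientHello."""
    if len(data) < 5:
        return "incomplete", f"only {len(data)} byte(s), need a 5-byte record header"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_TYPES and major == 3 and minor <= 4:
        return "tls", f"{TLS_TYPES[ctype]} record, version {major}.{minor}, {length} bytes"
    if data[:5] == b"HTTP/":
        # A TLS client reads 'H' as the type and 'TT' as the version (0x54.0x54),
        # which is what OpenSSL reports as "wrong version number".
        return "plaintext-http", f"bytes parsed as record version {major:#04x}.{minor:#04x}"
    return "unknown", f"first bytes {data[:5]!r}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a real handshake; run it from inside and outside the LAN and compare."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls ok: {tls.version()}"
    except ssl.SSLError as exc:
        return f"tls failed: {exc.reason}"  # e.g. WRONG_VERSION_NUMBER
    except OSError as exc:
        return f"connect failed: {exc}"


# Constructed sample replies (not captured from the poster's server).
SAMPLES = {
    "server_hello": bytes([22, 3, 3, 0, 74]) + b"\x02\x00\x00\x46",
    "http_answer": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "short_read": b"HT",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_reply(blob))
```

A "plaintext-http" verdict from outside the LAN combined with "tls" from inside points at a device in front of Apache answering on the port, not at the Apache SSL configuration.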
Luxed



Joined: 15 May 2017
Posts: 3

Posted: Tue 16 May '17 6:10    Post subject:

As I said in my response earlier, I actually found the problem.
Upon further investigation, it seems like my Router/Modem is listening on that port, because no forward to port 443 is present now, so nothing should be listening, yet something IS listening on that port. What? I don't know.

My quick and dirty solution is to redirect everything from port 80 (http) to https port 444 like this:
Code:
Redirect permanent / https://www.corentinbrunel.ca:444/


My website is now working almost as intended. Unfortunately, Bell is doing something with their router on port 443 and I can't do anything about it (no, I cannot change my router :/)

Quote:
The solution for me was that default-ssl was not enabled in apache 2.... just putting SSLEngine On
I had to execute a2ensite default-ssl and everything worked.

I tried this. It was the first thing I did, but it worked on my LAN, just not outside. I knew it wasn't my config but something else.
williamj12



Joined: 04 Sep 2019
Posts: 1
Location: USA

Posted: Wed 04 Sep '19 9:47    Post subject:

This issue may be related to a firmware update. Updating the firmware generally resolves this kind of issue if you are using Netgear or similar routers; proper reconfiguration after the update is important at the same time.