WordPress Stack & SSL - Apache will not start

Keywords: WordPress - AWS - Technical issue - Secure Connections (SSL/HTTPS)

bnsupport ID: 48ac0431-f7e4-b4e9-87ec-eae7370ac998

bndiagnostic output:

? Apache: Found possible issues
? Connectivity: Found possible issues
? Wordpress: Found possible issues
? Resources: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/general/faq/administration/use-firewall/

bndiagnostic failure reason: The documentation did not make any significant change

Description:
Have a successfully deployed WordPress stack. Was trying to implement SSL via BN CERT TOOL & Really Simple SSL Plugin and the website is unreachable now. I see the plugin is not really recommended at this point but unfortunately too late.

Now Apache won’t start. I think the paths for my Certs and Keys are incorrect or empty. I tried to revert everything and probably compounded the issue. The Plugins folder was disabled but it’s still looking for an SSL config that does not exist or is incorrect.

Also worth noting that I feel like I was close to getting it right but hit the rate limit on Let’s Encrypt. Tried to implement dummy certs but to no avail - this is where I think I goofed the paths up in the App conf and Bitnami conf.

Additionally I think there is an issue with the ports on my Lightsail instance. I believe Let’s Encrypt can’t run successfully because of a firewall issue. The following is a screenshot of my Lightsail instance however when I check for connections on port 80 they appear to be closed. At a loss here… will attach screenshot in a reply.

Any help is greatly appreciated.

Hello @typica1cat,

Your firewall configuration looks fine. I can see several errors related to Really Simple SSL Plugin. Please note that we do not provide support for that plugin and we don’t know how it works. If you want to use it, please ask the plugin’s developers what can be causing the issue. You can try to disable it using the wp binary in the command line:

sudo wp plugin deactivate <PLUGIN>

I hope it helps

Hi David,

Understood. A few things:

Using https://www.yougetsignal.com/tools/open-ports/ the result puzzles me:

Also, I’ve already disabled the plugin by changing the folder name via SSH so I’m not sure how it’s still in effect?:

UPDATE: To anyone else who runs into this issue:

Citing the following error from the BN SUPPORT TOOL:

AH00526: Syntax error on line 4 of /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf:
SSLCertificateFile: file '/opt/bitnami/apache2/conf/bitnami/certs/server.crt' does not exist or is empty

I was able to get Apache running by editing the wordpress-vhost.conf file and removing all edits referencing SSL and Let’s Encrypt. Site is back online.

I am going to try to get SSL running using the BN CERT TOOL without any additional wordpress plugins.

So, since I do have CNAME records in my DNS (one for www.domain and one for mail.domain) I am using the “alternative approach” to BN CERT TOOL.

I installed Lego, Stopped Bitnami and ran the Let’s Encrypt Command which yields the following error:

So I think I had port 80 issues since Apache was down, now that it’s up and running the port is confirmed to be open, also my firewall is shown above. I am not sure why I am getting Firewall errors here? Is it possible that I need additional parameters on the Let’s Encrypt command?

These are both empty as well:

sudo crontab -e
sudo crontab -e -u bitnami

Ok, here’s where I am at…

Turns out I had an AAAA (IPV6) record in my DNS that was preventing Let’s Encrypt from working. This runs successfully after the record is removed.

Following this link:

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

I was able to successfully get to Step 4 - but this is where it now fails. When I test the https link for my domain I get the following chrome error:

DNS_PROBE_FINISHED_NXDOMAIN

Http links are still working perfectly. Is there any other diagnostic info that could be helpful?

I feel like I am so close to getting this wrapped up… thanks in advance!

Hi @typica1cat,

The error suggests an issue with the domain (DNS fails to resolve the domain name or address). Can you check that the domain of the certificate and the actual domain coincide? Does the domain point to the machine IP? You can check with https://www.whatsmydns.net.

Best regards,
Michiel

So my apologies the actual chrome error is:

ERR_CONNECTION_REFUSED

You can see the output of the link you requested here:

https://www.whatsmydns.net/#A/yourdomain.com

EDITED: removed mention to real domain.

So the site is 100% accessible via http, I believe the SSL certs and keys are all set up. My hunch is there is something wrong in my bitnami.conf or vhost file. I will attach them below.

Wordpress-https-vhost.conf:

<VirtualHost 127.0.0.1:443 _default_:443>
  ServerAlias *
  DocumentRoot /opt/bitnami/wordpress
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
  <Directory "/opt/bitnami/wordpress">
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride None
    Require all granted
    # BEGIN WordPress fix for plugins and themes
    # Certain WordPress plugins and themes do not properly link to PHP files because of symbolic links
    # https://github.com/bitnami/bitnami-docker-wordpress-nginx/issues/43
    RewriteEngine On
    RewriteRule ^bitnami/wordpress(/.*) $1 [L]
    # END WordPress fix for plugins and themes
    # BEGIN WordPress
    # https://wordpress.org/support/article/htaccess/#basic-wp
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
  </Directory>
  Include "/opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess.conf"
</VirtualHost>

Bitnami.conf:

# Default Virtual Host configuration.

# Let Apache know we're behind a SSL reverse proxy
SetEnvIf X-Forwarded-Proto https HTTPS=on

SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache/htdocs"
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  <Directory "/opt/bitnami/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
  # Error Documents
  ErrorDocument 503 /503.html
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

Hi @typica1cat,

Can you run the bndiagnostic tool again so we can check your latest configuration?

Best regards,
Michiel

@michiel,

As requested: 07dae024-8b48-5091-d9e8-0b0fd6789c99

Hello @typica1cat,

There are several things that may be causing issues. In your Apache’s config you have the following paths pointing to your SSL files:

$ cat apache2//conf/vhosts/wordpress-https-vhost.conf
...
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
...

Looking at your files at /opt/bitnami/apache2/conf:

$ ls -la /opt/bitnami/apache2/conf
...
lrwxrwxrwx  1 root    root     55 Sep  1 17:53 yourdomain.com.crt -> /opt/bitnami/letsencrypt/certificates/yourdomain.com.crt
lrwxrwxrwx  1 root    root     55 Sep  1 17:53 yourdomain.com.key -> /opt/bitnami/letsencrypt/certificates/yourdomain.com.key
...
-rw-r--r--  1 root    root   1204 Dec 29 16:32 server.crt
-rw-------  1 root    root   1679 Dec 29 16:31 server.key

From this, server.crt and server.key do not have any symlinks as our alternative approach guide suggests. Did you manually create these two files? Besides that, you have a couple of symlinks (yourdomain.com.key and yourdomain.com.crt) pointing to some files at /opt/bitnami/letsencrypt/certificates/ that I’m not sure if they are still valid.

I recommend you to first check whether you have any certificate at /opt/bitnami/letsencrypt/certificates. To do so, please share the output of the following command:

$ ls -la /opt/bitnami/letsencrypt/certificates

Regards,
Francisco de Paz
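
The check walked through in the reply above (where do SSLCertificateFile and SSLCertificateKeyFile point, do those files exist, are they symlinks) can be scripted. This is an added example, not part of the original thread or Bitnami's tooling; the function names, the `--demo` flag and the `example.test` sample are constructed for illustration, and it assumes one directive per line and paths without spaces.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report whether each file named by
# SSLCertificateFile / SSLCertificateKeyFile exists, is non-empty, and where
# a symlink points -- the condition behind Apache's AH00526 startup error.

check_ssl_paths() {   # usage: check_ssl_paths /path/to/vhost.conf
  local conf="$1" bad=0 directive path status target
  while read -r directive path _; do
    case "$directive" in
      SSLCertificateFile|SSLCertificateKeyFile) ;;
      *) continue ;;                       # comments, blanks, other directives
    esac
    path="${path#\"}"; path="${path%\"}"   # strip surrounding double quotes
    target=""
    [ -L "$path" ] && target=" -> $(readlink "$path")"
    if [ -L "$path" ] && [ ! -e "$path" ]; then status=DANGLING
    elif [ ! -e "$path" ]; then status=MISSING
    elif [ ! -s "$path" ]; then status=EMPTY
    else status=OK
    fi
    [ "$status" = OK ] || bad=$((bad + 1))
    printf '%s %s %s%s\n' "$status" "$directive" "$path" "$target"
  done < "$conf"
  [ "$bad" -eq 0 ]                         # non-zero exit: Apache would not start
}

# Constructed sample: a vhost whose certificate is a symlink to a file that
# was never issued, and whose key file exists but is empty.
make_sample() {       # usage: make_sample DIR ; prints the config path
  local d="$1"
  mkdir -p "$d/certificates"
  ln -s "$d/certificates/example.test.crt" "$d/server.crt"
  : > "$d/server.key"
  cat > "$d/vhost.conf" <<EOF
<VirtualHost _default_:443>
  SSLEngine on
  # SSLCertificateFile "/ignored/commented-out.crt"
  SSLCertificateFile "$d/server.crt"
  SSLCertificateKeyFile "$d/server.key"
</VirtualHost>
EOF
  printf '%s\n' "$d/vhost.conf"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && check_ssl_paths "$(make_sample "$tmp")"; rm -rf "$tmp"
fi
```

Run it with `sudo` against a real vhost file, since the key and the Let's Encrypt directory are readable only by root.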

@fdepaz,

Thanks so much for the reply.

Per your instruction, I am not actually able to run this command. “LS” yields “Permission Denied”.

Additionally, I cannot CD into this directory either. I’ve not encountered this problem before so I am not sure what to do. Assuming there is a CHMOD with some parameters that would give me access?

@fdepaz,

Embarrassed to say I forgot to sudo. Here is the output:

bitnami@ip-172-26-8-218:~$ sudo ls -la /opt/bitnami/letsencrypt/certificates
total 8
drwx------ 2 root root 4096 Dec 29 16:24 .
drwxr-xr-x 4 root root 4096 Dec 29 16:24 ..

Hi @typica1cat,

In the Apache configuration the SSLCertificateFile and SSLCertificateKeyFile are pointing to the server.crt and server.key files in the /opt/bitnami/apache2/conf/ directory. My guess is that the server.crt and server.key files are not valid. Did you create or rename those files? Also, from the output of the ls command it seems that /opt/bitnami/letsencrypt/certificates is empty. Did you run the lego command that creates the certificate and did you use the correct path (/opt/bitnami/letsencrypt)?

sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run

Best regards,
Michiel

@michiel,

I’ve re-run the Lego command which was successful - the original run may have had the wrong path as you’ve suggested.

Command: ls -la /opt/bitnami/letsencrypt/certificates:

Output (edited for MYDOMAIN):

total 28
drwx------ 2 root root 4096 Jan 10 18:09 .
drwxr-xr-x 4 root root 4096 Dec 29 16:24 ..
-rw------- 1 root root 5341 Jan 10 18:09 MYDOMAIN.com.crt
-rw------- 1 root root 3751 Jan 10 18:09 MYDOMAIN.issuer.crt
-rw------- 1 root root  234 Jan 10 18:09 MYDOMAIN.json
-rw------- 1 root root  227 Jan 10 18:09 MYDOMAIN.key

Here is an updated Diagnostic Code which shows new apache errors. Perhaps issues with WordPress index paths?

Code: 29bd1c18-17f7-0fc8-ebe4-be200afe76c4

Hi @typica1cat,

It seems port 443 (HTTPS) refuses to connect. Do you have it open in the firewall? Can you check:

https://docs.bitnami.com/aws/faq/administration/use-firewall/

Regards,
Michiel

Hi @michiel,

This is partly where this thread started, reply #2 shows a screenshot of Lightsail’s Firewall settings.

Attached screenshot from this morning again here:

I am only using AWS & LightSail and the firewall appears to be correct yet the port is still closed??

Are there any port configurations for Apache or Bitnami that I need to change?

Hi @typica1cat,

Weird. Can you run the following command to check it?

sudo netstat -tulpn | grep :443

If it doesn’t output anything the port is not open.

Best regards,
Michiel

@michiel,

There is no output following that command. I guess my instance may have some sort of fault?

This is really bizarre… I’ve filed a support case with AWS and will follow back up here.