Apache not listening on port 443

38,152

Solution 1

Port 443 is HTTPS. From your netstat output:

tcp6       0      0 [::]:https              [::]:*                  LISTEN

It is clear that a process is listening on port 443. To confirm whether the above is the Apache (httpd) process, it is important to run the command as root. Use ss instead, as netstat is deprecated:

# ss -tlnp
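
The check from this answer as a script (an added example, not part of the original answer): it reads `ss -tlnp` output and names the process that owns the listener on a port, reporting `unknown` when the process column is missing because `ss` was not run as root. The function names and the sample output are constructed for illustration and assume the modern iproute2 column layout.

```shell
#!/bin/sh
# Added example. Live use (as root):  ss -tlnp | who_listens 443

# who_listens PORT: read `ss -tlnp` output on stdin and print one line per
# listening socket on PORT as "<local address> <process name|unknown>".
who_listens() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            # The port is the text after the last colon ([::]:443, *:443, 0.0.0.0:443).
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            proc = "unknown"   # ss hides the owner of other users sockets unless run as root
            # users:(("apache2",pid=2301,fd=6)) -> apache2
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print addr, proc
        }'
}

# check_owner PORT NAME: 0 = NAME owns the listener, 1 = nothing listening,
# 2 = owner hidden (re-run as root), 3 = a different process owns the port.
check_owner() {
    out=$(who_listens "$1")
    [ -n "$out" ] || return 1
    case "$out" in
        *" $2"*)      return 0 ;;
        *" unknown"*) return 2 ;;
        *)            return 3 ;;
    esac
}

# Constructed sample: `ss -tlnp` as root on a host where Apache serves 80 and 443.
sample_root() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3))
LISTEN 0      511                *:80              *:*     users:(("apache2",pid=2301,fd=4))
LISTEN 0      511                *:443             *:*     users:(("apache2",pid=2301,fd=6))
EOF
}
# The same sockets seen by an unprivileged user: the Process column is empty.
sample_user() { sample_root | sed 's/ *users:.*//'; }

sample_root | who_listens 443    # *:443 apache2
sample_user | who_listens 443    # *:443 unknown
```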

Solution 2

Did you enable mod_ssl? Since you're running Debian, this is the way to do it (run as root, or via sudo):

a2enmod ssl

Yanipan
Author by

Yanipan

Updated on September 18, 2022

Comments

  • Yanipan
    Yanipan over 1 year

    I've purchased an SSL and I'm trying to set it on a browser. The port is forwarded in the router to the server, and I believe that the SSL certificate is installed correctly (Apache starts OK).

    I opened the port in the iptables firewall, but when I list the listening ports, I don't see anything listening on port 443.

    I went over my configuration (default Debian 7 with LAMP server) and I have the following in my ports.conf file:

    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default
    # This is also true if you have upgraded from before 2.2.9-3 (i.e. from
    # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
    # README.Debian.gz
    
    NameVirtualHost *:80
    Listen 80
    
    
    <IfModule mod_ssl.c>
        # If you add NameVirtualHost *:443 here, you will also have to change
        # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
        # to <VirtualHost *:443>
        # Server Name Indication for SSL named virtual hosts is currently not
        # supported by MSIE on Windows XP.
         NameVirtualHost *:443
         Listen 443
    </IfModule>
    
    <IfModule mod_gnutls.c>
        NameVirtualHost *:443
        Listen 443
    </IfModule>
    

    And in sites-enabled I have a file called default-ssl containing the following (it's quite long, so I'll just add the host data, not the entire SSL file options, unless someone thinks it could help):

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
    
            DocumentRoot /var/www
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
    #               Order allow,deny
    #               allow from all
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    
            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on
    
    
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/dev.webmark.co.il/dev_webmark_co_il.pem
        SSLCertificateKeyFile /etc/ssl/dev.webmark.co.il/dev.webmark.co.il.key
    
        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    
        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
    

    So I apologize for the very long post, just thought this is relevant information.

    I think the ports.conf file enables the listener on 443, but I don't know why it doesn't.

    When I list the ports listening:

    netstat -a | egrep 'Proto|LISTEN'
    

    I get

    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 10.0.0.10:mysql         *:*                     LISTEN
    tcp        0      0 *:35563                 *:*                     LISTEN
    tcp        0      0 *:sunrpc                *:*                     LISTEN
    tcp        0      0 localhost:61619         *:*                     LISTEN
    tcp        0      0 *:61620                 *:*                     LISTEN
    tcp        0      0 *:ftp                   *:*                     LISTEN
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0      0 10.0.0.10:8888          *:*                     LISTEN
    tcp        0      0 localhost:smtp          *:*                     LISTEN
    tcp        0      0 *:27017                 *:*                     LISTEN
    tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
    tcp6       0      0 [::]:http               [::]:*                  LISTEN
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
    tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
    tcp6       0      0 [::]:https              [::]:*                  LISTEN
    tcp6       0      0 [::]:55644              [::]:*                  LISTEN
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     7400     /tmp/mongodb-27017.sock
    unix  2      [ ACC ]     STREAM     LISTENING     7444     /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     STREAM     LISTENING     7215     /var/run/rpcbind.sock
    unix  2      [ ACC ]     SEQPACKET  LISTENING     3434     /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     7351     /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     7624     /var/run/mysqld/mysql                                                                                        
    

    I'm pretty sure that the condition is true. I hope I gave all the relevant information and not too much of it. Thanks for your time reading this. Yan

    Edit in order to make sure mod_ssl is running - I used

    apache2ctl -M
    

    Which resulted in:

    Loaded Modules:
     core_module (static)
     log_config_module (static)
     logio_module (static)
     version_module (static)
     mpm_prefork_module (static)
     http_module (static)
     so_module (static)
     alias_module (shared)
     auth_basic_module (shared)
     authn_file_module (shared)
     authz_default_module (shared)
     authz_groupfile_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     autoindex_module (shared)
     cgi_module (shared)
     deflate_module (shared)
     dir_module (shared)
     env_module (shared)
     headers_module (shared)
     mime_module (shared)
     ssl_module (shared)
     negotiation_module (shared)
     php5_module (shared)
     reqtimeout_module (shared)
     rewrite_module (shared)
     setenvif_module (shared)
     status_module (shared)
    Syntax OK
    

    /edit

    • yorkshiredev
      yorkshiredev over 9 years
      Well... to me, Apache is carefully listening on [::]:https.
  • Yanipan
    Yanipan over 9 years
    Thanks Steven Monday, when I use "apache2ctl -M" I see it in the list. I'll edit the original question and add the full input I get.
  • Yanipan
    Yanipan over 9 years
    Seems you are right - I'll have to go over the entire flow to see if the port is indeed forwarded to the server and opened in IP tables. Thank you.