Apache not listening on port 443
Solution 1
Port 443 is HTTPS. From your netstat output:
tcp6 0 0 [::]:https [::]:* LISTEN
It is clear that a process is listening on port 443. To confirm whether the above is Apache (httpd) process, it is important to run the command as root. Use ss instead as netstat is deprecated:
# ss -tlnp
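The check described in Solution 1, as an added example that is not part of the original answer: a small filter that reads `ss -tlnp` output and reports which process owns a given port, and flags the case where the process column is missing because the command was not run as root. `listener_for_port` is a hypothetical helper name, and the two sample outputs (including PIDs) are constructed.

```shell
#!/bin/sh
# Added example: listener_for_port is a hypothetical helper, not a standard tool.
# Reads `ss -tlnp` output on stdin and prints "<local address> <process>" for
# every TCP socket listening on the given numeric port.
listener_for_port() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }             # skip the header row
        {
            n = split($4, parts, ":")       # $4 is Local Address:Port
            if (parts[n] != port) next      # port is the text after the last colon
            # Without root, ss leaves the process column empty.
            owner = "unknown(rerun-as-root)"
            if (match($0, /users:\(\("[^"]+"/))
                owner = substr($0, RSTART + 9, RLENGTH - 10)
            print $4, owner
        }'
}

# Constructed sample: `ss -tlnp` run as root.
sample_root='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    [::]:80            [::]:*            users:(("apache2",pid=1423,fd=4))
LISTEN 0      128    [::]:443           [::]:*            users:(("apache2",pid=1423,fd=6))'

# Constructed sample: the same sockets seen by an unprivileged user.
sample_user='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      128    [::]:443           [::]:*'

printf '%s\n' "$sample_root" | listener_for_port 443
printf '%s\n' "$sample_user" | listener_for_port 443
```

On a live host the input would come from `ss -tlnp | listener_for_port 443`; the `-n` flag matters because the filter compares numeric ports, not service names such as `https`.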
Solution 2
Did you enable mod_ssl? Since you're running Debian, this is the way to do it (run as root, or via sudo):
a2enmod ssl
Yanipan
Updated on September 18, 2022
Comments
-
Yanipan over 1 year
I've purchased an SSL and I'm trying to set it on a browser. The port is forwarded in the router to the server, and I believe that the SSL certificate is installed correctly (Apache starts OK).
I opened the port in the iptables firewall, but when I list the listening ports, I don't see anything listening on port 443.
I went over my configuration (default Debian 7 with LAMP server) and I have the following in my ports.conf file:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
And in sites-enabled I have a file called default-ssl containing the following (it's quite long, so I'll just add the host data, not the entire SSL file options, unless someone thinks it could help):
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Order allow,deny
        # allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/dev.webmark.co.il/dev_webmark_co_il.pem
    SSLCertificateKeyFile /etc/ssl/dev.webmark.co.il/dev.webmark.co.il.key
    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convinience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    # Note: Inside SSLCACertificatePath you need hash symlinks
    # to point to the certificate files. Use the provided
So I apologize for the very long post, just thought this is relevant information.
I think the ports.conf file enables the listener on 443, but I don't know why it doesn't.
When I list the ports listening:
netstat -a | egrep 'Proto|LISTEN'
I get
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.10:mysql         *:*                     LISTEN
tcp        0      0 *:35563                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:61619         *:*                     LISTEN
tcp        0      0 *:61620                 *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 10.0.0.10:8888          *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:27017                 *:*                     LISTEN
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:55644              [::]:*                  LISTEN
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     7400     /tmp/mongodb-27017.sock
unix  2      [ ACC ]     STREAM     LISTENING     7444     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7215     /var/run/rpcbind.sock
unix  2      [ ACC ]     SEQPACKET  LISTENING     3434     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7351     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     7624     /var/run/mysqld/mysql
I'm pretty sure that the condition is true. I hope I gave all the relevant information and not too much of it. Thanks for your time reading this. Yan
Edit: in order to make sure mod_ssl is running, I used
apache2ctl -M
Which resulted in:
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 headers_module (shared)
 mime_module (shared)
 ssl_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)
Syntax OK
/edit
-
yorkshiredev over 9 years
Well... to me, Apache is carefully listening on [::]:https.
-
Yanipan over 9 years
Thanks Steven Monday, when I use "apache2ctl -M" I see it in the list. I'll edit the original question and add the full input I get.
-
Yanipan over 9 years
Seems you are right - I'll have to go over the entire flow to see if the port is indeed forwarded to the server and opened in IP tables. Thank you.