bibledit / cloud

Source code for Bibledit core library and Cloud binary
GNU General Public License v3.0

https not working again #899

Closed warpok closed 1 year ago

warpok commented 1 year ago

Sometime in the last week, https has stopped at the Indonesian site. I tested to see if the certificates need to be renewed, and evidently not.

Screenshot 2023-05-19 3 34 27 PM

I have changed nothing in the config folder in the last months. I have installed all the updates. Something has broken https. What do I do to troubleshoot this problem?

This is for the abkiteliti.my.id site.

teusbenschop commented 1 year ago

Weird that renewal is not yet needed, because checking the certificate gives that it's nearly expired:

$ openssl x509 -in /etc/letsencrypt/live/timkita.xyz/cert.pem -text -noout
Certificate:
   ...
        Validity
            Not Before: Feb 21 19:22:04 2023 GMT
            Not After : May 22 19:22:03 2023 GMT

Although certbot says it's not yet due for renewal, it's better to renew it now.

Just to be sure, checking what certbot says, I ran the command too:

$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/timkita.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for timkita.xyz
Failed to renew certificate timkita.xyz with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

warpok commented 1 year ago

I saw that the program could not bind TCP port 80. I had this note saved:

CERTbot wants port 80 open: steps:
sudo ufw allow 80/tcp
sudo ufw status
systemctl stop apache2.service
certbot renew -v

But when I ran those steps, it still said:

The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/abkiteliti.my.id/fullchain.pem expires on 2023-07-13 (skipped)
No renewals were attempted.



teusbenschop commented 1 year ago

The reported issue is that "https has stopped" but this is unclear. More details are needed.

What is the exact error that is being reported on https?

warpok commented 1 year ago

Now is the 22nd. I did the procedure to update the certificates, but evidently it was not needed. Screenshot 2023-05-22 2 39 43 PM

But unfortunately, the site is still giving the https error!!!! You can see that also in the screenshot above.

But even worse: Now our team's Bibledit site is manifesting the same problem.

warpok commented 1 year ago

Well guess what?! I ran the certificate renewal procedure at the timkita site and it worked!

But alas, as you can see from the page behind the terminal (which I renewed) the HTTPS is still broken!!!

Screenshot 2023-05-22 2 50 12 PM

warpok commented 1 year ago

Teus: Could this error siege have anything to do with the port forwarding issue that you addressed recently?

teusbenschop commented 1 year ago

> Could this error siege have anything to do with the port forwarding issue that you addressed recently?

This is the issue: https://github.com/bibledit/cloud/issues/866
After this issue is fixed, it does not run the server at port 2027 at all. But in the screenshot the server at this port does run.

> I ran the certificate renewal procedure at the timkita site and it worked! But alas, as you can see from the page behind the terminal (which I renewed) the HTTPS is still broken!!!

Here is the page with steps to take to renew the certificate: http://bibledit.org:8090/help/config
Here is the issue that was kept open which refers to that too: https://github.com/bibledit/cloud/issues/862

The information mentions step 1, step 2, and so on, till step 5. Which of those steps were taken?

warpok commented 1 year ago

You are SO Right!

I forgot to copy the certs and change their ownership.

The certs are definitely renewed.

Screenshot 2023-05-23 3 46 12 PM

How do I solve this: Error binding socket: Address already in use.

The *.pem file permissions seem right: Screenshot 2023-05-23 3 56 53 PM (I didn't use MC to do the file permission change, just to check it.) I tried the steps twice.

In your help file, there are several singulars that should be plural. I will try to give you some suggestions on that.

So, bottom line: How do I solve this: Error binding socket: Address already in use.

warpok commented 1 year ago

I tried the missing steps in the Timkita site as well, and the results are the same.

I wonder if it matters that there are several early steps of the process (like stopping apache2) that I assume don't need to be done if I successfully get new certificates.

OK, checking the Journal: I have pages of this same error.

24 Mei 2023 04:11:57 | SSL - A fatal alert message was received from our peer (-30592)

I discovered that I copied this command wrong, so I executed chmod ogo+r /var/bibledit/bibledit-cloud/config/.pem instead of chmod ugo+r /var/bibledit/bibledit-cloud/config/.pem !!!

warpok commented 1 year ago

The command copied poorly above. It should end with *.pem.

Using the correct command (ugo+r) doesn't seem to change anything.

warpok commented 1 year ago

Evidently the error stops showing and things resume normally? (but still not change to https.)

Screenshot 2023-05-23 4 24 23 PM

teusbenschop commented 1 year ago

> In your help file, there are several singulars that should be plural. I will try to give you some suggestions on that.

Thank you that would be great, it's good to improve the language.

> So, bottom line: How do I solve this: Error binding socket: Address already in use.

Usually this is resolved through systemctl stop bibledit-cloud and then shortly after systemctl start bibledit-cloud

> I tried the missing steps in the Timkita site as well, and the results are the same.

This website is fine when opening it over here. It gives the secure lock in the browser address bar.

warpok commented 1 year ago

At the other site, abkiteliti, after I ran those two commands, I get pages of this in the journal:

25 Mei 2023 01:32:55 | SSL - A fatal alert message was received from our peer (-30592)
25 Mei 2023 01:32:57 | SSL - A fatal alert message was received from our peer (-30592)
25 Mei 2023 01:33:00 | SSL - A fatal alert message was received from our peer (-30592)

Note that this is not the same message as before, which was the Error binding socket: Address already in use.

Aren't the two commands you gave (stop and start) the same as systemctl restart bibledit-cloud ? I did the restart command repeatedly!

Your message makes me wonder if the USA connection I have has some fault that you don't have in Holland! Could you access https://abkiteliti.my.id:8083/ or http://abkiteliti.my.id:8082/ to see whether the transition to https happens? And if it doesn't, please help me at the abkiteliti site.

Thanks so much for fixing the timkita site.

teusbenschop commented 1 year ago

> At the other site, abkiteliti, after I ran those two commands, I get pages of this in the journal:
> 25 Mei 2023 01:32:55 | SSL - A fatal alert message was received from our peer (-30592)
> 25 Mei 2023 01:32:57 | SSL - A fatal alert message was received from our peer (-30592)
> 25 Mei 2023 01:33:00 | SSL - A fatal alert message was received from our peer (-30592)
>
> Note that this is not the same message as before, which was the Error binding socket: Address already in use.

Yes, they are different, the messages mean that now the https server is running, and that someone is messing with it, but the server handles this messing gracefully.

> Aren't the two commands you gave (stop and start) the same as systemctl restart bibledit-cloud ? I did the restart command repeatedly!

Yes, they are essentially the same, but the difference is that the restart does a quick "stop" and "start" in succession, but when doing the "stop" and "start" manually there would be more time for this port to be released.

> Your message makes me wonder if the USA connection I have has some fault that you don't have in Holland! Could you access https://abkiteliti.my.id:8083/ or http://abkiteliti.my.id:8082/ to see whether the transition to https happens? And if it doesn't, please help me at the abkiteliti site.

The transition does happen, but it gives an expired certificate, in other words, the certificate is just expired somehow.

Yes, I can help but do not have the credentials to access it, could I receive them by email offline?
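
Added example, not part of the thread and not Bibledit's own code: a shell check for the situation discussed above, where certbot has renewed the certificate but the server still presents an expired one because the copy step was skipped. The file paths are passed as arguments; the name of the copied file in the Bibledit config folder is an assumption, since the thread only gives `*.pem`.

```shell
#!/bin/sh
# Added example (not from the thread): detect a renewed certificate that was
# never copied into the folder the server reads, or that is about to expire.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when the certificate in $1 expires within $2 seconds.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Fingerprint of the certificate a running server presents (argument: host:port).
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Prints one word: unreadable | stale | expiring | ok
#   $1 = certificate certbot maintains, $2 = copy the server loads,
#   $3 = warning window in seconds (default 7 days).
check_deployed_cert() {
    cdc_live=$1 cdc_copy=$2 cdc_window=${3:-604800}
    if [ ! -r "$cdc_live" ] || [ ! -r "$cdc_copy" ]; then
        echo unreadable; return 3   # missing, or not readable by this user
    fi
    if [ "$(cert_fingerprint "$cdc_live")" != "$(cert_fingerprint "$cdc_copy")" ]; then
        echo stale; return 1        # renewed, but the copy was never refreshed
    fi
    if cert_expires_within "$cdc_copy" "$cdc_window"; then
        echo expiring; return 2     # files match, but renewal is due
    fi
    echo ok
}

# Usage (paths are assumptions; the copied file name is a placeholder):
#   sh check.sh /etc/letsencrypt/live/DOMAIN/cert.pem \
#               /var/bibledit/bibledit-cloud/config/COPIED-CERT.pem
if [ "$#" -ge 2 ]; then
    check_deployed_cert "$@"
fi
```

After restarting the server, `served_fingerprint HOST:PORT` should print the same value as `cert_fingerprint` on the renewed file; a mismatch means the running process still holds the old certificate.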

warpok commented 1 year ago

What do you mean by "someone is messing with it"? I will first make sure I have renewed the certificates (even though I am sure I did), and I will send an email to you. Thanks, Phil

teusbenschop commented 1 year ago

> What do you mean by "someone is messing with it"?

The "messing" looks like someone, perhaps even unknowingly, tries to connect to the https server in an incorrect way. Perhaps it's benign.

> I will first make sure I have renewed the certificates (even though I am sure I did), and I will send an email to you.

Thanks, and I received it.

Checking your server out, it appears there are three instances of Bibledit running in parallel.

Here is the list of them:

ps ax | grep bible
   1735 ?        Ssl   17:05 /home/p8082/8082/bibleditserver <-- Bibledit #1
   1758 ?        S      0:00 /bin/sh ./bibledit
   1773 ?        S      0:00 /bin/sh ./bibledit
  10045 ?        Sl     4:53 ./bibleditserver <-- Bibledit #2
  16153 ?        Sl     1:26 ./bibleditserver <-- Bibledit #3
  16992 pts/0    S+     0:00 grep --color=auto bible

Someone has started multiple instances, and I don't know which instance is the one you work with.

Likely the solution for you would be to stop the two extra Bibledit instances and only keep the one you want. And then to refresh the certificates in the instance you want.

warpok commented 1 year ago

I thought that I knew what to do! So I did it, and messed things up royally! All my fault. I should have asked for help.

I easily found the other instances of Bibledit-cloud and deleted the folders. But I didn't realize that the material in Home/8080 needed to stay there. So I deleted that also. (I thought that the only folder I needed was in /var/bibledit/bibledit-cloud.) The 2-3 extra Bibledit-cloud folders were from when Aranggi installed things initially.

When I realized that Bibledit would not run anymore, with the complaint that it needed Home/8080, then I tried to undelete the folder using a program (named something like TestDisk). This resulted in me running out of space in the 2GB server. When I ran out of space, it would no longer run anything at all, not even mc.

So I am going through the learning process once again of reinstalling everything. And it may actually be a blessing in disguise. I have a good backup of the /var/bibledit/bibledit-cloud folder. But I will need to reinstall all the certificates and the Google Translate stuff.

More bulletins as events warrant. :-(

warpok commented 1 year ago

The correct chmod command for the copied certificates starts with chmod ogo+r or chmod ugo+r

My certificates did not change as the ones previously did.

teusbenschop commented 1 year ago

Sorry for the situation of erasing the data, and good to hear there's a good backup of the stuff, and good luck getting the server back online.

The chmod ugo+r is the one that is in the instructions at http://bibledit.org:8090/help/config and thanks for the observation. Thanks too for the spelling corrections to get it up to standard for having good English, instead of Pidgin English. :)

teusbenschop commented 1 year ago

I have studied the instructions you wrote about https. The instructions are so useful, but I think they are more suited to a kind of informative article online, than for technical instructions included in Bibledit. If you were able to write an article online, then I would be so happy to be able to link to it from the main bibledit.org website.

warpok commented 1 year ago

https works now.