Configuration error and SSL connection (apache2)

Following a configuration problem with the apache2 services, apache2 no longer works with SSL, even though I have all the apache2 and openSSL modules installed.
The browser error when I look up the domain name or the hostname of my VPS:

# This site can't provide a secure connection

(the domain) sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

The content of the file /etc/apache2/ports.conf:

```apache
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# NameVirtualHost *:80
# NameVirtualHost *:443
```

The content of the file /etc/apache2/sites-enabled/000-apps.vhost:

```apache
######################################################
# This virtual host contains the configuration
# for the ISPConfig apps vhost
######################################################

Listen MON IP:8080
# NameVirtualHost *:

<VirtualHost _default_:>
  ServerAdmin webmaster@localhost

  <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
  </FilesMatch>

  # SSL Configuration
  SSLEngine On
  SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder On

  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-inline for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
        Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
        Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
  </IfModule>

  SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off

  <IfModule mod_headers.c>
    RequestHeader unset Proxy early
  </IfModule>

  <IfModule mod_php5.c>
    DocumentRoot /var/www/apps
    AddType application/x-httpd-php .php
    <Directory /var/www/apps>
      Options FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
  </IfModule>

  <IfModule mod_php7.c>
    DocumentRoot /var/www/apps
    AddType application/x-httpd-php .php
    <Directory /var/www/apps>
      Options FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
  </IfModule>

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/apps
    SuexecUserGroup ispapps ispapps
    <Directory /var/www/apps>
      Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /var/www/php-fcgi-scripts/apps/.php-fcgi-starter .php
      Require all granted
    </Directory>
  </IfModule>

  <Location /rspamd>
    Order allow,deny
    Allow from all
  </Location>
  RewriteEngine On
  RewriteRule ^/rspamd$ /rspamd/ [R,L]
  RewriteRule ^/rspamd/(.*) 127.0.0.1:11334/$1 [P]

</VirtualHost>

<IfModule mod_ssl.c>
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
```

The content of the file /etc/apache2/apache2.conf:

```apache
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See  for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf-enabled
#	|	`-- *.conf
# 	`-- sites-enabled
#	 	`-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at ...
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default

#
# The directory where shm and other runtime files will be stored.
#

DefaultRuntimeDir ${APACHE_RUN_DIR}

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g.,  (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>


# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Thank you for your help

This is unreadable. The contents of text files need to be put in preformatted text format.

Here it is on hastebin, and sorry: hastebin

I just went back over the post to put the tags back and preformat _pabloff's message.

It was enough to put triple backticks around each block; I'll let you edit your post to see for yourself and to check again that the indentation of your vhosts hasn't been lost.

By the way, your vhosts are overloaded with information; the more concise and minimally commented they are, the easier they will be to reread and to debug or modify.

1 Like

Listen normally has no place in a virtual host file.
I don't understand the use of port 8080. Do you want to do HTTPS on that port?
I don't see how this can work without a ServerName directive.
There must be bits of configuration missing…

Even if we want a vhost to listen on a specific port or address?

It is a global directive. It therefore applies to the server, not to a specific virtual host.
https://httpd.apache.org/docs/2.4/bind.html

For a virtual host, you use:

`<VirtualHost IP-address[:port]>`

On Debian, the listening IPs and ports are defined in the ports.conf file. So that is logically where changes should be made if necessary. For example, to have the server listen on IP 192.168.1.21 on port 8080 (non-standard) for HTTPS:

```apache
Listen 192.168.1.21:8080 https
```

1 Like

Unless we want the vhost's configuration file to be self-sufficient, right?

If you like; nothing is mandatory. But if Apache's configuration is spread across several files (apache2.conf, ports.conf, sites-available, conf-available and so on), you might as well respect its logic. Besides, one rarely has a single virtual host on a web server, and putting everything in the same file means giving up a certain management flexibility (a2ensite/a2dissite, a2enconf/a2disconf).

3 Likes

Not everything in one file, but only what concerns a particular site, if only that site uses a particular port.

I don't understand… I explained in post no. 7 that Listen is a global directive. So with Listen 8080 (whatever file it is in), potentially all sites can answer on port 8080.
To be sure that only one site is accessible via port 8080, the port number(s) must also be specified in all the other virtual hosts, at the level of the VirtualHost directive.

Putting Listen 8080 in a virtual host file is a good way to forget, or to fail to understand, that the server is listening on port 8080.
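The points made in this exchange (Listen is global and belongs in ports.conf; a `<VirtualHost>` opener without an explicit port answers on every port the server listens on; a vhost needs a ServerName) can be checked mechanically before reloading Apache. The script below is an added example for this thread, not code from the thread, from ISPConfig or from Apache. It takes config files as `{path: text}`, with two constructed sample sets inline: one modelled on the poster's files (the made-up address 192.0.2.10 stands in for the redacted IP, and `_default_:` has no port, exactly as posted) and one with the Listen moved to ports.conf and the vhost pinned to its port. It also flags a port shared by `SSLEngine On` and `SSLEngine Off` vhosts, because mod_ssl decides whether a connection is TLS from the first vhost bound to that address:port, before any SNI name is seen, so a plain-HTTP vhost ending up first on a port reached over https:// is one way to get a browser's ERR_SSL_PROTOCOL_ERROR.

```python
"""Static check of Apache Listen / <VirtualHost> bindings (added example, not
code from the thread or from Apache). Config files are given as {path: text}."""
import re
from collections import defaultdict
from dataclasses import dataclass

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.I)
VHOST_OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
SSLENGINE_RE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.I)

def port_of(addr):
    """Port of '443', '*:80', '[::1]:443' or '_default_:'; None when absent."""
    if addr.isdigit():
        return addr
    if addr.startswith("["):                      # [ipv6]:port
        m = re.match(r"^\[[^\]]*\](?::(\d+))?$", addr)
        return m.group(1) if m else None
    if addr.count(":") > 1:                       # bare IPv6 literal, no port
        return None
    _host, sep, port = addr.partition(":")
    return port if sep and port.isdigit() else None

@dataclass
class VHost:
    path: str
    line: int
    addr: str
    ports: list                 # explicit ports from the opener, [] if none
    server_name: str = ""
    ssl: bool = False

def parse(files):
    """Return (listens, vhosts); listens is a list of (path, line, port)."""
    listens, vhosts, current = [], [], None
    for path, text in files.items():
        for n, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0]           # ignore comments
            if m := VHOST_OPEN_RE.match(line):
                ports = [p for p in map(port_of, m.group(1).split()) if p]
                current = VHost(path, n, m.group(1).strip(), ports)
                vhosts.append(current)
            elif line.strip().lower() == "</virtualhost>":
                current = None
            elif m := LISTEN_RE.match(line):
                listens.append((path, n, port_of(m.group(1))))
            elif current and (m := SERVERNAME_RE.match(line)):
                current.server_name = m.group(1)
            elif current and (m := SSLENGINE_RE.match(line)):
                current.ssl = m.group(1).lower() == "on"
    return listens, vhosts

def check(files):
    """Human-readable findings; an empty list means the bindings are consistent."""
    listens, vhosts = parse(files)
    listen_ports = sorted({p for _, _, p in listens if p}, key=int)
    findings = [f"{path}:{n}: Listen {port} is a global directive; move it to ports.conf"
                for path, n, port in listens if "/sites-" in path]
    per_port = defaultdict(list)                  # port -> vhosts answering on it
    for v in vhosts:
        where = f"{v.path}:{v.line}: <VirtualHost {v.addr}>"
        bound = v.ports or listen_ports           # no port given: every Listen port
        if not v.ports:
            findings.append(f"{where} gives no port, so it answers on every Listen port "
                            f"({', '.join(listen_ports)})")
        findings += [f"{where} uses port {p} but nothing does Listen {p}"
                     for p in v.ports if p not in listen_ports]
        if not v.server_name:
            findings.append(f"{where} has no ServerName")
        for p in bound:
            per_port[p].append(v)
    for p in sorted(per_port, key=int):
        if len({v.ssl for v in per_port[p]}) > 1:
            names = ", ".join(v.server_name or f"{v.path}:{v.line}" for v in per_port[p])
            findings.append(f"port {p}: mixes SSLEngine On and Off vhosts ({names}); "
                            "the first vhost bound to a port decides whether it speaks TLS")
    return findings

# Constructed samples modelled on the thread's files; 192.0.2.10 is a made-up address.
BROKEN = {
    "/etc/apache2/ports.conf": "Listen 80\n<IfModule ssl_module>\nListen 443\n</IfModule>\n",
    "/etc/apache2/sites-enabled/000-apps.vhost":
        "Listen 192.0.2.10:8080\n<VirtualHost _default_:>\n  SSLEngine On\n"
        "  DocumentRoot /var/www/apps\n</VirtualHost>\n",
    "/etc/apache2/sites-enabled/000-default.conf":
        "<VirtualHost *:80>\n  ServerName www.example.org\n"
        "  DocumentRoot /var/www/html\n</VirtualHost>\n",
}
# Same site with the Listen moved to ports.conf and the vhost pinned to its port.
FIXED = {
    "/etc/apache2/ports.conf": "Listen 80\nListen 443\nListen 192.0.2.10:8080 https\n",
    "/etc/apache2/sites-enabled/000-apps.vhost":
        "<VirtualHost 192.0.2.10:8080>\n  ServerName apps.example.org\n  SSLEngine On\n"
        "  DocumentRoot /var/www/apps\n</VirtualHost>\n",
    "/etc/apache2/sites-enabled/000-default.conf":
        BROKEN["/etc/apache2/sites-enabled/000-default.conf"],
}

if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label}: {len(check(files))} finding(s)")
        for finding in check(files):
            print("  " + finding)
```

On the broken set the script reports the stray Listen in the vhost file, the port-less `<VirtualHost _default_:>` (which therefore answers on 80, 443 and 8080), the missing ServerName, and port 80 being shared by a TLS vhost and a plaintext one; on the fixed set it reports nothing. To run it against a real Debian tree, read `/etc/apache2/ports.conf` and every file in `sites-enabled/` into the dict; the check is static, so it also catches a `<VirtualHost>` whose port no Listen covers, which `apache2ctl -S` would otherwise be needed to spot.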

So what should I do, please?

The discussion has drifted a bit, so let me get back to it: