An unexpected error occurred: augeas.AugeasValueError: Augeas.set() failed: Too many matches for path expression

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bfts.us and several others that use the same certificate

I ran this command: certbot --apache

It produced this output: An unexpected error occurred:

augeas.AugeasValueError: Augeas.set() failed: Too many matches for path expression ... this actually happens on other attempts when trying to (re)install the certificates

My web server is (include version): Apache/2.4.62

The operating system my web server runs on is (include version): aws al2023 Amazon Linux 2023.7.20250414

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.0.0

I have reviewed the older scenarios that appear to be similar and have tried the troubleshooting suggestions recommended for them. Any help would be appreciated.

Hello @oraclebear,

Please show the output of each of the following commands

  • sudo certbot certificates
  • sudo apachectl -t -D DUMP_VHOSTS

Here is a similar thread augeas.AugeasValueError: Augeas.set() failed: Too many matches for path expression

1 Like

sudo certbot certificates


Found the following certs:
Certificate Name: bfts.us
Serial Number: 659c02963ab3ad03d073e2e86ddcfc4350b
Key Type: ECDSA
Domains: bfts.us bfts.twmccarty.com bmmr.net joesue.com lsng.org maint.bfts.us maint.bmmr.net maint.lsng.org msleake.com oraclebear.com orbr.us rainbowprod.com sonicmx.com twmccarty.com www.bfts.us www.bmmr.net www.joesue.com www.lsng.org www.msleake.com www.oraclebear.com www.orbr.us www.rainbowprod.com www.sonicmx.com www.twmccarty.com
Expiry Date: 2025-07-23 21:01:19+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/bfts.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bfts.us/privkey.pem


the actual virt.conf include file looks like this

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
</VirtualHost>

[root@ip-172-31-11-27 conf.d]# cat virt.conf

<VirtualHost *:80>
    ServerName bmmr.net
    ServerAlias www.bmmr.net
    DocumentRoot "/var/www/html/bmmr.net"
    #Redirect permanent / https://bmmr.net/
</VirtualHost>
#<VirtualHost *:80>
#    ServerName blog.bmmr.net
#    DocumentRoot "/var/www/html/bmmr.net/wp"
#    #Redirect permanent / https://blog.bmmr.net/
#</VirtualHost>
<VirtualHost *:80>
    ServerName maint.bmmr.net
    DocumentRoot "/var/www/html/bmmr.net"
    #Redirect permanent / https://maint.bmmr.net/
</VirtualHost>
<VirtualHost *:80>
    ServerName bfts.us
    ServerAlias www.bfts.us
    DocumentRoot "/var/www/html/bfts.us"
    #Redirect permanent / https://bfts.us/
</VirtualHost>
<VirtualHost *:80>
    ServerName bfts.twmccarty.com
    DocumentRoot "/var/www/html/bfts.us"
    #Redirect permanent / https://bfts.twmccarty.com/
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/bfts.us"
    ServerName maint.bfts.us
    #Redirect permanent / https://maint.bfts.us/
</VirtualHost>
<VirtualHost *:80>
    ServerName joesue.com
    ServerAlias www.joesue.com
    DocumentRoot "/var/www/html/joesue.com"
    #Redirect permanent / https://joesue.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName lsng.org
    ServerAlias www.lsng.org
    DocumentRoot "/var/www/html/lsng.org"
    #Redirect permanent / https://lsng.org/
</VirtualHost>
<VirtualHost *:80>
    ServerName maint.lsng.org
    DocumentRoot "/var/www/html/lsng.org"
    #Redirect permanent / https://maint.lsng.org/
</VirtualHost>
<VirtualHost *:80>
    ServerName msleake.com
    ServerAlias www.msleake.com
    DocumentRoot "/var/www/html/msleake.com"
    #Redirect permanent / https://msleake.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName oraclebear.com
    ServerAlias www.oraclebear.com 
    DocumentRoot "/var/www/html/oraclebear.com"
    #Redirect permanent / https://oraclebear.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName orbr.us
    ServerAlias www.orbr.us 
    DocumentRoot "/var/www/html/oraclebear.com"
    #Redirect permanent / https://orbr.us/
</VirtualHost>
<VirtualHost *:80>
    ServerName rainbowprod.com
    ServerAlias www.rainbowprod.com
    DocumentRoot "/var/www/html/rainbowprod.com"
    #Redirect permanent / https://rainbowprod.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName sonicmx.com
    ServerAlias www.sonicmx.com
    DocumentRoot "/var/www/html/sonicmx.com"
    #Redirect permanent / https://sonicmx.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName twmccarty.com
    ServerAlias www.twmccarty.com
    DocumentRoot "/var/www/html/twmccarty.com"
    #Redirect permanent / https://twmccarty.com/
</VirtualHost>
<Directory "/var/www/html/bfts.us">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/drupal">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/bmmr.net">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/joesue.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/lsng.org">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/msleake.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/oraclebear.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/rainbowprod.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/sonicmx.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/twmccarty.com">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Thanks for any help!

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.
I don't deal with Apache much.

Hello @oraclebear, sorry no one has replied after you posted that extra info.

It is puzzling. The port 80 VirtualHosts you show all look fine. But, something is causing a parsing problem with the --apache plugin option of Certbot. We can try to find that but sometimes it is easier to switch to using the --webroot option. It doesn't require Certbot to parse your Apache config so wouldn't have this problem.

I'd like some more background if you would. You were using Let's Encrypt certs since 2022 in a consistent manner. Then it looks like you added the www subdomain for your certs (which is common). You got the cert with the added www domain name but got the error you show.

Is that correct? If not please explain more. If so, what happened to the VirtualHost statements for port 443 that you had previously? Do you still have them? (that would make converting to --webroot much easier).

In addition to above questions would you please show output of these

ls -l /etc/httpd
ls -l /etc/httpd/conf.d
2 Likes

More accurately, I migrated to AWS AL2023. I'm pretty sure the wwws were there already.

I think it may have created the certificates - even with the --apache option. I get that error if I just try to install them.

In any case, how do I install them once I have them?

Thanks

"Installing" just means configuring Apache to use them. Did you start out with just this basic Apache config on AL2023? I would have thought you'd migrate your config from your old system to avoid having to recreate any customizations you did.

The --apache plugin should create a VirtualHost for port 443 using the cert. That is what it means by "installing". Certbot uses the existing VirtualHost for port 80 as a template. Yours are all very simple so the VirtualHost for port 443 would also be very simple. Any customization you did on your prior system would have to be redone.

Going forward we need to either find out why Certbot has that failure. Or, switch you to the --webroot method and manually create (re-create) the VirtualHosts for port 443.

If you want to try to find the syntax problem Certbot has with your Apache please show the output of this command. It is just a test. It will not affect your Apache config or existing certs

sudo certbot certonly --apache --dry-run --cert-name bfts.us

Sometimes these syntax / parsing problems can be hard to find. Which is why I asked if you still had the VirtualHosts for port 443 somewhere. Converting to --webroot might be easier if you did.

Please also show the output of these commands:

ls -l /etc/httpd
ls -l /etc/httpd/conf.d
1 Like

I found this on my saved drive -

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName bfts.us
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
#Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

There is one of those for each of the primary server names.

And that is in the httpd-le-ssl.conf file ... and maybe that's a key - there is not one for www.bfts.us but there is one for maint.bfts.us, even though the DocumentRoot is the same for all of them. But I handled the www with an alias.

So yes, that would be reasonably easy enough to bring about - there were apparently enough differences between the AL2 version of the Apache file and the AL2023 one that it didn't like me very much - and at that point I had not followed the recommendation of the people helping the other person with their error (which seemed too similar to mine) to put their changes in files by themselves rather than in the main file.

Anyway, putting that file in /etc/httpd/conf didn't seem to do anything - didn't make them work by itself - putting it in /etc/httpd/conf.d caused it to fail.

I'm attaching the letsencrypt.log message to this email - but I'm just replying to the email - so not sure if it will get processed into the post correctly. If not, let me know, and I'll log in to the post and add it there.

Appreciate the help - whichever way is the simplest to get me up and running. Thanks so much.

(Attachment letsencrypt.log is missing)

OK - the log is WAY too long to attach here -

I threw it on my server - it is available by going to Index of /duh and then you can right-click and save it wherever you want ...

I get a 403 Forbidden accessing that link. I didn't need the whole log just the output shown on the console by Certbot.

I still want to see the output of these

ls -l /etc/httpd
ls -l /etc/httpd/conf.d
1 Like

sudo certbot certonly --apache --dry-run --cert-name bfts.us
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for bfts.us and 23 more domains
The dry run was successful.

[root@ip-172-31-11-27 ec2-user]# ls -l /etc/httpd
total 16
drwxr-xr-x. 2 root root 55 May 3 03:49 conf
drwxr-xr-x. 2 root root 174 May 4 05:28 conf.d
drwxr-xr-x. 2 root root 16384 Apr 22 21:19 conf.modules.d
lrwxrwxrwx. 1 root root 19 Jul 30 2024 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root 29 Jul 30 2024 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root 10 Jul 30 2024 run -> /run/httpd
lrwxrwxrwx. 1 root root 19 Jul 30 2024 state -> ../../var/lib/httpd

ls -l /etc/httpd/conf.d
total 48
-rw-r--r--. 1 root root 400 Jul 30 2024 README
-rw-r--r--. 1 root root 2916 Jul 30 2024 autoindex.conf
-rw-r--r--. 1 root root 4477 May 3 04:09 httpd-le-ssl.saveme
-rw-r--r--. 1 root root 1577 Mar 21 18:32 php.conf
-rw-r--r--. 1 root root 9556 Jul 30 2024 ssl.conf
-rw-r--r--. 1 root root 1252 Jul 30 2024 userdir.conf
-rw-r--r--. 1 root root 3968 Apr 25 06:44 virt.conf
-rw-r--r--. 1 root root 653 Jul 30 2024 welcome.conf
-rw-r--r--. 1 root root 97 Apr 24 16:57 www.conf

hope that helps. Thanks. Bruce

Excellent. We will build on that success.

Now, please show output of these two commands.

sudo certbot certificates

ls -l /etc/letsencrypt

And the contents of this file

/etc/httpd/conf.d/httpd-le-ssl.saveme
1 Like

Thanks again for all your help, Mike.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: bfts.us
Serial Number: 65b7fd0e1437dd5d210178f9b673a3eaa74
Key Type: ECDSA
Domains: bfts.us bfts.twmccarty.com bmmr.net joesue.com lsng.org maint.bfts.us maint.bmmr.net maint.lsng.org msleake.com oraclebear.com orbr.us rainbowprod.com sonicmx.com twmccarty.com www.bfts.us www.bmmr.net www.joesue.com www.lsng.org www.msleake.com www.oraclebear.com www.orbr.us www.rainbowprod.com www.sonicmx.com www.twmccarty.com
Expiry Date: 2025-08-01 01:53:11+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/bfts.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bfts.us/privkey.pem

[ec2-user@ip-172-31-11-27 ~]$ ls -l /etc/letsencrypt
total 4
drwx------. 4 root root 86 May 3 03:54 accounts
drwx------. 3 root root 21 Apr 24 21:59 archive
drwx------. 3 root root 35 Apr 24 21:59 live
-rw-r--r--. 1 root root 1005 Apr 24 21:59 options-ssl-apache.conf
drwxr-xr-x. 2 root root 26 May 3 02:51 renewal
drwxr-xr-x. 5 root root 43 Apr 24 21:59 renewal-hooks

Out of curiosity I checked the contents of that conf:

cat /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

This httpd-le-ssl.saveme is the conf file I found on the old server. I removed the host that is no longer included in the certificate, but when I tried to bring the server back up it complained about the certificate(s) not being where it expected them to be - if memory serves anyway.

cat /etc/httpd/conf.d/httpd-le-ssl.saveme

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName bfts.us
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
#Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName maint.bfts.us
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bmmr.net"
ServerName bmmr.net
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bmmr.net"
ServerName maint.bmmr.net
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/joesue.com"
ServerName joesue.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/lsng.org"
ServerName maint.lsng.org
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/lsng.org"
ServerName lsng.org
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/msleake.com"
ServerName msleake.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/orbr.us"
ServerName orbr.us
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/oraclebear.com"
ServerName oraclebear.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/rainbowprod.com"
ServerName rainbowprod.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/sonicmx.com"
ServerName sonicmx.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/twmccarty.com"
ServerName twmccarty.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName bfts.twmccarty.com
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
</VirtualHost>
</IfModule>

Yeah, the path is for .../getssl/... which probably came from a different ACME Client. Certbot uses, by default, a different path as shown from the certbot certificates command.

If you replace each occurrence of these 3 lines

SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt

With these two (just two lines needed in modern Apache versions)

SSLCertificateFile /etc/letsencrypt/live/bfts.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bfts.us/privkey.pem

It should resolve that problem. I don't have time right now to look at any other issues from your recent post(s) but this is necessary and might be sufficient.

1 Like
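A small script, added here as an illustration (not code from the thread, from Certbot or from Apache), that applies the replacement described above across a whole vhost file and then lists any certificate paths still outside Certbot's live directory, which is a useful check before `apachectl -t` and a restart. The sample vhost, the cert name `bfts.us` and the getssl paths are constructed from what the thread shows.

```python
import re

LIVE_DIR = "/etc/letsencrypt/live"

# Constructed sample modelled on one block of the httpd-le-ssl.saveme file
# shown in the thread (getssl-era paths that Certbot does not manage or renew).
OLD_VHOST = """<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName maint.bfts.us
SSLCertificateFile /root/.getssl/bfts.us/bfts.us.crt
SSLCertificateKeyFile /root/.getssl/bfts.us/bfts.us.key
SSLCertificateChainFile /root/.getssl/bfts.us/chain.crt
#Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
"""

# Matches the three certificate directives (Apache directive names are
# case-insensitive); commented-out lines start with '#' and never match.
_DIRECTIVE = re.compile(
    r"^(\s*)(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)\s+(\S+)",
    re.IGNORECASE,
)


def rewrite_ssl_directives(conf_text: str, cert_name: str) -> str:
    """Return conf_text with every SSLCertificateFile / SSLCertificateKeyFile
    pointed at Certbot's live/<cert_name>/ files and every
    SSLCertificateChainFile line dropped: fullchain.pem already carries the
    intermediates and Apache 2.4.8+ reads them from it.  Comments and all
    other directives pass through unchanged, indentation included."""
    out = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            out.append(line)
            continue
        indent, name = m.group(1), m.group(2).lower()
        if name == "sslcertificatefile":
            out.append(f"{indent}SSLCertificateFile {LIVE_DIR}/{cert_name}/fullchain.pem")
        elif name == "sslcertificatekeyfile":
            out.append(f"{indent}SSLCertificateKeyFile {LIVE_DIR}/{cert_name}/privkey.pem")
        # sslcertificatechainfile: intentionally omitted from the output
    return "\n".join(out) + "\n"


def stale_cert_paths(conf_text: str, cert_name: str) -> list[str]:
    """List certificate/key/chain paths that are not under Certbot's
    live/<cert_name>/ directory.  Any hit is a file Certbot will never renew
    (or, after a migration like the one in the thread, a file that no
    longer exists), so an empty list is the goal before restarting Apache."""
    expected = f"{LIVE_DIR}/{cert_name}/"
    stale = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and not m.group(3).startswith(expected):
            stale.append(m.group(3))
    return stale


if __name__ == "__main__":
    print("stale before:", stale_cert_paths(OLD_VHOST, "bfts.us"))
    fixed = rewrite_ssl_directives(OLD_VHOST, "bfts.us")
    print(fixed)
    print("stale after:", stale_cert_paths(fixed, "bfts.us"))
```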

That seems to have fixed the issues and my site is now secure. Thanks. I appreciate the help.

1 Like

Excellent. It would be good to test the Certbot renewal before it happens

Show output of this

sudo certbot renew --dry-run

It will not change your existing certs nor your Apache config. It is just a test

Better to know any problems now while it is all fresh.

1 Like

It got one error.

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/bfts.us.conf

Simulating renewal of an existing certificate for bfts.us and 23 more domains
Failed to renew certificate bfts.us with error: Missing command line flag or config entry for this setting:
Input the webroot for bfts.twmccarty.com:

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/bfts.us/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The lines in the httpd-le-ssl.conf relating to bfts.twmccarty.com are:

<VirtualHost *:443>
DocumentRoot "/var/www/html/bfts.us"
ServerName bfts.twmccarty.com
SSLCertificateFile /etc/letsencrypt/live/bfts.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bfts.us/privkey.pem

The lines in the virt.conf relating to bfts.twmccarty.com are:

<VirtualHost *:80>
ServerName bfts.twmccarty.com
DocumentRoot "/var/www/html/bfts.us"
Redirect permanent / https://bfts.twmccarty.com/

Thanks again so much for your help.

2 Likes

Hmm. Bummer.

I think this is possibly related to the webroot map in the Certbot renewal config. Would you show the contents of this?

/etc/letsencrypt/renewal/bfts.us.conf
1 Like

cat /etc/letsencrypt/renewal/bfts.us.conf

# renew_before_expiry = 30 days
version = 4.0.0
archive_dir = /etc/letsencrypt/archive/bfts.us
cert = /etc/letsencrypt/live/bfts.us/cert.pem
privkey = /etc/letsencrypt/live/bfts.us/privkey.pem
chain = /etc/letsencrypt/live/bfts.us/chain.pem
fullchain = /etc/letsencrypt/live/bfts.us/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 161079b51[...]44
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
1 Like

Oh, sorry, I missed a step.

I had you test with --apache option using --dry-run (test system) earlier and that worked. But, I never had you re-issue your cert using that with production system. That is needed to update the renewal config file.

Your renewal config file has you using --webroot and not the --apache option. I'm not sure how you ever got a config file to look like that but oh well. A webroot should always have webroot paths with it but never mind. The --apache will work much better for you.

Do this

sudo certbot reconfigure --cert-name bfts.us -a apache

If that fails please show error message. If that worked, then try

sudo certbot renew --dry-run
2 Likes
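Added example, not part of the thread or of Certbot: a preflight check that reads a renewal config and reports the condition behind the "Input the webroot for ..." failure above, namely `authenticator = webroot` with neither a `[[webroot_map]]` entry nor a `webroot_path` fallback for a domain on the cert. The config text and the domain list are constructed from what the thread shows; the account id is a placeholder, and the two variants are constructed to show a partial map and an apache authenticator.

```python
# Constructed copy of the renewal config shown in the thread (account id is a
# placeholder).  Certbot renewal configs use configobj syntax: keys under
# [renewalparams], plus an optional nested [[webroot_map]] section mapping
# each domain to the directory that serves /.well-known/acme-challenge/.
RENEWAL_CONF = """# renew_before_expiry = 30 days
version = 4.0.0
archive_dir = /etc/letsencrypt/archive/bfts.us
cert = /etc/letsencrypt/live/bfts.us/cert.pem
privkey = /etc/letsencrypt/live/bfts.us/privkey.pem
chain = /etc/letsencrypt/live/bfts.us/chain.pem
fullchain = /etc/letsencrypt/live/bfts.us/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
"""

# Constructed variants: one that maps only a single domain, and one with the
# authenticator switched to apache, as the reconfigure command above does.
WITH_MAP = RENEWAL_CONF + "[[webroot_map]]\nbfts.us = /var/www/html/bfts.us\n"
APACHE_CONF = RENEWAL_CONF.replace("authenticator = webroot",
                                   "authenticator = apache")

# A subset of the domains on the cert, taken from the thread's
# 'certbot certificates' output.
CERT_DOMAINS = ["bfts.us", "bfts.twmccarty.com", "maint.bfts.us", "www.bfts.us"]


def parse_renewal_conf(text: str) -> tuple[dict, dict]:
    """Minimal reader for the two parts that matter here; returns
    (renewalparams, webroot_map).  Both [section] and nested [[section]]
    headers are reduced to their bare name."""
    params, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "webroot_map":
            webroot_map[key] = value
        elif section == "renewalparams":
            params[key] = value
    return params, webroot_map


def renewal_problems(text: str, domains: list[str]) -> list[str]:
    """Report why an unattended 'certbot renew' would stop and prompt.
    With authenticator = webroot every domain needs a [[webroot_map]] entry
    or the webroot_path fallback; any other authenticator needs neither."""
    params, webroot_map = parse_renewal_conf(text)
    auth = params.get("authenticator")
    if auth is None:
        return ["no authenticator in [renewalparams]"]
    if auth != "webroot":
        return []
    # configobj writes single-item lists with a trailing comma: "/var/www,"
    fallback = params.get("webroot_path", "").rstrip(",").strip()
    return [f"no webroot for {d}" for d in domains
            if d not in webroot_map and not fallback]


if __name__ == "__main__":
    for label, conf in (("thread", RENEWAL_CONF), ("map", WITH_MAP), ("apache", APACHE_CONF)):
        print(label, renewal_problems(conf, CERT_DOMAINS))
```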