--apache-bin is missing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sobco.com

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/www.sobco.com.conf


Cert is due for renewal, auto-renewing...
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for www.sobco.com
Performing the following challenges:
http-01 challenge for www.sobco.com
Cleaning up challenges
Failed to renew certificate www.sobco.com with error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): Apache/2.4.46 (Unix)

The operating system my web server runs on is (include version): macOS Big Sur

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

details:
This is on a working web server that has port 80 & 443 support
apachectl -S produces
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.sobco.com (/opt/www/configs/httpd-vhosts.conf:24)
port 80 namevhost www.sobco.com (/opt/www/configs/httpd-vhosts.conf:24)
port 80 namevhost sobco.com (/opt/www/configs/httpd-vhosts.conf:31)
port 80 namevhost www.kaybradner.com (/opt/www/configs/httpd-vhosts.conf:38)
port 80 namevhost kaybradner.com (/opt/www/configs/httpd-vhosts.conf:45)
port 80 namevhost www.scottbradner.com (/opt/www/configs/httpd-vhosts.conf:52)
port 80 namevhost scottbradner.com (/opt/www/configs/httpd-vhosts.conf:59)
*:443 is a NameVirtualHost
default server www.sobco.com (/opt/www/configs/httpd-vhosts.conf:77)
port 443 namevhost www.sobco.com (/opt/www/configs/httpd-vhosts.conf:77)
port 443 namevhost sobco.com (/opt/www/configs/httpd-vhosts.conf:90)
port 443 namevhost www.kaybradner.com (/opt/www/configs/httpd-vhosts.conf:101)
port 443 namevhost kaybradner.com (/opt/www/configs/httpd-vhosts.conf:112)
port 443 namevhost www.scottbradner.com (/opt/www/configs/httpd-vhosts.conf:124)
port 443 namevhost scottbradner.com (/opt/www/configs/httpd-vhosts.conf:136)
ServerRoot: "/usr/local/opt/httpd"
. . .

I see that others have asked about the "--apache-bin is missing" error before, but I could not find where anyone actually answered the question of how to fix that problem

this server used to renew just fine but I ported it to a new server and this is the first time I've tried to renew since - I assume I messed up a config or a link somewhere but I have compared the configs before & after and as far as I can tell they are the same

thanks


Welcome to the Let's Encrypt Community, Scott 🙂

Typically you would want a separate configuration file for each vHost. Your current setup will likely greatly confuse certbot.

Please try the following and post the output:

certbot certonly --webroot -w /path/to/webroot/for/www.sobco.com -d "www.sobco.com" --dry-run

The path to the webroot is the absolute path to the base folder for the www.sobco.com website.

that worked - thanks

Scott


Keep in mind that's just a test run. You need to remove --dry-run to do a live run.

I did and got the certs

Scott


Glad to hear it! 🥳

I got the new certs & they expire on June 29th (including one for www.kaybradner.com) but I just got a notice from the letsencrypt bot that said that the certs for www.kaybradner.com, www.scottbradner.com & www.sobco.com all expire in 20 days (on 26 April) - I just checked them all with Firefox and it says they all expire on June 29 - any idea what's up?


Have you read the documentation in total about expiration e-mails linked in the e-mail you've gotten?


if you are referring to the following

" In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names"

if not, what documentation are you referring to?

I did not add or subtract names from the set of names I have certs for - I did use webroot rather than just "renew"
at the suggestion of this list but the new certs were for the same set of www.X domains

adding to the puzzlement - I have had & did get new certs for the non-www forms
at the same time but did not receive an expiration message for those

Scott


The e-mail should also contain a link to: Expiration Emails - Let's Encrypt - Free SSL/TLS Certificates

Your certificate https://crt.sh/?id=3985941113 has not been renewed.


I looked at that - but I guess from your mail that the explanation is not as clear as it could be - it actually
is trying to say that "if you make any changes to the list of certs you get or in the way you get them you may get
extraneous expiration messages - you should ignore them"

or maybe "you may get extraneous expiration messages but if the actual certs are not due to expire soon you can
ignore the expiration message"

Scott


No, both statements are incorrect:

Where you say "list of certs" you should say "list of hostnames inside a cert". That's the only thing that matters: a new certificate with the exact set of hostnames in the SAN field of a cert (order doesn't matter) is a renewal. If a more recent cert has a different set of hostnames in the SAN, it is not a renewal.


all my certs have a single name in them (as far as I can tell) and always have - specifically I have
a cert in /etc/letsencrypt for each of the domain names and that has not changed

Scott


Please see the link to one of your certs above. It contains three hostnames in its SAN:

It has not been renewed.

Also, it would make a lot more sense (logically speaking) if you'd combine the apex domain and www subdomain of a single domain name into a single certificate.


Osiris (Community leader), April 6:
"Please see the link to one of your certs above. It contains three hostnames in its SAN:"

I have no idea how to find that out and no idea how that happened

when I first set things up I just gave a list of 6 names (www and non-www versions of the 3 domains) and
letsencrypt created 6 folders in the /etc/letsencrypt directory - from then on until last week
I just used "renew" to renew them, then that stopped working and, at your suggestion, I use webroot
(6 times) to update the certs and that seemed to work

"www.kaybradner.com
www.scottbradner.com
www.sobco.com
It has not been renewed."

  • same for the other 5
    if I go to www.kaybradner.com the cert I get expires in June - the same for each of the other 5 domains

bottom line - I do not know what, if anything, I need to do in response to the expiration message
(and your statement that I have 3 hostnames in a SAN and it has not been renewed)

Scott


I don't say you have to do anything, I'm trying to make you understand why Let's Encrypt sent you the e-mail, even when you seem to have everything working.

In trying to make you understand this, I've shown you a certificate containing a specific set of hostnames which has not been renewed. Let's Encrypt sent you an e-mail regarding that specific certificate.

If you do not require said certificate any longer (because you've got other certificates containing different sets of hostnames), you can ignore the e-mail.

I hope it makes more sense now.


I can not figure out how to find that cert - and how do I find out that it includes more than one name?

Scott

It might not be active on your server any longer. However, every certificate issued has been logged in a certificate log, which can be searched on sites such as crt.sh.

For example, you can find all certificates including the domain name kaybradner.com with: crt.sh | kaybradner.com

On that page you'll see two certificates logged and issued on 2021-01-26, valid until 2021-04-26 and containing the hostname www.kaybradner.com. However, if you click on the link in front of those certificates, you'll see that the certificate with number 3985941113 contains the aforementioned three domains.

All other fairly recent certificates (since 2021-01-26) don't include those other two domains, but only some variant of kaybradner.com.


ok - thanks - I will explore


Hello again, Scott 🙂

I see that @Osiris has been helping you through the confusion of the expiry email system. There is an active discussion and effort underway to improve this system. The rule of thumb is to see what certificates you actually have installed. This can usually be accomplished by clicking on the padlock icon next to the address bar in your web browser when you visit your website. The list of certificates given by sudo certbot certificates will indicate what certificates actually exist (but not whether they are actually installed). You can also use https://crt.sh to list all of the certificates that you have been issued (which includes certificates that you might not actually still have). You can use the Advanced link from the main https://crt.sh screen to check the Deduplicate box before searching for your domain name. This will filter the "precertificates" out of the list. Without doing this, it will look like you have been issued twice as many certificates as you actually have!

1 Like
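
The renewal rule explained earlier in the thread (a newer certificate counts as a renewal only if its SAN hostname set is exactly the same, in any order), applied to a certificate inventory such as one put together from crt.sh or `certbot certificates`. This is an added Python example, not part of any post and not Certbot or Let's Encrypt code. The records are constructed: only the id 3985941113, its three hostnames, the 20-day notice and the 26 April / 29 June expiry dates come from the thread, while `san_key`, `unrenewed` and the `sample-*` ids are assumptions.

```python
from datetime import date, timedelta

def san_key(names):
    """Identity of a certificate for renewal purposes: its set of
    hostnames, ignoring order and letter case."""
    return frozenset(n.strip().lower() for n in names)

def unrenewed(certs, today, window_days=20):
    """Certificates that would still trigger an expiry reminder.

    For each distinct SAN set keep only the newest certificate, then
    report the sets whose newest certificate expires inside the window.
    A newer certificate with a different SAN set does not count."""
    newest = {}
    for cert in certs:
        key = san_key(cert["san"])
        if key not in newest or cert["not_after"] > newest[key]["not_after"]:
            newest[key] = cert
    horizon = today + timedelta(days=window_days)
    return sorted((c for c in newest.values()
                   if today <= c["not_after"] <= horizon),
                  key=lambda c: c["id"])

# Constructed sample modelled on the thread (not real crt.sh output).
CERTS = [
    {"id": "3985941113", "not_after": date(2021, 4, 26),
     "san": ["www.kaybradner.com", "www.scottbradner.com", "www.sobco.com"]},
    # Older single-name certificate, superseded by sample-a below.
    {"id": "sample-d", "not_after": date(2021, 4, 26),
     "san": ["www.kaybradner.com"]},
    # Single-name certificates obtained with --webroot, expiring June 29.
    {"id": "sample-a", "not_after": date(2021, 6, 29),
     "san": ["www.kaybradner.com"]},
    {"id": "sample-b", "not_after": date(2021, 6, 29),
     "san": ["www.scottbradner.com"]},
    {"id": "sample-c", "not_after": date(2021, 6, 29),
     "san": ["www.sobco.com"]},
]

if __name__ == "__main__":
    for cert in unrenewed(CERTS, today=date(2021, 4, 6)):
        print(cert["id"], cert["not_after"], ", ".join(sorted(cert["san"])))
```

Only the three-name certificate is reported: each hostname is covered by a newer certificate, but none of those carries the same SAN set, so the reminder for it is still sent.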