Apache | Installing Problem 443

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cc-sw.de
I ran this command:
Installing Instructions
It produced this output:
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-available/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Rolling back to previous server configuration...
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Encountered exception during recovery
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 495, in _rollback_and_restart
    self.installer.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1658, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1669, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please submit a bug report to
    https://github.com/letsencrypt/letsencrypt

My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Debian Jessie
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The problem that I have is that nothing works anymore! Please help!

Hi,

Can you show us the command you entered?
Also, please check whether your Apache server is able to restart.

Thank you

Command:
$ sudo certbot --authenticator webroot --installer apache
and or:
$ sudo certbot certonly --authenticator standalone --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"
Apache I have restarted. Not working

Okay so I have repaired all!

Can someone help me with this problem? The port 443.
What do I need to do?

So what error or problem are you having now?

You seem to have successfully obtained a certificate; I guess it just failed to install into Apache, because Apache apparently couldn't bind to port 443. Do you have something else besides Apache listening on port 443?

sudo lsof -i :443 | grep LISTEN

(Aside: your site seems to be working over HTTPS because it's behind Cloudflare's CDN, so I assume you want to use Let's Encrypt to encrypt the connection from Cloudflare back to your origin server. Of course you can also use Cloudflare's Origin CA for that, but you would still have to figure out how to install the certificate to Apache anyway.)


Heey,
thanks for the answer!

I have done it... It says
docker-pr 2682 root 4u IPv6 21209 0t0 TCP *:https (LISTEN)

But it's right, I have Cloudflare and it protects, but I also want to have SSL encryption besides Domain/Cloudflare to server
You say I can do it if a think from Cloudflare...
I look at this but don't know if it works
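
The `lsof` check suggested above, worked through on the output the poster got, as an added example that is not part of the thread: it parses `lsof -i` lines and reports any non-Apache process holding the port, which is what produces the AH00072 bind failure. The function names are hypothetical, the `apache2` sample lines are constructed, and the sketch assumes Apache appears as `apache2` or `httpd`.

```shell
#!/bin/sh
# Added example (not from the thread): find which process holds a TCP port
# in `lsof -i` output. Function names are hypothetical.

# Constructed sample. The docker-pr line is the one quoted in the thread;
# the apache2 lines on port 80 are invented for contrast.
sample_lsof() {
cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 2682     root    4u  IPv6  21209      0t0  TCP *:https (LISTEN)
apache2   1911     root    3u  IPv6  20110      0t0  TCP *:http (LISTEN)
apache2   1914 www-data    3u  IPv6  20110      0t0  TCP *:http (LISTEN)
EOF
}

# Print "command pid address" for every LISTEN socket on port $1.
# Without -P, lsof prints service names (https, http), so map them back.
port_listeners() {
    awk -v port="$1" '
        BEGIN { svc["https"] = 443; svc["http"] = 80 }
        $NF == "(LISTEN)" {
            addr = $(NF - 1)               # e.g. *:https or [::1]:8443
            p = addr; sub(/.*:/, "", p)    # keep text after the last colon
            if (p in svc) p = svc[p]
            if (p == port) print $1, $2, addr
        }'
}

# Exit 0 if port $1 is free or held only by Apache; otherwise print each
# foreign holder and exit 1. Assumption: Apache shows up as apache2 or httpd.
# lsof truncates COMMAND to 9 characters, so docker-proxy reads "docker-pr".
check_port_for_apache() {
    port_listeners "$1" | awk -v port="$1" '
        $1 != "apache2" && $1 != "httpd" {
            printf "port %s held by %s (pid %s) on %s\n", port, $1, $2, $3
            bad = 1
        }
        END { exit bad + 0 }'
}

# Live use: sudo lsof -i :443 | check_port_for_apache 443
sample_lsof | check_port_for_apache 443 || true
```

A `docker-pr` holder means a Docker container publishes host port 443 through docker-proxy, so Apache cannot bind that port until the container's port mapping is changed or removed.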

I have done it with Let's Encrypt...

But is this normal?

You can not use a certificate directly on an IP.
https://37.114.96.47/ will always fail that way.
Use the domain name instead:
https://www.cc-sw.de/

But since you are using CloudFlare, you are probably trying to force the https connection to your server to check if it is actually encrypted.

For that you will have to temporarily force the domain name (www.cc-sw.de) to resolve to your real IP.
You can do that in the HOSTS file.
In Windows it can normally be found in the /windows/system32/drivers/etc folder.
In Linux, it is normally the /etc/hosts file.
Simply add an entry:
37.114.96.47 www.cc-sw.de

One final thought, since the site IP also can be resolved by the base domain name (cc-sw.de), you might want to include both names (cc-sw.de, www.cc-sw.de) in the certificate and in your vhost config block.

I have done it for www.cc-sw.de
Where I can add this for cc-sw.de?

Hi,

I'm just curious... why not use both hostnames in one certificate...

Thank you

I forgot to add it during the installing process.
Can I add them at a later time?

You'd just need to issue a new certificate that includes both of the names you want it to cover - certificates are immutable once issued.

But then I must completely reinstall certbot...

Or what?
Can someone give me instructions

You don't need to reinstall certbot each time to get a certificate.

Just run sudo certbot -d your domain -d your second hostname -d your third hostname (replace "domain" "x hostname" with your real hostname)

Thank you

certbot -d cc-sw.de -d www.cc-sw.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.cc-sw.de.conf)

It contains these names: www.cc-sw.de

You requested these names for the new certificate: cc-sw.de, www.cc-sw.de.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

It is saying this!
Can you help?

Please see

This might result in needing to install a new version of Certbot after all, not because you're obtaining a new certificate, but because of the issue about ACME challenge implementations.

I would try adding:
--preferred-challenges http
or
--preferred-challenges tls-sni

This is not strictly true. Let's Encrypt does not currently issue certificates for IP addresses, but some CAs do, and it's a valid type of certificate.

For the purpose of this thread, it's close enough, but I think it's important that we be strictly correct here since people come to us for trusted advice. :slight_smile:


I thought that those IP certificates are now only under "private CA" (public not trusted CAs)...

Isn't issuing trusted certificates from a public trusted CA a violation of CA policies?