Apache is munged by uninstalling Certbot


#1

SSL via Certbot was working on one of my domains quite well for the last two months. I decided to install it on my other domain and started having problems. So I deleted those domains using certbot delete. Things got worse. It kept redirecting from http to https. Anyway, to cut a long story short, I uninstalled Certbot and Apache stopped working. It had problems because the .conf file was referring to a letsencrypt directory and it could not find a file there. So I reinstalled Certbot and I am getting all kinds of errors and Apache is not bringing up my domains (it still redirects to https).
I got the error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Since this is a new install and even the old install was fairly new (i.e. after Jan 2018) I didn't think I needed to update Certbot, but I did it anyway, using:

certbot --authenticator standalone --installer apache -d podronestech.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

However, even this is giving me an error:

Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/podrones.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.podrones.com/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/podrones.com-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/www.podrones.com/fullchain.pem' does not exist or is empty\n",)

Note that it is using a different domain from the one in the command.

Please help! Our site is down and people are upset!

P.S. I can start Apache by commenting out the line
IncludeOptional sites-enabled/*.conf
in /etc/apache2/apache2.conf, but that still doesn't start my sites.


#2

Hi @agupte

instead of the global comment out, check this file.

There is the ssl vHost (port 443) of your site.


#3

Thanks, but what do I do there? I tried commenting out the lines:
#SSLCertificateFile /etc/letsencrypt/live/www.podrones.com/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.podrones.com/privkey.pem
But that doesn't help.


#4

You must remove / comment out your complete vHost.

An ssl-vHost needs a certificate, but if you have deleted your certificate, an ssl-vHost must crash.


#5

Thanks, that helped. I also had to remove the redirect rule from my /etc/apache2/sites-enabled/*.conf and it works...

Thanks for your help.


#6

So how do I get it to work now and prevent these problems in the future?


#7

Don’t delete certificates that are actively in use with certbot delete (this command does not have a way of checking whether software on your system is still using those certificates, even if Certbot was originally responsible for configuring the software to do so), and don’t manually delete anything in /etc/letsencrypt. Different versions of Certbot can use the same data in /etc/letsencrypt, so if you uninstall an old version of Certbot and install a newer one, it will continue to understand the information that the previous version put there.

In general, you should only delete a certificate if that certificate was issued in error and is no longer being used at all. If you have a specific problem with your HTTPS site after running Certbot (for example, incorrect redirects or failed validation), you can ask on this forum and people can help debug it—but deleting the certificate is probably not the solution.


#8

Wow! You would expect certbot to at least warn you, if not prevent you from deleting if the consequences are so severe. I can understand problems created by deleting at the command prompt, but from within the certbot command it would be trivial to put in a warning.


#9

Now, the question is, how do I reconfigure my sites to have ssl? Given that some old files (such as *.conf) still exist (and some, such as the *.pem files, don't).


#10

You should delete any -le-ssl.conf file in /etc/apache2/sites-available and /etc/apache2/sites-enabled if the corresponding certificate no longer exists on your system. (You can run certbot certificates to see whether any still exist.)

Then you can start from the beginning by requesting a certificate with Certbot and allowing it to create a corresponding HTTPS virtual host again.
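The check described in the reply above, written out as an added example (it is not code from this thread or from Certbot): a small POSIX shell script that scans a sites-enabled directory, reports every SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile directive whose target is missing or empty (the condition behind AH00526), and lists the port-80 vhosts that still carry an http-to-https redirect into a now-certificate-less site. The directory is passed as an argument so the script can be pointed at /etc/apache2/sites-enabled on a real host or at a scratch directory; the sample vhost files it builds for its own demo are constructed here and the domain names in them are made up. It modifies nothing; the operator decides what to a2dissite or remove.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Certbot itself.
# Find Apache SSL vhosts that reference certificate files which no longer
# exist (for instance after `certbot delete`), plus port-80 vhosts that
# still redirect into them. Read-only: nothing is changed on disk.

# Print the path operand of every active (not commented-out)
# SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile line
# in the conf file given as $1. One path per line.
cert_paths_in() {
    grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+' "$1" \
        | awk '{ print $2 }'
}

# For every *.conf under directory $1, print "conf: path" for each certificate
# reference whose target file is missing or empty. Returns 1 if anything
# dangling was found, 0 otherwise. Paths are split on whitespace, which is
# fine for /etc/letsencrypt/live/... style paths but not for paths with spaces.
list_dangling_ssl_vhosts() {
    dir=$1
    status=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        for p in $(cert_paths_in "$conf"); do
            if [ ! -s "$p" ]; then
                printf '%s: %s\n' "$conf" "$p"
                status=1
            fi
        done
    done
    return $status
}

# Print every *.conf under directory $1 that still has an active RewriteRule
# or Redirect sending traffic to https://. Once the SSL vhost is gone these
# rules push every visitor into a dead port-443 site, which is the
# "still redirects to https" symptom in the thread.
list_https_redirects() {
    grep -lE '^[[:space:]]*(RewriteRule|Redirect(Permanent)?)[[:space:]].*https://' \
        "$1"/*.conf 2>/dev/null
}

# Build a scratch "sites-enabled" directory with constructed sample vhosts
# so the checks above can be exercised offline. Prints the directory path.
# The domains and file contents are made up; only the directive shapes
# matter (the redirect lines mirror what Certbot's apache installer writes).
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/live/good.example"
    printf 'not a real certificate\n' > "$d/live/good.example/fullchain.pem"
    printf 'not a real key\n'         > "$d/live/good.example/privkey.pem"

    # SSL vhost whose certificate files still exist: must not be reported.
    cat > "$d/good.example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName good.example
    SSLCertificateFile $d/live/good.example/fullchain.pem
    SSLCertificateKeyFile $d/live/good.example/privkey.pem
</VirtualHost>
EOF

    # SSL vhost left behind after its certificate was deleted: both
    # directives point at files that do not exist and must be reported.
    cat > "$d/gone.example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName gone.example
    SSLCertificateFile $d/live/gone.example/fullchain.pem
    SSLCertificateKeyFile $d/live/gone.example/privkey.pem
</VirtualHost>
EOF

    # Port-80 vhost still carrying the http->https redirect for the dead site.
    cat > "$d/gone.example.conf" <<EOF
<VirtualHost *:80>
    ServerName gone.example
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

# Usage on a real host (run as root, nothing is modified):
#   list_dangling_ssl_vhosts /etc/apache2/sites-enabled
#   list_https_redirects    /etc/apache2/sites-enabled
# Cross-check the reported live/ directories against `certbot certificates`,
# then `a2dissite <name>-le-ssl`, drop the matching redirect lines, and
# confirm with `apache2ctl configtest` before restarting Apache.
```

Run the two list functions before touching anything, compare the live/ directories they name against the output of certbot certificates, and only then disable the orphaned -le-ssl vhosts and remove the matching redirect lines; apache2ctl configtest should come back clean before Apache is restarted and Certbot is run again to recreate the HTTPS vhost.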


#11

The consequence of "automating things" is the expectation that it should be automated (fully).
Anyone versed in this art can see that it is nearly impossible, given the number of variables and limitless (unpredictable) scenarios posed...

Still, "progress is progress" and, albeit slow at times, progress is steady and moving in the right direction. [Which never comes soon enough but will eventually get here...]

One day we will have programmed things to cover all possible scenarios and completely overcome all possible doings/undoings, but until then we muddle through it as best we can.
Like tiny little ants building a skyscraper... one grain of sand at a time.


#12

Thanks! I think I will create a separate Virtual Server on my cloud and test all this first. Appreciate your help.


#13

Let me not underrate your work, and I want to state that I am grateful for teams like yours who are creating FOSS utilities and platforms. Keep up the good work! And thanks many times!


closed #14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.