Apache on Debian Bullseye

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

www.miim.com

I ran this command:

/usr/local/bin/certbot-auto --apache --apache-server-root /usr/local/apache2

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ****************@miim.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: a


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: n

Which names would you like to activate HTTPS for?


1: www.miim.com
2: therenderingplant.com
3: www.therenderingplant.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.miim.com
http-01 challenge for www.therenderingplant.com
Cleaning up challenges
File: /etc/apache2/le_http_01_challenge_pre.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
File: /etc/apache2/le_http_01_challenge_post.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
An unexpected error occurred:
IOError: [Errno 2] No such file or directory: '/etc/apache2/le_http_01_challenge_pre.conf'
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

root:/usr/src/certbot> ls /etc/letsencrypt
accounts cli.ini csr keys options-ssl-apache.conf renewal renewal-hooks
root:/usr/src/certbot> ls /etc/apache2
ls: cannot access '/etc/apache2': No such file or directory

My web server is (include version):

Apache 2.4.41, built from distribution – NOT the Debian auto-installed one

The operating system my web server runs on is (include version):

Debian linux Bullseye

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.40.1

Notes:

  1. The Debian apt installation of Certbot cannot be used because this system has an Apache built from distribution. Attempting to install the Debian apt version would destroy the existing web server and configuration.

  2. Despite having told Certbot that the Apache distribution is rooted at /usr/local/apache2/conf, it appears to be attempting to use config files located in what would be the Debian install config root, /etc/apache2.

Question: Before going forward with attempting to activate SSL, have I got a usable configuration or not; and how do I confirm that the configuration is usable?

1 Like

I tried reproducing this on Debian Bullseye and Apache httpd built from source with --prefix /usr/local/apache.

The cause of this appears to be a Debian platform default for --apache-challenge-location.

I was able to get past it and ultimately issue and install the certificate, by including that flag, along with others:

certbot-auto --apache \
--apache-ctl /usr/local/apache/bin/apachectl \
--apache-logs-root /usr/local/apache/logs/ \
--apache-server-root /usr/local/apache/conf/ \
--apache-challenge-location /etc/letsencrypt \
-d example.org

3 Likes

Thank you for your prompt and detailed reply. I am restoring the system to the last backup before I started attempting the Certbot install so that I will have a clean platform to begin again. I’ll update after I get that done and attempt the new install.

1 Like

I am considerably further along, I think.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <domain1>.com
http-01 challenge for <domain2>.com
http-01 challenge for www.<domain1>.com
http-01 challenge for www.<domain2>.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /usr/local/apache2/conf/miim-le-ssl.conf
Unsupported directory layout. You may try to enable mod socache_shmcb and try again.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.miim.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.miim.com/privkey.pem
   Your cert will expire on 2020-03-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

a) Why would enabling a caching module solve problems with the Apache directory structure?

b) The SSL vhost file was not actually created, but as it looks like I am very close, am I now at a point where I can enable the SSL module and create a vhost config file manually?

1 Like

It’s an optional dependency of mod_ssl. I believe Certbot wants it for SSLStaplingCache.

I got the same error as you - once I uncommented socache_shmcb in httpd.conf and re-ran Certbot, the new virtual SSL host was created.

Edit: You might be able to avoid it entirely with --no-staple-ocsp, but I haven’t tested it.

1 Like
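
A pre-flight check for the two failures discussed in the replies above (the challenge location falling back to the Debian path, and socache_shmcb not being loaded), added here as an example that is not part of the thread or of Certbot. The function name is hypothetical, and the script assumes httpd.conf sits directly under the directory passed as --apache-server-root.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a source-built
# Apache before running certbot with the --apache plugin.
# Assumption: the main config is httpd.conf directly under the directory
# given as --apache-server-root, as in the reply's /usr/local/apache/conf/.

# Usage: check_certbot_apache_layout SERVER_ROOT APACHECTL LOGS_ROOT CHALLENGE_DIR
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_certbot_apache_layout() {
    server_root=${1%/} apachectl=$2 logs_root=$3 challenge_dir=$4
    conf="$server_root/httpd.conf"
    rc=0

    # --apache-ctl must point at the apachectl of this build.
    [ -x "$apachectl" ] || { echo "not executable: $apachectl"; rc=1; }

    # --apache-server-root and --apache-logs-root must be real directories.
    for dir in "$server_root" "$logs_root"; do
        [ -d "$dir" ] || { echo "missing directory: $dir"; rc=1; }
    done

    # --apache-challenge-location: the first run in the thread failed on
    # le_http_01_challenge_pre.conf under a directory that did not exist,
    # so require an existing, writable directory here.
    if [ ! -d "$challenge_dir" ] || [ ! -w "$challenge_dir" ]; then
        echo "challenge location not a writable directory: $challenge_dir"
        rc=1
    fi

    # Second failure in the thread: the SSL vhost was only created after
    # socache_shmcb was uncommented in httpd.conf. Only an uncommented
    # LoadModule line in httpd.conf itself is detected; a module loaded
    # from an Include'd file is not seen by this check.
    if [ ! -f "$conf" ]; then
        echo "missing config: $conf"; rc=1
    elif ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+socache_shmcb_module[[:space:]]' "$conf"; then
        echo "socache_shmcb_module not loaded in $conf"; rc=1
    fi
    return "$rc"
}

# Run as a script with the same four paths you intend to pass to certbot.
if [ "$#" -eq 4 ]; then
    check_certbot_apache_layout "$@"
fi
```
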

With the command string you supplied above, I was able to get the necessary certificates and store them.

I am unable to connect to the server on port 443 even internally – connection times out and Apache logs nothing – but I believe this is due to misconfiguration in the default server and vhost configuration files, and that is certainly to be expected in this situation. I will chase that problem myself and see if I can discover the cause.

Many thanks for your assistance. The sparse documentation for some of the necessary command options made it unlikely I would ever have solved this issue without help.