Apache plugin fails to parse subdomain configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: justsudoit.com

I ran this command: sudo certbot renew --dry-run --apache

It produced this output:

	Saving debug log to /var/log/letsencrypt/letsencrypt.log
	
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	Processing /etc/letsencrypt/renewal/justsudoit.com.conf
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	Cert not due for renewal, but simulating renewal for dry run
	Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
	The error was: PluginError('There has been an error in parsing the file /etc/apache2/sites-enabled/pfix.conf on line 16: Syntax error',)
	Attempting to renew cert (justsudoit.com) from /etc/letsencrypt/renewal/justsudoit.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
	The error was: PluginError('There has been an error in parsing the file /etc/apache2/sites-enabled/pfix.conf on line 16: Syntax error',). Skipping.
	All renewal attempts failed. The following certs could not be renewed:
	  /etc/letsencrypt/live/justsudoit.com/fullchain.pem (failure)
	
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	** DRY RUN: simulating 'certbot renew' close to cert expiry
	**          (The test certificates below have not been saved.)
	
	All renewal attempts failed. The following certs could not be renewed:
	  /etc/letsencrypt/live/justsudoit.com/fullchain.pem (failure)
	** DRY RUN: simulating 'certbot renew' close to cert expiry
	**          (The test certificates above have not been saved.)
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Package: apache2
Version: 2.4.29-1ubuntu4.12

The operating system my web server runs on is (include version):
Ubuntu 18.04.4

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.27.0

You will note that the error message says there is a syntax error on line 16, but the config is only 15 lines long. I have multiple subdomains, all of them with identical conf files in the /etc/apache2/sites-enabled directory (except for “ServerName” and “DocumentRoot”). Renewing without the apache plugin (i.e., stopping the webserver, then running sudo certbot renew) works fine. I would prefer to not have to stop the apache server in order to renew if possible.

What’s the contents of /etc/apache2/sites-enabled/pfix.conf? Please paste the contents as “Preformatted text” (with the </> logo in the text editor bar above).

/etc/apache2/sites-enabled/pfix.conf

	<IfModule mod_ssl.c>
	 <VirtualHost *:80>
	    ServerName pfix.justsudoit.com
	    Redirect / https://pfix.justsudoit.com
	 </VirtualHost>
	 <VirtualHost _default_:443>
	    ServerAdmin mattlloyd37@gmail.com
	    DocumentRoot /var/www/pfix/public
	    ErrorLog ${APACHE_LOG_DIR}/error.log
	    CustomLog ${APACHE_LOG_DIR}/access.log combined
	    SSLEngine on
	    ServerName      pfix.justsudoit.com
	    SSLCertificateFile /etc/letsencrypt/live/justsudoit.com/fullchain.pem
	    SSLCertificateKeyFile /etc/letsencrypt/live/justsudoit.com/privkey.pem
	 </VirtualHost>

Certbot might be unhappy that there’s no </IfModule> at the end.


Adding </IfModule> to the end made no difference. After reloading apache and rerunning sudo certbot renew --dry-run --apache, it throws the same error message, only now complaining about line 17 (the config is now 16 lines long with the addition). I don’t know where this phantom line is coming from.

Are there definitely no trailing bytes?

	tail -c 8 /etc/apache2/sites-enabled/pfix.conf | xxd

Okay, I tried using the config from your post, and got the same error:

	root@a42173caeee4:/# certbot --apache -d pfix.justsudoit.com --staging --register-unsafely-without-email --agree-tos
	Saving debug log to /var/log/letsencrypt/letsencrypt.log
	The apache plugin is not working; there may be problems with your existing configuration.
	The error was: PluginError('There has been an error in parsing the file /etc/apache2/sites-enabled/000-default.conf on line 16: Syntax error')

(There’s only 15 lines in the file).

Adding the terminating </IfModule> as suggested by @mnordhoff did fix it.

You might have to make the same change to any other files with the same problem as well …

What line did you place </IfModule> at?

Just at the end.

	<IfModule mod_ssl.c>
	<VirtualHost *:80>
	    ServerName pfix.justsudoit.com
	    Redirect / https://pfix.justsudoit.com
	</VirtualHost>
	<VirtualHost _default_:443>
	    ServerAdmin mattlloyd37@gmail.com
	    DocumentRoot /var/www/pfix/public
	    ErrorLog ${APACHE_LOG_DIR}/error.log
	    CustomLog ${APACHE_LOG_DIR}/access.log combined
	    SSLEngine on
	    ServerName      pfix.justsudoit.com
	    SSLCertificateFile /etc/letsencrypt/live/justsudoit.com/fullchain.pem
	    SSLCertificateKeyFile /etc/letsencrypt/live/justsudoit.com/privkey.pem
	</VirtualHost>
	</IfModule>

You mentioned:

If they have the identical mistake, then you might need to fix each of them individually.

Okay, I think I figured out why it didn’t work the first time I tried adding that line. I believe it had to do with the indentation level. Anyway, I added the line to all my subdomain configs and all is working now. Thank you to everyone who assisted with this, much appreciated!
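
Added example, not part of the original thread and not Certbot's own code: in this thread the parse error pointed one line past the end of the file, while the actual problem was an `<IfModule>` opened on line 1 and never closed. The sketch below scans Apache config files for unclosed or stray section tags and reports the line where each one sits, which helps when several subdomain files share the same mistake. It assumes each section tag is on its own line with no backslash continuations; `find_unbalanced` and `SAMPLE_BROKEN` are hypothetical names.

```python
import re
import sys
from pathlib import Path

# Constructed sample, abbreviated from the config posted in the thread:
# <IfModule> is opened on line 1 and never closed.
SAMPLE_BROKEN = """\
<IfModule mod_ssl.c>
 <VirtualHost *:80>
    ServerName pfix.justsudoit.com
 </VirtualHost>
 <VirtualHost _default_:443>
    SSLEngine on
 </VirtualHost>
"""

# An opening (<Name args>) or closing (</Name>) section tag alone on a line.
TAG = re.compile(r"^\s*<(/?)([A-Za-z][A-Za-z0-9_]*)\b[^>]*>\s*$")


def find_unbalanced(text):
    """Return sorted (line_no, message) pairs for unclosed or stray tags."""
    stack, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out tags do not count
        m = TAG.match(line)
        if not m:
            continue
        closing, name = m.group(1), m.group(2)
        if not closing:
            stack.append((name, no))
        elif stack and stack[-1][0].lower() == name.lower():
            stack.pop()  # directive names are case-insensitive
        else:
            problems.append((no, f"</{name}> has no matching opener"))
    # Whatever is still open at end of file was never closed.
    problems += [(no, f"<{name}> is never closed") for name, no in stack]
    return sorted(problems)


if __name__ == "__main__":
    print("sample:", find_unbalanced(SAMPLE_BROKEN))
    default = sorted(Path("/etc/apache2/sites-enabled").glob("*.conf"))
    for path in sys.argv[1:] or default:
        for no, msg in find_unbalanced(Path(path).read_text(errors="replace")):
            print(f"{path}:{no}: {msg}")
```

Run it with no arguments to scan `/etc/apache2/sites-enabled/*.conf`, or pass specific files as arguments.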