Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: loweoak.net
I ran this command: certbot certonly --force-renew --standalone -d loweoak.net -d *.loweoak.net
It produced this output: I completed successfully. But when I tried to restart the server, I got this:
```
[Sat Apr 27 08:46:42.380282 2024] [suexec:notice] [pid 434396:tid 434396] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Apr 27 08:46:42.432754 2024] [ssl:emerg] [pid 434396:tid 434396] AH02572: Failed to configure at least one certificate and key for loweoak.net:443
[Sat Apr 27 08:46:42.432929 2024] [ssl:emerg] [pid 434396:tid 434396] SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode. Input type: PEM)
[Sat Apr 27 08:46:42.432983 2024] [ssl:emerg] [pid 434396:tid 434396] SSL Library Error: error:0480006C:PEM routines::no start line -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sat Apr 27 08:46:42.433020 2024] [ssl:emerg] [pid 434396:tid 434396] SSL Library Error: error:0A0000B1:SSL routines::no certificate assigned
[Sat Apr 27 08:46:42.433043 2024] [ssl:emerg] [pid 434396:tid 434396] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
```
My web server is (include version)
The operating system my web server runs on is (include version): Fedora 40
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0
That command could not be successful. The --standalone option only supports the HTTP Challenge and you requested a wildcard cert (*.loweoak.net). A wildcard cert requires a DNS Challenge.
I see you did get a wildcard cert so I assume you used a manual method to satisfy the DNS Challenge. Is that possible?
Also, I see you have gotten many certs already. You should quit using --force-renew or you will soon be rate limited on your non-wildcard cert the same as you are on that wildcard cert (since you got 5 in last two days already). The --force-renew should only be used in very rare cases and then only once. Not over and over. It will not force something to work that is not working already.
Those look like Apache error messages. If you switch to a non-wildcard it would be easier to use the --apache method. Although, it looks like your Apache has faulty configuration. What instructions did you follow to configure Apache?
I am signing off for the night but you should probably wait for another expert volunteer to help you parse your problems.
You should use the Let's Encrypt staging system while testing. Be careful about making other attempts against production or you will get further rate limited and make things even more difficult.
The problem I have is with openssl, I believe. It doesn't seem to recognize the cert file structure of the .pem file. This is a very new upgrade to version 40 of Fedora Linux. I'm wondering if there is not some versioning issue?
To be honest, I haven't done anything with this server for quite a while. I got on it a couple of days ago and upgraded it. Then I noticed the certs had expired, so I renewed them and have not been able to get the server to start since. Thank you for your help.
In troubleshooting this, I've tried an RSA cert. I had the same results. What I get from the error messages is openssl doesn't want to open a .pem file. I've reinstalled openssl and its libraries. I've disabled SELinux.
```
VirtualHost configuration:
*:80 is a NameVirtualHost
    default server awstats.loweoak.net (/etc/httpd/conf.d/awstats.loweoak.net.conf:1)
    port 80 namevhost awstats.loweoak.net (/etc/httpd/conf.d/awstats.loweoak.net.conf:1)
    port 80 namevhost loweoak.net (/etc/httpd/conf.d/com.conf:1)
        alias loweoak.net
*:443 is a NameVirtualHost
    default server loweoak.net (/etc/httpd/conf.d/com_SSL.conf:2)
    port 443 namevhost loweoak.net (/etc/httpd/conf.d/com_SSL.conf:2)
    port 443 namevhost loweoak.net (/etc/httpd/conf.d/ssl.conf:56)
```
=======================================
certbot certificates:
```
[root@www will]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
  Certificate Name: loweoak.net
    Serial Number: 3cf75f973a76c61982d6e44979b4c67593c
    Key Type: ECDSA
    Domains: loweoak.net *.loweoak.net
    Expiry Date: 2024-07-27 00:05:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/loweoak.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/loweoak.net/privkey.pem
```
Looks like you have two VirtualHosts for the same domain name. That shouldn't be.
Please show both and note the file names. Place 3 backticks before and after the output otherwise some tags will be lost to forum formatting. Like this:
```
contents of com_SSL.conf
```
and
```
contents of ssl.conf
```
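
One way to check what the `no start line` error and the duplicate port-443 VirtualHosts point at, as an added example that is not part of any post in this thread: list every `SSLCertificateFile` / `SSLCertificateKeyFile` directive, test whether the file it names begins with a PEM start line, and flag VirtualHosts that set a certificate but no key file. The function names, `site_a.conf`, `site_b.conf` and `example.test` are hypothetical, the sample files are constructed placeholders, and paths in the directives are assumed to be absolute.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All sample files are constructed placeholders.

# Print "conf:line directive path" for every certificate/key directive.
list_ssl_directives() {
    awk '/^[ \t]*#/ { next }
         { d = tolower($1) }
         d == "sslcertificatefile" || d == "sslcertificatekeyfile" {
             p = $2; gsub(/"/, "", p); print FILENAME ":" FNR, $1, p
         }' "$@"
}

# MISSING, NO_START_LINE (file has no "-----BEGIN" line) or PEM_OK.
pem_status() {
    if [ ! -r "$1" ]; then echo MISSING
    elif grep -q -- '^-----BEGIN ' "$1"; then echo PEM_OK
    else echo NO_START_LINE; fi
}

# One report line per directive, ending in the status of the file it names.
check_ssl_files() {
    list_ssl_directives "$@" | while read -r where directive path; do
        echo "$where $directive $path $(pem_status "$path")"
    done
}

# "conf:line" of each <VirtualHost> with a certificate but no key directive;
# that is only valid when the certificate file also holds the private key.
vhosts_missing_key() {
    awk '/^[ \t]*#/ { next }
         { d = tolower($1) }
         d ~ /^<virtualhost/          { start = FILENAME ":" FNR; cert = 0; key = 0 }
         d == "sslcertificatefile"    { cert = 1 }
         d == "sslcertificatekeyfile" { key = 1 }
         d ~ /^<\/virtualhost/        { if (cert && !key) print start }' "$@"
}

# Constructed sample: two vhost files for one name, the second one broken.
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' placeholder '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    : > "$1/empty.pem"
    printf '%s\n' '<VirtualHost *:443>' '  ServerName example.test' "  SSLCertificateFile $1/fullchain.pem" \
        "  SSLCertificateKeyFile $1/privkey.pem" '</VirtualHost>' > "$1/site_a.conf"
    printf '%s\n' '# second vhost, same name' '<VirtualHost *:443>' '  ServerName example.test' \
        "  SSLCertificateFile $1/empty.pem" '</VirtualHost>' > "$1/site_b.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
check_ssl_files "$tmp"/site_*.conf; vhosts_missing_key "$tmp"/site_*.conf; rm -rf "$tmp"
```

On a server laid out like the one in this thread, the same functions can be pointed at `/etc/httpd/conf.d/*.conf`.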