Apache Won't restart - Certificate Deleted


#1

Hi
I followed this thread closely to delete a certificate.

I entered all the commands. It’s deleted.

But as the thread mentions for some users Apache won’t restart.
There is no followup thread. I have tried the solutions posted.

I am on Ubuntu 18.

Is there a simple way to delete the files that Apache refers to so there is no conflict and will allow Apache to restart?

Thanks


#2

BTW here is the error code:

    apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
    Drop-In: /lib/systemd/system/apache2.service.d
             └─apache2-systemd.conf
    Active: failed (Result: exit-code) since Fri 2019-01-25 15:56:00 EST; 26min ago
    Process: 8199 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
    Main PID: 805 (code=exited, status=0/SUCCESS)


#3
  1. Identify where your Apache configuration is referencing non-existent certificates:

    apachectl -t
    
  2. Replace those references with self-signed certificates temporarily so that Apache can start.


#4

Thank you for the reply.

So here is the output:

    AH00526: Syntax error on line 18 of /etc/apache2/sites-enabled/chosem.work-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/chosem.work/fullchain.pem' does not exist or is empty
    Action '-t' failed.

I tried to enter:

    sudo a2dissite chosem.work.lv.conf

(as in the second post on that page).

But that didn’t produce anything.

I must be missing something.


#5

My suggestion was to use the snakeoil approach, not the a2dissite approach.

But the a2dissite command that makes sense for you (if it works at all) is probably:

    sudo a2dissite chosem.work-le-ssl

#6

Thank you for the help! That worked to get the server up.

Can I ask though what exactly is that command doing? Did it just stop the certificate from loading or was the ssl rendered inoperable?

Also, for the future, rather than delete a certificate again, is there any harm to leave an expired certificate on the server?

Thank you.


#7

The command removes the configuration file containing that virtualhost, from the active Apache configuration. (More precisely, it looks for a file matching that name as /etc/apache2/sites-enabled/{}.conf, and removes it).

The problem with deleting a certificate is that you first need to ensure that your active webserver configuration doesn’t rely on that certificate existing. Of course, since Certbot does not actually warn you about this, many users probably run afoul of this issue.

It’s better to delete it, so that your server doesn’t keep trying to renew it pointlessly.


#8

Well thank you again. Appreciated.

Surprised more people don’t run into this issue. I guess there are a lot of expired certificates on servers when domains lapse.
I assume that since the server is up and the other websites are operable, the following isn’t an issue?
“need to ensure that your active webserver configuration doesn’t rely on that certificate existing”

Hopefully.


#9

An expired certificate doesn’t prevent Apache from starting—only a deleted certificate that’s still referred to in the Apache configuration.


#10

Ok thanks. So if future certificates expire, it sounds easier to just leave them on the server, but as AZ mentioned there will be a call for renewal every 90 days, I guess.


#11

When an expired certificate is found:
Q: Is the site still in use?
YES: Why did the cert NOT auto-renew? [something has failed]
NO: Just move that site config file out from the “active” sites-available folder (or delete it). [and restart web service]


#12

With common automatic renewal settings, there will be an attempt to renew it twice a day, every day, starting 30 days before it expired. That’s 240 attempts to renew it by the time you reach 90 days after it expired.

Edit: I undercounted.


#14

Right… I hope…

I wrote 210 the first time! I did 180 + 30 instead of 180 + 60.

I should go back to bed.


#15

Hi
Thanks for the update.
In my case the domain expired and the site was not in use any longer.
This is why I tried to delete rather than let expire.

rg305

NO: Just move that site config file out from the “active” sites-available folder (or delete it). [and restart web service]

I only have basic skills in this, but is what you suggest in the above line the same as what AZ suggested? ( The “sudo a2dissite chosem.work-le-ssl” command? )

Thanks


#16

In essence, yes; but the removal may depend on how it was included.
If the site (file) was enabled using “a2ensite” then “a2dissite” would work.
If the site (file) was included as a result of its “location”, then moving it out or deleting would work.
(As an example of such a possible inclusion: “IncludeOptional sites-enabled/*.conf”)
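
Added example, not part of the thread and not written by any of the posters: the checks described in posts #7 and #16, as two shell functions that list every enabled config still pointing at a certificate and say whether each was enabled by symlink or by location. The function names, the output format and the default directory /etc/apache2/sites-enabled are assumptions of this example; certificate paths are assumed to be absolute and free of spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Debian/Ubuntu layout
# (/etc/apache2/sites-enabled) and absolute certificate paths without spaces.

# Directives that name a certificate, key or chain file. Commented-out
# lines do not match, because only whitespace may precede the directive.
CERT_RE='^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]'

# conf_kind FILE: "symlink" (what a2ensite creates, so a2dissite removes it)
# or "file" (included only by its location, so move or delete it instead).
conf_kind() {
    if [ -L "$1" ]; then echo symlink; else echo file; fi
}

# refs_to_lineage LINEAGE_DIR [CONF_DIR]
# Before deleting a certificate: print every enabled config line that still
# points into LINEAGE_DIR, as <conf>:<kind>:<lineno>:<directive line>.
refs_to_lineage() {
    lineage=${1%/}/
    dir=${2:-/etc/apache2/sites-enabled}
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue               # glob matched nothing
        kind=$(conf_kind "$conf")
        grep -niE "$CERT_RE" "$conf" | grep -F -- "$lineage" |
        while IFS= read -r hit; do
            printf '%s:%s:%s\n' "$conf" "$kind" "$hit"
        done
    done
}

# missing_cert_refs [CONF_DIR]
# After a failed start: print <conf>:<kind>:<lineno>:<path> for every
# referenced file that does not exist or is empty.
missing_cert_refs() {
    dir=${1:-/etc/apache2/sites-enabled}
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        kind=$(conf_kind "$conf")
        grep -niE "$CERT_RE" "$conf" |
        while IFS=: read -r lineno rest; do
            set -f; set -- $rest; set +f         # split "Directive path"
            path=${2#\"}; path=${path%\"}        # drop optional quotes
            [ -s "$path" ] ||
                printf '%s:%s:%s:%s\n' "$conf" "$kind" "$lineno" "$path"
        done
    done
}
```

Any line printed by `refs_to_lineage /etc/letsencrypt/live/chosem.work` is a config that has to be disabled or repointed before that certificate is deleted.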


#17

That’s great to know. I can look those up for the sites.
Thanks a lot.