Apachectl -S says fullchain.pem does not exist or is empty but certbot says it has been saved

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: peerpowerinc.com

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: peerpowerinc.com
2: www.peerpowerinc.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/peerpowerinc.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for peerpowerinc.com
http-01 challenge for www.peerpowerinc.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://peerpowerinc.com and
https://www.peerpowerinc.com

You should test your configuration at:
SSL Server Test: peerpowerinc.com (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/peerpowerinc.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/peerpowerinc.com/privkey.pem
  Your cert will expire on 2018-09-02. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew all of
  your certificates, run "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ apachectl -S
AH00526: Syntax error on line 38 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/peerpowerinc.com/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.
ubuntu@ip-172-30-0-154:/var/www/html/sites/default$

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Hi-
Thanks for letsencrypt and for this support site.
I have tried many different steps, following many different tutorials to make my site 100% https.
Very possible I did not do correct setup ahead of time and may still not have correct setup.
This post was helpful:

I thought i had successfully installed cert due to above success message.
But then when I ran

apachectl -S

I got:

SSLCertificateFile: file '/etc/letsencrypt/live/peerpowerinc.com/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

So I looked in Apache2 error log and saw this:

[Mon Jun 04 13:39:31.720436 2018] [ssl:warn] [pid 26899] AH01909: ip-172-30-0-154.ec2.internal:443:0 server certificate does NOT include an ID which matches the server name

What started me down this whole path was after original success installing cert (according to output of certbot), I went to

https://www.ssllabs.com/ssltest/analyze.html?d=www.peerpowerinc.com

and

https://www.ssllabs.com/ssltest/analyze.html?d=peerpowerinc.com

and got

Assessment failed: Unable to connect to the server

Any help would be appreciated.

Thanks in advance.

Try with sudo
sudo apachectl -S

Hi @luckydad,

You get this error because you are running the command as a normal user, use sudo or directly the user root:

Also, are you sure your firewall is not blocking port 443?.

Cheers,
sahsanu

Hi sahsanu-

Thanks for the quick reply, I really appreciate it.

1. I ran sudo apachectl -S and got the following output:

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ sudo apachectl -S
VirtualHost configuration:
*:80 peerpowerinc.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server peerpowerinc.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost peerpowerinc.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.peerpowerinc.com
alias www.peerpowerinc.com
alias peerpowerinc.com
port 443 namevhost peerpowerinc.com (/etc/apache2/sites-enabled/000-default.conf:10)
alias www.peerpowerinc.com
port 443 namevhost ip-172-30-0-154.ec2.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

2. I am not sure my firewall is not blocking port 443

Does this help:

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 15428 -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 112 44338 -
tcp6 0 0 :::22 :::* LISTEN 0 15430 -
tcp6 0 0 :::443 :::* LISTEN 0 223693 -
tcp6 0 0 :::80 :::* LISTEN 0 223689 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 12230 -

Cheers,
luckydad

@luckydad, show the output of this command:

sudo ufw status

thanks, @sahsanu
here it is:

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ sudo ufw status
Status: active

To Action From

Apache Full ALLOW Anywhere
OpenSSH ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)

-luckydad

Show the output of:

sudo iptables --list-rules

and the output of:

sudo cat /etc/apache2/sites-enabled/default-ssl.conf

You can use some service like pastebin.com to paste the outputs.

Hi @sahsanu-

I shared output from iptables and default-ssl in this pastebin:

https://pastebin.com/0S0utCY0

Thanks.

Regarding this:

Forget it, I realized you allow Apache Full so that covers ports 80 and 443.

I don't use AWS but maybe there is an external firewall that you need to configure...?. Just a test, try to connect to your domain from the same machine:

curl -ikL https://peerpowerinc.com
curl -ikL https://127.0.0.1 -H "Host: peerpowerinc.com"
echo | openssl s_client -connect 127.0.0.1:443 -servername peerpowerinc.com 2>/dev/null | openssl x509 -noout -text | grep -E '(Issuer:|Not After|DNS:)'

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ curl -ikL https://peerpowerinc.com
curl: (7) Failed to connect to peerpowerinc.com port 443: Connection timed out

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ curl -ikL https://127.0.0.1 -H “Host: peerpowerinc.com”
HTTP/1.1 301 Moved Permanently
Date: Mon, 04 Jun 2018 16:41:21 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://www.peerpowerinc.com/
Content-Length: 320
Content-Type: text/html; charset=iso-8859-1

ubuntu@ip-172-30-0-154:/var/www/html/sites/default$ echo | openssl s_client -connect 127.0.0.1:443 -servername peerpowerinc.com 2>/dev/null | openssl x509 -noout -text | grep -E ‘(Issuer:|Not After|DNS:)’
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not After : Sep 2 13:10:11 2018 GMT
DNS:peerpowerinc.com, DNS:www.peerpowerinc.com

You firewall rules allow connections to ports 80 and 443, your web server is listening on ports 80 and 443 and it is serving the right site with the right certificate, double check whether there is some external firewall blocking connections to port 443.

Hi @sahsanu-

Looks like it was an EC2 thing. Found another post where person solved it by:

“…I hadn’t opened up port 443 in my EC2 instance Security Group.”

Once I did that in AWS dashboard I was able to load https. Getting mixed http and https content but when I did Qualys check finally passed!
Thank you SO MUCH.
-luckydad

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.