Bug: Could not reverse map the HTTPS VirtualHost to the original

I deleted all virtual host files and created them clean again because I had a redirection loop. I enabled all conf files using a2ensite www.kekschen.eu.conf for all domains. However I ran into a bug. I attached all conf files and the log: https://1drv.ms/u/s!ArWVG-HsH4lKkeBWd2Do5CeMOuc3Yw

My domain is: config.png.services, png.services, kekschen.eu, www.png.services, www.kekschen.eu

I ran this command:
certbot --apache -d png.services -d www.png.services -d kekschen.eu -d www.kekschen.eu -d config.png.services

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/png.services.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/png.services/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/png.services/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
root@png:/etc/apache2/sites-available#

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @Philipp97714

Looks like you have changed your vHost configuration. So Certbot can't find one vHost with these domain names.

What says

apachectl -S

If you have different vHosts (one per non-www and www-domain), create new different certificates.

I just deleted all conf files in sites-available and all links in sites-enabled. I thought certbot would create all virtualhosts for https again if I create those for port 80.

root@png:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
207.180.236.50:80      is a NameVirtualHost
         default server config.PNG.Services (/etc/apache2/sites-enabled/config.png.services.conf:1)
         port 80 namevhost config.PNG.Services (/etc/apache2/sites-enabled/config.png.services.conf:1)
                 alias config.PNG.Services
         port 80 namevhost kekschen.eu (/etc/apache2/sites-enabled/kekschen.eu.conf:1)
                 alias kekschen.eu
         port 80 namevhost PNG.Services (/etc/apache2/sites-enabled/png.services.conf:1)
                 alias PNG.Services
         port 80 namevhost www.kekschen.eu (/etc/apache2/sites-enabled/www.kekschen.eu.conf:1)
                 alias www.kekschen.eu
         port 80 namevhost www.PNG.Services (/etc/apache2/sites-enabled/www.png.services.conf:1)
                 alias www.PNG.Services
*:80                   vmd33584.contaboserver.net (/etc/apache2/sites-enabled/default.conf:1)
*:443                  vmd33584.contaboserver.net (/etc/apache2/sites-enabled/default.conf:32)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Do you really have ServerName and ServerAlias with the same name?

Alias should be another name.

Typical:

ServerName kekschen.eu
ServerAlias www.kekschen.eu

then a certificate with both domain names.
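To make the advice above checkable before running certbot, here is an added example (not from the thread or from Certbot itself) that parses an `apachectl -S` dump and reports whether every requested name is served by a single port-80 vHost. The dump is constructed after the suggested layout (www names as ServerAlias, a documentation IP); host names are lower-cased since DNS names are case-insensitive.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the apachectl -S dump in the thread, but after
# the suggested change (www names moved into ServerAlias). Not live output.
SAMPLE_DUMP = """\
VirtualHost configuration:
203.0.113.10:80        is a NameVirtualHost
         default server config.PNG.Services (/etc/apache2/sites-enabled/config.png.services.conf:1)
         port 80 namevhost config.PNG.Services (/etc/apache2/sites-enabled/config.png.services.conf:1)
                 alias config.PNG.Services
         port 80 namevhost kekschen.eu (/etc/apache2/sites-enabled/kekschen.eu.conf:1)
                 alias www.kekschen.eu
         port 80 namevhost PNG.Services (/etc/apache2/sites-enabled/png.services.conf:1)
                 alias PNG.Services
*:80                   vmd33584.contaboserver.net (/etc/apache2/sites-enabled/default.conf:1)
*:443                  vmd33584.contaboserver.net (/etc/apache2/sites-enabled/default.conf:32)
"""

NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):\d+\)")
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+) \((\S+):\d+\)")
ALIAS = re.compile(r"^\s*alias (\S+)")

def parse_vhosts(dump):
    """Turn an apachectl -S dump into a list of {port, file, names} dicts.
    Names are lower-cased so config.PNG.Services matches -d config.png.services."""
    vhosts = []
    for line in dump.splitlines():
        m = NAMEVHOST.match(line) or SINGLE.match(line)
        if m:
            port, name, path = m.groups()
            vhosts.append({"port": int(port), "file": path, "names": {name.lower()}})
            continue
        m = ALIAS.match(line)
        if m and vhosts:  # alias lines belong to the vhost listed just before
            vhosts[-1]["names"].add(m.group(1).lower())
    return vhosts

def check_cert_request(dump, domains):
    """Check a planned 'certbot --apache -d ...' request: every name must be
    served on port 80, and all names of one certificate should live in one
    port-80 vhost so the installer has a single template for the HTTPS vhost."""
    vhosts80 = [v for v in parse_vhosts(dump) if v["port"] == 80]
    by_file, missing = defaultdict(list), []
    for dom in (d.lower() for d in domains):
        hits = [v["file"] for v in vhosts80 if dom in v["names"]]
        if not hits:
            missing.append(dom)
        for path in hits:
            by_file[path].append(dom)
    return {"ok": not missing and len(by_file) == 1, "missing": missing,
            "by_vhost": {k: sorted(v) for k, v in by_file.items()}}
```

Feed it the real output with `check_cert_request(subprocess.check_output(["apachectl", "-S"], text=True), [...])`; a request that spans several vHosts or lists a name no vHost serves comes back with `ok` False.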

So I just need one virtualhost for www.example.com and example.com? If I browse to any domain, will I always be redirected to its www. subdomain?

Yes, that's the standard handling of a domain with non-www and www.

You have to create a correct redirect. But it's easier to do such things if you have only one main domain name per vHost.

Okay, I delete all www.*.conf files and change the remaining ones as you said, right? Do I have to change anything else, because you said something about a correct redirect?

I did what you said and removed all www.*.conf files and added a "www." to ServerAlias. This didn't solve the issue.

root@png:/etc/apache2/sites-available# certbot --apache -d png.services -d kekschen.eu -d config.png.services
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/png.services-0001.conf)

It contains these names: png.services

You requested these names for the new certificate: png.services, kekschen.eu,
config.png.services.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/png.services-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/png.services-0001/privkey.pem
    Your cert will expire on 2019-08-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

That's completely wrong.

One vHost with domain and www.domain. One certificate with

-d domain -d www.domain.

Not different vHosts mixed.

certbot --apache -d kekschen.eu -d www.kekschen.eu

but only, if you have a vHost with

ServerName kekschen.eu
ServerAlias www.kekschen.eu

My kekschen.eu.conf has the following content:

<VirtualHost kekschen.eu:80>
ServerAdmin Philipp@PNG.Services
ServerName kekschen.eu
ServerAlias www.kekschen.eu

DocumentRoot /var/www/kekschen/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
 
<Directory /var/www/kekschen/html>
AllowOverride All
</Directory>
certbot --apache -d kekschen.eu -d www.kekschen.eu

produces the same error

What's that?

This isn't a place used with a domain name. Use

<VirtualHost *:80>

so this VirtualHost uses all ip addresses.

I changed it but it is still not working. I guess it is a bug in certbot.

Here is the command I used:
certbot --apache -d kekschen.eu -d www.kekschen.eu
and
certbot --apache -d kekschen.eu
(both not working)

Here is my enabled conf:

<VirtualHost *:80>
ServerAdmin Philipp@PNG.Services
ServerName kekschen.eu
ServerAlias www.kekschen.eu

DocumentRoot /var/www/kekschen/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/kekschen/html>
AllowOverride All
</Directory>
</VirtualHost>

I have no idea what to do anymore. I deleted the folder /etc/letsencrypt because I thought it was related to the problem, but after running certbot I get the same error. It seems that there is a huge bug in certbot. My conf is like you said:

<VirtualHost *:80>
    ServerAdmin Philipp@PNG.Services
    ServerName kekschen.eu
    ServerAlias www.kekschen.eu

    DocumentRoot /var/www/kekschen/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
 
<Directory /var/www/kekschen/html>
    AllowOverride All
</Directory>

The command I try to execute:
certbot --apache -d png.services -d www.png.services -d kekschen.eu -d www.kekschen.eu -d config.png.services

Hi Jürgen,
sorry that I reply again, but have you any ideas what I can do? The only idea I have is to reinstall Ubuntu which would take a long time.

Did you do this for all your virtual hosts, or just that one? I think certbot used to get confused if you mixed the two - not sure if that issue still exists in 0.31 but it might be worth changing to <VirtualHost *:80> everywhere, if you haven't already.

That's unfortunate, because while it wasn't installed correctly, you had a certificate which you could have installed manually. Oh well - hopefully you can get another one :slight_smile:

I changed all virtual hosts to *:80 but it doesn’t solve the issue. I also got new certificates in the certbot dir but again they couldn’t be installed. I don’t understand the problem. I deleted everything: the certbot dir, and I cleaned up all virtual host files, but it still isn’t working. Somewhere there must be a broken file remaining on my server that confuses certbot. I don’t know why it isn’t working, but I think the issue would be solved if I reinstalled Ubuntu - but that shouldn’t be the only solution.

Rechecked your domain - https://check-your-website.server-daten.de/?q=kekschen.eu

port 443 answers, but sends http content.

But the content is very untypical:

http://kekschen.eu:443/

Not Implemented

The URL or IP you are trying to access is out of service.

So create a correct port 443 vHost manually -> documentation.

I thought certbot creates the vHost for SSL by itself?

But a working port 80 vHost is required. So Certbot can use that as a template.