Can't install certificates, no vhost exists

Hi all,

I am trying to set up a reverse proxy. The certificates for my domain are already generated. But when I try to install them, it can't seem to find my vhost:

certbot --apache -d mydomain

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

We were unable to find a vhost with a ServerName or Address of mydomain
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: 000-default-le-ssl.conf        | seconddomain    | HTTPS | Enabled
2: 000-default.conf               |                       |       | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No vhost exists with servername or alias of mydomain. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain/privkey.pem
   Your cert will expire on 2021-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

I am running apache 2.25 on Raspbian 10 with LE 0.31. Seconddomain is the domain already running on the server. Vhost configuration:

<VirtualHost *:80>
        ServerName  mydomain
        ProxyPreserveHost On
        DocumentRoot /var/www/nextcloud
        ProxyPass / .well-known !
        ProxyPass / http://internal_ip
        ProxyPassReverse / http://internal_ip
</VirtualHost>

Hi @CountOmega

If Certbot can't find your vHost, your vHost isn't used.

What says

apachectl -S

The unedited result is required.

2 Likes

What does that do?
If it doesn't proxy when .well-known, then what does it do when it is?

apachectl -S

VirtualHost configuration:
*:443                  fgeiger.dnshome.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
1 Like

This seems to block all external access.
Unless, since it is the only thing on port 80, it is the default and would be served to all unmatched requests.
Either way it seems to NOT be doing what you would expect.

1 Like

For this device there is only port 443 opened on the router.

Then I don't know how you obtained a cert nor how you can renew it without port 80 access.

But if you do have a valid cert, then you can always just install it manually.
[you can check what certs you have with: certbot certificates]

Please show this file:
/etc/apache2/sites-enabled/000-default-le-ssl.conf

1 Like

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/


    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ServerName fgeiger.dnshome.de
    SSLCertificateFile /etc/letsencrypt/live/fgeiger.dnshome.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fgeiger.dnshome.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

1 Like

Ok so the certificate is already in use.
Can we see:
certbot certificates

1 Like

Found the following certs:
  Certificate Name: argoniannextcloud.dnshome.de
    Domains: argoniannextcloud.dnshome.de
    Expiry Date: 2021-02-24 16:21:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/argoniannextcloud.dnshome.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/argoniannextcloud.dnshome.de/privkey.pem
  Certificate Name: fgeiger.dnshome.de
    Domains: fgeiger.dnshome.de
    Expiry Date: 2021-01-16 10:57:45+00:00 (VALID: 50 days)
    Certificate Path: /etc/letsencrypt/live/fgeiger.dnshome.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fgeiger.dnshome.de/privkey.pem

1 Like

Ok so the only thing failing is when you try to reinstall a cert that is already installed.
Yes, that should work and it doesn't - but is it really needed?
Something must have changed in your config since certbot first installed the cert and now it doesn't know how to.
But do you really even need that? NO.
You only need to renew the cert when it comes time.
You could change from:
certbot --apache -d domain
to just
certbot renew
and see how that goes.

1 Like

I never installed the certs for argoniannextcloud because it couldn't find my vHost. That is my problem here. There is nothing wrong with the certs per se, I think.

OK but there is nothing for certbot to work with on that domain:

That name isn't included in there.
You need to have a working HTTP vhost config for certbot to create a working HTTPS config for it.

1 Like

This is one of the reasons hiding the name only wastes time.

1 Like

Sorry about that. The created certificates should be installed into the reverse proxy shown at the top.

2 Likes

So the title should read more like: Problems installing a reverse proxy using certbot.

In the simplest design, the reverse proxy needs one vhost config per unique internal destination.
You only show one vhost config.

You could try a more complicated approach but unless you are experienced with proxies, I would not recommend going down any such path.

1 Like

The proxy should redirect the argoniannextcloud... domain to the corresponding server in the internal network. Config:

<VirtualHost *:80>
        ServerName  argoniannextcloud.dnshome.de
        ProxyPreserveHost On
        DocumentRoot /var/www/nextcloud
        ProxyPass / .well-known !
        ProxyPass / http://192.168.178.68
        ProxyPassReverse / http://192.168.178.68
</VirtualHost>

That file is not in use.
That servername is not listed by apachectl -S:

Where is that file?

1 Like

It's in /etc/apache2/sites-available

1 Like

Then you need to enable it.
a2ensite (unknown)

And restart Apache.

Then show [to confirm]:
apachectl -S

2 Likes
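An added example, not posted by anyone in this thread, that ties the two recurring points together: the ACME exclusion in the proxy vhost has to be a real path prefix (`ProxyPass /.well-known/acme-challenge/ !`, not `ProxyPass / .well-known !`), and a ServerName only counts once `apachectl -S` lists it. The hostnames and backend address are the ones from the thread; the output directory is a parameter so the script runs outside /etc/apache2, and the sample `apachectl -S` text is the output quoted above.

```shell
#!/bin/sh
# write_proxy_vhost renders a minimal HTTP reverse-proxy site for one name.
#   $1 = ServerName, $2 = backend base URL, $3 = directory to write into
write_proxy_vhost() {
    cat > "$3/$1.conf" <<EOF
<VirtualHost *:80>
    ServerName $1
    # Answer ACME HTTP-01 challenges locally; proxy everything else.
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPreserveHost On
    ProxyPass / $2/
    ProxyPassReverse / $2/
    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
</VirtualHost>
EOF
}

# vhost_listed reads `apachectl -S` text on stdin and returns 0 when $1 is
# an active ServerName. It understands the three line shapes Apache prints:
#   "*:80        host (file:line)"         single vhost on a port
#   "default server host (file:line)"      first vhost of a name-based port
#   "port 80 namevhost host (file:line)"   further name-based vhosts
vhost_listed() {
    sed -n '/^VirtualHost configuration:/,/^ServerRoot:/p' \
      | awk -v name="$1" '
          $1 ~ /^\*:[0-9]+$/ && $2 == name                    { found = 1 }
          $1 == "default" && $2 == "server" && $3 == name      { found = 1 }
          $3 == "namevhost" && $4 == name                      { found = 1 }
          END { exit found ? 0 : 1 }'
}

# Constructed sample: the apachectl -S output quoted earlier in the thread.
SAMPLE_APACHECTL_S='VirtualHost configuration:
*:443                  fgeiger.dnshome.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"'

# On the real host the flow is: write the file into sites-available,
# a2ensite <name>.conf, apachectl configtest, reload Apache, then
#   apachectl -S | vhost_listed <name>
# before running certbot again. Here only the parser is exercised:
if printf '%s\n' "$SAMPLE_APACHECTL_S" | vhost_listed argoniannextcloud.dnshome.de; then
    echo "vhost active"
else
    echo "vhost not active: enable the site and reload before running certbot"
fi
```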