Cannot create wildcard certificates


#1

I do have valid certificates (not created by certbot, but by a script called dehydrated).
I want to switch to certbot.
There are many topics on the web, but none of them seem to help fix my problem.
My domain is: wo-lar.com

I ran this command: certbot --apache

It produced this output:
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 371: Syntax error',)

My web server is (include version): httpd-2.4.6-88
The operating system my web server runs on is (include version): centos-release-7-6.1810.2.el7.centos.x86_64

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, CLI only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-0.29.1-1.el7.noarch

Thanks for your help. Wolfgang


#2

Hi @wp.rauchholz

what’s the content of this row?


#3

That is the thing. The file has 370 lines.

"/etc/httpd/conf/httpd.conf" 370L, 12504C


#4

I just added some blank lines at the end of the file. It says now:
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 371: Syntax error',)

The system tries to add a line at the end of the file httpd.conf, but fails.

Wolfgang


#5

Then share the content.

There are some elements like IfModule or Directory, they require two elements:

<Directory "C:/www/phpMyAdmin">
     Options None
     AllowOverride None
     order deny,allow
     deny from all
     allow from 127.0.0.1
</Directory>

Perhaps another row has something like

so the </Directory> element is missing.

PS: Share the file


#6

Does letsencrypt require a directory structure of
sites-available and sites-enabled to work?


#7

I don’t know.

But it’s not a Letsencrypt-question, it’s a Certbot question.

Certbot doesn’t understand your configuration file, because the file is buggy.


#8

What does

apachectl configtest

or

apache2 -t

say?

#9

[root@home wp.rauchholz]# apachectl configtest
Syntax OK

Config is ok.

Not sure whether the issue is related to the fact that ssl.conf points to letsencrypt certificates that were created by the other script.

I will de-activate them and try again

Wolfgang


#10

Try running certbot as root.


#11

I tried running as root. Same error appears.
I re-set the ssl.conf to original file. Restarted httpd.service, but still gives me the same error. I find this error message in the log file:

2019-01-23 14:13:59,100:DEBUG:certbot.main:certbot version: 0.29.1
2019-01-23 14:13:59,100:DEBUG:certbot.main:Arguments: ['--apache']
2019-01-23 14:13:59,100:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-23 14:13:59,122:DEBUG:certbot.log:Root logging level set at 20
2019-01-23 14:13:59,122:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-23 14:13:59,123:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-01-23 14:13:59,213:DEBUG:certbot_apache.configurator:Apache version is 2.4.6
2019-01-23 14:13:59,388:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#apache): There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 371: Syntax error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 255, in prepare
    self.check_parsing_errors("httpd.aug")
  File "/usr/lib/python2.7/site-packages/certbot_apache/augeas_configurator.py", line 77, in check_parsing_errors
    raise errors.PluginError(msg)
PluginError: There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 371: Syntax error
2019-01-23 14:13:59,390:DEBUG:certbot.plugins.selection:No candidate plugin
2019-01-23 14:13:59,390:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None


#12

Can you upload this file here (or directly to me)?


#13

Here we go.

Wolfgang

(Attachment httpd.conf is missing)


#14

Do you have this file?:
/etc/httpd/conf/httpd.conf

if yes, can you upload it?


#15

Now, hopefully with right file extension.

Wolfgang

httpd.txt (12.6 KB)


#16

That file looks OK.
I’m thinking either Apache isn’t showing the correct location in the file or the file looks different on your disk than what you uploaded…

Assuming the file contains some bad bits, I would first try trapping and deleting them.
Store a safe copy of the file first.
Then append some harmless text to it.
Like:
echo "###########" >> /etc/httpd/conf/httpd.conf
Then edit the file and look at the last couple of lines for anything out of place and delete it.
Or edit it and break everything after the previously visible ending IncludeOptional conf.d/*.conf
(I would insert a line break or carriage return and then delete all the lines below that last line)

If the error continues, then I don’t think the Apache error message is correct.


#17

Or:
Move the file to a safe place first.
Then recreate it from the text in your uploaded txt file.
or from only the lines that don’t start with '#'
Like:

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@wo-lar.com 
ServerName www.wo-lar.com:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.htm index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxypass
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    <IfModule deflate_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %b (%{ratio}n)" combined_deflate
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %b (%{ratio}n)" combined_proxypass_deflate
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
IncludeOptional conf.d/*.conf
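The config above passed apachectl configtest in this thread while certbot's parser reported an error one line past the end of the file. As an added illustration (not code from the thread or from certbot), here is a small Python checker that walks a config line by line, keeps a stack of open section tags, and reports any section still open at end of file; the sample config is a constructed skeleton of the log_config_module block above with the close for <IfModule deflate_module> left out.

```python
import re
from typing import List, Tuple

# Constructed sample (not the poster's file): skeleton of the log_config_module
# block pasted above, with the </IfModule> for <IfModule deflate_module> missing.
BROKEN_CONF = """\
ServerRoot "/etc/httpd"
<IfModule log_config_module>
    LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \\"%r\\" %>s %b %I %O" combinedio
    </IfModule>
    <IfModule deflate_module>
      LogFormat "%h %l %u %t \\"%r\\" %>s %b (%{ratio}n)" combined_deflate
    CustomLog "logs/access_log" combined
</IfModule>
IncludeOptional conf.d/*.conf
"""
# Same skeleton with the missing close restored after the deflate LogFormat.
FIXED_CONF = BROKEN_CONF.replace(
    'combined_deflate\n', 'combined_deflate\n    </IfModule>\n', 1)

OPEN_RE = re.compile(r'^\s*<(\w+)(?:\s+(.*?))?\s*>\s*$')  # <Directive [argument]>
CLOSE_RE = re.compile(r'^\s*</(\w+)\s*>\s*$')           # </Directive>

def section_errors(conf: str) -> List[str]:
    """Report unmatched section tags; sections still open at EOF are reported
    as line N+1 of an N-line file (cf. 'line 371' for the 370-line httpd.conf)."""
    stack: List[Tuple[str, str, int]] = []  # (directive, argument, line opened)
    problems: List[str] = []
    lineno = 0
    for lineno, line in enumerate(conf.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank lines and comments carry no structure
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2) or '', lineno))
            continue
        m = CLOSE_RE.match(line)
        if not m:
            continue  # ordinary directive
        if not stack:
            problems.append(f"line {lineno}: </{m.group(1)}> without an open section")
        elif stack[-1][0].lower() != m.group(1).lower():
            name, arg, opened = stack[-1]
            problems.append(f"line {lineno}: </{m.group(1)}> while <{name} {arg}> from line {opened} is open")
        else:
            stack.pop()
    for name, arg, opened in stack:
        problems.append(f"line {lineno + 1}: <{name} {arg}> opened on line {opened} was never closed")
    return problems
```

Because every nested block here is an IfModule, the stray close on the CustomLog side pairs up with the inner block and only the outer log_config_module block is left open, which is why the complaint lands at end of file rather than at the line where the tag is actually missing.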

#18

There is actually a mistake in the file. Surprised that apachectl configtest did not complain. The (in red) was missing

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %b (%{ratio}n)" combined_deflate
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %b (%{ratio}n)" combined_proxypass_deflate

Thanks for helping.

Wolfgang


#19

You shouldn’t be too surprised; Apache is very forgiving, it tries to run “at all cost”.
[even when the user makes mistakes other web servers would not allow]
So, sometimes (like here), it is too forgiving.

That is one of the reasons I prefer nginx :slight_smile:

Very glad to hear you got it figured out.


#20

If I pieced it together properly…
I now see the conf file was missing a closing IfModule statement:

    # closing tag for the <IfModule deflate_module> section (closing tags take no argument)
    </IfModule>