Cannot generate cert for 2nd domain/vhost on apache2

My domain is:

nullminimal.com / www.nullminimal.com

I ran this command:

sudo certbot --apache

It produced this output:

zack@zs-com-01:/var/www/zacksjodencom$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: nullminimal.com
2: www.nullminimal.com
3: zacksjoden.com
4: www.zacksjoden.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Requesting a certificate for nullminimal.com and www.nullminimal.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: nullminimal.com
Type: unauthorized
Detail: 137.184.44.71: Invalid response from http://nullminimal.com/.well-known/acme-challenge/7N-KYsR5HhiUV16XzKSUeztRvnr663wB5YnbaRu_r_0: 404

Domain: www.nullminimal.com
Type: unauthorized
Detail: 137.184.44.71: Invalid response from http://www.nullminimal.com/.well-known/acme-challenge/8oBi8-zFm5JXaPQbLbKfKIeRO-GixWK7R36KMmmgWRA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built: 2023-10-26T13:44:44

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 2.8.0

I was able to initially generate a certificate for zacksjoden.com and www.zacksjoden.com. I then added a new virtualhost, and am unable to generate a cert for that one, nullminimal.com/www.nullminimal.com.

I made no apache2 config changes. I setup the vhost file exactly the same way as the first one. I can serve the index.html file from http://nullminimal.com with no issue. https://nullminimal.com is trying to use the cert for zacksjoden.com. I don't know if that is related to the issue, normal, or will be resolved when I get a cert successfully generated for this second website.

The letsdebug site indicates no issues:

Test result for nullminimal.com using http-01

All OK!

OK

No issues were found with nullminimal.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.


Welcome to the community @sjodenzack

Let's start by checking your Apache VirtualHosts. Please show output of this

sudo apache2ctl -t -D DUMP_VHOSTS

That would seem to be (at least part of) "the problem".


@MikeMcQ, here is the output:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
137.184.44.71:80 137.184.44.71 (/etc/apache2/sites-enabled/137_184_44_71.conf:1)
*:443           zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server nullminimal.com (/etc/apache2/sites-enabled/nullminimalcom.conf:1)
port 80 namevhost nullminimal.com (/etc/apache2/sites-enabled/nullminimalcom.conf:1)
        alias www.nullminimal.com
port 80 namevhost zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom.conf:1)
        alias www.zacksjoden.com

@rg305 I figured as much, but I can't figure out how/why.

Edit: Surely adding new virtualhost(s) and wanting a cert for them would be "normal" after setting up an initial site. I can't imagine it should be that complicated to add a new site and get another cert for that domain as well.


Let's have a look at these files.


@rg305

I created this one as I wanted to control what people saw when/if someone puts in the IP directly. Also, both this and the nullminimal.com domains/vhosts were added after I successfully got a cert for the zacksjoden.com vhost:
zack@zs-com-01:~$ cat /etc/apache2/sites-enabled/137_184_44_71.conf

<VirtualHost 137.184.44.71:80>
        ServerAdmin webmaster@localhost
        ServerName 137.184.44.71
        DocumentRoot /var/www/137_184_44_71
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This was auto-generated (I didn't create it) after running cert-bot successfully for my first domain/vhost.
zack@zs-com-01:~$ cat /etc/apache2/sites-enabled/zacksjodencom-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName zacksjoden.com
        ServerAlias www.zacksjoden.com
        DocumentRoot /var/www/zacksjodencom
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/zacksjoden.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zacksjoden.com/privkey.pem
</VirtualHost>
</IfModule>

Let me know if you need to see anything else. Appreciate the help.

Edit: Fixed formatting.

(It's better to use the </> button or three backticks (```) above and below the code instead of using quotes.)


@Osiris Thank you. I will do that going forward if that makes things easier/more readable.

Yeah, that's now how Apache works when you specify an IP address in the VirtualHost statement. Doing that creates an IP based VirtualHost which takes priority for any request for that IP and port. This is why proper HTTP requests are not going to the correct VirtualHost (your name-based ones).

It is fine to set up a default VirtualHost but just use a "fake" ServerName and have a VirtualHost like your others (with *:80). Place it as your first VirtualHost in the series. This will then catch any non-SNI request and SNI requests with the wrong domain names.

https://httpd.apache.org/docs/2.4/vhosts/name-based.html

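
The precedence described in this post, and the _default_:80 variant suggested in the next one, can be checked mechanically against the DUMP_VHOSTS output already posted in the thread. The script below is an added example, not code from the thread, from Certbot or from Apache: it parses that output, applies the selection rules from the linked name-based vhost page (a vhost bound to an explicit IP:port outranks the *:port set; within a set the Host header is matched against ServerName and ServerAlias, and with no match the first-listed vhost of the set answers) and reports which vhost receives a plain-HTTP request for each name, before and after the fix. The "after" dump, the file name 000-catchall.conf and the ServerName catchall.invalid are assumptions standing in for a *:80 catch-all vhost with a placeholder name that sorts first; everything else is copied from the thread.

```python
"""Model which Apache 2.4 VirtualHost answers a request, from the text printed by
`apache2ctl -t -D DUMP_VHOSTS` (added example; not Apache's or Certbot's code).

Rules modelled, per httpd.apache.org/docs/2.4/vhosts/name-based.html:
  1. Only vhosts whose address:port matches the connection are candidates, and an
     explicit IP (137.184.44.71:80) outranks a wildcard (*:80 or _default_:80).
  2. Within the candidates the Host header is compared with ServerName/ServerAlias;
     with no match the first-listed candidate (the "default server") answers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    addr: str                 # "137.184.44.71", "*" or "_default_"
    port: int
    server_name: str
    conf: str                 # file:line exactly as DUMP_VHOSTS prints it
    aliases: list[str] = field(default_factory=list)

    def serves(self, host: str) -> bool:
        return host == self.server_name or host in self.aliases


# One-line entries, "X is a NameVirtualHost" set headers, set members and aliases.
_SINGLE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((.+)\)$")
_NAMESET = re.compile(r"^(\S+):(\d+) is a NameVirtualHost$")
_MEMBER = re.compile(r"^port (\d+) namevhost (\S+) \((.+)\)$")
_ALIAS = re.compile(r"^alias (\S+)$")


def parse_dump_vhosts(text: str) -> list[VHost]:
    """Parse DUMP_VHOSTS output into VHost records, keeping Apache's listing order."""
    vhosts: list[VHost] = []
    set_addr: str | None = None
    for raw in text.splitlines():
        line = raw.strip()            # real output indents members and aliases
        if m := _SINGLE.match(line):
            vhosts.append(VHost(m[1], int(m[2]), m[3], m[4]))
            set_addr = None
        elif m := _NAMESET.match(line):
            set_addr = m[1]
        elif (m := _MEMBER.match(line)) and set_addr is not None:
            vhosts.append(VHost(set_addr, int(m[1]), m[2], m[3]))
        elif (m := _ALIAS.match(line)) and vhosts:
            vhosts[-1].aliases.append(m[1])
        # "VirtualHost configuration:", "default server ..." and AH00558 are skipped:
        # the default server is simply the first member of its set.
    return vhosts


def select_vhost(vhosts: list[VHost], local_ip: str, port: int, host: str) -> VHost | None:
    """Return the vhost Apache would pick for a request to local_ip:port carrying Host."""
    same_port = [v for v in vhosts if v.port == port]
    candidates = [v for v in same_port if v.addr == local_ip]            # IP-based wins
    if not candidates:
        candidates = [v for v in same_port if v.addr in ("*", "_default_")]
    if not candidates:
        return None
    for v in candidates:
        if v.serves(host):
            return v
    return candidates[0]   # nothing matched the Host header: default server of the set


# DUMP_VHOSTS output as posted in the thread (IP-based vhost for 137.184.44.71:80).
DUMP_BEFORE = """\
VirtualHost configuration:
137.184.44.71:80 137.184.44.71 (/etc/apache2/sites-enabled/137_184_44_71.conf:1)
*:443           zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server nullminimal.com (/etc/apache2/sites-enabled/nullminimalcom.conf:1)
port 80 namevhost nullminimal.com (/etc/apache2/sites-enabled/nullminimalcom.conf:1)
        alias www.nullminimal.com
port 80 namevhost zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom.conf:1)
        alias www.zacksjoden.com
"""

# Constructed: the same dump once the catch-all is a *:80 vhost with a placeholder
# ServerName, listed first (000-catchall.conf and catchall.invalid are assumed names).
DUMP_AFTER = """\
VirtualHost configuration:
*:443           zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server catchall.invalid (/etc/apache2/sites-enabled/000-catchall.conf:1)
port 80 namevhost catchall.invalid (/etc/apache2/sites-enabled/000-catchall.conf:1)
port 80 namevhost nullminimal.com (/etc/apache2/sites-enabled/nullminimalcom.conf:1)
        alias www.nullminimal.com
port 80 namevhost zacksjoden.com (/etc/apache2/sites-enabled/zacksjodencom.conf:1)
        alias www.zacksjoden.com
"""

SERVER_IP = "137.184.44.71"   # the address the CA connected to, from the error output


def challenge_vhost(dump: str, domain: str) -> str:
    """ServerName of the vhost that answers http://<domain>/.well-known/acme-challenge/..."""
    v = select_vhost(parse_dump_vhosts(dump), SERVER_IP, 80, domain)
    return v.server_name if v else "(none)"


if __name__ == "__main__":
    for label, dump in (("before", DUMP_BEFORE), ("after", DUMP_AFTER)):
        for name in ("nullminimal.com", "www.nullminimal.com", "zacksjoden.com", SERVER_IP):
            print(f"{label:6} Host {name:20} -> {challenge_vhost(dump, name)}")
```

Run as-is it prints the routing table: in the "before" rows every port-80 Host lands on the 137.184.44.71 vhost, whose DocumentRoot is not where Certbot placed the challenge, which is the 404 the CA reported; the same lookup for port 443 lands on the only *:443 vhost, which is why https://nullminimal.com presented the zacksjoden.com certificate. The model ranks _default_ with * (a wildcard that yields to any exact-IP vhost), which is the role the examples page gives it.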

@MikeMcQ Should I then remove that virtual host config, reload apache, and try to get the cert again using cert-bot?

You can. Or, another option to make that a proper default vhost is
https://httpd.apache.org/docs/2.4/vhosts/examples.html#default
That first example catches any port but usually people set it to an explicit port like

<VirtualHost _default_:80>

@MikeMcQ Disabling that site's config and reloading apache fixed the issue. I feel dumb.

Thank you @MikeMcQ and @rg305 for your help this morning, on a holiday no less. Very much appreciated.


No worries. Seems like a case of a little knowledge being a dangerous thing :slight_smile:


@MikeMcQ

Yeah. I've been out of the web dev game for a few years. And even then it was just hobby LAMP based sites. Just started up a couple weeks ago trying to get back into it and this is my first time using LetsEncrypt.

Thank you again.
