Cannot issue cert for Mac Server

I need assistance. Here is what I have done so far.

-Installed letsencrypt with homebrew
-Installed certbot with homebrew
-Started the process on https://certbot.eff.org/lets-encrypt/osx-apache

When I run sudo certbot certonly --apache I get the following message
“No names were found in your configuration files. Please enter in your domain”
So I enter www.intdevices.com

This is when I receive the error
“Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80”

Upon reviewing this site and reading similar posts I have:
-Added an entry into httpd-vhosts.conf that reflects my site info
-Edited httpd-ssl.conf and commented out the default entry

I’d appreciate any help with this.

My domain is: intdevices.com

I ran this command: sudo certbot certonly --apache

It produced this output: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80

My web server is (include version): apache/ 2.4.16

The operating system my web server runs on is (include version): Mac os 10.10.5

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.35.1

Hi @TheGreatLandSquirrel

what says

apachectl -S

Checking your domain there is no older certificate, so it's your first certificate ( https://check-your-website.server-daten.de/?q=intdevices.com ).

But you have a 443 vHost and redirects http -> https.

Domainname | Http-Status | redirect | Sec. | G
http://intdevices.com/ 96.83.121.155 | 302 | https://intdevices.com/ | 0.280 | A
http://www.intdevices.com/ 96.83.121.155 | 302 | https://www.intdevices.com/ | 0.257 | A
https://intdevices.com/ 96.83.121.155 | 200 | | 1.190 | N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
  small content:
https://www.intdevices.com/ 96.83.121.155 | 200 | | 1.214 | N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
  small content:
http://intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 96.83.121.155 | 302 | https://intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.253 | A
  Visible Content: Found. The document has moved here. Apache Server at intdevices.com Port 80
http://www.intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 96.83.121.155 | 302 | https://www.intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.260 | A
  Visible Content: Found. The document has moved here. Apache Server at www.intdevices.com Port 80
https://intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 1.060 | N
  Not Found
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
  Visible Content: Not Found. The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache Server at intdevices.com Port 443
https://www.intdevices.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 1.080 | N
  Not Found
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

Good: Port 80 is open and answers.

Perhaps share your 443 vHost configuration and use the DocumentRoot as webroot.

Apachectl -S says:

VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/Server/Web/Data/Sites/Default"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex proxy: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used

We had a certificate for it previously through Rapid SSL but it has expired so for now it is self signed. I really would like to decommission this server but server is out of the country for a month so my plan was to use letsencrypt for the time being.


There is no vHost listed. Did you use a2enconf to enable the config file?

The standard page:

apache2.conf is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server.
ports.conf is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime.
Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively.
They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers a2enmod, a2dismod, a2ensite, a2dissite, and a2enconf, a2disconf . See their respective man pages for detailed information.


Sorry, I didn’t see the last line. I actually don’t have any 443 entries in my vhosts file. Also please forgive me as I don’t have much experience configuring webservers. :frowning:

Where does the a2enconf entry go?

Hi @TheGreatLandSquirrel,

In order to autoconfigure your web server, Certbot expects to find an existing HTTP VirtualHost stanza referring to the specific domain name that you want a certificate for. It seems like you might be using Apache in a default mode where you didn’t configure individual VirtualHosts but are instead using the default VirtualHost for your site. Certbot can’t autoconfigure servers in this configuration.

Two options:

  • Read some more Apache documentation/tutorials to see about how to create VirtualHosts, then create one (for HTTP/port 80 only) for your existing site, and then Certbot should recognize and understand this and be able to work with it.
  • Alternatively, if you serve static files out of your webroot (DocumentRoot) directory, you can instead use certbot certonly --webroot and tell Certbot where that directory is. In that case, it won’t install the certificate into your Apache configuration for you, but it can at least automatically obtain the certificate and then you can install it yourself in much the way that you did with your RapidSSL certificate.
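Added example for the first option above (not the poster's actual httpd-vhosts.conf and not part of the original thread): a minimal port-80 VirtualHost for the domain in this thread that Certbot's apache plugin can recognise, which also keeps the ACME challenge path out of the existing http -> https redirect so validation is not bounced to the self-signed 443 site. It assumes the DocumentRoot shown by apachectl -S on this page, that mod_rewrite is loaded, and that the DocumentRoot itself already has access granted in the default server configuration.

```apache
# Assumed file: httpd-vhosts.conf (the file the poster edited); paths below
# come from the apachectl -S output in the thread.
<VirtualHost *:80>
    ServerName www.intdevices.com
    ServerAlias intdevices.com
    DocumentRoot "/Library/Server/Web/Data/Sites/Default"

    # Certbot writes the challenge token under this directory (webroot mode)
    # or serves it itself (apache mode); either way it must be readable
    # over plain HTTP. Apache 2.4 access syntax, matching the 2.4.16 here.
    <Directory "/Library/Server/Web/Data/Sites/Default/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Keep the existing redirect to HTTPS for everything except the
    # challenge path; without this exclusion the validator follows the
    # 302 to port 443 and gets the 404 seen in the site check above.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

After reloading Apache, apachectl -S should list this host under port 80, and the second option in the thread becomes: sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/Default -d intdevices.com -d www.intdevices.com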

Thanks a ton sir! Option 2 did the trick. One thing to note, the location of the certs that certbot led me to were actually aliases. Navigating to the folder where the certs actually were, I had to paste them to the desktop before I could actually successfully import them. But once that was all said and done, it worked like a charm. I really appreciate your help with this!


That's intentional because Certbot can renew certificates automatically (if certbot renew is run frequently); there should be a new version generated every 60 days. That alias (symlink) always points to the current version of each associated file.

Good to know, so every time I need to renew certs would I have to copy them back to the desktop and re-import them?

Yes, unless you can get your web server to look at the aliases (which is our intended design but might not work in your environment).

If you’re using the macOS Keychain thing, I believe there is a way to automate the integration between that and Certbot with respect to certificate renewals, but I’m not familiar with that; if so, you could try searching the forum or start a new topic about how to get them to work together more conveniently.

Okay got it. Thanks again for all of your help!
