Can't create an Apache cert?


#1

I am running Apache on an Ubuntu Server 14.04LTS with multiple vhosts. I’m trying to issue a certificate for my domain (example.com). What I did was first stop my Apache service (sudo service apache2 stop), then run LetsEncrypt through the CLI (./letsencrypt-auto --apache -d example.com).

However, upon running the command, I get the following output.

```
Error while running apache2ctl -k graceful.
httpd not running, trying to start
Action '-k graceful' failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs
```

I’m quite sure I do not have anything listening on port 443 and the command was running as sudo. I can restart the Apache service just fine with the daemon. I currently have mod_ssl disabled, but if I enable it, I can’t get Apache to start at all. It just throws the same error about port binding.

Can anyone help me figure out what is going on?


#2

After stopping apache2, what's the output of `lsof -iTCP:443`?


#3

If run as sudo, it shows the following:

```
python 14982 root 4u IPv4 3723939 0t0 TCP 192.168.1.33:https (LISTEN)
```

My server has 2 IP’s. 192.168.1.11 is the main one under which Apache (and everything else) should be running under. 192.168.1.33 should only be for my email firewall’s web interface.


#4

Great.

Seems like Apache tried to start listening on all network interfaces:

```
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
```

Indeed, 0.0.0.0 means all interfaces.

Maybe you should bind Apache to 192.168.1.11. You may edit your ports.conf file:

```
vim /etc/apache2/ports.conf
```
Hope that helps

More info here


#5

Thank you. That indeed removed the error when running barebones apache2ctl -k graceful.

However, when trying LetsEncrypt with Apache stopped, I still interestingly receive the same error. Does it have to do with Let’s Encrypt’s own Apache configuration that I should edit?


#6

What I suggest is you start your Apache server normally, then run letsencrypt with the --webroot option.
Then edit your /etc/apache2/sites-enabled/default-ssl.conf and change the path to your SSL certificates:

```
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
```

Hope that helps


#7

Did you manage to make it work ?


#8

I sadly have not had a chance to test it out yet, as I’m on a small break. From what I understand, this creates a default SSL certificate for all virtual hosts? What if I have multiple domains and sub domains? Should I assign a different SSL certificate to each and forgo using the default SSL configuration?


#9

For multiple domains, you can request additional domains for the single certificate, up to 100 maximum including the primary, or request multiple certificates. For multiple domains, just use multiple “-d” options. The first one in the list will be the “primary” for the certificate and all requested will be added as subject alternate names.
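Putting posts #4, #6 and #9 together, here is what the resulting Apache configuration could look like: one address to listen on, a certificate issued with the webroot method while Apache keeps running, several names on one certificate via repeated `-d`, and an SSL vhost pointing at the issued files. This is an added example, not configuration from the thread or from the Let's Encrypt project; the webroot path `/var/www/example.com`, the names `example.com` and `www.example.com`, and the address 192.168.1.11 are assumed, and the certificate paths follow the client's default `/etc/letsencrypt/live/<primary-name>/` layout.

```apache
# Added example, not from the thread. Assumed: webroot /var/www/example.com,
# server address 192.168.1.11, names example.com and www.example.com.
#
# Issue the certificate with Apache still running; the challenge file is
# served from the webroot over plain HTTP on port 80. The first -d name
# becomes the certificate's primary name, the rest become alternative names:
#   ./letsencrypt-auto certonly --webroot -w /var/www/example.com \
#       -d example.com -d www.example.com

# /etc/apache2/ports.conf: bind only the address Apache owns, so another
# service holding 443 on 192.168.1.33 no longer collides with it.
Listen 192.168.1.11:80
<IfModule ssl_module>
    Listen 192.168.1.11:443
</IfModule>

# /etc/apache2/sites-available/example.com.conf
<VirtualHost 192.168.1.11:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    # Send everything to HTTPS except the ACME challenge path, so that
    # renewals over HTTP keep working (requires mod_rewrite).
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost 192.168.1.11:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # fullchain.pem = leaf certificate plus intermediate; privkey.pem = private key
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

Enable the pieces with `a2enmod ssl rewrite` and `a2ensite example.com`, run `apache2ctl configtest` before reloading, and then `service apache2 reload`. Because the `Listen` lines live only in ports.conf, the site file must not carry its own `Listen` directive, which is the duplication that bites in a later post.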


#10

Well, I re-installed Ubuntu (due to some of my failed unrelated tinkering -__- ) and now, Let’s Encrypt is working perfectly! Thanks for your help! :smile:


#11

My case was rather rare. But if it helps anyone, here it is:

I didn’t have a problem with port 443 but I had been using non-standard ports like 82 and 83 for certain websites (apache configured as Listen 83, for example). I was installing LetsEncrypt for one of these sites.

The problem was that when certbot-auto (the current installation script for LetsEncrypt) duplicated the HTTP-based site conf file, the non-standard `Listen 83` it contained was not removed. So now there were two conf files with a `Listen 83` statement, causing Apache2 to refuse to start.

The simplest fix was to edit the new SSL site conf file and remove the line Listen 83. After that, try starting the service: sudo service apache2 start. (Though I do suggest revisiting your entire Apache2 configuration, to make sure it’s set up exactly how you want it.)

Note: If you chose the “Secure” option (redirect HTTP to HTTPS), you may want to investigate further and verify whether this is really applied. In my case, the HTTP site continues to function without redirect, hence I have to further amend the Apache2 config to make it redirect.
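Both failure modes in this thread come down to `Listen` directives: post #4's wildcard bind colliding with another service on the same port, and this post's port listened on twice after a site conf was copied. The script below is an added example (not from the thread, certbot or Apache) that audits an Apache configuration tree for both, and rewrites bare `Listen <port>` lines to a chosen address. The configuration files it scans are constructed inside the script; the address 192.168.1.11 and port 83 are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "Listen" directives in an
# Apache configuration tree for the two failure modes seen above:
#   - a port bound on all interfaces (bare "Listen 443", 0.0.0.0 or [::]),
#     which collides with any other service holding that port on one address;
#   - the same port listened on twice, e.g. after a site conf carrying
#     "Listen 83" was copied into a second file.
# The configuration files used by the demo at the bottom are constructed here.

# Print every Listen directive as "file<TAB>address<TAB>port", sorted.
listen_directives() {
    grep -rHi '^[[:space:]]*Listen[[:space:]]' "$1" | awk '{
        i = index($0, ":")                  # grep -H output: "file:Listen ..."
        file = substr($0, 1, i - 1)
        line = substr($0, i + 1)
        sub(/^[ \t]*[Ll][Ii][Ss][Tt][Ee][Nn][ \t]+/, "", line)
        sub(/[ \t].*$/, "", line)           # drop an optional protocol argument
        n = split(line, parts, ":")
        if (n > 1) {                         # "addr:port" or "[v6addr]:port"
            port = parts[n]
            addr = substr(line, 1, length(line) - length(port) - 1)
        } else {                             # bare "Listen 83": all interfaces
            port = line
            addr = "*"
        }
        printf "%s\t%s\t%s\n", file, addr, port
    }' | sort
}

# Ports that appear in more than one Listen directive (Apache refuses to start).
duplicate_ports() {
    listen_directives "$1" |
        awk -F'\t' '{ seen[$3]++ } END { for (p in seen) if (seen[p] > 1) print p }' |
        sort -n
}

# Ports bound on every interface, i.e. the ones that collide with a service
# that already holds that port on a single address.
wildcard_ports() {
    listen_directives "$1" |
        awk -F'\t' '$2 == "*" || $2 == "0.0.0.0" || $2 == "[::]" { print $3 }' |
        sort -n | uniq
}

# Rewrite bare "Listen <port>" lines in one file to "Listen <addr>:<port>".
# Lines that already carry an address are left untouched.
bind_listen_to_address() {
    file="$1"; addr="$2"
    sed "s/^\([[:space:]]*Listen[[:space:]][[:space:]]*\)\([0-9][0-9]*\)[[:space:]]*$/\1$addr:\2/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed configuration tree reproducing the thread: ports.conf with
# wildcard binds, a site on port 83, and the copy of it that still says Listen 83.
make_demo_config() {
    d=$(mktemp -d)
    printf 'Listen 80\nListen 443\n' > "$d/ports.conf"
    printf 'Listen 83\n<VirtualHost *:83>\n    ServerName example.com\n</VirtualHost>\n' \
        > "$d/site83.conf"
    printf 'Listen 83\n<VirtualHost *:443>\n    ServerName example.com\n</VirtualHost>\n' \
        > "$d/site83-le-ssl.conf"
    echo "$d"
}

demo_dir=$(make_demo_config)
echo "== Listen directives =="; listen_directives "$demo_dir"
echo "== ports listened on more than once =="; duplicate_ports "$demo_dir"
echo "== ports bound to all interfaces =="; wildcard_ports "$demo_dir"
bind_listen_to_address "$demo_dir/ports.conf" 192.168.1.11
echo "== after binding ports.conf to 192.168.1.11 =="; wildcard_ports "$demo_dir"
rm -r "$demo_dir"
```

Run it against a real tree with `listen_directives /etc/apache2` after sourcing the functions; a port reported by `duplicate_ports` is the "remove the extra Listen line" case from this post, and a port reported by `wildcard_ports` while `lsof -iTCP:<port>` shows another process on one address is the collision from post #4. Confirm the result with `apache2ctl configtest` before restarting.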