Can't renew expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.uscovidtracker.net/covid

I ran this command: certbot certonly --force-renew -d www.uscovidtracker.net -v

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for www.uscovidtracker.net

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.uscovidtracker.net
  Type: unauthorized
  Detail: Invalid response from http://www.uscovidtracker.net/.well-known/acme-challenge/eYb879jIMgDQ7FzDdYYVkRfyyQ6ovHOBaANsZItPaqw [98.232.147.26]: "\n\n400 Bad Request\n\n

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

Hi, and thanks for reading. I serve this site via my Raspberry Pi. And it worked great until I ignorantly let my certificate expire (I mean, it still works great except for that part). I was hoping this would be easier, but I've gone around on it for some time now. Any insight would be appreciated. Thank you.

2 Likes

Your setup is not good: your server, as seen from the world wide web, responds with HTTPS on port 80, which is usually only used for HTTP. Therefore, anything connecting to port 80 and expecting HTTP (every browser and web client out there, including Let's Encrypt's validation server) will refuse to connect to port 80.

This might be an Apache issue (or portmap issue as pointed out below). If it's an Apache issue, you should fix the port 80 virtualhost in Apache to use plain HTTP again and try again.

4 Likes
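
The diagnosis in the reply above (a TLS listener answering on port 80) can be confirmed from the bytes the server sends back to a cleartext request. The following is an added example, not part of the original thread: the function names and sample responses are constructed for illustration, and the 400 body text is the message Apache httpd returns when plain HTTP reaches an SSL-enabled port.

```python
import re
import socket

# Text Apache httpd puts in its 400 page when a cleartext request reaches a
# listener that has SSLEngine on.
APACHE_TLS_HINT = b"speaking plain HTTP to an SSL-enabled server port"


def classify_port80_reply(raw: bytes) -> str:
    """Classify the bytes a server returned to a cleartext GET sent to port 80."""
    if not raw:
        return "no-reply"
    # A TLS record starts with a content type (0x14-0x17) and major version 0x03.
    if len(raw) >= 2 and 0x14 <= raw[0] <= 0x17 and raw[1] == 0x03:
        return "tls-on-port-80"
    status_line = re.match(rb"HTTP/\d\.\d (\d{3})", raw)
    if status_line is None:
        return "not-http"
    status = int(status_line.group(1))
    head, _, body = raw.partition(b"\r\n\r\n")
    if status == 400 and APACHE_TLS_HINT in body:
        # The case from this thread: the port 80 vhost is speaking HTTPS.
        return "tls-on-port-80"
    if status in (301, 302, 303, 307, 308):
        location = re.search(rb"(?im)^location:\s*(\S+)", head)
        if location and location.group(1).lower().startswith(b"https://"):
            # Fine for http-01: the CA follows such redirects during validation.
            return "redirects-to-https"
        return "redirects-elsewhere"
    if 200 <= status < 300 or status == 404:
        # 404 is expected when probing a challenge path that does not exist.
        return "plain-http"
    return f"http-error-{status}"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one cleartext request to a server you operate and classify the reply."""
    request = (
        "GET /.well-known/acme-challenge/probe HTTP/1.1\r\n"
        f"Host: {host}\r\nConnection: close\r\n\r\n"
    ).encode()
    chunks, received = [], 0
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(request)
        while received < 8192:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
            received += len(data)
    return classify_port80_reply(b"".join(chunks))


# Constructed sample replies (not captured from the site in this thread).
SAMPLE_TLS_VHOST = (
    b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>400 Bad Request</title></head><body>"
    b"<p>Your browser sent a request that this server could not understand.<br />\n"
    b"Reason: You're speaking plain HTTP to an SSL-enabled server port.</p>"
    b"</body></html>"
)
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.test/.well-known/acme-challenge/probe\r\n\r\n"
)
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46])
SAMPLE_NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [
        ("TLS vhost on port 80", SAMPLE_TLS_VHOST),
        ("redirect vhost", SAMPLE_REDIRECT),
        ("raw TLS alert", SAMPLE_TLS_ALERT),
        ("plain HTTP, unknown path", SAMPLE_NOT_FOUND),
    ]:
        print(f"{label}: {classify_port80_reply(sample)}")
```

Run `probe()` from outside the local network so the request passes through the router's port forwarding, which is the path the CA's validation request takes.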

It could also be a problem of port forwarding.

Port 80 on your router should forward to port 80 on your Raspberry Pi.

Likewise, port 443 on your router should forward to port 443 on your Raspberry Pi.

4 Likes

Ah yes, port forwarding, forgot about that. That's even a more likely candidate as reason for this behaviour :slight_smile: :+1:

2 Likes

In my Apache configuration I had <VirtualHost *:80 *:443> for testing, but normally the *80 is omitted. When I removed the *80 just now, restarted Apache, and tried the certificate again, I got:

```
Renewing an existing certificate for www.uscovidtracker.net
Performing the following challenges:
http-01 challenge for www.uscovidtracker.net
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
```

I haven't done anything with my router settings in a long time, but for reference the ports are set up as external 8085 --> internal (R Pi) 80, and external 443 --> internal 443. Again, all of this worked fine (or at least seemed to) prior to certificate expiration.

2 Likes

I don't think it's possible to have a correct configuration this way with Apache.

Apache will enable HTTPS on both or neither port. What you want is to have one of each.

I think the simplest thing you can do is just to add a separate virtualhost along the lines of:

```
<VirtualHost *:80>
    ServerName uscovidtracker.net
    ServerAlias www.uscovidtracker.net
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

and try again.

5 Likes

Those two lines can be replaced with the far more efficient:

```
Redirect permanent / https://www.uscovidtracker.net/
```

This will also aid with establishing a canonical URL.

https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=115522478#content/view/115522444

https://httpd.apache.org/docs/current/rewrite/avoid.html

2 Likes

> I think the simplest thing you can do is just to add a separate virtualhost along the lines of:
>
> ```
> <VirtualHost *:80>
>     ServerName uscovidtracker.net
>     ServerAlias www.uscovidtracker.net
>     RewriteEngine on
>     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
> </VirtualHost>
> ```
>
> and try again.

Thank you, this did it.

As a side note, maybe it's worth mentioning that in my Apache sites-enabled directory I've got two conf files: 000-default.conf and 000-default-le-ssl.conf. I made the suggested change in both files and restarted Apache. But I want to make sure that file setup is correct.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

This configuration file:

is created by certbot from this configuration file:

Let's make sure things are clean.

What are the outputs of these commands?

```
sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
```

Please put 3 backticks above and below each output, like this:

```
output
```

1 Like

sudo certbot certificates:

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.uscovidtracker.net
    Serial Number: 323dce595339227866818f8cb5eab71df4a
    Key Type: RSA
    Domains: www.uscovidtracker.net
    Expiry Date: 2021-09-20 16:58:56+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/www.uscovidtracker.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.uscovidtracker.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

sudo ls -lRa /etc/letsencrypt

```
/etc/letsencrypt:
total 52
drwxr-xr-x   9 root root  4096 Jun 24 15:01 .
drwxr-xr-x 126 root root 12288 Jun 20 19:20 ..
drwx------   3 root root  4096 Mar 10 00:07 accounts
drwx------   3 root root  4096 Mar 10 22:56 archive
drwxr-xr-x   2 root root  4096 Jun 22 10:58 csr
drwx------   2 root root  4096 Jun 22 10:58 keys
drwx------   3 root root  4096 Mar 10 22:56 live
-rw-r--r--   1 root root   952 Mar 10 23:15 options-ssl-apache.conf
drwxr-xr-x   2 root root  4096 Jun 22 10:58 renewal
drwxr-xr-x   5 root root  4096 Mar 10 00:07 renewal-hooks
-rw-r--r--   1 root root    64 Mar 10 23:14 .updated-options-ssl-apache-conf-digest.txt

/etc/letsencrypt/accounts:
total 12
drwx------ 3 root root 4096 Mar 10 00:07 .
drwxr-xr-x 9 root root 4096 Jun 24 15:01 ..
drwx------ 3 root root 4096 Mar 10 00:07 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Mar 10 00:07 .
drwx------ 3 root root 4096 Mar 10 00:07 ..
drwx------ 3 root root 4096 Mar 10 00:08 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Mar 10 00:08 .
drwx------ 3 root root 4096 Mar 10 00:07 ..
drwx------ 2 root root 4096 Mar 10 00:08 f0a3fe4892842e6fad91392677eb07d5

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/f0a3fe4892842e6fad91392677eb07d5:
total 20
drwx------ 2 root root 4096 Mar 10 00:08 .
drwx------ 3 root root 4096 Mar 10 00:08 ..
-rw-r--r-- 1 root root   65 Mar 10 23:14 meta.json
-r-------- 1 root root 1632 Mar 10 00:08 private_key.json
-rw-r--r-- 1 root root   79 Mar 10 00:08 regr.json

/etc/letsencrypt/archive:
total 12
drwx------ 3 root root 4096 Mar 10 22:56 .
drwxr-xr-x 9 root root 4096 Jun 24 15:01 ..
drwxr-xr-x 2 root root 4096 Jun 22 10:58 www.uscovidtracker.net

/etc/letsencrypt/archive/www.uscovidtracker.net:
total 44
drwxr-xr-x 2 root root 4096 Jun 22 10:58 .
drwx------ 3 root root 4096 Mar 10 22:56 ..
-rw-r--r-- 1 root root 1862 Mar 10 22:56 cert1.pem
-rw-r--r-- 1 root root 1862 Jun 22 10:58 cert2.pem
-rw-r--r-- 1 root root 1586 Mar 10 22:56 chain1.pem
-rw-r--r-- 1 root root 3749 Jun 22 10:58 chain2.pem
-rw-r--r-- 1 root root 3448 Mar 10 22:56 fullchain1.pem
-rw-r--r-- 1 root root 5611 Jun 22 10:58 fullchain2.pem
-rw------- 1 root root 1708 Mar 10 22:56 privkey1.pem
-rw------- 1 root root 1704 Jun 22 10:58 privkey2.pem
```

```
/etc/letsencrypt/live:
total 16
drwx------ 3 root root 4096 Mar 10 22:56 .
drwxr-xr-x 9 root root 4096 Jun 24 15:01 ..
-rw-r--r-- 1 root root  740 Mar 10 22:56 README
drwxr-xr-x 2 root root 4096 Jun 22 10:58 www.uscovidtracker.net

/etc/letsencrypt/live/www.uscovidtracker.net:
total 12
drwxr-xr-x 2 root root 4096 Jun 22 10:58 .
drwx------ 3 root root 4096 Mar 10 22:56 ..
lrwxrwxrwx 1 root root   46 Jun 22 10:58 cert.pem -> ../../archive/www.uscovidtracker.net/cert2.pem
lrwxrwxrwx 1 root root   47 Jun 22 10:58 chain.pem -> ../../archive/www.uscovidtracker.net/chain2.pem
lrwxrwxrwx 1 root root   51 Jun 22 10:58 fullchain.pem -> ../../archive/www.uscovidtracker.net/fullchain2.pem
lrwxrwxrwx 1 root root   49 Jun 22 10:58 privkey.pem -> ../../archive/www.uscovidtracker.net/privkey2.pem
-rw-r--r-- 1 root root  692 Mar 10 22:56 README

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x 2 root root 4096 Jun 22 10:58 .
drwxr-xr-x 9 root root 4096 Jun 24 15:01 ..
-rw-r--r-- 1 root root  550 Jun 22 10:58 www.uscovidtracker.net.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 Mar 10 00:07 .
drwxr-xr-x 9 root root 4096 Jun 24 15:01 ..
drwxr-xr-x 2 root root 4096 Mar 10 00:07 deploy
drwxr-xr-x 2 root root 4096 Mar 10 00:07 post
drwxr-xr-x 2 root root 4096 Mar 10 00:07 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Mar 10 00:07 .
drwxr-xr-x 5 root root 4096 Mar 10 00:07 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Mar 10 00:07 .
drwxr-xr-x 5 root root 4096 Mar 10 00:07 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Mar 10 00:07 .
drwxr-xr-x 5 root root 4096 Mar 10 00:07 ..
```

sudo apachectl -S

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost zenpi (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   is a NameVirtualHost
         default server uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:53)
         port 80 namevhost uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:53)
                 alias www.uscovidtracker.net
         port 80 namevhost uscovidtracker.net (/etc/apache2/sites-enabled/000-default.conf:51)
                 alias www.uscovidtracker.net
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

sudo ls -lRa /etc/apache2/sites-available

```
/etc/apache2/sites-available:
total 24
drwxr-xr-x 2 root root 4096 Jun 22 10:58 .
drwxr-xr-x 8 root root 4096 Jun 22 10:58 ..
-rw-r--r-- 1 root root 2289 Jun 22 10:57 000-default.conf
-rw-r--r-- 1 root root 2375 Jun 22 10:58 000-default-le-ssl.conf
-rw-r--r-- 1 root root 6338 Apr  2  2019 default-ssl.conf
```

sudo ls -lRa /etc/apache2/sites-enabled

```
/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 Jun 22 10:58 .
drwxr-xr-x 8 root root 4096 Jun 22 10:58 ..
lrwxrwxrwx 1 root root   35 Jun  8  2020 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   52 Mar 10 23:14 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
```

sudo cat /etc/apache2/sites-enabled/000-default.conf

```
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /covid/static /home/pi/python_3/covid/covid_webapp/covid_nyt/us_tracker/static/
	<Directory /home/pi/python_3/covid/covid_webapp/covid_nyt/us_tracker/static/>
	    Require all granted
	</Directory>

	<Directory /home/pi/python_3/covid/covid_webapp/covid_nyt/covid_nyt>
	    <Files wsgi.py>
		Require all granted
	    </Files>
	</Directory>

	#WSGIDaemonProcess covid_nyt python-path=/home/pi/python_3/covid/covid_webapp/covid_nyt python-home=/home/pi/python_3/covid/covid_webapp
	#WSGIScriptAlias /covid /home/pi/python_3/covid/covid_webapp/covid_nyt/covid_nyt/wsgi.py
	#WSGIProcessGroup covid_nyt

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =www.uscovidtracker.net
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

<VirtualHost *:80>
    ServerName uscovidtracker.net
    ServerAlias www.uscovidtracker.net
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /covid/static /home/pi/python_3/covid/covid_webapp/covid_nyt/us_tracker/static/
	<Directory /home/pi/python_3/covid/covid_webapp/covid_nyt/us_tracker/static/>
	    Require all granted
	</Directory>

	<Directory /home/pi/python_3/covid/covid_webapp/covid_nyt/covid_nyt>
	    <Files wsgi.py>
		Require all granted
	    </Files>
	</Directory>

	WSGIDaemonProcess covid_nyt python-path=/home/pi/python_3/covid/covid_webapp/covid_nyt python-home=/home/pi/python_3/covid/covid_webapp
	WSGIScriptAlias /covid /home/pi/python_3/covid/covid_webapp/covid_nyt/covid_nyt/wsgi.py
	WSGIProcessGroup covid_nyt

	ServerName www.uscovidtracker.net
	SSLCertificateFile /etc/letsencrypt/live/www.uscovidtracker.net/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/www.uscovidtracker.net/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>

<VirtualHost *:80>
    ServerName uscovidtracker.net
    ServerAlias www.uscovidtracker.net
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

</IfModule>
```

2 Likes

Thank you for having a look. I'm not very experienced with configuring HTTPS so always happy to learn.

2 Likes

1. Clear out the cruft.

   ```
   sudo a2dissite 000-default.conf
   sudo a2dissite 000-default-le-ssl.conf
   sudo rm /etc/apache2/sites-available/000-default.conf
   sudo rm /etc/apache2/sites-available/000-default-le-ssl.conf
   sudo certbot delete --cert-name www.uscovidtracker.net
   ```

2. Get the correct configuration file.

   Download the following file, remove the .txt from the end of its name, and put it in your /etc/apache2/sites-available directory.

   uscovidtracker.net.conf.txt (2.0 KB)

3. Enable the correct configuration file.

   ```
   sudo a2ensite uscovidtracker.net.conf
   ```

4. Reload Apache.

   ```
   sudo apachectl -k graceful
   ```

5. Get the correct certificate.

   ```
   sudo certbot --apache -d "uscovidtracker.net,www.uscovidtracker.net"
   ```

2 Likes

Excellent, that worked great. Thank you. I merely had to uncomment the lines for WSGI configuration so that URL routing to my Django app works.

So what exactly did we do here?

2 Likes

Wonderful!

:partying_face:

Basically, we created a properly named configuration file for maintenance purposes, then copied the contents of 000-default.conf as a starting point. From there, we cleaned up the real port 80 configuration that was incorrectly configured to be port 443 and removed the then-unnecessary port 80 that was added afterwards. Since certbot uses the port 80 configuration file to generate the port 443 configuration file, it was completely unnecessary to manually do so at this point. Since all the previous remnants had been properly cleared, we were at a fresh start point, so all that was needed was to reload Apache to shut down the old configuration and start up the new one, then run certbot properly to take care of the rest.

Theoretically, your certificate should now autorenew every 60 days without any issues. :slightly_smiling_face:

1 Like
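
The `apachectl -S` output posted earlier in the thread already shows the leftovers this cleanup removed: the same port 80 names defined in two files, and a port 443 virtual host with no `ServerName`. As an added example (not code from the thread's participants), the script below parses that output and reports both conditions; the function names are hypothetical, and treating a dot-less name as a missing `ServerName` is a heuristic assumption.

```python
import re

# Virtual host section of the `apachectl -S` output posted in this thread.
THREAD_OUTPUT = """\
*:443                  is a NameVirtualHost
         default server www.uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost zenpi (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   is a NameVirtualHost
         default server uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:53)
         port 80 namevhost uscovidtracker.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:53)
                 alias www.uscovidtracker.net
         port 80 namevhost uscovidtracker.net (/etc/apache2/sites-enabled/000-default.conf:51)
                 alias www.uscovidtracker.net
"""

# Constructed sample: one HTTPS vhost and nothing listening on port 80.
ONLY_443 = "*:443                  www.example.test (/etc/apache2/sites-enabled/site.conf:2)\n"

# "port 80 namevhost name (file:line)" entries under a NameVirtualHost header.
VHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")
# One-line form used when an address has a single vhost: "*:80  name (file:line)".
SINGLE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+) \((.+):(\d+)\)\s*$")
ALIAS_RE = re.compile(r"^\s+alias (\S+)\s*$")


def parse_vhosts(text):
    """Return one dict per virtual host: port, names (ServerName + aliases), where."""
    vhosts = []
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            vhosts.append({"port": int(m[1]), "names": [m[2]], "where": f"{m[3]}:{m[4]}"})
            continue
        m = SINGLE_RE.match(line)
        if m:
            vhosts.append({"port": int(m[2]), "names": [m[3]], "where": f"{m[4]}:{m[5]}"})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1]["names"].append(m[1])
    return vhosts


def audit(text):
    """Return findings as (kind, port, name, where) tuples."""
    findings = []
    first_seen = {}
    vhosts = parse_vhosts(text)
    for v in vhosts:
        # Heuristic: a name without a dot is usually the machine's hostname,
        # which Apache falls back to when the vhost has no ServerName.
        if "." not in v["names"][0]:
            findings.append(("implicit-servername", v["port"], v["names"][0], v["where"]))
        for name in v["names"]:
            key = (v["port"], name)
            if key in first_seen and first_seen[key] != v["where"]:
                # The first definition wins; this later one never serves the name.
                findings.append(("shadowed", v["port"], name, v["where"]))
            else:
                first_seen.setdefault(key, v["where"])
    if 80 not in {v["port"] for v in vhosts}:
        # Certbot's Apache authenticator needs a port 80 vhost for http-01.
        findings.append(("no-port-80-vhost", 80, None, None))
    return findings


if __name__ == "__main__":
    for kind, port, name, where in audit(THREAD_OUTPUT):
        print(f"{kind}: port {port} {name} at {where}")
```

On a live server the same functions can be fed the captured output of `sudo apachectl -S`.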
