Can't rollback because certbot can't find the certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
soccerdailynews.co (and 49 others across 3 servers)
note this site is in fact serving securely right now.

I ran this command:

 sudo certbot --apache rollback

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 36 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/soccerdailynews.co/fullchain.pem' does not exist or is empty

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
Amazon AWS; it's an EC2 instance

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.18.0

This server has 17 virtual hosts, each serving up a WordPress site. Frankly, I did the Apache config incorrectly at first, with all the vhosts in 000-default.conf, instead of each in its own conf file. Then (well, many times) I ran certbot across all the extant domains as I built the server. By the time I moved on to the second (of three) servers, I realized the "right way" to do it, with individual conf files for each domain, and certbot cleanly added an le-ssl-conf for each virtual host file. I went back to reconfigure this one, but first I tried to roll back certbot, with the above errors.

I tried just cleaning out sites-enabled/000-default-le-ssl.conf but certbot just rewrites it with lines pointing at non-existing or empty certs. So I tried deleting the certs with certbot --apache delete -d domainname.com with no joy; certbot still writes them into the 000-default-le-ssl.conf so apache bails (with an error similar to the certbot error above). Which I guess is actually an apache error, anyway.

Another way to put this question is: how do I get back to a blank slate, removing everything certbot has done so far (without just rebuilding the server)?

1 Like

Welcome to the Let's Encrypt Community, Chris :slightly_smiling_face:

The correct way to delete certificates is to first use:

certbot certificates

to find the NAME of each certificate lineage you wish to delete then to use:

certbot delete --cert-name NAME

to delete each unwanted lineage.

1 Like
 sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ubuntu@ip-172-31-24-161:/etc/apache2/sites-available$ 

Hm, actually soccerdailynews.co is on the second server, which explains why it works. Here's one on the server in question (showing the Ubuntu default page at the moment): mlbdailynews.co. It was working yesterday, so I have probably screwed something up while attempting to roll back.

1 Like

No worries. We'll get this sorted. :gloves:

What are the outputs of:

sudo apachectl -S
sudo ls -lRa /etc/apache2
sudo ls -lRa /etc/letsencrypt

Please put 3 backticks above and below each output, like this:

```
output
```

If it's easier, you can instead simply dump the outputs to files by appending > output.txt to each command then upload the output files.

1 Like

I already knew this first one:

$ sudo apachectl -S
AH00526: Syntax error on line 36 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/soccerdailynews.co/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

This one's kind of long. Note I have uploaded all the individual vhosts but have not yet run a2ensite on them. Here's sudo ls -lRa /etc/apache2

$ sudo ls -lRa /etc/apache2
/etc/apache2:
total 88
drwxr-xr-x   8 root root  4096 Aug 25 22:47 .
drwxr-xr-x 101 root root  4096 Aug 25 06:17 ..
-rw-r--r--   1 root root  7224 Jul  5 07:16 apache2.conf
drwxr-xr-x   2 root root  4096 Aug 15 20:37 conf-available
drwxr-xr-x   2 root root  4096 Aug 15 20:37 conf-enabled
-rw-r--r--   1 root root  1782 Jul  5 07:11 envvars
-rw-r--r--   1 root root 31063 Jul  5 07:11 magic
drwxr-xr-x   2 root root 12288 Aug 15 20:37 mods-available
drwxr-xr-x   2 root root  4096 Aug 16 00:17 mods-enabled
-rw-r--r--   1 root root   320 Jul  5 07:11 ports.conf
drwxr-xr-x   2 root root  4096 Aug 25 22:14 sites-available
drwxr-xr-x   3 root root  4096 Aug 25 22:46 sites-enabled

/etc/apache2/conf-available:
total 28
drwxr-xr-x 2 root root 4096 Aug 15 20:37 .
drwxr-xr-x 8 root root 4096 Aug 25 22:47 ..
-rw-r--r-- 1 root root  315 Jul  5 07:11 charset.conf
-rw-r--r-- 1 root root 3224 Jul  5 07:11 localized-error-pages.conf
-rw-r--r-- 1 root root  189 Jul  5 07:11 other-vhosts-access-log.conf
-rw-r--r-- 1 root root 2174 Jul  5 07:11 security.conf
-rw-r--r-- 1 root root  455 Jul  5 07:11 serve-cgi-bin.conf

/etc/apache2/conf-enabled:
total 8
drwxr-xr-x 2 root root 4096 Aug 15 20:37 .
drwxr-xr-x 8 root root 4096 Aug 25 22:47 ..
lrwxrwxrwx 1 root root   30 Aug 15 20:37 charset.conf -> ../conf-available/charset.conf
lrwxrwxrwx 1 root root   44 Aug 15 20:37 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root   46 Aug 15 20:37 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root   31 Aug 15 20:37 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root   36 Aug 15 20:37 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf

/etc/apache2/mods-available:
total 592
drwxr-xr-x 2 root root 12288 Aug 15 20:37 .
drwxr-xr-x 8 root root  4096 Aug 25 22:47 ..
-rw-r--r-- 1 root root   100 Jul  5 07:11 access_compat.load
-rw-r--r-- 1 root root   377 Jul  5 07:11 actions.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 actions.load
-rw-r--r-- 1 root root   843 Jul  5 07:11 alias.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 alias.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 allowmethods.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 asis.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 auth_basic.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 auth_digest.load
-rw-r--r-- 1 root root   100 Jul  5 07:11 auth_form.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_anon.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_core.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 authn_dbd.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 authn_dbm.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_file.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 authn_socache.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authnz_fcgi.load
-rw-r--r-- 1 root root    90 Jul  5 07:11 authnz_ldap.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authz_core.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 authz_dbd.load
-rw-r--r-- 1 root root    92 Jul  5 07:11 authz_dbm.load
-rw-r--r-- 1 root root   104 Jul  5 07:11 authz_groupfile.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_host.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authz_owner.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_user.load
-rw-r--r-- 1 root root  3374 Jul  5 07:11 autoindex.conf
-rw-r--r-- 1 root root    70 Jul  5 07:11 autoindex.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 brotli.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 buffer.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 cache.load
-rw-r--r-- 1 root root   889 Jul  5 07:11 cache_disk.conf
-rw-r--r-- 1 root root    89 Jul  5 07:11 cache_disk.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 cache_socache.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 cern_meta.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 cgi.load
-rw-r--r-- 1 root root   115 Jul  5 07:11 cgid.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 cgid.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 charset_lite.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 data.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dav.load
-rw-r--r-- 1 root root    83 Jul  5 07:11 dav_fs.conf
-rw-r--r-- 1 root root    79 Jul  5 07:11 dav_fs.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 dav_lock.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dbd.load
-rw-r--r-- 1 root root   395 Jul  5 07:11 deflate.conf
-rw-r--r-- 1 root root    84 Jul  5 07:11 deflate.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dialup.load
-rw-r--r-- 1 root root   157 Jul  5 07:11 dir.conf
-rw-r--r-- 1 root root    58 Jul  5 07:11 dir.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dump_io.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 echo.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 env.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 expires.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 ext_filter.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 file_cache.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 filter.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 headers.load
-rw-r--r-- 1 root root   176 Jul  5 07:11 heartbeat.load
-rw-r--r-- 1 root root   182 Jul  5 07:11 heartmonitor.load
-rw-r--r-- 1 root root  1240 Jul  5 07:11 http2.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 http2.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 ident.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 imagemap.load
-rw-r--r-- 1 root root    82 Jul  5 07:11 include.load
-rw-r--r-- 1 root root   402 Jul  5 07:11 info.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 info.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_bybusyness.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_byrequests.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_bytraffic.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_heartbeat.load
-rw-r--r-- 1 root root   121 Jul  5 07:11 ldap.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 ldap.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 log_debug.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 log_forensic.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 lua.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 macro.load
-rw-r--r-- 1 root root    56 Jul  5 07:11 md.load
-rw-r--r-- 1 root root  7676 Jul  5 07:11 mime.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 mime.load
-rw-r--r-- 1 root root   120 Jul  5 07:11 mime_magic.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 mime_magic.load
-rw-r--r-- 1 root root   668 Jul  5 07:11 mpm_event.conf
-rw-r--r-- 1 root root   106 Jul  5 07:11 mpm_event.load
-rw-r--r-- 1 root root   571 Jul  5 07:11 mpm_prefork.conf
-rw-r--r-- 1 root root   108 Jul  5 07:11 mpm_prefork.load
-rw-r--r-- 1 root root   836 Jul  5 07:11 mpm_worker.conf
-rw-r--r-- 1 root root   107 Jul  5 07:11 mpm_worker.load
-rw-r--r-- 1 root root   724 Jul  5 07:11 negotiation.conf
-rw-r--r-- 1 root root    74 Jul  5 07:11 negotiation.load
-rw-r--r-- 1 root root   855 Jul  5 15:13 php7.4.conf
-rw-r--r-- 1 root root   102 Jul  5 15:13 php7.4.load
-rw-r--r-- 1 root root   822 Jul  5 07:11 proxy.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 proxy.load
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ajp.load
-rw-r--r-- 1 root root   347 Jul  5 07:11 proxy_balancer.conf
-rw-r--r-- 1 root root   115 Jul  5 07:11 proxy_balancer.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_connect.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_express.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_fcgi.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_fdpass.load
-rw-r--r-- 1 root root   189 Jul  5 07:11 proxy_ftp.conf
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ftp.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_hcheck.load
-rw-r--r-- 1 root root  2511 Jul  5 07:11 proxy_html.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_html.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_http.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_http2.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_scgi.load
-rw-r--r-- 1 root root    91 Jul  5 07:11 proxy_uwsgi.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_wstunnel.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 ratelimit.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 reflector.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 remoteip.load
-rw-r--r-- 1 root root  1190 Jul  5 07:11 reqtimeout.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 reqtimeout.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 request.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 rewrite.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 sed.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 session.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_cookie.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_crypto.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 session_dbd.load
-rw-r--r-- 1 root root  1280 Jul  5 07:11 setenvif.conf
-rw-r--r-- 1 root root    68 Jul  5 07:11 setenvif.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 slotmem_plain.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 slotmem_shm.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 socache_dbm.load
-rw-r--r-- 1 root root    84 Jul  5 07:11 socache_memcache.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_redis.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_shmcb.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 speling.load
-rw-r--r-- 1 root root  3110 Jul  5 07:11 ssl.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 ssl.load
-rw-r--r-- 1 root root   749 Jul  5 07:11 status.conf
-rw-r--r-- 1 root root    64 Jul  5 07:11 status.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 substitute.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 suexec.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 unique_id.load
-rw-r--r-- 1 root root   324 Jul  5 07:11 userdir.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 userdir.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 usertrack.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 vhost_alias.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 xml2enc.load

/etc/apache2/mods-enabled:
total 8
drwxr-xr-x 2 root root 4096 Aug 16 00:17 .
drwxr-xr-x 8 root root 4096 Aug 25 22:47 ..
lrwxrwxrwx 1 root root   36 Aug 15 20:37 access_compat.load -> ../mods-available/access_compat.load
lrwxrwxrwx 1 root root   28 Aug 15 20:37 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root   28 Aug 15 20:37 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 authz_core.load -> ../mods-available/authz_core.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 authz_user.load -> ../mods-available/authz_user.load
lrwxrwxrwx 1 root root   32 Aug 15 20:37 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root   32 Aug 15 20:37 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root   30 Aug 15 20:37 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root   30 Aug 15 20:37 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root   26 Aug 15 20:37 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root   26 Aug 15 20:37 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root   26 Aug 15 20:37 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root   29 Aug 15 20:37 filter.load -> ../mods-available/filter.load
lrwxrwxrwx 1 root root   27 Aug 15 20:37 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root   27 Aug 15 20:37 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root   34 Aug 15 20:37 mpm_prefork.conf -> ../mods-available/mpm_prefork.conf
lrwxrwxrwx 1 root root   34 Aug 15 20:37 mpm_prefork.load -> ../mods-available/mpm_prefork.load
lrwxrwxrwx 1 root root   34 Aug 15 20:37 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root   34 Aug 15 20:37 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root   29 Aug 15 20:37 php7.4.conf -> ../mods-available/php7.4.conf
lrwxrwxrwx 1 root root   29 Aug 15 20:37 php7.4.load -> ../mods-available/php7.4.load
lrwxrwxrwx 1 root root   33 Aug 15 20:37 reqtimeout.conf -> ../mods-available/reqtimeout.conf
lrwxrwxrwx 1 root root   33 Aug 15 20:37 reqtimeout.load -> ../mods-available/reqtimeout.load
lrwxrwxrwx 1 root root   30 Aug 15 23:00 rewrite.load -> ../mods-available/rewrite.load
lrwxrwxrwx 1 root root   31 Aug 15 20:37 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root   31 Aug 15 20:37 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root   36 Aug 16 00:17 socache_shmcb.load -> ../mods-available/socache_shmcb.load
lrwxrwxrwx 1 root root   26 Aug 16 00:17 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Aug 16 00:17 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root   29 Aug 15 20:37 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root   29 Aug 15 20:37 status.load -> ../mods-available/status.load

/etc/apache2/sites-available:
total 112
drwxr-xr-x 2 root   root    4096 Aug 25 22:14 .
drwxr-xr-x 8 root   root    4096 Aug 25 22:47 ..
-rw-r--r-- 1 root   root       1 Aug 18 22:20 000-default-le-ssl.conf
-rw-r--r-- 1 root   root   18892 Aug 18 22:17 000-default-le-ssl.conf.orig
-rw-r--r-- 1 ubuntu ubuntu  1486 Aug 25 21:55 000-default.conf
-rw-r--r-- 1 root   root    6338 Jul  5 07:11 default-ssl.conf
-rw-r--r-- 1 root   root     444 Aug 25 22:15 electriccarsdaily.co.conf
-rw-r--r-- 1 root   root     450 Aug 25 22:15 entertainmentdaily.co.conf
-rw-r--r-- 1 root   root     446 Aug 25 22:15 finanacedailynews.co.conf
-rw-r--r-- 1 root   root     435 Aug 25 22:15 gadgetdailynews.co.conf
-rw-r--r-- 1 root   root     436 Aug 25 22:15 globaldailynews.co.conf
-rw-r--r-- 1 root   root     424 Aug 25 22:15 golfdailynews.co.conf
-rw-r--r-- 1 root   root     422 Aug 25 22:15 gymdailynews.com.conf
-rw-r--r-- 1 root   root     426 Aug 25 22:15 healthdailynews.co.conf
-rw-r--r-- 1 root   root     430 Aug 25 22:15 hockeydailynews.com.conf
-rw-r--r-- 1 root   root     445 Aug 25 22:15 investingdailynews.co.conf
-rw-r--r-- 1 root   root     400 Aug 25 22:15 luxlane.com.conf
-rw-r--r-- 1 root   root     418 Aug 25 22:15 mlbdailynews.co.conf
-rw-r--r-- 1 root   root     419 Aug 25 22:15 ncaadailynews.com.conf
-rw-r--r-- 1 root   root     413 Aug 25 22:15 nfldailynews.com.conf
-rw-r--r-- 1 root   root     437 Aug 25 22:15 parentsdailynews.com.conf
-rw-r--r-- 1 root   root     437 Aug 25 22:15 photographynews.co.conf
-rw-r--r-- 1 root   root     427 Aug 25 22:15 racingdailynews.co.conf

/etc/apache2/sites-enabled:
total 32
drwxr-xr-x 3 root root  4096 Aug 25 22:46 .
drwxr-xr-x 8 root root  4096 Aug 25 22:47 ..
-rw-r--r-- 1 root root 18888 Aug 18 00:51 000-default-le-ssl.conf
lrwxrwxrwx 1 root root    35 Aug 15 20:37 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root    44 Aug 22 23:48 electriccarsdaily.co.conf -> ../sites-available/electriccarsdaily.co.conf
lrwxrwxrwx 1 root root    45 Aug 22 23:49 entertainmentdaily.co.conf -> ../sites-available/entertainmentdaily.co.conf
drwxr-xr-x 2 root root  4096 Aug 22 23:33 wp2-vhosts

/etc/apache2/sites-enabled/wp2-vhosts:
total 76
drwxr-xr-x 2 root root 4096 Aug 22 23:33 .
drwxr-xr-x 3 root root 4096 Aug 25 22:46 ..
-rw-r--r-- 1 root root  444 Aug 22 23:33 electriccarsdaily.co.conf
-rw-r--r-- 1 root root  450 Aug 22 22:11 entertainmentdaily.co.conf
-rw-r--r-- 1 root root  446 Aug 22 22:11 finanacedailynews.co.conf
-rw-r--r-- 1 root root  435 Aug 22 22:11 gadgetdailynews.co.conf
-rw-r--r-- 1 root root  436 Aug 22 22:11 globaldailynews.co.conf
-rw-r--r-- 1 root root  424 Aug 22 22:11 golfdailynews.co.conf
-rw-r--r-- 1 root root  422 Aug 22 22:11 gymdailynews.com.conf
-rw-r--r-- 1 root root  562 Aug 22 22:11 healthdailynews.co.conf
-rw-r--r-- 1 root root  430 Aug 22 22:11 hockeydailynews.com.conf
-rw-r--r-- 1 root root  445 Aug 22 22:11 investingdailynews.co.conf
-rw-r--r-- 1 root root  400 Aug 22 22:11 luxlane.com.conf
-rw-r--r-- 1 root root  432 Aug 22 22:11 mlbdailynews.co.conf
-rw-r--r-- 1 root root  435 Aug 22 22:11 ncaadailynews.com.conf
-rw-r--r-- 1 root root  428 Aug 22 22:11 nfldailynews.com.conf
-rw-r--r-- 1 root root  456 Aug 22 22:11 parentsdailynews.com.conf
-rw-r--r-- 1 root root  454 Aug 22 22:11 photographynews.co.conf
-rw-r--r-- 1 root root  444 Aug 22 22:11 racingdailynews.co.conf
ubuntu@ip-172-31-24-161:/etc/apache2/sites-available$ 

Here's sudo ls -lRa /etc/letsencrypt

$ sudo ls -lRa /etc/letsencrypt
/etc/letsencrypt:
total 40
drwxr-xr-x   9 root root 4096 Aug 25 23:26 .
drwxr-xr-x 101 root root 4096 Aug 25 06:17 ..
drwx------   3 root root 4096 Aug 19 00:02 accounts
drwx------   2 root root 4096 Aug 25 22:43 archive
drwxr-xr-x   2 root root 4096 Aug 23 21:34 csr
drwx------   2 root root 4096 Aug 23 21:34 keys
drwx------   2 root root 4096 Aug 25 22:43 live
-rw-r--r--   1 root root  952 Aug 19 00:00 options-ssl-apache.conf
drwxr-xr-x   2 root root 4096 Aug 25 22:43 renewal
drwxr-xr-x   5 root root 4096 Aug 18 23:44 renewal-hooks

/etc/letsencrypt/accounts:
total 12
drwx------ 3 root root 4096 Aug 19 00:02 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..
drwx------ 3 root root 4096 Aug 19 00:02 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Aug 19 00:02 .
drwx------ 3 root root 4096 Aug 19 00:02 ..
drwx------ 3 root root 4096 Aug 19 00:02 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Aug 19 00:02 .
drwx------ 3 root root 4096 Aug 19 00:02 ..
drwx------ 2 root root 4096 Aug 19 00:02 17b6864724f2ecb3ea5344938ec3b6b2

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/17b6864724f2ecb3ea5344938ec3b6b2:
total 20
drwx------ 2 root root 4096 Aug 19 00:02 .
drwx------ 3 root root 4096 Aug 19 00:02 ..
-rw-r--r-- 1 root root  103 Aug 22 21:09 meta.json
-r-------- 1 root root 1632 Aug 19 00:02 private_key.json
-rw-r--r-- 1 root root   79 Aug 19 00:02 regr.json

/etc/letsencrypt/archive:
total 8
drwx------ 2 root root 4096 Aug 25 22:43 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..

/etc/letsencrypt/csr:
total 60
drwxr-xr-x 2 root root 4096 Aug 23 21:34 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..
-rw-r--r-- 1 root root  952 Aug 19 00:02 0000_csr-certbot.pem
-rw-r--r-- 1 root root  924 Aug 19 00:03 0001_csr-certbot.pem
-rw-r--r-- 1 root root  924 Aug 19 01:21 0002_csr-certbot.pem
-rw-r--r-- 1 root root  920 Aug 22 21:09 0003_csr-certbot.pem
-rw-r--r-- 1 root root  932 Aug 22 21:10 0004_csr-certbot.pem
-rw-r--r-- 1 root root  932 Aug 22 21:12 0005_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 01:26 0006_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 01:34 0007_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 20:42 0008_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 20:44 0009_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 21:30 0010_csr-certbot.pem
-rw-r--r-- 1 root root  932 Aug 23 21:31 0011_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 23 21:34 0012_csr-certbot.pem

/etc/letsencrypt/keys:
total 60
drwx------ 2 root root 4096 Aug 23 21:34 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..
-rw------- 1 root root 1704 Aug 19 00:02 0000_key-certbot.pem
-rw------- 1 root root 1704 Aug 19 00:03 0001_key-certbot.pem
-rw------- 1 root root 1704 Aug 19 01:21 0002_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 21:09 0003_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 21:10 0004_key-certbot.pem
-rw------- 1 root root 1708 Aug 22 21:12 0005_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 01:26 0006_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 01:34 0007_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 20:42 0008_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 20:44 0009_key-certbot.pem
-rw------- 1 root root 1708 Aug 23 21:30 0010_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 21:31 0011_key-certbot.pem
-rw------- 1 root root 1704 Aug 23 21:34 0012_key-certbot.pem

/etc/letsencrypt/live:
total 12
drwx------ 2 root root 4096 Aug 25 22:43 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..
-rw-r--r-- 1 root root  740 Aug 22 21:09 README

/etc/letsencrypt/renewal:
total 8
drwxr-xr-x 2 root root 4096 Aug 25 22:43 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 Aug 18 23:44 .
drwxr-xr-x 9 root root 4096 Aug 25 23:26 ..
drwxr-xr-x 2 root root 4096 Aug 18 23:44 deploy
drwxr-xr-x 2 root root 4096 Aug 18 23:44 post
drwxr-xr-x 2 root root 4096 Aug 18 23:44 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Aug 18 23:44 .
drwxr-xr-x 5 root root 4096 Aug 18 23:44 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Aug 18 23:44 .
drwxr-xr-x 5 root root 4096 Aug 18 23:44 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Aug 18 23:44 .
drwxr-xr-x 5 root root 4096 Aug 18 23:44 ..
ubuntu@ip-172-31-24-161:/etc/apache2/sites-available$ 
1 Like

Looking pretty good. Your certbot directory structure is clean. Your apache directory structure is fairly clean, but the configuration files need some help.

This:

is an actual configuration file and should not be in sites-enabled. Only symlinks should be added-to/removed-from sites-enabled using a2ensite/a2dissite. That said, the problems are likely in the individual configuration files themselves.

I'm also curious as to the duplication of configuration files here:

and here:

The latter directory is where all of your vHost configuration files should be located.

The group/owner of this file:

should be root.

Let's take a look at one pair of vHost files.

If you would, please make a copy of these two files with a .txt extension then upload them:

1 Like

I'm thinking that all of your woes are in here:

This file contains port 443 vHosts that require certificate files that don't even exist on this server. Simply moving that whole file to sites-available then running sudo apachectl -k graceful will likely upright the ship immediately. It should only contain port 443 vHosts. If it contains duplicated material from 000-default.conf, that shouldn't be there anyhow.

1 Like
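The two checks described in the replies above (only symlinks belong in sites-enabled, and port 443 vHosts must not point at certificate files that are missing or empty), as an added shell example that is not part of the original thread. The `.example` hostnames, the temporary directory tree and the function names are constructed for illustration; the optional second argument of `missing_cert_refs` is an assumed root prefix so the check can run against a copy of `/etc`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache sites-enabled directory.

# Print every entry in sites-enabled ($1) that is not a symlink.
non_symlink_entries() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # empty directory or dangling link
        [ -L "$entry" ] || printf '%s\n' "$entry"
    done
}

# Print "conf:line:path" for each SSLCertificateFile / SSLCertificateKeyFile
# in $1/*.conf whose target is missing or empty. $2 is an optional root
# prefix (hypothetical convenience for auditing a copied tree).
missing_cert_refs() {
    conf_dir=$1
    root=${2:-}
    tab=$(printf '\t')
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue              # follows symlinks, skips dangling ones
        awk -v file="$f" '
            tolower($1) ~ /^sslcertificate(key)?file$/ {
                p = $2; gsub(/"/, "", p)     # drop optional quotes around the path
                printf "%s\t%d\t%s\n", file, NR, p
            }' "$f"
    done | while IFS="$tab" read -r file line path; do
        [ -s "$root$path" ] || printf '%s:%s:%s\n' "$file" "$line" "$path"
    done
}

# Build a constructed tree that mirrors the situation in the thread:
# one properly enabled vHost and one real file with stale certificate paths.
build_demo() {
    d=$(mktemp -d) || return 1
    avail="$d/etc/apache2/sites-available"
    enabled="$d/etc/apache2/sites-enabled"
    live="$d/etc/letsencrypt/live"
    mkdir -p "$avail" "$enabled" "$live/ok.example"
    echo "constructed placeholder" > "$live/ok.example/fullchain.pem"
    echo "constructed placeholder" > "$live/ok.example/privkey.pem"
    printf '<VirtualHost *:80>\n    ServerName good.example\n</VirtualHost>\n' \
        > "$avail/good.example.conf"
    ln -s ../sites-available/good.example.conf "$enabled/good.example.conf"
    cat > "$enabled/000-default-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName gone.example
    SSLCertificateFile /etc/letsencrypt/live/gone.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gone.example/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName ok.example
    SSLCertificateFile "/etc/letsencrypt/live/ok.example/fullchain.pem"
    SSLCertificateKeyFile /etc/letsencrypt/live/ok.example/privkey.pem
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

# Run both checks against the constructed tree.
demo_root=$(build_demo)
echo "Non-symlink entries in sites-enabled:"
non_symlink_entries "$demo_root/etc/apache2/sites-enabled"
echo "Certificate paths that are missing or empty:"
missing_cert_refs "$demo_root/etc/apache2/sites-enabled" "$demo_root"
[ -n "$demo_root" ] && rm -rf "$demo_root"
```

On a live server the same functions would be called as `non_symlink_entries /etc/apache2/sites-enabled` and `missing_cert_refs /etc/apache2/sites-enabled` with root privileges, since `/etc/letsencrypt/live` is not world-readable.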

As a rule of thumb, I often have people blast 000-default to prevent bad habits.

:grin:

1 Like

Chowned that one file (actually everything in /etc/apache2). It was world-readable, but yeah, I noticed that too.

Here's sites-enabled/000-default-le-ssl.conf. sites-available/000-default-le-ssl.conf is empty, because I emptied it.

000-default-le-ssl.conf.txt (18.6 KB)

here's electriccars' conf file:

$ sudo cat electriccarsdaily.co.conf
<VirtualHost *:80>
        DocumentRoot /var/www/ebs/electriccarsdaily.co
        ServerName electriccarsdaily.co
        ServerAlias www.electriccarsdaily.co
        <Directory /var/www/ebs/electriccarsdaily.co>
              AllowOverride All
              Require all granted  

        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/electriccars.error.log
       CustomLog ${APACHE_LOG_DIR}/electriccars.access.log combined

</VirtualHost>

(The others are identical except where they would obviously differ: paths, domains, etc.)

1 Like

That second vHost file is great. Let me take a look at its port 443 partner in the monster file...

1 Like

(Do note that that giant default-le-ssl.conf reflects the poor design of the original Apache installation.)

1 Like

Yeah...

you're going to want to delete that entire monster file. It contains duplicated port 80 vHosts in addition to a convolution of port 443 vHosts. I'm 99.99% certain all the correct port 80 definitions already exist in individual port 80 configuration files. Having certbot just create individual port 443 configuration files from the individual port 80 configuration files will be a snap.

1 Like

Please upload this one too:

1 Like

I have a strong feeling that you originally had one giant SAN certificate with all the domain names on it since this appears in every port 443 vHost:

SSLCertificateFile /etc/letsencrypt/live/mlbdailynews.co/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mlbdailynews.co/privkey.pem
1 Like

I see a lot of domains with port 80 vHosts in there that don't have separate vHost files. I'm guessing those moved to the second server?

1 Like

First I would like to thank you for the amazingly quick reply. I was expecting to post this and then come back after a day or two :slight_smile:

  1. yes I moved those to the second server.
  2. I emptied sites-available/000-default-le-ssl.conf and deleted the one in sites-enabled, replacing it with a link to the one in sites-available (which was empty at the time).
  3. tried to re-run certbot rollback. it re-populated sites-available/000-default-le-ssl.conf (from where I do not know) and then died with the same apache error. (I had restarted apache first)
ubuntu@ip-172-31-24-161:/etc/apache2/sites-available$ sudo cat 000-default.conf 
#hello there updated wp-2


<VirtualHost *:80>
       # The ServerName directive sets the request scheme, hostname and port that
       # the server uses to identify itself. This is used when creating
       # redirection URLs. In the context of virtual hosts, the ServerName
       # specifies what hostname must appear in the request's Host: header to
       # match this virtual host. For the default virtual host (this file) this
       # value is not decisive as it is used as a last resort host regardless.
       # However, you must set it for any further virtual host explicitly.
       #ServerName www.example.com

      ServerAdmin webmaster@localhost
      DocumentRoot /var/www/html
#      ServerName vendorheaven.io


       # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
       # error, crit, alert, emerg.
       # It is also possible to configure the loglevel for particular
       # modules, e.g.
       LogLevel info ssl:warn

      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined

       # For most configuration files from conf-available/, which are
       # enabled or disabled at a global level, it is possible to
       # include a line for only one particular virtual host. For example the
       # following line enables the CGI configuration for this host only
       # after it has been globally disabled with "a2disconf".
       #Include conf-available/serve-cgi-bin.conf


</VirtualHost>

Here is what certbot wrote into sites-available/000-default-le-ssl.conf just now. I think it's identical to the one I sent earlier as a file.
000-default-le-ssl.conf.txt (18.6 KB)

1 Like

Do these all have their own individual content or are they placeholders/forsale/etc? If it's the latter, there are easy ways to collect things together.

1 Like

We have a reputation to uphold. :grin:

1 Like

They all have their own content. I am migrating them from wp-engine for a client. Rebuilding them from scratch or using multi-site would have been a nightmare because not all plugins export their settings in wp-export. In fact most don't. So I just zipped them up and put them on another server. (and imported all the db's into mysql/aurora on aws). It'll still save like $600/mo for him.

1 Like

The 000-default has no ServerName and has a default DocumentRoot. I suspect it can just be blasted (as always).

1 Like