Cert renewal dry run kills apache

I'm running openSUSE with Apache and have just installed certbot to get SSL running on my web server.

NAME=openSUSE
VERSION="13.2 (Harlequin)"

First installation failed and I got this error:

Cannot find a cert or key directive in /files/etc/apache2/vhosts.d/vhost-ssl.conf/IfDefine/IfDefine/VirtualHost. VirtualHost was not modified
Unable to find cert and/or key directives

I then manually edited the vhost-ssl.conf file and added:
SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile to point to the files certbot generated.

Saved and restarted Apache and SSL is now working.

Now trying the

certbot-auto renew --dry-run

But this causes apache2 to fail and I have to start it up manually.

Feb 25 16:09:37 suse systemd[1]: apache2.service: main process exited, code=exited, status=1/FAILURE
Feb 25 16:09:38 suse start_apache2[14704]: AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
Feb 25 16:09:38 suse start_apache2[14704]: AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
Feb 25 16:09:38 suse start_apache2[14704]: httpd (pid 14550?) not running
Feb 25 16:09:38 suse systemd[1]: Unit apache2.service entered failed state.

vhost-ssl.conf:

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost _default_:443>

    #  General setup for the virtual host
    DocumentRoot "/srv/www/vhosts/blog"
    ServerName blog.gjmccarthy.co.uk
    ErrorLog /var/log/apache2/blog.gjmccarthy.co.uk-ssl-error_log
    TransferLog /var/log/apache2/blog.gjmccarthy.co.uk-ssl-access_log

    SSLProtocol             all -SSLv2 -SSLv3

    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on
    SSLCompression          off

    SSLOptions +StrictRequire
    SSLEngine on

    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

    SSLCertificateFile /etc/letsencrypt/live/blog.gjmccarthy.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.gjmccarthy.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/blog.gjmccarthy.co.uk/chain.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>

Any ideas why this is happening? Let me know what other info I should provide.

looks like the culprit

Thanks. Didn't think the fix would be that easy. I’ve created the folder and the dry run is now working.
The tls_sni_01_page folder didn’t exist. Maybe it wasn’t created when the original installation failed.

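A pre-flight check for the two problems seen in this thread (certificate/key paths and a DocumentRoot that does not exist), as an added example that is not part of the original posts. The function name `missing_paths` is hypothetical, and the script assumes one directive per line and paths without spaces.

```shell
#!/bin/sh
# Added example: report paths referenced by an Apache config that do not exist.
# Run as root, since /etc/letsencrypt/live is normally readable by root only.
# Usage: sh check_paths.sh /etc/apache2/vhosts.d/vhost-ssl.conf

missing_paths() {
    awk '
        $1 ~ /^#/ { next }                 # skip commented-out directives
        {
            d = tolower($1); kind = ""     # Apache directive names are case-insensitive
            if (d == "documentroot") kind = "dir"
            else if (d ~ /^sslcertificate(key|chain)?file$/) kind = "file"
            if (kind == "") next
            p = $2; gsub(/"/, "", p)       # drop optional quotes around the path
            print kind, $1, p
        }
    ' "$1" | while read -r kind directive path; do
        if [ "$kind" = dir ]; then
            [ -d "$path" ] || echo "missing directory: $directive $path"
        else
            [ -f "$path" ] || echo "missing file: $directive $path"
        fi
    done
}

# Check every config file given on the command line (no-op without arguments).
for conf in "$@"; do
    missing_paths "$conf"
done
```

Running it over the vhost files before `certbot-auto renew --dry-run` or an Apache restart lists anything that needs to be created or corrected first.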