Certbot 0.28.0 Error while running apachectl configtest


#1

My domain is: osiris.com.au

I ran this command: certbot-auto renew

It produced this output:
Error while running apachectl configtest.
then usage message from httpd

My web server is (include version)
Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version):
vanilla up to date centos6.9

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Tried tracking back but got lost. Not a python programmer. Replaced httpd to find what args were being passed, got: “httpd LINUX_MOTIF -t”
Thanks!


#2

Hi,

This is an Apache error, please try to run apachectl configtest and share some output with us…

Thank you


#3

As mentioned - just a usage message:

apachectl configtest

Usage: ./httpd [-D name] [-d directory] [-f file]
[-C "directive"] [-c "directive"]
[-k start|restart|graceful|graceful-stop|stop]
[-v] [-V] [-h] [-l] [-L] [-t] [-S]
Options:
-D name : define a name for use in directives
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-C "directive" : process directive before reading config files
-c "directive" : process directive after reading config files
-e level : show startup errors of level (see LogLevel)
-E file : log startup errors to file
-v : show version number
-V : show compile settings
-h : list available command line options (this page)
-l : list compiled in modules
-L : list available configuration directives
-t -D DUMP_VHOSTS : show parsed settings (currently only vhost settings)
-S : a synonym for -t -D DUMP_VHOSTS
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
-t : run syntax check for config files

Thanks


#4

Problem was there was something in the OPTIONS env variable that was interfering with your scripts. Perhaps raise a ticket for a warning to the user or filter it out from a front door entry.
“renew” now works.
Thanks


#5

Hi @lxq

renew works, you have a new Let’s Encrypt certificate. But your configuration isn’t complete.

http://osiris.com.au/ 301 https://osiris.com.au/ 3.603 A
http://www.osiris.com.au/ 301 https://osiris.com.au/ 0.967 E
https://osiris.com.au/ 200 4.887 B
https://www.osiris.com.au/ 200 1.750 N
Certificate error: RemoteCertificateNameMismatch

You have a dns entry www.osiris.com.au, but your certificate has only osiris.com.au as domain name. So if someone tries to go to your www version, there is a certificate mismatch.

So create a new certificate with two domain names:

certbot --apache -d www.osiris.com.au -d osiris.com.au

and use that.


#6

Yeah, never advertised that URL.

One other problem: certbot created a publicly readable private key file (!!!) which sendmail refused to accept.


#7

The directory isn’t world readable, so it’s weird but not insecure, FWIW.

There’s an issue open about changing the file permissions, but fixing it wasn’t a high priority in the past.


#8

0440 is no good - you need to turn on the “DON’T BLAME SENDMAIL” option for it to accept even that!
I do remember getting caught 3 months ago by the same issue… pretty slack for it to be outstanding for 3 years.
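
Posts #6 to #8 mix two separate questions: what mode bits the key file itself carries (what sendmail is described as rejecting) and whether other users can actually reach the file through its parent directories (the point made in #7). The following is an added example, not part of the thread and not Certbot's code, that reports both; the function names and the `keys/privkey.pem` layout are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def first_barrier(path):
    """Return the nearest ancestor directory that 'other' cannot traverse
    (no o+x bit), or None if every ancestor up to / is traversable."""
    parent = os.path.dirname(os.path.realpath(path))
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return parent
        up = os.path.dirname(parent)
        if up == parent:          # reached the filesystem root
            return None
        parent = up


def audit_key(path):
    """Report the two separate questions raised in the thread."""
    mode = stat.S_IMODE(os.stat(path).st_mode)   # follows symlinks
    barrier = first_barrier(path)
    return {
        "mode": format(mode, "04o"),
        # Strict consumers (sendmail in posts #6 and #8) look at the file itself.
        "group_or_other_bits": bool(mode & 0o077),
        # Actual exposure also needs o+r on the file and o+x on every ancestor.
        "world_reachable": bool(mode & stat.S_IROTH) and barrier is None,
        "barrier": barrier,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_key(sys.argv[1]))
    else:
        # Constructed layout: a 0644 key inside a 0700 directory.
        with tempfile.TemporaryDirectory() as base:
            keydir = os.path.join(base, "keys")
            os.mkdir(keydir)
            os.chmod(keydir, 0o700)
            key = os.path.join(keydir, "privkey.pem")
            open(key, "w").close()
            os.chmod(key, 0o644)
            print(audit_key(key))
```

The check reads classic mode bits only; POSIX ACLs and copies of the key made elsewhere are not covered.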