Certbot Apache Plugin Unable to Confiugre TLS-SNI Challenge due to multiple Virutal Hosts in One File


#1

I call certbot with “-d” option. Below is the whole configuration.

For some strange reason I see errors messages and wildcard-domains. But the -d option does not contain any wildcard-domains.

What am I doing wrong?

The certbot call can be seen here: http://thomas-guettler.de/tmp/certbot.txt


#2

Hi @guettli,

The error messages that you saw indicate that there’s a problem in Certbot’s ability to understand and modify the Apache configuration on your system. In this case, Certbot tried to change your Apache server configuration in order to pass challenges to prove your control over these names, but it didn’t succeed.

The most common reason for this is having an existing Apache configuration with multiple VirtualHosts in a single file (often in /etc/apache2/sites-available). Do you know if that’s the case in your configuration? Or do you know anything else in the Apache configuration that might be unusual, complex, or difficult for Certbot to parse somehow?


#3

Yes, there are several VirtualHost entries per conf-file in sites-available.

What is the recommendation?

I think it should be possible to cut the file into several files.

Thank you for your fast reply.

Question: If certbot has problems with it (that’s ok). But why does certbot not tell me so? The error message I got was very confusing.


#4

Hi @guettli,

Probably splitting the virtual hosts out into individual files should fix the problem.

There is code in Certbot to warn users about this situation, but after looking at it, I think it’s only triggered when you specify -d, rather than for the automatic servername detection case.

While that is quite a severe bug that we don’t fail with a useful error in this situation, one of our developers is nearing completion of a fix to allow multiple VirtualHosts to coexist in a single file and be handled correctly by Certbot. So I think at this point we should wait for that fix in the next release rather than try to write additional code to improve detection of an error condition that’s about to be eliminated.

Sorry for the inconvenience!


#5

I cut my apache config into “one VirtualHost per config file” and now it works (at least for a single domain).

Thank you for your support.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.