Certbot Apache Plugin Unable to Configure TLS-SNI Challenge due to multiple Virtual Hosts in One File

I call certbot with “-d” option. Below is the whole configuration.

For some strange reason I see error messages and wildcard-domains. But the -d option does not contain any wildcard-domains.

What am I doing wrong?

The certbot call can be seen here: http://thomas-guettler.de/tmp/certbot.txt

Hi @guettli,

The error messages that you saw indicate that there’s a problem in Certbot’s ability to understand and modify the Apache configuration on your system. In this case, Certbot tried to change your Apache server configuration in order to pass challenges to prove your control over these names, but it didn’t succeed.

The most common reason for this is having an existing Apache configuration with multiple VirtualHosts in a single file (often in /etc/apache2/sites-available). Do you know if that’s the case in your configuration? Or do you know anything else in the Apache configuration that might be unusual, complex, or difficult for Certbot to parse somehow?

Yes, there are several VirtualHost entries per conf-file in sites-available.

What is the recommendation?

I think it should be possible to cut the file into several files.

Thank you for your fast reply.

Question: If certbot has problems with it (that’s ok). But why does certbot not tell me so? The error message I got was very confusing.

Hi @guettli,

Probably splitting the virtual hosts out into individual files should fix the problem.

There is code in Certbot to warn users about this situation, but after looking at it, I think it’s only triggered when you specify -d, rather than for the automatic servername detection case.

While that is quite a severe bug that we don’t fail with a useful error in this situation, one of our developers is nearing completion of a fix to allow multiple VirtualHosts to coexist in a single file and be handled correctly by Certbot. So I think at this point we should wait for that fix in the next release rather than try to write additional code to improve detection of an error condition that’s about to be eliminated.

Sorry for the inconvenience!

I cut my apache config into “one VirtualHost per config file” and now it works (at least for a single domain).

Thank you for your support.
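The workaround used in this thread, splitting a sites-available file into one VirtualHost per file, as an added example (not Certbot's own code). It assumes a Debian-style layout where each output file is named after the block's ServerName; the input below is a constructed sample.

```python
import re

# Constructed sample: one sites-available file holding two VirtualHosts,
# the layout the Certbot Apache plugin of that era could not handle.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>.*?</VirtualHost>", re.IGNORECASE | re.DOTALL)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def split_vhosts(conf_text):
    """Return {filename: text} with the VirtualHost blocks grouped per ServerName.

    Directives found outside any <VirtualHost> block are returned under the
    key "_global.conf" so the caller can review them instead of losing them.
    """
    files = {}
    last_end = 0
    leftovers = []
    for index, match in enumerate(VHOST_RE.finditer(conf_text), start=1):
        leftovers.append(conf_text[last_end:match.start()])
        last_end = match.end()
        block = match.group(0)
        name_match = SERVERNAME_RE.search(block)
        # A block without ServerName gets a positional name so nothing is dropped.
        stem = name_match.group(1) if name_match else f"vhost-{index}"
        filename = f"{stem}.conf"
        # Blocks sharing a ServerName (e.g. the :80 and :443 pair) stay together in one file.
        files[filename] = files.get(filename, "") + block + "\n"
    leftovers.append(conf_text[last_end:])
    remainder = "".join(leftovers).strip()
    if remainder:
        files["_global.conf"] = remainder + "\n"
    return files


if __name__ == "__main__":
    for name, body in split_vhosts(SAMPLE_CONF).items():
        print(f"--- {name}\n{body}")
```

Review anything that lands in `_global.conf` by hand and run `apachectl configtest` before reloading Apache with the split files.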
