Certbot --apache starting over

certbot --version
certbot 0.31.0
admittedly old, but outer circumstances force me to stay with this for the moment.

I ran certbot delete
and deleted all certificates.
I had some VirtualHost :443 residues in the /etc/apache2/sites-enabled files.
I ran this command: certbot --apache -d <comma-separated-list of 44 domains>
and it gave a syntax error about a non-existent file in /etc/letsencrypt/live/mydomain/fullchain.pem

My questions:

  1. Should I delete all VirtualHosts sections for port 443 first, before issuing the certbot --apache command?

  2. Do normal port 80 VirtualHosts have to exist for every domain prior to running the certbot command?

  3. Does certbot automatically create a command to do a redirection of http -> https?

I had left all VirtualHost 443 sections in the .conf files and removed every SSL reference there. This way I was able to start apache2 again.

Now I'm getting:

```
...
http-01 challenge for zeitraum-reise.de
http-01 challenge for zeitraumreise.de
http-01 challenge for zeitundraumreise.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. zeitraumreise.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 78.47.186.167: Invalid response from http://zeitraumreise.de/.well-known/acme-challenge/ZBlPUvewS3R4IIV4KTf3MjLpeCjtwBXlTeRNXXoDQnA: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: zeitraumreise.de
   Type:   unauthorized
   Detail: 78.47.186.167: Invalid response from
   http://zeitraumreise.de/.well-known/acme-challenge/ZBlPUvewS3R4IIV4KTf3MjLpeXxXXXXlTeRNXXoXxXX:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

At this point in time there are not yet any certificate files created in /etc/letsencrypt/archive

First, here are the docs about safely deleting certs (link here). A key point, which you have now learned, is that you also have to remove all references to those certs in web servers and such.

Well, assuming you used the --apache method again, the 404 is a sign Certbot sees something incompatible in your Apache config. Newer certbots do much better with "messy" Apache configs, so it is unfortunate you cannot update to the current snap version 2.6.

But, can you show the exact Certbot command you used and the VirtualHost definition for it? I don't want to look at all 44 domain names right now. Just this failing one.

When posting the Apache config please put 3 backticks before and after to preserve all the tags:
```
apache config
```

2 Likes

I hope I did the certbot delete right. It worked recently in another configuration.
At least the /etc/letsencrypt

```
<VirtualHost *:80>
        ServerAdmin webmaster@zeitraumreise.de

        DocumentRoot /var/www/de.zeitraumreise.www
        ServerName www.zeitraumreise.de
        ServerAlias zeitraumreise.de
        ServerSignature Off

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

</VirtualHost>
```

I used:

```
certbot --apache -d buchabsatz.de,buchfischer.de,busch-reise.de,buschreise.de,deutsche-reise.de,ein-fach-regal.de,einfachregal.de,emser-depesche.de,erdreise.de,forschungsvorhaben.de,hoerschreiber.de,intellitel.de,iphon.de,kalender-im-netz.de,keltenwege.de,lindenthaler.eu,meine-lieder.de,raum-und-zeit-reise.de,raum-zeit-reise.de,raumundzeitreise.de,raumzeitreise.de,rechtschreiber.de,rechtschreibfrieden.de,rechtschreibreform-a.de,ruzr.de,urquell.de,volksmuseum.de,werkwelt.de,fms.werkwelt.de,db.werkwelt.de,wilhelm-busch-album.de,zahnhof.de,zahnphoto.de,zeit-raum-reise.de,zeit-und-raum-reise.de,zeitraum-reise.de,zeitraumreise.de,zeitundraumreise.de,imap.werkwelt.de,mail.werkwelt.de,post.werkwelt.de,smtp.werkwelt.de,www.werkwelt.de
```

To simplify debugging try

```
sudo certbot certonly --apache --dry-run -d zeitraumreise.de,www.zeitraumreise.de
```

The --dry-run uses the staging test system. And --apache doesn't support --dry-run directly, so we must use certonly for this kind of test.

Then, copy the resulting /var/log/letsencrypt/letsencrypt.log to a .txt file and use the upload button on this post menu.

3 Likes

letsencrypt.txt (26.6 KB)

1 Like

I don't think that VirtualHost you showed me is the active one for that domain. It has the server signature off, yet I see the server signature response header.

Because of your many domains I was hoping to avoid this but let's see the result of this:

```
apachectl -t -D DUMP_VHOSTS
```
3 Likes

Actually I'm a bit hesitant to post this long output.

But what I'm just noticing: the server runs on 116.203.159.167 while zeitraumreise.de is 78.47.186.167 (?). Well, I wasn't aware of this until just now and will have to check with the owner of that site what he did there. Will be back.

I come to the conclusion that the different IP is the problem. I will fix this.

EDIT: solved! Fixed DNS and certificates were generated.

2 Likes
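The root cause above was a domain whose A record pointed at a different host than the one running certbot, so the http-01 challenge was answered by the wrong server. This added pre-flight check (example code, not part of the thread or of certbot) resolves every name in a `-d` list and reports the ones that do not contain any of the server's own addresses; the resolver is injectable so the check can be exercised offline, and `SAMPLE_DNS` is a constructed table mirroring the addresses reported in this thread.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def resolve_addresses(name: str) -> Set[str]:
    """All A/AAAA addresses the local resolver returns for name (empty on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def domains_from_arg(arg: str) -> List[str]:
    """Split the comma-separated list handed to certbot -d."""
    return [d.strip() for d in arg.split(",") if d.strip()]


def find_dns_mismatches(domains: Iterable[str], server_ips: Iterable[str],
                        resolve: Resolver = resolve_addresses) -> Dict[str, Set[str]]:
    """Return {domain: resolved addresses} for every domain whose records contain
    none of server_ips. Those names would have their http-01 challenge served by
    another host, which is how the 404 in this thread came about."""
    ours = set(server_ips)
    bad: Dict[str, Set[str]] = {}
    for name in domains:
        addrs = resolve(name)
        if not addrs & ours:
            bad[name] = addrs
    return bad


# Constructed table mirroring the thread: the server is 116.203.159.167, but
# zeitraumreise.de pointed at 78.47.186.167.
SAMPLE_DNS = {
    "zeitraum-reise.de": {"116.203.159.167"},
    "zeitraumreise.de": {"78.47.186.167"},
}


def sample_check() -> Dict[str, Set[str]]:
    """Run the check against the constructed table instead of live DNS."""
    return find_dns_mismatches(SAMPLE_DNS, ["116.203.159.167"],
                               resolve=lambda n: SAMPLE_DNS.get(n, set()))


if __name__ == "__main__":
    # usage: python3 dnscheck.py <server-ip>[,<server-ipv6>] <comma-separated -d list>
    bad = find_dns_mismatches(domains_from_arg(sys.argv[2]), domains_from_arg(sys.argv[1]))
    for name, addrs in bad.items():
        print(f"{name}: resolves to {sorted(addrs) or 'nothing'}")
    sys.exit(1 if bad else 0)
```

Run it before a large `certbot --apache -d ...` invocation; any name it lists will fail http-01 until its DNS is corrected, exactly as happened here.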

One question: when doing a

```
certbot delete
```

it looks like any traces of letsencrypt certs are being removed.
But the entries

```
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem
```

stay in the conf files. This results in an apache error when trying to run a new certbot --apache -d <list-of-domains> command.

Is there a way to easily remove the above ssl related lines from the conf file?

Guide to safely deleting certs (also post #2)
https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

Not really. You could replace the SSL lines with a self-signed cert rather than having to remove the VHosts. See the topic above.

That said, Certbot has a rollback option but I don't know how that works (the docs are sparse). And, now that you have already run certbot delete it wouldn't have any info to work with. Just something for the future maybe.

5 Likes

I wrote a little script that deletes the respective lines while leaving the vhost entries intact:

```
#!/bin/bash
# Delete every line mentioning SSL or letsencrypt from the enabled vhost files,
# leaving the <VirtualHost> blocks themselves in place. Take a backup first: sed -i
# rewrites the files. --follow-symlinks keeps the sites-enabled symlinks intact
# (without it, GNU sed replaces each symlink with a plain copy of the file).
for i in /etc/apache2/sites-enabled/*.conf
do
    sed -i --follow-symlinks '/SSL/d;/letsencrypt/d' "$i"
done
```
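The script above removes every SSL line, which also drops `SSLEngine on` and leaves the port-443 vhosts serving plaintext. The alternative suggested earlier in the thread, keeping the vhosts but pointing them at a self-signed certificate, is shown here as an added example (not the poster's script or certbot's own code). It only touches `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCertificateChainFile` inside `*:443` blocks; the self-signed paths default to the Debian/Ubuntu `ssl-cert` "snakeoil" pair, an assumption you may need to change, and `SAMPLE_CONF` is a constructed vhost file.

```python
import re
from typing import Tuple

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b([^>]*)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

# Assumed paths: the self-signed pair shipped by Debian/Ubuntu's ssl-cert package.
SELF_SIGNED_CERT = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
SELF_SIGNED_KEY = "/etc/ssl/private/ssl-cert-snakeoil.key"


def rewrite_ssl_vhosts(conf: str, cert: str = SELF_SIGNED_CERT,
                       key: str = SELF_SIGNED_KEY) -> Tuple[str, int]:
    """Inside each <VirtualHost ...:443> block, repoint the cert/key directives at a
    self-signed pair and drop the chain file. SSLEngine, the options-ssl-apache.conf
    Include and every non-443 vhost are returned unchanged. Returns (text, changes)."""
    out, changed, in_443 = [], 0, False
    for line in conf.splitlines():
        opened = VHOST_OPEN.match(line)
        if opened:
            in_443 = ":443" in opened.group(1)
        elif VHOST_CLOSE.match(line):
            in_443 = False
        elif in_443:
            parts = line.split(None, 1)
            directive = parts[0].lower() if parts else ""
            indent = line[: len(line) - len(line.lstrip())]
            if directive == "sslcertificatechainfile":
                changed += 1
                continue  # a self-signed cert has no intermediate chain
            if directive in ("sslcertificatefile", "sslcertificatekeyfile"):
                new_path = cert if directive == "sslcertificatefile" else key
                out.append(f"{indent}{parts[0]} {new_path}")
                changed += 1
                continue
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed vhost file with the three lines the poster asked about.
SAMPLE_CONF = """<VirtualHost *:80>
    ServerName zeitraumreise.de
</VirtualHost>
<VirtualHost *:443>
    ServerName zeitraumreise.de
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem
</VirtualHost>
"""
```

Apache starts again with the self-signed pair in place, and a later `certbot --apache` run finds intact 443 vhosts to install the new certificate into.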
