Certbot --apache stops apache from starting

Hi there,

I think I’ve managed to fetch a certificate correctly, but when certbot tries to install it for apache, my configuration seems to break. I ran this interactively using “certbot --apache” - I’m not going to go through the full series of steps as I’ve been fiddling around for a little while and running this from scratch takes my server down til I disable the SSL vhosts. That said:

I’m running this on Ubuntu Xenial, recently upgraded from Precise (via Trusty). Server Version: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g. I’m running this for v21.io and a bunch of alternate domains (https://www.v21.zone,
https://www.v21.club, https://georgebuckenham.co.uk,
https://hellisotherpeople.co.uk, https://www.hellisotherpeople.co.uk,
https://nottheinternet.co.uk, https://georgebuckenham.com,
https://nottheinternet.com, https://www.nottheinternet.com, https://v21.zone,
https://v21.toys, https://v21.juegos, https://v21.io, https://v21.club,
https://www.v21.io, https://www.v21.toys, and https://www.v21.juegos is the full list - this spans 2 different vhosts)

After running certbot --apache, I get a successful message, but apache2 has stopped running. Attempting to restart:

root@v21:/etc/apache2/sites-enabled# apache2ctl graceful
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Looking in the apache error log I see:

[Sun Oct 08 13:28:41.079804 2017] [ssl:emerg] [pid 24674] AH02572: Failed to configure at least one certificate and key for www.nottheinternet.com:443
[Sun Oct 08 13:28:41.079847 2017] [ssl:emerg] [pid 24674] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:28:41.079855 2017] [ssl:emerg] [pid 24674] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:28:41.079868 2017] [ssl:emerg] [pid 24674] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Oct 08 13:28:41.079872 2017] [ssl:emerg] [pid 24674] AH02312: Fatal error initialising mod_ssl, exiting.
[Sun Oct 08 13:28:41.079874 2017] [:emerg] [pid 24674] AH00020: Configuration Failed, exiting
[Sun Oct 08 13:29:31.764084 2017] [ssl:emerg] [pid 26737] AH02572: Failed to configure at least one certificate and key for www.nottheinternet.com:443
[Sun Oct 08 13:29:31.764157 2017] [ssl:emerg] [pid 26737] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:29:31.764166 2017] [ssl:emerg] [pid 26737] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:29:31.764207 2017] [ssl:emerg] [pid 26737] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Oct 08 13:29:31.764210 2017] [ssl:emerg] [pid 26737] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
[Sun Oct 08 13:29:54.123535 2017] [ssl:emerg] [pid 26761] AH02572: Failed to configure at least one certificate and key for www.nottheinternet.com:443
[Sun Oct 08 13:29:54.123604 2017] [ssl:emerg] [pid 26761] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:29:54.123613 2017] [ssl:emerg] [pid 26761] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Oct 08 13:29:54.123622 2017] [ssl:emerg] [pid 26761] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Oct 08 13:29:54.123626 2017] [ssl:emerg] [pid 26761] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

here’s nottheinternet.com-le-ssl.conf, created by certbot from nottheinternet.com.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# Admin email, Server Name (domain name), and any aliases
	ServerName  www.nottheinternet.com
	ServerAlias nottheinternet.com
	ServerAlias nottheinternet.co.uk
	ServerAlias georgebuckenham.com
	ServerAlias georgebuckenham.co.uk
	ServerAlias prettyqr.com
	ServerAlias tinyturing.co.uk
	ServerAlias tinyturing.com
	ServerAlias tinyturingtest.co.uk
	ServerAlias tinyturingtest.com
	ServerAlias imnotmadeofdomainnames.com
	ServerAlias v21.club
	ServerAlias v21.zone
	ServerAlias v21.juegos
	ServerAlias v21.toys
	ServerAlias www.v21.io
	ServerAlias www.v21.club
	ServerAlias www.v21.zone
	ServerAlias www.v21.juegos
	ServerAlias www.v21.toys

	Redirect / http://v21.io/
	
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>

	ServerAdmin vtwentyone@gmail.com
	ServerName v21.io



	# Index file and Document Root (where the public files are located)
	DirectoryIndex index.html index.php
	DocumentRoot /var/www/nottheinternet.com/public/
	
	<Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/nottheinternet.com/public/>
                Options FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>


	# Log file locations
	LogLevel warn
	ErrorLog  /var/www/nottheinternet.com/log/error.log
	CustomLog /var/www/nottheinternet.com/log/access.log combined
SSLCertificateFile /etc/letsencrypt/live/www.v21.zone/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.v21.zone/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Removing this from sites-enabled and restarting apache gets apache started again, but obviously HTTPS is not working.

Any ideas?

oh, and the certificates are there:

root@v21:/home/v21# ls -alh /etc/letsencrypt/live/www.v21.zone/
total 12K
drwxr-xr-x 2 root root 4.0K Oct  8 12:23 .
drwx------ 3 root root 4.0K Oct  8 12:23 ..
lrwxrwxrwx 1 root root   36 Oct  8 12:23 cert.pem -> ../../archive/www.v21.zone/cert1.pem
lrwxrwxrwx 1 root root   37 Oct  8 12:23 chain.pem -> ../../archive/www.v21.zone/chain1.pem
lrwxrwxrwx 1 root root   41 Oct  8 12:23 fullchain.pem -> ../../archive/www.v21.zone/fullchain1.pem
lrwxrwxrwx 1 root root   39 Oct  8 12:23 privkey.pem -> ../../archive/www.v21.zone/privkey1.pem
-rw-r--r-- 1 root root  543 Oct  8 12:23 README

Even the “redirect” VirtualHost for port 443 will need the SSLCertificateFile and SSLCertificateKeyFile directives for TLS to work. Now it only has the Include part, but missing the other two.

You might also consider directly redirecting to https://v21.io/ in stead of the http:// site.

Hoorah! That was it, thank you.

Is there a place I should report this? I don’t think my setup is particularly unusual, and it took a fair bit of work (as someone who doesn’t do web stuff very often) to even understand the problem enough to gather together the info above.

You might open an issue on the certbot Github page, but it would require some in-depth information on how to reproduce the problem. Perhaps the certbot developers can reproduce the issue if you provide enough information

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.