Certbot-auto --apache | Failed on Amazon Linux ... possible issue?


#1

Hello,

Great stuff! I was able to get one of my virtual hosts working last night, but with a little bit of manual effort. I was hoping to ask a few questions, and see if I can learn about the process, how things might have failed, and maybe contribute some input to the people maintaining the certbot-auto code.

As a “post-mortem” I did some investigation, and maybe found a few reasons why the process failed … it was SO close!

I fully understand that I was warned at first that Amazon Linux (NOT Amazon Linux 2) was going to be a questionable install … I went ahead after reading other people's posts, via Google, and did get things working. Again … my goal is to assist here, and understand what might have failed to maybe contribute a fix.

When I ran the command to get things going, I used:

sudo ./certbot-auto --apache -d {myDomain}.com -d www.{myDomain}.com --debug

Everything seemed to work perfectly, right up until “certbot_apache.configurator”. The errors began at this point.

2018-11-06 02:30:04,041:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/httpd/conf.d/www.wovyn.com-le-ssl.conf
2018-11-06 02:30:04,051:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf.d/www.wovyn.com-le-ssl.conf
2018-11-06 02:30:04,206:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf/httpd.conf
2018-11-06 02:30:04,267:WARNING:certbot_apache.configurator:Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf.d/www.wovyn.com-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified
2018-11-06 02:30:04,268:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 497, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 336, in deploy_cert
    self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 465, in _deploy_cert
    "Unable to find an SSLCertificateFile directive")
PluginError: Unable to find an SSLCertificateFile directive

What I realized at this point is that mod24_ssl was NOT installed … I’m not sure if this was the issue or not. I discovered this after I manually created the /etc/httpd/conf.d/www.wovyn.com-le-ssl.conf file, and restarted Apache.

Once I had installed this module, then the restart of Apache worked.

My two questions are:

  1. Is there a check in the current code for the mod24_ssl module? If not, this might be a good thing to add.
  2. The INFO line is incorrect: “2018-11-06 02:30:04,041:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/httpd/conf.d/www.wovyn.com-le-ssl.conf”. This file was never actually created, and I’m not sure why. Again, it seems there is a bug in the code that did not detect this fact, yet still printed the INFO message that it was created. Looking in the Python code is what led me to believe that maybe the “configurator” is actually using the template from mod24_ssl to create the file … but didn’t realize it failed?

Anyhow … just wanting to learn and understand the code a little more, and hopefully provide some insight into improvements that could be made to the error handling.

I’ll be trying with a few more virtual hosts, and now that mod24_ssl is installed maybe it will work better.

Thanks for all of the great work!
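
A pre-flight check that covers the two gaps raised in this post: whether mod_ssl is actually loaded, and whether the generated -le-ssl.conf vhost really contains the SSLCertificateFile directive certbot_apache went looking for. This is an added example, not code from certbot-auto or the certbot_apache plugin; the module listing format is that of `httpd -M`, and the sample inputs are constructed.

```shell
# Added pre-flight check for the failure described above; it is not part
# of certbot-auto or certbot_apache. It confirms that mod_ssl is loaded
# and that a -le-ssl.conf vhost carries the SSLCertificateFile directive
# certbot_apache reported it could not find.

# 0 if the `httpd -M` listing read from stdin contains ssl_module, else 1.
ssl_module_loaded() {
    grep -Eq '^[[:space:]]*ssl_module[[:space:]]'
}

# 0 if file $1 has an SSLCertificateFile directive inside a <VirtualHost>
# block; comment lines are skipped and names match case-insensitively.
vhost_has_cert_directive() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($0) ~ /<virtualhost/    { inside = 1 }
        tolower($0) ~ /<\/virtualhost>/ { inside = 0 }
        inside && tolower($0) ~ /^[[:space:]]*sslcertificatefile[[:space:]]/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Module listing on stdin, vhost config path in $1; reports the first
# problem found and returns 1, otherwise returns 0.
preflight() {
    if ! ssl_module_loaded; then
        echo "mod_ssl not loaded: install mod24_ssl and restart httpd" >&2
        return 1
    fi
    if [ -f "$1" ] && ! vhost_has_cert_directive "$1"; then
        echo "$1: no SSLCertificateFile inside its VirtualHost" >&2
        return 1
    fi
}

# Constructed sample inputs (not taken from the poster's system).
sample_modules_no_ssl() { printf ' core_module (static)\n rewrite_module (shared)\n'; }
sample_modules_ssl()    { sample_modules_no_ssl; printf ' ssl_module (shared)\n'; }
write_sample_vhost() {  # $1 = output path, $2 = "with" or "without" the directive
    {
        printf '<IfModule mod_ssl.c>\n<VirtualHost *:443>\n  ServerName www.example.com\n'
        if [ "$2" = with ]; then
            printf '  SSLCertificateFile /etc/letsencrypt/live/example/cert.pem\n'
        fi
        printf '</VirtualHost>\n</IfModule>\n'
    } > "$1"
}
```

On a real host the check is run as `httpd -M 2>/dev/null | preflight /etc/httpd/conf.d/www.example.com-le-ssl.conf` before invoking certbot-auto.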


#2

Hi! Glad you’ve found Let’s Encrypt valuable. Could you post the full log from your run, plus your Apache config?

I believe Certbot tries to enable mod_ssl and will generate a useful error if it fails.

My guess is that this file was actually created, but reverted when Certbot didn’t successfully complete its mission. The full logs will tell us more.


#3

Hello,

Thank you for the reply, and I do want to say that I do appreciate your efforts in maintaining and supporting this community.

Per your request to “post the full log”, I’m curious where exactly you were thinking that I would post it? I’m not comfortable posting it publicly as it contains identifiable information that is not ok for public release. In that case we’d have to take the time to scrub the log, and remove all sorts of details we question handing over to anyone. How do you normally handle this?

When you state about checks for mod24_ssl, you said:

I believe Certbot tries to enable mod_ssl and will generate a useful error if it fails.

I’ve gone through the python code and have not found these checks. Could you point me at the code module or .py file that you think has these checks?

You also suggested:

My guess is that this file was actually created, but reverted when Certbot didn’t successfully complete its mission.

This line appears to originate on line #1145 of /certbot-apache/configurator.py (https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/configurator.py#L1145) - logger.info("Created an SSL vhost at %s", ssl_fp) - and is not followed by any code that appears to “undo” any of this … and in fact returns the supposed ssl_vhost which - IMHO - was not successfully created.

The function make_vhost_ssl in fact takes a pair of parameters, and looking at the code I’m not sure that I see the returned value ever being checked, until far later when it fails to find the SSLCertificateFile directive within the object that was returned.

As I’ve only looked at the code for about an hour, I could be completely mistaken … which is why I was hoping that someone would point out where I’ve misidentified these issues.

Thanks again!


#4

If I’m recalling correctly (I’m not a Certbot engineer), this reversion happens in an “except” block.

Regarding scrubbing your log file: I believe the only sensitive data in it is your email address and your domain name. A find-and-replace should do you just fine there. You can even choose to skip redacting the domain name since it winds up in Certificate Transparency (and is in the filename you shared earlier).


#5

Here is the scrubbed log file.

Also, that particular function does not appear to have an “except” block. I’m still reviewing the code looking for where the test for mod24_ssl exists.

Again … I’ve got things working, but am hoping that these two issues might assist in improving the code, and allowing Amazon Linux users an easy time at getting Let’s Encrypt to work on their instances.

Attachment: letsencrypt.log.scrubbed.txt (38.6 KB)


#6

I was curious … you asked me to upload the log … has anyone looked at it?

I still do not see any checks for the mod_ssl being present, and install failure is still not handling the situation cleanly. The failure still exists, and I’m not clear why?


#7

Hi,

The log you uploaded to this community seems to state that the file is created, then deleted (reverted) because the file is not working… (2018-11-06 02:30:04,267) I’m not sure if it’s correct to print the “created” message before making the virtual host though…

Thank you