Certbot auto reports syntax error, but apache doesn't think so

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sandbox-v01.mc.edu

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/sandbox-v01.mc.edu.conf


Failed to renew certificate sandbox-v01.mc.edu with error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 443: Syntax error')

My web server is (include version): Apache, Red Hat distro install, httpd-2.4.62-2.fc40.x86_64

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Fedora release 40

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I have been able to renew my cert using certbot certonly, so nothing is on fire right now. But the auto is referencing a syntax error. The line number is at the end of the file, and there is no obvious error. But the big thing is this:

[root@sandbox bennet]# apachectl configtest
[Fri Nov 15 14:22:53.984361 2024] [so:warn] [pid 286308:tid 286308] AH01574: module ssl_module is already loaded, skipping
[Fri Nov 15 14:22:54.034475 2024] [alias:warn] [pid 286308:tid 286308] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.
Syntax OK

Apache thinks the syntax is fine. It's running fine. Does certbot do its own config parsing? I don't really know what to look for.

Not really. Have you tried repairing this and retrying Certbot?

Apache is very tolerant of config glitches.

Yes. When using the --apache plugin it parses and makes temp changes to your Apache config to handle the HTTP Challenge. The first time you run it there are (likely) permanent changes to your config to "install" the cert in Apache.

Problems like this occur occasionally, usually for people using extensions or "nearly" Apache configs like Tomcat. I think certain non-UTF characters might cause that too. It usually takes a line-by-line analysis to find the cause. If it is some odd but correct syntax for an extension, using --webroot is a viable alternate.

If you need help switching to that let us know. Or, review the sudo certbot help reconfigure command.

3 Likes

The message seems pretty clear.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

It's not a syntax error. And commenting it out didn't help.

What shows?:

sudo apachectl -t -D DUMP_VHOSTS

It says:

apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

Some sort of "we converted it to systemd, and don't bother anymore" it seems like.

Commenting out the line it complains about doesn't help. And, it's not a syntax error anyway.

I know certbot works with certonly, which asked for a webroot. Will setting --webroot with reconfigure avoid the parse? That sounds easier than finding some obscure something which one parser thinks is fine, and the other doesn't seem to report in a way I can easily use.

My vhost configuration uses an Apache config macro. Might that be a sufficiently obscure feature to cause problems? Or is it more widely used than I think.

Thank you.

1 Like

Maybe. But if the macro is convenient it would be easier to switch to certonly --webroot.

The certonly webroot will not parse your Apache. It just places a file in the folder you give in the --webroot-path/-w option. This path must match the DocumentRoot for the respective VirtualHost. Sounds like you already know this part at least.

One key difference with that is it will not reload Apache after getting a fresh cert. For that use a --deploy-hook (cmd) where (cmd) is the command used to reload Apache on your system.

You could do that by just redoing the cert request like

sudo certbot certonly --dry-run --webroot -w (folder) -d sandbox-v01.mc.edu --deploy-hook (cmd)

Once the --dry-run succeeds remove it to re-get a production cert.

PS: Your distro probably uses this format for that apachectl command instead

sudo httpd -t -D DUMP_VHOSTS

That is just to list your config files so we could request to look at them. If you plan to switch to webroot we don't need to bother. But we would if you want.

2 Likes
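The reply above says the -w path must match the DocumentRoot of the VirtualHost for the domain, and the earlier post asks whether mod_macro vhosts are the problem. The script below is an added example (not certbot's code and not anything posted in this thread) that resolves the DocumentRoot Apache would serve for a domain from a constructed httpd.conf fragment, expanding `Use` lines for `<Macro>` definitions first so vhosts defined through a macro are seen as well. It assumes simplified mod_macro semantics (plain textual `$param` substitution, no nested macros, no Include files) and the sample config and hostnames are constructed for illustration.

```python
"""Check that the webroot handed to `certbot certonly --webroot -w` is the
DocumentRoot Apache serves for the domain. Added example, not certbot's code."""
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample httpd.conf fragment (not the poster's real file). The first
# two vhosts are defined through mod_macro, which Apache's own parser accepts.
SAMPLE_HTTPD_CONF = """\
<Macro SiteVhost $name $docroot>
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
</VirtualHost>
</Macro>

Use SiteVhost sandbox-v01.mc.edu /var/www/sandbox
Use SiteVhost other.example /srv/other

<VirtualHost *:443>
    ServerName secure.example
    ServerAlias www.secure.example
    DocumentRoot "/var/www/secure"
</VirtualHost>
"""

MACRO_RE = re.compile(r"<Macro\s+(\S+)([^>]*)>(.*?)</Macro>", re.DOTALL | re.IGNORECASE)
USE_RE = re.compile(r"^[ \t]*Use[ \t]+(\S+)[ \t]*(.*)$", re.MULTILINE | re.IGNORECASE)
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.DOTALL | re.IGNORECASE)


def expand_macros(conf: str) -> str:
    """Replace each 'Use NAME args...' line with the body of '<Macro NAME $p...>',
    substituting the $parameters textually, and drop the macro definitions."""
    macros = {}
    for name, params, body in MACRO_RE.findall(conf):
        macros[name.lower()] = (params.split(), body)
    stripped = MACRO_RE.sub("", conf)

    def substitute(match: re.Match) -> str:
        name, args = match.group(1).lower(), shlex.split(match.group(2))
        if name not in macros:
            raise ValueError(f"Use of undefined macro {match.group(1)!r}")
        params, body = macros[name]
        if len(params) != len(args):
            raise ValueError(f"macro {name!r} expects {len(params)} args, got {len(args)}")
        # Longest parameter names first so $docroot is never clobbered by a shorter $doc.
        for param, arg in sorted(zip(params, args), key=lambda p: -len(p[0])):
            body = body.replace(param, arg)
        return body

    return USE_RE.sub(substitute, stripped)


def _values(body: str, directive: str) -> list:
    """All arguments given to `directive` inside one vhost body (quotes honoured)."""
    pattern = rf"^[ \t]*{directive}[ \t]+(.+?)[ \t]*$"
    out = []
    for line in re.findall(pattern, body, re.MULTILINE | re.IGNORECASE):
        out.extend(shlex.split(line))
    return out


def vhost_docroots(conf: str) -> dict:
    """Map every ServerName and ServerAlias (lower-cased) to its vhost's DocumentRoot.
    The first vhost naming a host wins; later duplicates are ignored."""
    mapping = {}
    for body in VHOST_RE.findall(expand_macros(conf)):
        docroot = _values(body, "DocumentRoot")
        if not docroot:
            continue
        for name in _values(body, "ServerName") + _values(body, "ServerAlias"):
            mapping.setdefault(name.lower(), docroot[0])
    return mapping


def docroot_for(conf: str, domain: str):
    """DocumentRoot for `domain`, or None when no vhost names it."""
    return vhost_docroots(conf).get(domain.lower())


def webroot_matches(conf: str, domain: str, webroot: str) -> bool:
    """True when `webroot` (the -w value) is the DocumentRoot served for `domain`."""
    docroot = docroot_for(conf, domain)
    return docroot is not None and PurePosixPath(docroot) == PurePosixPath(webroot)


if __name__ == "__main__":
    for host, root in sorted(vhost_docroots(SAMPLE_HTTPD_CONF).items()):
        print(f"{host:28} -> {root}")
    print("webroot ok:", webroot_matches(SAMPLE_HTTPD_CONF, "sandbox-v01.mc.edu", "/var/www/sandbox/"))
```

Run it against your real config by replacing SAMPLE_HTTPD_CONF with the contents of httpd.conf and the files it includes; a False result before the --dry-run means the token certbot writes under -w would not be the one Apache serves from /.well-known/acme-challenge/ for that host. Trailing slashes are normalised so /var/www/sandbox/ and /var/www/sandbox compare equal.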

Found this older thread. We don't see Apache macros used much here. Not that it isn't "in the wild". We just don't see it much. Maybe related to your issue?

They posted a bug report on EFF's github for Certbot but never got a reply. The post even got marked "bug" and "significant".

3 Likes
