Certbot breaking apache on renewal adding SSLCertificateChainFile config

I have a file for all my hosts, /etc/apache2/conf.d/core2-jxn-certs.conf, which is suddenly getting nightly modifications, adding an SSLCertificateChainFile line which is causing Apache to not work.

My domain is: connectware.olebrook.com (this was the last renewal)

I ran this command: it was a certbot renewal

It produced this output: ??

My web server is (include version): Apache/2.4.48

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

A Certbot renew command does not modify the Apache config. Well, it is not designed to at least.

And, your connectware.olebrook.com cert is not yet due for renewal so I'm not sure why that should do anything. It still has 48 days remaining before expiry.

Can you upload the /var/log/letsencrypt/letsencrypt.log file? You will need to copy it to a .txt file to use the upload button on this forum post menu.

Last, what do you mean by Apache "not working"? It is responding to requests to that domain for me.

5 Likes

Sorry, I think a correction: it was connectware.inn-cloud.net that renewed two nights ago, but it was the connectware.olebrook.com block that was modified with the SSLCertificateChainFile. It happened last night without a renewal, so maybe renewal isn't the trigger.

So if Certbot isn't modifying that file, what else would?

Even if Certbot would modify the Apache files, it wouldn't add that directive with your Apache version:

As you can see above, Certbot only adds the chain file directive when Apache is older than 2.4.8, which your Apache is not.

4 Likes

I am seeing a normal cert chain for our inn-cloud domain. (SSL Checker link)

That SSLCertificateChainFile is deprecated in your Apache version but Apache would not "break". It would just send more cert intermediates than needed and perhaps this would confuse certain browsers. Since the above SSL Checker sees the correct chain, I don't understand what you mean by Apache "not working".

4 Likes
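Added example (not from any poster in this thread and not Certbot's code): a small Python check that reports every active SSLCertificateChainFile line in an Apache config together with the ServerName of its block, and decides from the version banner whether the directive is obsolete (2.4.8 or later). The sample config, hostnames and paths are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample config; hostnames and paths are placeholders, not from the thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example.test
    SSLCertificateFile /etc/letsencrypt/live/a.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/a.example.test/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.test
    SSLCertificateFile /etc/letsencrypt/live/b.example.test/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/b.example.test/privkey.pem
    # SSLCertificateChainFile /old/commented/out.pem
    sslcertificatechainfile /etc/letsencrypt/live/b.example.test/chain.pem
</VirtualHost>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'Apache/2.4.48'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return tuple(int(x) for x in m.groups())

def chainfile_is_obsolete(banner):
    # Compare as integer tuples: as strings, "2.4.48" sorts before "2.4.8".
    return parse_version(banner) >= (2, 4, 8)

def find_chainfile(conf_text):
    """Return (line_no, server_name, path) for each active SSLCertificateChainFile."""
    hits, block, server = [], [], None  # block: hits waiting for their vhost to close
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()  # Apache directive names are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name.startswith("<virtualhost"):
            hits += [(n, None, p) for n, p in block]  # seen before any vhost: server-wide
            block, server = [], None
        elif name.startswith("</virtualhost"):
            hits += [(n, server, p) for n, p in block]
            block, server = [], None
        elif name == "servername":
            server = arg
        elif name == "sslcertificatechainfile":
            block.append((no, arg.strip('"')))
    return hits + [(n, None, p) for n, p in block]
```

Running `find_chainfile` over the file before and after the nightly change shows which block gained the directive, which helps when looking for the job that rewrites the file.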

I believe the situation is Apache is running but browsers can't load content.

Should it be failing now? Because I see that home page just fine using Edge on Windows.

4 Likes

I replicated the problem on my sandbox instead, cloudbeta.phonesuite.com.

No, that domain does not have any intermediate chain files (not too many). Different cause.

5 Likes

Okay, I see, working this out. Thanks!

2 Likes
