Certbot can't find virtual host on port 80

I’m trying to renew a certificate, but I’m running into a problem. I hope you guys can help me out.

My domain is: dodistribute.com

I ran this command: sudo certbot renew

It produced this output:


Processing /etc/letsencrypt/renewal/dodistribute.com.conf

Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for dodistribute.com

Cleaning up challenges

Attempting to renew cert (dodistribute.com) from /etc/letsencrypt/renewal/dodistribute.com.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/dodistribute.com/fullchain.pem (failure)


My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: It’s a VPS from directvps.nl

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: certbot 0.28.0

There’s only 1 virtual host installed in /etc/apache2/sites-enabled. The file is called “000-default.conf” and its contents look like this:

<VirtualHost *:80>
    DocumentRoot /var/www/distribute/web
    ServerName dodistribute.com
    <Directory /var/www/distribute/web>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/distribute/web
    ServerName dodistribute.com
    <Directory /var/www/distribute/web>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/dodistribute.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dodistribute.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/dodistribute.com/chain.pem
</VirtualHost>

I tried removing the 2nd definition (so only keeping the first host on port 80), but still I get the error from certbot that it can’t find a virtualhost on port 80.

What’s also weird: when I run “sudo certbot --apache” it doesn’t list any domain names and when I enter it manually, it says it can’t find any virtualhosts for it??

Does this show the port 80 virtualhost when you run it?

apachectl -t -D DUMP_VHOSTS

On another line of thinking, IIRC there was an issue at one time with multiple virtual hosts declared in a single file. Splitting them up may help, but check the above first.

Thanks for the reply!

When I run the above command, I do get them listed:

VirtualHost configuration:
*:80                   dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:13)

I’ve tried removing the 2nd definition (for port 443) but it still doesn’t work then, sadly.

The weirdest thing to me is how certbot can’t find any virtual hosts at all when I run “certbot --apache”. It’s like it’s not looking in the right location or something?

:man_shrugging:. I tried copy pasting your .conf file verbatim and it found the virtualhost okay for me.

Do any of these files exist? Perhaps they contain some path overrides?

  • /etc/letsencrypt/cli.ini
  • $XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).

Is SELinux present?

You can try and be explicit about where Certbot looks (in particular, --apache-server-root):

apache:
  Apache Web Server plugin - Beta

  --apache-enmod APACHE_ENMOD
                        Path to the Apache 'a2enmod' binary (default: a2enmod)
  --apache-dismod APACHE_DISMOD
                        Path to the Apache 'a2dismod' binary (default:
                        a2dismod)
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                        SSL vhost configuration extension (default: -le-
                        ssl.conf)
  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory (default: /etc/apache2)
  --apache-vhost-root APACHE_VHOST_ROOT
                        Apache server VirtualHost configuration root (default:
                        None)
  --apache-logs-root APACHE_LOGS_ROOT
                        Apache server logs directory (default:
                        /var/log/apache2)
  --apache-challenge-location APACHE_CHALLENGE_LOCATION
                        Directory path for challenge configuration (default:
                        /etc/apache2)
  --apache-handle-modules APACHE_HANDLE_MODULES
                        Let installer handle enabling required modules for you
                        (Only Ubuntu/Debian currently) (default: True)
  --apache-handle-sites APACHE_HANDLE_SITES
                        Let installer handle enabling sites for you (Only
                        Ubuntu/Debian currently) (default: True)
  --apache-ctl APACHE_CTL
                        Full path to Apache control script (default:
                        apache2ctl)

The file /etc/letsencrypt/cli.ini does appear to exist, but it’s almost empty. It only contains this:

max-log-backups = 0

I’m not sure about SELinux. Can I check somehow?

These --apache-* options look very interesting indeed. Do I use them in combination with the certbot command?

On second thought, SELinux doesn't usually ship on Ubuntu (you could check with sestatus if it exists).

Yes, you'd just stick it on the end of the command you were running, e.g.

sudo certbot --apache --apache-server-root /etc/apache2

Right. Well, sestatus is not available, so I guess that’s that.

I’ve tried running:

  • certbot --apache --apache-server-root /etc/apache2
  • certbot --apache --apache-server-root /etc/apache2 --apache-vhost-root /etc/apache2/sites-enabled

Sadly still no success. It keeps saying the same thing ;( Unable to find a virtual host listening on port 80

It might be worth zipping up your entire /etc/apache2 directory and uploading it somewhere (if there’s nothing too sensitive in there). Might be a bug in Certbot (which should be reproducible on another machine), might be something in some other file …

There’s nothing sensitive in there, it’s mostly a default Apache2 installation. I’ve uploaded it here: http://dev.martijnfrazer.nl/dodistribute/apache2.zip

If you or anyone could take a look that would be much appreciated! The weird thing is that it worked fine the first time I installed the certificate (last December). But now that it’s time to renew, it doesn’t seem to work.

Maybe alternatively I could just manually install a new certificate? That would at least solve it for now, right?

Sadly it still works for me:

root@2b13d67872ab:/etc/apache2# apachectl -t -D DUMP_VHOSTS
AH00112: Warning: DocumentRoot [/var/www/distribute/web] does not exist
AH00112: Warning: DocumentRoot [/var/www/distribute/web] does not exist
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:13)
root@2b13d67872ab:/etc/apache2# certbot --apache --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: dodistribute.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Yeah.

certbot certonly -d dodistribute.com --webroot -w /var/www/distribute/web

Don’t forget the www subdomain, in both certbot as in the Apache configuration :wink:

Thanks a lot for the help. I managed to manually renew the certificate. No idea why the certbot apache module is borked for me, but at least the site will keep on working for now. Thanks!

--webroot is a good fallback
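
Added example, not part of the original thread and not Certbot's own code: a small shell helper that scripts the `apachectl -t -D DUMP_VHOSTS` check suggested above, so a renewal job can confirm that Apache itself serves a given name on port 80. It goes beyond the thread by also handling the multi-vhost ("namevhost"/"alias") output form; the function name `find_vhost` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): look up a hostname and port in the
# output of `apachectl -t -D DUMP_VHOSTS` and print the defining file:line.

# Constructed sample in the single-vhost-per-address form shown in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  dodistribute.com (/etc/apache2/sites-enabled/000-default.conf:13)'

# Constructed sample in the form Apache prints when several vhosts share an
# address; example.com and the file name are placeholders.
SAMPLE_MULTI='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/site.conf:1)
         port 80 namevhost example.com (/etc/apache2/sites-enabled/site.conf:1)
                 alias www.example.com'

# find_vhost NAME PORT < dump ; exit status 1 when nothing matches.
find_vhost() {
    awk -v name="$1" -v port="$2" '
        function loc(s) { gsub(/[()]/, "", s); return s }
        # "*:80  name (file:line)"
        NF == 3 && $1 ~ /:[0-9]+$/ && $3 ~ /^\(/ {
            p = $1; sub(/^.*:/, "", p)
            if (p == port && $2 == name) { print loc($3); hits++ }
            next
        }
        # "port 80 namevhost name (file:line)"; remember it for alias lines
        $1 == "port" && $3 == "namevhost" {
            cur_port = $2; cur_loc = loc($5)
            if (cur_port == port && $4 == name) { print cur_loc; hits++ }
            next
        }
        # "alias name" belongs to the namevhost line above it
        $1 == "alias" && $2 == name && cur_port == port { print cur_loc; hits++ }
        END { exit (hits ? 0 : 1) }
    '
}

# Live use: apachectl -t -D DUMP_VHOSTS 2>/dev/null | find_vhost NAME 80
printf '%s\n' "$SAMPLE_DUMP" | find_vhost dodistribute.com 80
```

This reports Apache's view only. In this thread Apache listed the port 80 vhost while the Certbot apache plugin still did not find it, so a hit here points the investigation at Certbot's own configuration parsing rather than at the vhost file.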
