Certbot error instead of ssl

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sthlmcity.eu

I ran this command:
certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): myemail@outlook.com

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: a

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: y
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): sthlmcity.eu
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sthlmcity.eu
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Unable to restart apache using ['apache2ctl', 'graceful']
Rolling back to previous server configuration...
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/client.py", line 569, in enhance_config
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs-1
File "/usr/lib/python3/dist-packages/certbot/client.py", line 626, in _rollback_and_restart
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/server-config with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/sthlmcity.eu/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/sthlmcity.eu/privkey.pem
    Your cert will expire on 2021-02-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version):
Debian 10.6.0
My hosting provider, if applicable, is:
Not applicable.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

So I followed this guide: https://linuxhint.com/setup_free_ssl_cert_apache_debian/

Can you please help me to get https working?

2

Hi @Mieczyslaw

a working port 80 vHost is required to use that authenticator. But your domain doesn't answer.

Why?

The error looks like a blocking firewall.

What says

apachectl -S
3

I have opened the port 80 and 443 in the Debian firewall and in the router firewall to my Debian.
Here is the info you wanted to see:

root@HeligeErikPC:/etc/ssl/certs# sudo apachectl -S
VirtualHost configuration:
*:80 HeligeErikPC.eu (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

4

There

is your error.

Create one with your domain name, then again apachectl -S. Certbot needs such a vHost as template to create the port 443 vHost.

5

Okey. Thanks.
Here is the info:

root@HeligeErikPC:/etc/ssl/certs# sudo apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.sthlmcity.eu (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
port 80 namevhost www.sthlmcity.eu (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
port 80 namevhost www.sthlmcity.eu (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server sthlmcity.eu (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost sthlmcity.eu (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.sthlmcity.eu
port 443 namevhost HeligeErikPC.eu (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
port 443 namevhost HeligeErikPC.eu (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

And here is when I tried certbot again:

root@HeligeErikPC:/etc/ssl/certs# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: sthlmcity.eu
2: www.sthlmcity.eu

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/sthlmcity.eu.conf)

It contains these names: sthlmcity.eu

You requested these names for the new certificate: sthlmcity.eu,
www.sthlmcity.eu.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sthlmcity.eu
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Failed redirect for sthlmcity.eu
Unable to set enhancement redirect for sthlmcity.eu
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:

  • We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/sthlmcity.eu/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/sthlmcity.eu/privkey.pem
    Your cert will expire on 2021-02-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"
6

Wrong!

Every combination of port and domain name must be unique.

Missing non-www version.

And why is your port 80 again blocked?

If you want to create a certificate with both domain names, you need a port 80 vHost with both domain names. You don't have one -> so that can't work.

7

Okay. So I figured out that I can change the name in the default vhost files (both for 80 and 443) to my domain name with www (www.sthlmcity.eu). I could connect to my apache install webpage from my smartphone (with its own IP) which proves that port 80 is open. I dont know how to make new vhost files for domains, Im thinking that staying in the install folder with its vhosts is a good strategy for a beginning. I think I need to learn more about vhosts.

Now certbot gives this:

root@HeligeErikPC:/etc/apache2/sites-enabled# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: sthlmcity.eu
2: www.sthlmcity.eu

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.sthlmcity.eu.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Unable to restart apache using ['apache2ctl', 'graceful']
Rolling back to previous server configuration...
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/client.py", line 526, in deploy_certificate
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs-1
File "/usr/lib/python3/dist-packages/certbot/client.py", line 626, in _rollback_and_restart
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    Server - Let's Encrypt Community Support with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.sthlmcity.eu/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.sthlmcity.eu/privkey.pem
    Your cert will expire on 2021-02-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"
8

This error indicates to me that certbot is unable to properly detect or use expected Apache files.
You may do better by just using --webroot to obtain the cert(s) and creating the HTTPS configs by hand.
OR
Perhaps there is a new version of certbot you could use.

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.