Certbot not working with the new way that CentOS 7 handles vhosts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pandorafw.com

I ran this command: certbot --apache

It produced this output: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): Server version: Apache/2.4.6 (CentOS)
Server built: Apr 24 2019 13:45:48

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

Other notes: I have a vhost configured for it and listening on port 80, Firefox is able to find it and load the site, and it passes all the tests at https://letsdebug.net/

Hi @Mirarora

your main configuration looks ok - https://check-your-website.server-daten.de/?q=pandorafw.com - two older checks, not seen, last is own check.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://pandorafw.com/ | 200 | | 2.490 | H |
| http://www.pandorafw.com/ | 200 | | 0.813 | H |
| https://pandorafw.com/ | -14 | | 10.014 | T |
| Timeout - The operation has timed out | | | | |
| https://www.pandorafw.com/ | -14 | | 10.020 | T |
| Timeout - The operation has timed out | | | | |
| http://pandorafw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 0.053 | A |
| Not Found | | | | |
| Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. | | | | |
| http://www.pandorafw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 0.053 | A |
| Not Found | | | | |
| Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. | | | | |

HTTP works; port 80 /.well-known/acme-challenge answers with the expected HTTP status 404 - Not Found.

So your vHost configuration may be wrong.

What does the following say?

apachectl -S (or)
httpd -S

VirtualHost configuration:
*:443 www.pandorafw.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
User: name="apache" id=48
Group: name="apache" id=48

Where is your running port 80? Your ip addresses ( https://check-your-website.server-daten.de/?q=pandorafw.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
pandorafw.com A Mazingarbe/Hauts-de-France/France (FR) - OVH ISP Hostname: ns3096138.ip-91-121-75.eu yes 1 0
AAAA yes
www.pandorafw.com A Mazingarbe/Hauts-de-France/France (FR) - OVH ISP Hostname: ns3096138.ip-91-121-75.eu yes 1 0
AAAA yes

Looks like a home server.

Is there a second machine - VM with the port 80 webserver? And port 443 doesn't answer, only timeouts.

OK, I've opened 443 on the firewall; however, when you connect with https, instead of showing the site like it does on 80, it gives the Apache test page.

That's not what I see.

Rechecking your domain now there is a self signed certificate ( https://check-your-website.server-daten.de/?q=pandorafw.com ):

E=root@PFWLive, CN=PFWLive, OU=SomeOrganizationalUnit, 
O=SomeOrganization, L=SomeCity, S=SomeState, C=--
expires in 365 days

And http + https have the same screen:

So you are checking the wrong machine if you don't see a port 80 vHost.

Let me try with a different browser; Firefox gives me the Apache test page, and I'm running certbot from the terminal on the same machine that is hosting the site.

OK, something strange is going on here, because I did not type in the commands to generate a self-signed cert.

This one is fixed. It seemed I just needed to rename my vhost config file: I changed it from pandorafw.com.conf to www.pandorafw.com.conf, and suddenly certbot found it and everything started working correctly.


Now it's better, but not correct / complete.

Your urls:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://www.pandorafw.com/ | 301 | https://www.pandorafw.com/ | 0.050 | A |
| http://pandorafw.com/ | 200 | | 0.056 | H |
| https://pandorafw.com/ | 200 | | 0.644 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://www.pandorafw.com/ | 200 | | 0.390 | B |

Your certificate

expires in 90 days	www.pandorafw.com - 1 entry

has only one domain name, so your non-www version isn't secure. Check both of your vHosts to see whether both domain names are defined (ServerName and ServerAlias).

Then create one certificate with both domain names and use that.
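The check discussed in this thread can be scripted. The following is an added example, not part of any post above: it parses `httpd -S` output and reports which of the names to be certified have no vHost on a given port. `PAGE_DUMP` is the vHost line posted in the thread; `CONSTRUCTED_DUMP`, its file paths and the function names are assumptions made for illustration.

```python
import re

# Single-vhost form:  *:443  www.example.com (/path/file.conf:56)
SINGLE = re.compile(r"^\s*\S+:(\d+)\s+(\S+)\s+\(.+:\d+\)\s*$")
# Name-based form:    port 80 namevhost example.com (/path/file.conf:1)
NAMED = re.compile(r"^\s*port\s+(\d+)\s+namevhost\s+(\S+)\s+\(.+:\d+\)\s*$")
# ServerAlias line printed under a name-based vhost:  alias www.example.com
ALIAS = re.compile(r"^\s*alias\s+(\S+)\s*$")

def parse_vhosts(dump):
    """Return {port: set of ServerName/ServerAlias values} from `httpd -S` text."""
    vhosts, current = {}, None
    for line in dump.splitlines():
        m = SINGLE.match(line) or NAMED.match(line)
        if m:
            current = vhosts.setdefault(int(m.group(1)), set())
            current.add(m.group(2).lower())
            continue
        m = ALIAS.match(line)
        if m and current is not None:
            current.add(m.group(1).lower())
    return vhosts

def missing_names(dump, names, port):
    """Names that no vhost on `port` declares as ServerName or ServerAlias."""
    have = parse_vhosts(dump).get(port, set())
    return [n for n in names if n.lower() not in have]

NAMES = ["pandorafw.com", "www.pandorafw.com"]

# The vhost section as posted in the thread: only a *:443 entry exists.
PAGE_DUMP = """VirtualHost configuration:
*:443 www.pandorafw.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
"""

# Constructed sample (paths are placeholders): port 80 serves both names.
CONSTRUCTED_DUMP = """VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.pandorafw.com (/etc/httpd/conf.d/site.conf:1)
         port 80 namevhost www.pandorafw.com (/etc/httpd/conf.d/site.conf:1)
                 alias pandorafw.com
         port 80 namevhost other.example (/etc/httpd/conf.d/other.conf:1)
*:443                  www.pandorafw.com (/etc/httpd/conf.d/ssl.conf:56)
"""

if __name__ == "__main__":
    for label, dump in (("posted", PAGE_DUMP), ("constructed", CONSTRUCTED_DUMP)):
        for port in (80, 443):
            print(label, port, "missing:", missing_names(dump, NAMES, port))
```

Feed it the real output of `httpd -S` (or `apachectl -S`) before running certbot; any name reported missing on port 80 or 443 needs a ServerName or ServerAlias entry in the matching vHost.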
