Certbot on WordPress Docker shows error: Unable to restart apache using ['apachectl', 'graceful']

My domain is:
www.*************.pl
I ran this command:
sudo certbot --apache -d example.pl -d www.example.pl
From this manual.
CentOS 7 Install Let’s Encrypt SSL on Apache Server - Shouts.dev
It produced this output:
Error while running apachectl graceful.

Job for httpd.service invalid.

Unable to restart apache using ['apachectl', 'graceful']
Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Encountered exception during recovery: MisconfigurationError: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Mar 24 2022 14:57:57

The operating system my web server runs on is (include version):
centos-release-7-9.2009.1.el7.centos.x86_64
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no control panel, using console
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

I did some troubleshooting based on previous posts:
]# grep -Ri "Listen 443" /etc/httpd
/etc/httpd/conf.d/ssl.conf:Listen 443 https

ss -tlpn | grep -E ":(80|443)"

LISTEN 0 128 *:80 *:* users:(("docker-proxy",pid=20606,fd=4))

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2022-10-01 13:20:10 CEST; 1h 54min ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 20234 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 20234 (code=exited, status=1/FAILURE)

Oct 01 13:20:10 vmi*****.contaboserver.net systemd[1]: Starting The Apache HTTP Server...
Oct 01 13:20:10 vmi******.contaboserver.net httpd[20234]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Oct 01 13:20:10 vmi*****.contaboserver.net httpd[20234]: no listening sockets available, shutting down
Oct 01 13:20:10 vmi*******.contaboserver.net httpd[20234]: AH00015: Unable to open logs
Oct 01 13:20:10 vmi******.contaboserver.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Oct 01 13:20:10 vmi*****.contaboserver.net systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 13:20:10 vmi******.contaboserver.net systemd[1]: Unit httpd.service entered failed state.
Oct 01 13:20:10 vmi*****.contaboserver.net systemd[1]: httpd.service failed.

even though my website works; it's WordPress deployed by Docker.

I found one of the posts on the forum on how to add a virtual host on port 80, but I do not want to mess it up, as I am new to Unix. Please help, I would really appreciate that. I assume I have to edit the Apache conf file using vi and add some lines?
JuergenAuer

Oct '18

Hi @tjluoma

check

https://httpd.apache.org/docs/2.4/vhosts/examples.html

Check your configuration file and add something like

# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/example2"
    ServerName www.example.org

    # Other directives here
</VirtualHost>

So Certbot is able to create an SSL vHost.

I also ran these commands; maybe it will help with troubleshooting.
[root@v******** ~]# ls -l /etc/apache2/sites-available/
ls: cannot access /etc/apache2/sites-available/: No such file or directory
[root@******** ~]# ls -l /etc/httpd/conf.d/
total 28
-rw-r--r-- 1 root root 2926 Mar 24 2022 autoindex.conf
-rw-r--r-- 1 root root 366 Mar 24 2022 README
-rw-r--r-- 1 root root 9443 Jan 13 2022 ssl.conf
-rw-r--r-- 1 root root 1252 Jan 7 2022 userdir.conf
-rw-r--r-- 1 root root 824 Jan 13 2022 welcome.conf
[root@v******* ~]# ls -l /etc/httpd/sites-enabled/
ls: cannot access /etc/httpd/sites-enabled/: No such file or directory
[root@********* ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


[root@v**** ~]# sudo netstat -pant | grep -i listen | grep -Ei '80|443|apache'
sudo: netstat: command not found
[root@******** ~]# find /etc/httpd -ls
917883 4 drwxr-xr-x 5 root root 4096 Oct 1 13:20 /etc/httpd
917929 0 lrwxrwxrwx 1 root root 19 Oct 1 13:17 /etc/httpd/logs -> ../../var/log/httpd
917911 4 drwxr-xr-x 2 root root 4096 Oct 1 13:34 /etc/httpd/conf.d
917918 4 -rw-r--r-- 1 root root 824 Jan 13 2022 /etc/httpd/conf.d/welcome.conf
917912 4 -rw-r--r-- 1 root root 366 Mar 24 2022 /etc/httpd/conf.d/README
917935 12 -rw-r--r-- 1 root root 9443 Jan 13 2022 /etc/httpd/conf.d/ssl.conf
917916 4 -rw-r--r-- 1 root root 2926 Mar 24 2022 /etc/httpd/conf.d/autoindex.conf
917917 4 -rw-r--r-- 1 root root 1252 Jan 7 2022 /etc/httpd/conf.d/userdir.conf
917931 0 lrwxrwxrwx 1 root root 10 Oct 1 13:17 /etc/httpd/run -> /run/httpd
917930 0 lrwxrwxrwx 1 root root 29 Oct 1 13:17 /etc/httpd/modules -> ../../usr/lib64/httpd/modules
917919 4 drwxr-xr-x 2 root root 4096 Oct 1 13:17 /etc/httpd/conf.modules.d
917920 4 -rw-r--r-- 1 root root 3739 Jan 13 2022 /etc/httpd/conf.modules.d/00-base.conf
917923 4 -rw-r--r-- 1 root root 742 Jan 13 2022 /etc/httpd/conf.modules.d/00-mpm.conf
917925 4 -rw-r--r-- 1 root root 88 Jan 7 2022 /etc/httpd/conf.modules.d/00-systemd.conf
917924 4 -rw-r--r-- 1 root root 957 Jan 13 2022 /etc/httpd/conf.modules.d/00-proxy.conf
917922 4 -rw-r--r-- 1 root root 41 Jan 7 2022 /etc/httpd/conf.modules.d/00-lua.conf
917921 4 -rw-r--r-- 1 root root 139 Jan 7 2022 /etc/httpd/conf.modules.d/00-dav.conf
917936 4 -rw-r--r-- 1 root root 41 Jan 7 2022 /etc/httpd/conf.modules.d/00-ssl.conf
917926 4 -rw-r--r-- 1 root root 451 Jan 7 2022 /etc/httpd/conf.modules.d/01-cgi.conf
917909 4 drwxr-xr-x 2 root root 4096 Oct 1 13:17 /etc/httpd/conf
917928 16 -rw-r--r-- 1 root root 13064 Mar 24 2022 /etc/httpd/conf/magic
917927 12 -rw-r--r-- 1 root root 11753 Jan 13 2022 /etc/httpd/conf/httpd.conf
[root@********** ~]# sudo vi /etc/apache2/apache2.conf

/bin/bash: q: command not found

shell returned 127

Press ENTER or type command to continue
[root@v******* ~]# apachectl -V
Server version: Apache/2.4.6 (CentOS)
Server built: Mar 24 2022 14:57:57
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
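The journal above already names the root cause: the host httpd dies with "(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80" because docker-proxy holds port 80 for the WordPress container, so `certbot --apache` can never restart it. The check below is an added example, not code from the thread: it reads `ss -tlpn` output, works out who owns port 80, and says whether the host httpd (and therefore the `--apache` plugin) is even the right server to configure. The sample `ss` lines are constructed to match the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from `ss -tlpn` output, whether the
# host's httpd can ever bind port 80, before running `certbot --apache`.  On the
# host above the answer is no: docker-proxy already holds :80 for WordPress.

# Print "<port> <process>" for every LISTEN socket on 80 or 443 (ss output on stdin).
port_owners() {
  awk '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]          # last piece of "*:80" / "[::]:80"
      if (port == "80" || port == "443") {
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))       # users:(("docker-proxy",pid=...
          proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
      }
    }'
}

# Return 0 if `systemctl start httpd` could succeed in binding :80, 1 otherwise.
can_host_httpd_bind_80() {
  owner=$(port_owners | awk '$1 == "80" { print $2; exit }')
  case "$owner" in
    "")            echo "port 80 is free: host httpd can bind, certbot --apache is viable"; return 0 ;;
    httpd|apache2) echo "host $owner already owns port 80"; return 0 ;;
    *)             echo "port 80 is held by $owner: host httpd cannot start; the server to" \
                        "configure is the one behind $owner, not /etc/httpd"; return 1 ;;
  esac
}

# Constructed sample in the shape of the thread's `ss -tlpn | grep -E ":(80|443)"` line.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    *:80              *:*        users:(("docker-proxy",pid=20606,fd=4))
LISTEN 0      128    *:22              *:*        users:(("sshd",pid=900,fd=3))'

# Pass --live to inspect this host; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -tlpn | can_host_httpd_bind_80
else
  printf '%s\n' "$SAMPLE_SS" | can_host_httpd_bind_80
  echo "exit status: $?"
fi
```

Run it with `--live` on the server before choosing a Certbot plugin: a non-zero status means the `--apache` installer has nothing to install into, and the "Unable to find a virtual host listening on port 80" message that follows is a symptom, not the problem to fix.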

I would try --webroot [instead of --apache], which will bypass the Apache modifications and restarts.

3 Likes

Great, thank you for responding! I did it, but it seems like I need to put in a webroot directory. Is it asking for the main directory where my website is located or the directory of Apache? Could you please let me know which command will show me the directory that it wants? I remember I installed WordPress in the folder my_wordpress, but maybe it is asking for /var/www or something like that? Or /etc/httpd/conf.d/ssl.conf? I apologize for not being precise, but I am not yet familiar with this folder structure. I am looking and found something like this on other forums; @rg305 please let me know your thoughts.
[root@drop3 ~]# find /etc/httpd/ -type d
/etc/httpd/
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.modules.d

[root@**** ~]# sudo certbot --webroot -d example.pl -d www.example.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See User Guide — Certbot 1.30.0 documentation
and "--help plugins" for more information.)
[root@vm***** ~]# sudo certbot certonly --webroot -d example.pl -d www.example.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for example.pl and www.example.pl
Performing the following challenges:
http-01 challenge for example.pl
http-01 challenge for www.example.pl
Input the webroot for example.pl: (Enter 'c' to cancel):


does not exist or is not a directory


Input the webroot for example.pl: (Enter 'c' to cancel): c
Cleaning up challenges
Every requested domain must have a webroot when using the webroot plugin.
[root@****** ~]# ^C
[root@***** ~]# ls
my_wordpress update.txt
[root@vm***** ~]#

It is the folder named in the DocumentRoot for the VirtualHost for this domain. You can also put it in the command line like:

sudo certbot certonly --webroot -w (DocumentRoot folder) -d example.pl -d www.example.pl
3 Likes

Thank you very much @MikeMcQ, I appreciate your response. I found the DocumentRoot by using apachectl -S; however, I stumbled on a DNS error now...

[root@vmi********* ~]# apachectl -S
VirtualHost configuration:
:443 vmi********.contaboserver.net (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@vm****** ~]# sudo certbot --webroot -d podejdzdoniej.pl -d www.podejdzdoniej.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See User Guide — Certbot 2.7.0.dev0 documentation
and "--help plugins" for more information.)
[root@vmi******* ~]# sudo certbot certonly --webroot -d podejdzdoniej.pl -d www.podejdzdoniej.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for podejdzdoniej.pl and www.podejdzdoniej.pl
Performing the following challenges:
http-01 challenge for podejdzdoniej.pl
http-01 challenge for www.podejdzdoniej.pl
Input the webroot for podejdzdoniej.pl: (Enter 'c' to cancel): /var/www/html

Select the webroot for www.podejdzdoniej.pl:


1: Enter a new webroot
2: /var/www/html


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Challenge failed for domain podejdzdoniej.pl
Challenge failed for domain www.podejdzdoniej.pl
http-01 challenge for podejdzdoniej.pl
http-01 challenge for www.podejdzdoniej.pl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Here is my DNS zone; all is OK and the site works.

I found the post; I will check with my provider if they are blocking it.

1 Like

This is most likely because the certbot webroot folder does not match the DocumentRoot in Apache. It is possible to be a DNS issue but it rarely is. And, I don't see anything wrong in your DNS "Edit Zone" to indicate a DNS problem.

The "Main Document Root" in the -S command is not necessarily the same as the one used in the VirtualHost (it is just the main one - the default one).

I am not clear on your -S display. Can you show just this

apachectl -t -D DUMP_VHOSTS
3 Likes
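The two replies above (pass the DocumentRoot with `-w`, and suspect a webroot mismatch when http-01 fails) boil down to one question: is the directory you hand to `--webroot` really the one served on port 80 under /.well-known/acme-challenge/? The script below is an added example, not code from the thread or from Certbot; it settles that question locally before the CA is asked, so a wrong guess costs nothing against Let's Encrypt's failed-validation limits. Assumed, not from the thread: WEBROOT is the host-side path of the document root of whatever actually answers on port 80 (for the Docker WordPress here, the container's document root as mounted on the host, not the idle host httpd's /var/www/html), the names resolve to this machine, and `curl` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): prove that a candidate --webroot directory is
# the one served on port 80 for /.well-known/acme-challenge/ BEFORE asking the CA.
# Assumptions: WEBROOT is the host-side path of the live server's document root
# (for the Docker WordPress, the container's volume as mounted on the host) and the
# hostnames resolve to this machine from outside.

# Fetch the challenge URL over plain HTTP, as the ACME http-01 validator does.
fetch_http() {   # $1 = hostname, $2 = token
  curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# Drop a throwaway token under WEBROOT, read it back through the web server, clean
# up, and succeed only if the bytes round-trip.  ACME_FETCH names the fetch function
# so the self-test can substitute one that reads straight from disk.
acme_webroot_probe() {
  webroot=$1; host=$2
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$(date +%s)-$$"        # unique enough for a probe; not a real ACME token
  mkdir -p "$dir" || return 2
  printf '%s' "$token" > "$dir/$token"
  got=$("${ACME_FETCH:-fetch_http}" "$host" "$token" 2>/dev/null)
  rc=$?
  rm -f "$dir/$token"
  if [ "$rc" -ne 0 ]; then
    echo "probe: $host did not serve $dir/$token over HTTP" >&2; return 1
  fi
  if [ "$got" != "$token" ]; then
    echo "probe: $host served other content at the token path (wrong webroot?)" >&2; return 1
  fi
  echo "probe: $webroot is the live webroot for $host"
}

# Probe every name first, then issue; certbot is only reached if all probes pass.
issue_with_webroot() {
  webroot=$1; shift
  names=""
  for name in "$@"; do
    acme_webroot_probe "$webroot" "$name" || return 1
    names="$names -d $name"
  done
  # shellcheck disable=SC2086  (hostnames contain no whitespace)
  certbot certonly --webroot -w "$webroot" $names
}

# Run as:  sh acme-probe.sh /path/to/your/webroot example.pl www.example.pl
if [ "$#" -ge 2 ]; then issue_with_webroot "$@"; fi
```

If the probe fails for a directory the host's `apachectl -S` calls its DocumentRoot, that is the proof that the host httpd is not what is answering on port 80, and the directory to probe next is the one the Docker container serves from.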

This means your webserver is running inside a docker container, it isn't the apache2 that's installed directly on your OS. You have to find out how to use --webroot and how to use --deploy-hook to reload the appropriate docker containers.

4 Likes

Thanks @MikeMcQ, your command didn't work. I did the below and here is the output. Yes, as @9peppe said below, it's WordPress on Docker, so I do not know about path specifics; maybe I will look in the Docker documentation. I did some searching on Google and it's an entirely different command set for installing Let's Encrypt on Docker than what I did at the beginning. I will do some research later on; I would be glad if someone here has done this configuration with Docker and can advise what commands to use.

[root@vm***** ~]# httpd -S
VirtualHost configuration:
:443 vmi******.contaboserver.net (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@vmi****** ~]#

1 Like

The easy way is putting a reverse proxy in front of the container (there are a couple of containers that do that automatically with nginx, but the easiest way is to use caddy).

4 Likes

Thanks a ton @9peppe for your input! I really appreciate that. Is there any user-friendly manual you can recommend for installing a caddy container? I found the one below, but it doesn't seem like the easiest manual to follow. Building a Caddy container stack for easy HTTPS with Docker and Ghost (techroads.org)

1 Like

It's a lot easier. Just run the default caddy container (configure the appropriate volumes or ratelimits will get you), and look in its documentation for the reverse_proxy directive.

4 Likes

I am sorry @9peppe, I am not advanced enough to perform these actions. I have no idea how to configure volumes or rate limits. I went to the caddy official site. I've managed to install caddy and run it, but that's it. Which command from the link below should I trigger?
Reverse proxy quick-start — Caddy Documentation (caddyserver.com)

I can't do that for you.

You have to read the documentation (for docker, mainly, not caddy) and understand how its networking is working.

Then, you get your Apache working without TLS/SSL, but just on localhost or an internal docker network. After that, you tell caddy how to connect to Apache, and caddy will get a certificate, make your TLS/SSL automatically and forward everything to Apache.

But you need to know what you're doing. Copy-pasting random stuff without understanding it is actually dangerous.

4 Likes
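The layout 9peppe describes (Apache in the container speaks plain HTTP on an internal Docker network; Caddy owns ports 80 and 443 on the host, obtains the certificate itself and forwards to Apache) is short enough to show as the commands that realise it. This is an added example, not from the thread, from Caddy or from the WordPress image. Assumed names: a user-defined Docker network `web`, the WordPress container named `wordpress`, a named volume `caddy_data` for Caddy's /data so issued certificates survive container recreation (the "volumes or ratelimits will get you" point above), and the Caddyfile kept at /root/Caddyfile. One prerequisite the script cannot do for you: the existing WordPress container must first be recreated without `-p 80:80`, otherwise docker-proxy still holds port 80 and Caddy hits the same bind error the host httpd did.

```shell
#!/bin/sh
# Added example (not from the thread): Caddy as TLS-terminating reverse proxy in front
# of a Dockerised WordPress.  Assumed names: network "web", container "wordpress"
# (plain HTTP on 80 inside the network, no published port), volume "caddy_data",
# Caddyfile at /root/Caddyfile.  Certbot is not involved: Caddy does ACME itself.

# Render a Caddyfile with one site block for all names, proxying to the internal upstream.
render_caddyfile() {   # $1 = upstream host:port, rest = hostnames
  upstream=$1; shift
  names=$(printf '%s, ' "$@"); names=${names%, }
  printf '%s {\n    reverse_proxy %s\n}\n' "$names" "$upstream"
}

# Bring the proxy up.  Run as root on the host after WordPress no longer publishes :80.
caddy_stack_up() {   # $@ = hostnames
  render_caddyfile wordpress:80 "$@" > /root/Caddyfile
  docker network create web 2>/dev/null || true           # idempotent
  docker network connect web wordpress 2>/dev/null || true # attach the existing container
  docker run -d --name caddy --restart unless-stopped --network web \
    -p 80:80 -p 443:443 \
    -v /root/Caddyfile:/etc/caddy/Caddyfile:ro \
    -v caddy_data:/data \
    caddy:2
}

# `sh caddy-up.sh --up` deploys; with no argument it only prints the rendered Caddyfile.
if [ "${1:-}" = "--up" ]; then
  caddy_stack_up example.pl www.example.pl
else
  render_caddyfile wordpress:80 example.pl www.example.pl
fi
```

Nothing in the WordPress container changes except that it stops publishing a host port; Apache inside it keeps serving plain HTTP, and only Caddy is reachable from the internet.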

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.