Certbot renew fails during apache2ctl configtest

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I’m having trouble with certbot not munging the Apache config file properly when trying to renew certificates. Running ‘apache2ctl configtest’ by itself returns a “Syntax OK” message. Any recommendations on how to proceed? Thanks.

- Daniel

My domain is:
mesa5.coloradomesa.edu, cal.coloradomesa.edu, dsi.coloradomesa.edu

I ran this command:
certbot renew --dry-run -v

My web server is (include version):
Apache 2.4.29-1ubuntu4.13

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
N/A (self-hosted)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Output:
mesa5 # certbot renew --dry-run -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mesa5.coloradomesa.edu.conf

Requested authenticator <certbot.cli._Default object at 0x7f52bd699da0> and installer <certbot.cli._Default object at 0x7f52bd699da0>
Var dry_run=True (set by user).
Var server={‘dry_run’, ‘staging’} (set by user).
Var dry_run=True (set by user).
Var server={‘dry_run’, ‘staging’} (set by user).
Var account={‘server’} (set by user).
Cert not due for renewal, but simulating renewal for dry run
Requested authenticator apache and installer apache
Apache version is 2.4.29
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f52bd696e80>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f52bd696e80>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f52bd696e80> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f52bd696e80>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f52bd699240>)>), contact=(‘mailto:XXXX@coloradomesa.edu’,), agreement=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri=‘https://acme-staging.api.letsencrypt.org/acme/reg/2019622’, new_authzr_uri=‘https://acme-staging.api.letsencrypt.org/acme/new-authz’, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’), ca0f4aa705661d942f4552607bbf4197, Meta(creation_dt=datetime.datetime(2017, 4, 27, 15, 56, 54, tzinfo=), creation_host=‘mesa5.coloradomesa.edu’))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https://acme-staging-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 724
Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Mar 2020 14:41:07 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

[ .... ]

Renewing an existing certificate
Requesting fresh nonce
[ … ]
Performing the following challenges:
http-01 challenge for cal.coloradomesa.edu
http-01 challenge for dsi.coloradomesa.edu
http-01 challenge for mesa5.coloradomesa.edu
Adding a temporary challenge validation Include for name: cal.coloradomesa.edu in: /etc/apache2/sites-available/shib_test.conf
Adding a temporary challenge validation Include for name: cal.coloradomesa.edu in: /etc/apache2/sites-available/cal_cmu.conf
Adding a temporary challenge validation Include for name: cal.coloradomesa.edu in: /etc/apache2/sites-available/cal_cmu.conf
Adding a temporary challenge validation Include for name: dsi.coloradomesa.edu in: /etc/apache2/sites-available/dsi.conf
Adding a temporary challenge validation Include for name: dsi.coloradomesa.edu in: /etc/apache2/sites-available/dsi.conf
Adding a temporary challenge validation Include for name: mesa5.coloradomesa.edu in: /etc/apache2/sites-available/mesa5_cmu.conf
Adding a temporary challenge validation Include for name: mesa5.coloradomesa.edu in: /etc/apache2/sites-available/mesa5_cmu.conf
writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
Require all granted

<Location /.well-known/acme-challenge>
Require all granted

Creating backup of /etc/apache2/sites-available/mesa5_cmu.conf
Creating backup of /etc/apache2/sites-available/dsi.conf
Creating backup of /etc/apache2/sites-available/cal_cmu.conf
Creating backup of /etc/apache2/sites-available/shib_test.conf
Creating backup of /etc/apache2/apache2.conf
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port

Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2212, in config_test
util.run_script(self.option(“conftest_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2287, in perform
self.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2174, in restart
self.config_test()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2214, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port

Calling registered functions
Cleaning up challenges
Attempting to renew cert (mesa5.coloradomesa.edu) from /etc/letsencrypt/renewal/mesa5.coloradomesa.edu.conf produced an unexpected error: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port
. Skipping.
Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2212, in config_test
util.run_script(self.option(“conftest_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2287, in perform
self.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2174, in restart
self.config_test()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2214, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-available/dsi.conf:
Cannot define multiple Listeners on the same IP:port

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mesa5.coloradomesa.edu/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mesa5.coloradomesa.edu/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.31.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1272, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)
mesa5#

2

Here are the contents of the dsi.conf file:

##
#  Library Daily Sentinel Index website
##

# The 'dsi:80' entry was added for on-campus users
# who type in "dsi", instead of the fully-qualified
# name.  Without this VHost, those users would end up
# at the mesa10 web page
Listen dsi.coloradomesa.edu:80
<VirtualHost dsi.coloradomesa.edu:80 dsi:80>
  ServerName dsi.coloradomesa.edu
  Include /etc/apache2/sites-available/dsi.templ
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost dsi.coloradomesa.edu:443 dsi:443>
    ServerName dsi.coloradomesa.edu
    Include /etc/apache2/sites-available/dsi.templ
    SSLCertificateFile /etc/letsencrypt/live/mesa5.coloradomesa.edu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mesa5.coloradomesa.edu/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>
3

The active SSL cert was issued ~7 days ago.
If you’re wondering why I’m poking at this right now, it’s because I’m receiving messages indicating that I’m still using the acmev1 protocol. The /etc/letsencrypt/renewal/…conf file does reference the https://acme-v01.api.letsencrypt.org/directory server. I don’t know if this will self-resolve (auto-switch to acmev2) once the Apache config issue is fixed or not.

4

the server in the configfile you can change manually.

if your apache config works (<VirtualHost dsi.coloradomesa.edu:80 dsi:80> does not convince me), move to using

certbot renew -a webroot -i apache -w /path/to/your/webroot

if your apache config does not work, move to

<VirtualHost *:80>
ServerName dsi.coloradomesa.edu
ServerAlias dsi

instead

5

The <VirtualHost dsi.coloradomesa.edu:80 dsi:80> config does work (and has worked for quite a few versions of Apache).

However, your suggestion nudged me in the right direction: elsewhere in my config I was already doing a <VirtualHost IP:PORT> style of config, so I took that approach for this particular VirtualHost as well.

This particular VirtualHost had it’s own IP (distinct from the main IP on this host), and I was still getting the Apache IP:PORT still in use error when trying to do a certbot renew.

Since I no longer need a distinct IP for this VirtualHost, I have changed this VirtualHost to use the server’s main IP (and changed the DNS entry for this name to a CNAME pointing at the main host entry), and I’m cautiously hopeful that this will resolve my problems. It will take a day for the DNS changes to propagate, and then I can check for certain.

Thanks,

6

yeah, that's what the apache documentation supposes. I don't know what happens if you put an hostname in there.

7

It’s working today. Thanks for your assistance!

- Daniel
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.