Certbot renew gives incomprehensible errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alf4all.nl

I ran this command: sudo certbot renew

It produced this output: ?

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0

After sudo certbot renew I got a lot of errors. After I opened port 80 I could renew my certificate. Now sudo certbot -v comes with:

```
Keeping the existing certificate
Deploying certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/alf4all.conf
Successfully deployed certificate for alf4all.nl to /etc/apache2/sites-enabled/alf4all.conf
Failed redirect for alf4all.nl
Unable to set the redirect enhancement for alf4all.nl.

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name alf4all.nl

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Other details of apache:
I made a symbolic link in /etc/apache2/sites-enabled -> alf4all.conf
certbot --install put at the end of alf4all.conf:
```
ServerName alf4all.nl
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/alf4all.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/alf4all.nl/privkey.pem
```

on top of alf4all.conf:
```
ServerAdmin w.nijs@alf4all.demon.nl
```

options-ssl-apache.conf:
```
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA>
SSLHonorCipherOrder off
SSLSessionTickets off

SSLOptions +StrictRequire

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost>
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
```

Please can somebody help or give a hint where to look? Thanks and regards...
Wijnand

Welcome back @Wijnand

Let us start by showing us the output of these two commands

```
ls -lR /etc/apache2/sites*
sudo apache2ctl -t -D DUMP_VHOSTS
```

What a service, thanks a lot...

ls -l /etc/apache2/sites* gives:

```
/etc/apache2/sites-available:
total 12
-rw-r--r-- 1 root root 1332 Mar 1 2023 000-default.conf
-rw-r--r-- 1 root root 6338 Mar 1 2023 default-ssl.conf

/etc/apache2/sites-enabled:
total 0
lrwxrwxrwx 1 root root 35 Jul 5 18:12 alf4all.conf -> /media/alf4all/apache2/alf4all.conf
```

```
wijnand@server-a:/etc/apache2$ sudo apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
88.159.57.235:443 alf4all.nl (/etc/apache2/sites-enabled/alf4all.conf:1)
88.159.57.235:80 alf4all.nl (/etc/apache2/sites-enabled/alf4all.conf:1)
```

I see the remark:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

Is that the problem maybe?

I think the problem is probably because of your unusual sites-available / enabled usage. Normally you have the conf file in sites-available and link to it from sites-enabled. Then, your Apache includes all the files in sites-enabled.

But, let us look at your conf file too. Please show contents of below file and add 3 backticks before and after so we don't lose some of the Apache tags. Like this
```
contents of /etc/apache2/sites-enabled/alf4all.conf
```

First: the link in sites-enabled to my alf4all.conf file has worked for years. Second: after going to work with certification it worked perfectly with https, including the redirection from http to https. I got an email that I have to renew my certificates and from that time the troubles started... I tried a lot and maybe I have done a lot of damage in the settings, that's the history... Now your question:

```
<VirtualHost alf4all.nl:80 alf4all.nl:443>

# VirtualHost alf4all
#---------------------
ServerAdmin w.nijs@alf4all.demon.nl
DocumentRoot "/media/alf4all/alf4all"
SetEnvIf Request_URI "\.(txt|jpg|png|gif|ico|js|css|swf|js?.|css?.)$" StaticContent

<Directory />
 Options FollowSymLinks
 AllowOverride None
</Directory>

<Directory "/media/alf4all/alf4all/">
 Options +Indexes +FollowSymLinks +MultiViews +Includes
 AllowOverride None
 Require all granted
 AddType text/html .htm
 AddOutputFilter INCLUDES .htm
</Directory>

# Alias roots
#-------------
Alias /roots/ "/media/alf4all/roots/"

<Directory "/media/alf4all/roots/">
 Options +Indexes +FollowSymLinks +MultiViews +Includes
 AllowOverride None
 Require all granted
 AddType text/html .htm
 AddOutputFilter INCLUDES .htm
</Directory>

# Alias library
#--------------
Alias /library/ "/media/alf4all/library/"

<Directory "/media/alf4all/library/">
 Options +Indexes +FollowSymLinks +MultiViews
 AllowOverride None
 Require all granted
</Directory>

# Alias archive
#---------------
Alias /archive/ "/media/alf4all/archive/"

<Directory "/media/alf4all/archive/">
 Options +Indexes +FollowSymLinks +MultiViews +Includes
 AllowOverride None
 Require all granted
</Directory>

# Alias engineering
#-------------------
Alias /engineering/ "/media/alf4all/engineering/"

<Directory "/media/alf4all/engineering/">
 Options +Indexes +FollowSymLinks +MultiViews
 AllowOverride None
 Require all granted
</Directory>

# Alias povray
#--------------
Alias /povray/ "/media/alf4all/povray/"

<Directory "/media/alf4all/povray/">
 Options +Indexes +FollowSymLinks +MultiViews
 AllowOverride None
 Require all granted
</Directory>

# Alias CGI script alias
#------------------------
ScriptAlias /cgi-bin/ /media/alf4all/cgi-bin/

<Directory "/media/alf4all/cgi-bin">
 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
 AllowOverride None
 Require all granted
</Directory>

# Alias JavaScript alias
#------------------------
Alias /scripts/ "/media/alf4all/scripts/"

<Directory "/media/alf4all/scripts/">
 Options +Indexes +FollowSymLinks +MultiViews
 AllowOverride None
 Require all granted
</Directory>

# Access
#--------
Include /media/alf4all/apache2/access/access.conf

CustomLog /media/alf4all/apache2/logs/access.log combined env=!dontlog
SetEnvIf Remote_Addr "192.168.178.100" dontlog # local admin requests on server-a
SetEnvIf Remote_Addr "88.159.57.235"   dontlog # internet admin requests

# ErrorLog
#----------
ErrorLog /media/alf4all/apache2/logs/error.log
LogLevel warn

ErrorDocument 401 /custom_401.html
ErrorDocument 403 /custom_403.html
ErrorDocument 404 /custom_404.html

ServerName alf4all.nl
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/alf4all.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/alf4all.nl/privkey.pem
</VirtualHost>
```

If I call https://alf4all.nl/ with Firefox I get the message: SSL_ERROR_RX_RECORD_TOO_LONG. What's the meaning of this error?

First, can you edit your post to use 3 backticks rather than 3 periods? On a US keyboard the backtick is in the upper left. Or, copy/paste the ones from my post.

You only have one symlink in /sites-enabled to alf4all.conf. But, that should have two VirtualHosts (one for port 80 and one for 443) but there is only one. Some of the apache tags were omitted by this forum's formatting because no backticks. So some items were lost but that cannot explain everything.

I can understand why Certbot would not know how to insert redirects from HTTP to HTTPS with such a config. Is this how it has always been?

Okay, I understand now the role of the 3 backticks. Still learning...

I remember the last thing I changed in the .conf was to replace `<VirtualHost *:80>` by `<VirtualHost alf4all.nl:80 alf4all.nl:443>` because in some help on errors this would help to open 2 ports for the site.

And changed ownership and mode to www-data:www-data 775

Several issues here.

First, port 80 is currently blocked. You should check your router and firewall(s). Also, check that your ISP has not started blocking it. Some residential ISPs do this.

Second, you should not mix port 80 and port 443 in the same VirtualHost. You should create a new VirtualHost just for port 80 and change your existing VirtualHost statement to be <VirtualHost *:443>. Using a domain name in the VirtualHost makes it an IP-based VHost and name-based VHosts are easier to manage.

Now would be a good time to use the standard method of organizing conf files. That is, in /sites-available have one conf file for each VirtualHost and then use a2ensite and a2dissite to enable / disable them. It does this by making / removing a symlink in /sites-enabled to the /sites-available conf file.

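The layout faults named in the reply above (both ports in one block, a domain name as the VirtualHost address) can be checked mechanically before running Certbot. The following is an added example, not code from the thread or from Certbot; `lint_vhosts` and the two sample strings are constructed for illustration.

```python
import re

# Constructed samples: the thread's mixed-port header (reduced) and the split fix.
MIXED = """\
<VirtualHost alf4all.nl:80 alf4all.nl:443>
ServerName alf4all.nl
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/alf4all.nl/fullchain.pem
</VirtualHost>
"""
SPLIT = """\
<VirtualHost *:80>
ServerName alf4all.nl
Redirect permanent / https://alf4all.nl/
</VirtualHost>
<VirtualHost *:443>
ServerName alf4all.nl
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/alf4all.nl/fullchain.pem
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
TLS = re.compile(r"^\s*(SSLEngine|SSLCertificate\w+|Include\s+\S*options-ssl-apache\.conf)",
                 re.M | re.I)
LITERAL_ADDR = re.compile(r"\*|_default_|[\d.]+|\[[0-9a-fA-F:]+\]")

def lint_vhosts(conf_text):
    """Return (addresses, problem) pairs for the layout faults seen in the thread."""
    conf_text = re.sub(r"^\s*#.*$", "", conf_text, flags=re.M)  # drop comment lines
    findings = []
    for match in VHOST.finditer(conf_text):
        addrs, body = match.group(1).split(), match.group(2)
        pairs = [a.rsplit(":", 1) for a in addrs if ":" in a]
        ports = {port for _, port in pairs}
        uses_tls = bool(TLS.search(body))
        if {"80", "443"} <= ports:
            findings.append((addrs, "one block covers ports 80 and 443"))
        if uses_tls and "80" in ports:
            findings.append((addrs, "TLS directives apply to port 80"))
        if "443" in ports and not uses_tls:
            findings.append((addrs, "port 443 block has no TLS directives"))
        if any(not LITERAL_ADDR.fullmatch(host) for host, _ in pairs):
            findings.append((addrs, "hostname used as VirtualHost address"))
    return findings

if __name__ == "__main__":
    for addrs, problem in lint_vhosts(MIXED) + lint_vhosts(SPLIT):
        print(" ".join(addrs), "->", problem)
```

To check a real server, pass the text of each file under /etc/apache2/sites-enabled to `lint_vhosts`; an empty list means none of these faults were found.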

Hello Mike (?), I solved the problem by

  1. Unblocking both ports 80 and 443 on my router
  2. Changed the header of my alf4all.conf to:
```
<VirtualHost *:80>
  ServerName alf4all.nl
  ServerAlias www.alf4all.nl

  Redirect permanent / https://alf4all.nl/
</VirtualHost>

<VirtualHost *:443>
  ServerName alf4all.nl
  ServerAlias www.alf4all.nl

  Protocols h2 http/1.1
```
  3. Keep my link to alf4all.conf in sites-enabled and no extra modifications or links in/to sites-enabled and/or sites-available.

So the big problems were that the server shares the two ports and the mix of two ports in the same VirtualHost. Now it's working perfectly.

Thanks for helping me with this problem, it was an eye opener, I have learned a lot (for a 73 year old man :wink:)

Okay good. Much progress.

You have the name www.alf4all.nl as a ServerAlias which is fine. But, your cert does not have that name in it and there is no DNS A record for it either. No one will be able to use that domain name without these.
