Certbot "successful", but still don't have an ssl certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: SNReloaded.stream

I ran this command:
snreloaded@Machina:~$ sudo certbot certonly --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): snreloaded.stream
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/snreloaded.stream.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/snreloaded.stream/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/snreloaded.stream/privkey.pem
    Your cert will expire on 2020-04-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48

The operating system my web server runs on is (include version): Ubuntu (server) 18.04

My hosting provider, if applicable, is: SelfHosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

What seems odd to me is it says it succeeded, but myself and others do have yet to see it with an https connection. Any help would be greatly appreciated!

What is your HTTPS virtual host’s listen address?

sudo apachectl -t -D DUMP_VHOSTS

snreloaded@Machina:~$ sudo apachectl -t -D DUMP_VHOSTS
[sudo] password for snreloaded:
VirtualHost configuration:
*:80 Machina.mtu.edu (/etc/apache2/sites-enabled/000-default.conf:1)

@_az sorry, forgot to tag for the last post. I did post the result of that command

Ah, I did see it, I just forgot to respond.

Right, we can see that your Apache configuration only has a port 80 virtualhost. Certbot does not seem to actually be performing any installation to your webserver.

I suspect the reason is:

This command is contradictory.

certonly means: just give a certificate, I will install it to my webserver by myself.

--apache is an alias for --authenticator apache --installer apache, which tells Certbot to install the certificate to your Apache configuration.

It looks like the contradiction was decided in favor of certonly, which is not what you want.

I think most likely you can just run the same thing without certonly:

sudo certbot --apache

and follow the prompts to install your certificate to your Apache configuration.

Interesting, okay

Here is the output from that command

snreloaded@Machina:~$ sudo certbot --apache
[sudo] password for snreloaded:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): snreloaded.stream
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/snreloaded.stream.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Rolling back to previous server configuration…
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Encountered exception during recovery:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2185, in _reload
util.run_script(self.option(“restart_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 526, in deploy_certificate
self.installer.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2175, in restart
self._reload()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2185, in _reload
util.run_script(self.option(“restart_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/error_handler.py”, line 108, in _call_registered
self.funcs-1
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 626, in _rollback_and_restart
self.installer.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2175, in restart
self._reload()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/server-config with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/snreloaded.stream/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/snreloaded.stream/privkey.pem
    Your cert will expire on 2020-04-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/000-default.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/000-default-le-ssl.conf because they
    have the potential to create redirection loops.

This errored out, something about apache2ctl

Certbot tried to install the certificate, but it looks like it’s unable to restart your webserver.

Can you try this again:

apachectl -t -D DUMP_VHOSTS

If there’s a problem with the new config, it should show it. It should also show the changes that Certbot made.

snreloaded@Machina:~$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 Machina.mtu.edu (/etc/apache2/sites-enabled/000-default.conf:1)

Yeah, I agree. In the previous error stack, it says it rolled back the changes, which would explain why it’s the same.

Can we try stop the webserver? This would help narrow down why Certbot can’t restart it.

sudo service apache2 stop

and then verify nothing’s running on port 80:

sudo ss -tlnp | grep ":80"

snreloaded@Machina:~ sudo service apache2 stop snreloaded@Machina:~ sudo ss -tlnp | grep “:80”
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:((“lighttpd”,pid=2104,fd=4)) LISTEN 0 128 [::]:80 [::]:* users:((“lighttpd”,pid=2104,fd=5))

Makes sense.

So, you have two webservers installed:

  • Apache
  • lighttpd

They’re both configured to listen to port 80 - which isn’t going to work. Apache can’t start because lighttpd stole its port.

Do you know what you need lighttpd for? You probably only want one of the webservers at the end of the day.

I don’t think I’m using lighttpd for anything, so I can uninstall it and restart my system, try the reinstall again

Your current website at http://snreloaded.stream/ is being served by lighttpd.

Perhaps be a little careful if you intend to uninstall it - you don’t want to lose any of your work!

Odd, because when I first created the site I had to remove the default Apache page.

My web root is /var/www/html/, and I remember moving the default index.html over (I do have it on GitHub as well)

Total speculation, but perhaps your lighttpd configuration is also using /var/www/html to serve up your website?

If Apache dropped its default page in there when it was installed, it may have given the wrong impression that you were hosting using Apache.

Edit: Just checked, and the default document root on Ubuntu for lighttpd is indeed /var/www/html:

server.document-root        = "/var/www/html"

Do you happen to know what Ubuntu server uses by default? Because I started editing the HTML files on a fresh Ubuntu server install

Do you mean what webserver it uses by default? I’m not sure - there’s a lot of “flavors”. But we definitely know you’re using lighttpd right now because it’s revealed in a response header (last line):

$ curl -X GET -I http://snreloaded.stream/
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "837399829"
Last-Modified: Sat, 27 Apr 2019 09:54:38 GMT
Content-Length: 1815
Date: Wed, 15 Jan 2020 06:11:13 GMT
Server: lighttpd/1.4.45

Just restarted my server, can you try that command again?

Same result - lighttpd.