Certbot - VHOST missing ServerName or ServerAlias Means Challenges Don't Pass

My domain is: domain.tld

I ran this command: certbot --apache -n -d domain.tld -d www.domain.tld --agree-tos --email mail@domain.com --redirect

It produced this output:

> Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

If you’re using a control panel to manage the webserver, I’d look for any plugin or module that supports Let’s Encrypt. Many control panels don’t take kindly to external configuration edits.

I agree with @motoko’s advice; it’s quite possible that this is some kind of conflict between Certbot and the control panel, or that, even if it’s not, it’s going to produce a conflict in the future.

If you’re sure that you want to use Certbot, you can run the command again without -n to find out what the question that it wants to ask is. This complaint is essentially that it’s not allowed to ask you questions when running with -n. If you allow it to ask, you’ll probably see what it is that Certbot needs to know and was unable to decide.

Hmm, weird. I remember that I’ve said ‘No’ to the Control panel question. But anyway, I’m using a DigitalOcean droplet, there’s no CP involved.

The prompt is about the vhosts file and which one is to be used. Can I pass this somehow with a parameter?

My point is to generate a certificate for both the www and non-www versions of the domain with a single line, including the -n command. Is that possible somehow?

First things first, you’ll want to find out what certbot needs to ask. Run without the -n command, and with --test-cert to get a test certificate and see what’s going on. This will let you figure out what is needed without running into rate limits. If certbot is going to modify your configurations, it desires a specific layout and you may not be doing that in a way it understands.

Personally, I like control and just use certonly with webroot since the path to the currently-active certificates doesn’t change and just reload the web server config after the renew command.

@bmw, can you help out here with a question about vhost selection ambiguity in the Apache plugin?

What’s going on here is Certbot can’t determine which virtual host to use to satisfy your request. You should add ServerName or ServerAlias directives to the correct Apache virtual host (and make sure there are no conflicting ones in another vhost on the same address and port).

I see. Is there any way of doing this without user interaction (with certbot, preferably)?
The creation of the DO droplets, the domain adding process and all that are automated, so I would like to automate that part as well.

Thanks for the answers!

This involves editing an Apache configuration file, but you could do it from a shell script with sed or something.

For example,

sed -i '/something/ aAnother thing' example-file.conf

is a command that will modify the file example-file.conf by inserting a new line containing the text “Another thing” immediately after any line that contains the text “something”.
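One way to script the sed approach from the reply above for this thread's ServerName/ServerAlias case, as an added example that is not code from any poster: the function name add_server_names and its return codes are hypothetical, and it assumes one vhost per conf file, as the Certbot message asks for.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: add_server_names CONF DOMAIN
# Inserts ServerName/ServerAlias after the opening <VirtualHost ...> line of
# CONF so Certbot can pick the vhost without asking. Safe to run repeatedly.
add_server_names() {
    conf=$1
    domain=$2

    # The domain is interpolated into a sed script below, so accept only
    # hostname characters; anything else could alter the sed program.
    case $domain in
        ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Idempotent: an uncommented ServerName already labels this vhost.
    if grep -Eiq '^[[:space:]]*ServerName[[:space:]]' "$conf"; then
        return 0
    fi

    # Refuse files with zero or several vhosts: labelling each of them with
    # the same name would recreate the ambiguity Certbot complained about.
    n=$(grep -Ec '^[[:space:]]*<VirtualHost[[:space:]]' "$conf" || true)
    [ "$n" = 1 ] || { echo "$conf: expected 1 vhost, found $n" >&2; return 3; }

    tmp=$(mktemp) || return 1
    # "a\" with continued lines is the portable multi-line form of sed's
    # append command (the one-line form in the thread is a GNU extension).
    if sed "/^[[:space:]]*<VirtualHost[[:space:]]/a\\
    ServerName $domain\\
    ServerAlias www.$domain
" "$conf" > "$tmp"; then
        # Overwrite in place so the file keeps its owner and permissions.
        cat "$tmp" > "$conf"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# After the edit, check the configuration (apachectl configtest) and then
# run the non-interactive command from the first post:
#   certbot --apache -n -d domain.tld -d www.domain.tld ...
```

The domain check matters in an automated pipeline where the name comes from an API or a form, since it ends up inside both a sed program and an Apache configuration file.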
