Certificate fails, need help

feeling · May 7, 2020, 8:47pm

Hi, I tried to setup a ssl-certificate on my schools LMS-Server. But certbot tells me that its unable to do that.
My domain is: schuefwsgt.dd-dns.de or specific schuefwsgt.dd-dns.de/moodle

I ran this command:
sudo apt-get install certbot python3-certbot-apache
sudo certbot --apache

It produced this output:
IMPORTANT NOTES:

Unable to install the certificate
Congratulations! Your certificate and chain have been saved at: …

My web server is (include version): apache2
The operating system my web server runs on: Ubuntu 18
I can login to a root shell on my machine.
I’m not using a control panel to manage my site.
The version of my client is certbot 0.31.0

rg305 · May 7, 2020, 9:34pm

You might have skipped a few installation steps…

feeling · May 8, 2020, 8:15am

okay, everything above apt-get install I haven't written down here beacuse I thought it would be obvious that I did. But of cause I ran
> sudo apt-get update

    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update

rg305 · May 8, 2020, 8:18am

OK what about…
sudo apt-get upgrade
Does that show any pending updates?
[or anything unusual]

feeling · May 8, 2020, 8:24am

actually there was an upgrade but it was just the libgd. Doesn't matter I ran the command certbot --apache again and this time I got this:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/schuefwsgt.dd-dns.de.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

We were unable to find a vhost with a ServerName or Address of schuefwsgt.dd-dns.de.
Which virtual host would you like to choose?

1: moodle.conf | moodle | | Enabled
2: default-ssl.conf | | HTTPS | Enabled
3: 000-default.conf | Multiple Names | | Enabled

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

Unable to install the certificate

Congratulations! Your certificate and chain have been saved at:

rg305 · May 8, 2020, 8:26am

That is not good.
Please show:
apachectl -S
and
certbot certificates

feeling · May 8, 2020, 8:32am

[quote=“output”]AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:443 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80 is a NameVirtualHost
default server moodle (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost moodle (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.moodle_fwsgt.de
port 80 namevhost moodle (/etc/apache2/sites-enabled/moodle.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33.[/quote]

[quote]Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: schuefwsgt.dd-dns.de
Domains: schuefwsgt.dd-dns.de
Expiry Date: 2020-08-05 17:34:41+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/schuefwsgt.dd-dns.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/schuefwsgt.dd-dns.de/privkey.pem

- - - - -[/quote]

rg305 · May 8, 2020, 8:35am

Let's try to find the vhost config that uses that cert (if any):
grep -R schuefwsgt.dd-dns.de /etc/apache2

feeling · May 8, 2020, 8:36am

grep: /etc/apache2/sites-enabled/moodle-le-ssl.conf: No such file or directory
/etc/apache2/sites-available/moodle-le-ssl.conf_alt:SSLCertificateFile /etc/letsencrypt/live/schuefwsgt.dd-dns.de/fullchain.pem
/etc/apache2/sites-available/moodle-le-ssl.conf_alt:SSLCertificateKeyFile /etc/letsencrypt/live/schuefwsgt.dd-dns.de/privkey.pem

rg305 · May 8, 2020, 8:38am

There is a break in what should be in /sites-enabled/ and the matching /sites-available/ file:

I guess at some point you renamed an active file...

feeling · May 8, 2020, 8:40am

hmm, remnants of the guy that tried to certificate the server before me? I delete that “_alt”

rg305 · May 8, 2020, 8:40am

You need to understand how /sites-enabled/ and /sites-available/ work.
The “available” are all the files that can be used.
The “enabled” are the ones that are in use.
BUT the enabled is not another copy of that file, it is merely a link to the original file (in the available folder).
So you can’t just rename files in the available folder when they are in use.

rg305 · May 8, 2020, 8:41am

Now you still have a broken "enabled" link.
ls - l /etc/apache2/sites-enabled/
ls - l /etc/apache2/sites-available/

feeling · May 8, 2020, 8:43am

total 0
lrwxrwxrwx 1 root root 35 Dez 2 14:20 000-default.conf -> …/sites-available/000-default.conf
lrwxrwxrwx 1 root root 35 Apr 1 09:08 default-ssl.conf -> …/sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 30 Apr 14 13:38 moodle.conf -> …/sites-available/moodle.conf
lrwxrwxrwx 1 root root 47 Mai 7 19:54 moodle-le-ssl.conf -> /etc/apache2/sites-available/moodle-le-ssl.conf

total 40
-rw-r–r-- 1 root root 1398 Apr 16 13:40 000-default.conf
-rw-r–r-- 1 root root 1398 Apr 14 12:33 000-default.confalt
-rw-r–r-- 1 root root 1332 Jul 16 2019 000-default.conforiginal
-rw-r–r-- 1 root root 6578 Mai 7 18:09 default-ssl.conf
-rw-r–r-- 1 root root 6338 Jul 16 2019 default-ssl.confalt
-rw-r–r-- 1 root root 1372 Mai 7 20:13 moodle.conf
-rw-r–r-- 1 root root 1564 Mai 7 20:28 moodle-le-ssl.conf
-rw-r–r-- 1 root root 1337 Apr 14 12:26 test.conf

rg305 · May 8, 2020, 8:46am

OK so four files are active.

But none of them use the domain “schuefwsgt.dd-dns.de”.
If that is something you still need, then you will need a vhost config for it.
If you no longer need it then you can simply delete that cert with:
certbot --delete {cert-name}
certbot --delete schuefwsgt.dd-dns.de

feeling · May 8, 2020, 8:51am

Thats the content of moodle.conf:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName moodle
DocumentRoot /var/www/html/moodle
ErrorLog ${APACHE_LOG_DIR}/moodle_error.log
CustomLog ${APACHE_LOG_DIR}/moodle_access.log combined

Yesterday I tried to change ServerName from "moodle" to "schuefws.dd-dns.de". Result was that "schuefwsgt.dd-dns.de" was unreachable from the Internet

rg305 · May 8, 2020, 8:52am

Add below servername moodle
ServerAlias schuefwsgt.dd-dns.de
then restart apache
then rerun certbot and choose to reinstall the cert

[the cert domain name must match a servername/alias name]

feeling · May 8, 2020, 8:56am

ok, I did
result:
http://schuefwsgt.dd-dns.de reachable
https://schuefwsgt.dd-dns.de gets redirected to https://schuefwsgt.dd-dns.de/moodle
http://schuefwsgt.dd-dns.de/moodle unreachable
https://schuefwsgt.dd-dns.de/moodle unreachable

rg305 · May 8, 2020, 8:59am

That can only be fixed within your config.
Fix this first:
http://schuefwsgt.dd-dns.de/moodle

feeling · May 8, 2020, 9:00am

ServerAlias http://schuefwsgt.dd-dns.de/moodle @ moodle.conf ?