Certificate invalid


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.plnms.com

I ran this command:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
sudo apt-get install certbot python3-certbot-dns-route53

sudo certbot certonly --webroot
sudo certbot certonly --dns-route53

It produced this output:

Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev.plnms.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev.plnms.com/privkey.pem
    Your cert will expire on 2019-06-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Ubuntu 16.04

The operating system my web server runs on is (include version): apache

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


#2

Please specify the exact commands used. Also, my crystal ball has fallen on the ground and is broken, so I can’t see the “site for ubuntu apache” you’ve used. Could you please tell us?

Please specify the whole output, preferably in “Preformatted text” (see the </> logo in the top bar of the text editor).


#3

@Osiris I have updated the original post


#4

Hi @skasliwal

You use certonly, so you have to install the certificate manually.

Your webserver has a self signed bitnami certificate ( https://check-your-website.server-daten.de/?q=dev.plnms.com ):

CN=www.example.com, OU=Certificate generated at boot time, O=Bitnami
04.02.2019 - 01.02.2029, expires in 3613 days

Not a Letsencrypt certificate.

One header:

X-Redirect-By: WordPress


#5

@JuergenAuer Thanks for the quick response. I am not very good with Linux but I definitely need to implement Let’s Encrypt for our site. Can you please guide me how and what to do for the successful implementation?


#6

Hi @skasliwal,

certbot certonly means “obtain the certificate, but don’t install it”. This is meant for (1) people who don’t use Apache or nginx (because Certbot won’t know how to install certificates in their environments), or (2) system administrators who prefer to edit their own Apache or nginx configurations, instead of having Certbot do it for them.

It doesn’t seem like you’re in either of these categories, so certbot certonly may not be the right choice for you. (If you followed a tutorial that suggested this route, as it sounds like you did, you might have misunderstood the instructions in it, or the tutorial author may not have explained some assumptions clearly.)

Is there a specific reason that you use --webroot instead of --apache? If you just use

certbot --apache

it may be able to issue and install the certificate for you. If it has problems, you could also try

certbot -a webroot -i apache

which means “obtain the certificate with the webroot plug-in, but then install it with the apache plug-in”.


#7

(Apache is normally configured by editing text files in /etc/apache2, or /etc/httpd on some systems. These files have to be modified in order for Apache to know that you want to have an HTTPS configuration and to tell it where to find your certificate and private key.)


#8

You have a bitnami certificate. And you use webroot.

So it looks like you have a Bitnami environment, not a standard Apache.

You have a new certificate, created 2019-02-28:

https://crt.sh/?q=dev.plnms.com

Creating a new certificate has worked.

But bitnami requires additional steps (I don’t know these).


#9

@schoen I executed this command and got this output:

Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Rolling back to previous server configuration…
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Encountered exception during recovery:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2184, in _reload
util.run_script(self.option(“restart_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 526, in deploy_certificate
self.installer.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2174, in restart
self._reload()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2202, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2184, in _reload
util.run_script(self.option(“restart_cmd”))
File “/usr/lib/python3/dist-packages/certbot/util.py”, line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/error_handler.py”, line 108, in _call_registered
self.funcs-1
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 626, in _rollback_and_restart
self.installer.restart()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2174, in restart
self._reload()
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 2202, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/server-config with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev.plnms.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev.plnms.com/privkey.pem
    Your cert will expire on 2019-06-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

#10

Oh yeah, I guess there is a separate Bitnami Apache that’s installed in a different location (and Certbot is trying to use the normal operating system packaged Apache). I don’t remember how to deal with this. Maybe it would be helpful to start a thread called “Certbot with Bitnami Apache” or something to attract attention from people who are more familiar with Bitnami configurations (or be sure to find a Bitnami-specific tutorial).
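The "(98)Address already in use ... :80" lines in the output above are the tell-tale sign of exactly this: Certbot's apache plug-in starts the OS-packaged apache2, but another server (here Bitnami's) already owns the port. The following script is an added example, not code from the thread or from Certbot; it parses "ss -ltnp" output to report which program owns a port, so you can check this before running "certbot --apache". The sample ss output and the assumption that Bitnami's Apache shows up as "httpd" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find out which process owns port 80
# before letting Certbot's apache plug-in try to (re)start the OS apache2.

# Print the unique process names bound to a port, parsed from "ss -ltnp" text.
# $1 = ss output, $2 = port number.
listeners_on_port() {
    printf '%s\n' "$1" |
        awk -v port="$2" '$1 == "LISTEN" && $4 ~ ":"port"$" {
            # Process field looks like users:(("httpd",pid=1401,fd=4),("httpd",...))
            while (match($0, /\("[^"]+"/)) {
                name = substr($0, RSTART + 2, RLENGTH - 3)
                if (!(name in seen)) { seen[name] = 1; print name }
                $0 = substr($0, RSTART + RLENGTH)
            }
        }'
}

# "os-apache"     : the Debian/Ubuntu packaged apache2 owns the port, so
#                   "certbot --apache" can manage it.
# "other:<name>"  : a different server owns the port (e.g. a Bitnami stack);
#                   Certbot would hit "Address already in use" on restart.
# "none"          : nothing is listening.
classify_port_owner() {
    names=$(listeners_on_port "$1" "$2")
    [ -z "$names" ] && { echo none; return; }
    case "$names" in
        apache2) echo os-apache ;;
        *) echo "other:$(printf '%s' "$names" | head -n 1)" ;;
    esac
}

# Constructed sample in the shape of "ss -ltnp" output (not the poster's
# machine). Assumption: Bitnami's Apache binary appears as "httpd".
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*   users:(("httpd",pid=1401,fd=4),("httpd",pid=1402,fd=4))
LISTEN 0      128    [::]:80           [::]:*      users:(("httpd",pid=1401,fd=5))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=900,fd=3))'

# Live use (needs iproute2; run as root so ss can show process names):
#   classify_port_owner "$(ss -ltnp)" 80
classify_port_owner "$SAMPLE" 80
```

If the result is anything other than "os-apache", the certificate must be wired into that other server's own configuration instead of via "certbot --apache".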


#11

@JuergenAuer Thanks for the help


#12

@schoen Thanks for the help


#13

Sorry not to be more familiar with Bitnami—it’s quite a popular environment and can be a bit tricky to get it to work with Certbot. :frowning:


#14

@schoen no worries schoen, I have opened another thread for this topic and found some articles which I am trying now, hopefully that will work! :slightly_smiling_face: