Certificate is installed but website is still not secure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.cloudyans.com

I ran this command:

# sudo certbot certonly --apache-ctl /path/to/apachectl

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.cloudyans.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.cloudyans.com/privkey.pem
    Your cert will expire on 2020-12-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

IMPORTANT NOTES:

My website is still not secure after I successfully installed the certificate.
Port 443 is enabled.

Certificate location:

# ls -la /etc/letsencrypt/live/www.cloudyans.com/privkey.pem

lrwxrwxrwx 1 root root 44 Sep 2 22:24 /etc/letsencrypt/live/www.cloudyans.com/privkey.pem -> ../../archive/www.cloudyans.com/privkey1.pem

My web server is (include version):

Server version: Apache/2.4.34 (Unix)

Server built: Jul 30 2018 17:17:22

Server’s Module Magic Number: 20120211:79

Server loaded: APR 1.6.2, APR-UTIL 1.6.0

Compiled using: APR 1.6.2, APR-UTIL 1.6.0

**The operating system my web server runs on is (include version):**

Description: Ubuntu 16.04.5 LTS
Release: 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.7.0

1 Like

Hi,

The command you used, certonly, means it will only obtain the certificate but not install it for you.
You will still need to install the certificate to your web server, aka configure it in Apache.

You might be able to ask certbot to install the certificate for you by executing the command @griffin suggested below.

P.S. I would highly suggest you obtain a certificate for both cloudyans.com and www.cloudyans.com, which could be done by running:

sudo certbot --apache-ctl /path/to/apachectl -d www.cloudyans.com -d cloudyans.com -i apache

If you are running a custom Apache installation or something else, please consult with your server manager or IT before proceeding, as this might modify your Apache configurations.

2 Likes
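
Added example, not written by any poster in this thread: because `certonly` only saves files under /etc/letsencrypt/live/ and leaves Apache untouched, this shell function reports whether a config tree actually references that directory. The config root argument and the `*.conf` file naming are assumptions; pass the directory your Apache build really reads.

```shell
#!/bin/sh
# Added example: is a Certbot lineage actually wired into Apache?
# CONF_ROOT and the *.conf naming are assumptions supplied by the caller.
#
# cert_wiring CONF_ROOT LIVE_DIR prints one of:
#   wired      both SSLCertificateFile and SSLCertificateKeyFile point into LIVE_DIR
#   partial    only one of the two directives points into LIVE_DIR
#   not-wired  no active directive references LIVE_DIR
# Usage: cert_wiring /path/to/apache/conf /etc/letsencrypt/live/www.cloudyans.com
cert_wiring() {
    conf_root=$1
    live_dir=${2%/}
    # Read every config file under CONF_ROOT and look at active directives only.
    directives=$(find "$conf_root" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
        awk -v live="$live_dir/" '
            /^[ \t]*#/ { next }                       # skip commented-out lines
            {
                name = tolower($1); path = $2         # directive names are case-insensitive
                gsub(/"/, "", path)                   # Apache allows quoted paths
                if (index(path, live) != 1) next      # must point into the lineage directory
                if (name == "sslcertificatefile")    cert = 1
                if (name == "sslcertificatekeyfile") key = 1
            }
            END { print cert + 0, key + 0 }')
    case $directives in
        "1 1") echo wired ;;
        "0 0") echo not-wired ;;
        *)     echo partial ;;
    esac
}
```

A `not-wired` result after a successful `certonly` run means the server is still presenting whatever certificate its existing configuration names.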

Or perhaps:

sudo certbot install --apache-ctl /path/to/apachectl

Heed the warning of @stevenzhu. You can use rollback to undo the changes.

2 Likes

Ah certbot! A million ways to accomplish the same’ish thing.

Ok I tried this option and this is what I got:

sudo certbot install --apache-ctl /path/to/apachectl

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

Should I re-run with “certbot certonly”?

And I tried this as well. See output:

certbot --apache-ctl /path/to/apachectl -d www.cloudyans.com -d cloudyans.com -i apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)

2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

The apache plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError(‘Cannot find Apache executable /path/to/apachectl’)

It’s probably that you don’t have a configuration saved.

Try this:

sudo certbot install --apache

You do realize that you need to replace /path/to/apachectl with your actual path if you’re going to use --apache-ctl?

1 Like

Same result:

sudo certbot install --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The apache plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError(‘Cannot find Apache executable apache2ctl’)

Now we’re getting somewhere!

And yes I have the complete path.

Let’s try:

sudo certbot install --cert-name www.cloudyans.com --apache --apache-ctl your complete path and executable

Why are you hiding the path and executable?

I’m guessing it may complain about not finding the httpd binary next…

If so, add --apache-bin *your complete path to httpd*

Here is the complete path and the commands:

certbot install --cert-name www.cloudyans.com --apache --apache-bin /opt/bitnami/apache2/bin/httpd.bin

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The apache plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError(‘Cannot find Apache executable apache2ctl’)

And this is with httpd:

certbot install --cert-name www.cloudyans.com --apache --apache-ctl /opt/bitnami/apache2/bin/apachectl

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The apache plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError(‘Could not find configuration root’)

The apache plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError(‘Could not find configuration root’)

Sigh. If you are using Bitnami on an AWS machine, you could save your life (and valuable work hours or free hours) by using lego.

I’ve attached the official tutorial I used back when I was using Bitnami.
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

Hopefully your certbot instance didn’t do anything bad to your Bitnami Apache…

Honestly, if you said you are using Bitnami in the first place, I guess this thread could be shortened to around 3 posts. (No blame or anything like that, just pure facts.)

2 Likes

Excellent. Thanks for your assistance!

1 Like

Bitnami returns :scream:

1 Like