Could not reverse map the HTTPS VirtualHost to the original : Ubuntu 18.04.1 LTS (BIONIC)

You seem to have similar names in multiple files:

geolocalise-ip.net.host.conf: ServerName cms.geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName newsletter.geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName phpmyadmin.geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName postfixadmin.geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName webmail.geolocation-ip.net
geolocalise-ip.net.host.conf: ServerName www.geolocation-ip.net

geolocation-ip.net.host.conf: ServerName cms.geolocation-ip.net
geolocation-ip.net.host.conf: ServerName geolocation-ip.net
geolocation-ip.net.host.conf: ServerName newsletter.geolocation-ip.net
geolocation-ip.net.host.conf: ServerName phpmyadmin.geolocation-ip.net
geolocation-ip.net.host.conf: ServerName postfixadmin.geolocation-ip.net
geolocation-ip.net.host.conf: ServerName webmail.geolocation-ip.net
geolocation-ip.net.host.conf: ServerName www.geolocation-ip.net

You already had the cert, you should not have deleted it (over and over again: crt.sh | geolocaliseip.com)

Only time can fix this.

Indeed, I have duplicates… I’m sorry I didn’t explore this possibility because I thought these domain names were not concerned…
I’m very sorry, but Apache didn’t give any mistakes so I didn’t pay attention.
I just corrected it, thank you.

And for the renewal, I didn’t know there was a limit (now it’s done, I read it well: https://letsencrypt.org/docs/rate-limits/), and especially I didn’t see how to replay the scenario for the automatic generation of Virtualhosts.

In short, I thank you very much, and I will wait patiently next Wednesday to renew the operation and I will come back here to say if it worked!

Thanks again
Thierry

Please check to see if you still have any of the recently issued certs:
certbot certificates
ls -l /etc/letsencrypt/live/
ls -l /etc/letsencrypt/archive/

No, I have nothing… because I used:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the cert(s) you just revoked?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: Y 


root@s1:~# ls -l /etc/letsencrypt/live/
total 0
root@s1:~# ls -l /etc/letsencrypt/archive/
total 0

I thought about it for a moment… but no… :cry:

You can wait a few days, or you can also separate the single request for 6 names into multiple requests for fewer names on each request and possibly get those certs right away.

Try just two names:
certbot --authenticator standalone --installer apache -d geolocaliseip.com -d www.geolocaliseip.com --pre-hook "service apache2 stop" --post-hook "service apache2 start"

Ah, that’s a good idea!
I tried removing cms.geolocaliseip.com and newsletter.geolocaliseip.com (I don’t use them right away), but unfortunately it doesn’t work…

root@s1:~# certbot --authenticator standalone --installer apache -d geolocaliseip.com -d www.geolocaliseip.com -d phpmyadmin.geolocaliseip.com -d postfixadmin.geolocaliseip.com -d webmail.geolocaliseip.com --pre-hook "service apache2 stop" --post-hook "service apache2 start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache2 stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for geolocaliseip.com
http-01 challenge for phpmyadmin.geolocaliseip.com
http-01 challenge for postfixadmin.geolocaliseip.com
http-01 challenge for webmail.geolocaliseip.com
http-01 challenge for www.geolocaliseip.com
Waiting for verification...
Cleaning up challenges
Running post-hook command: service apache2 start
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/geolocaliseip.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/geolocaliseip.com/privkey.pem
   Your cert will expire on 2019-01-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

And in the log the same problem :

2018-10-18 14:54:20,248:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/geolocaliseip.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/geolocaliseip.com/privkey.pem
Your cert will expire on 2019-01-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
2018-10-18 14:54:20,281:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 497, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 304, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 328, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 510, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1108, in make_vhost_ssl
    "Could not reverse map the HTTPS VirtualHost to the original")
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original

2018-10-18 14:54:20,282:DEBUG:certbot.error_handler:Calling registered functions
2018-10-18 14:54:20,285:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-10-18 14:54:20,285:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1131, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 772, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 497, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 304, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 328, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 510, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1108, in make_vhost_ssl
    "Could not reverse map the HTTPS VirtualHost to the original")
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original

I have :
root@s1:~# ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 46 oct. 10 11:52 geolocaliseip.com.host.conf -> ../sites-available/geolocaliseip.com.host.conf

That’s too bad it’s not that.

Please show:
grep -r ':443' /etc/apache2/

Also, is there a reason why you stop/start the apache web server (and run a new standalone server) to do the authentication? (that is not the preferred method)
Ideally, you would only restart the web server when a certificate is updated/renewed. And most of the daily renewal attempts would have no effect at all.

Certainly, I keep this from an old version because there was an incompatibility: Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Otherwise here is the result :

root@s1:~# grep -r ':443' /etc/apache2/
/etc/apache2/sites-available/default-ssl.conf: VirtualHost default:443

Hello, everyone,
Does anyone have any ideas?
For information I created the virtualhosts manually to be able to progress on the rest of the installation, but I would really like to understand where the problem comes from.

Thank you in advance for any idea

Please show all files in use:
ls -l /etc/apache2/sites-enabled/

Hi rg305, sorry for the wait …

The result :
root@s1:~# ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 46 oct. 10 11:52 geolocaliseip.com.host.conf -> ../sites-available/geolocaliseip.com.host.conf
lrwxrwxrwx 1 root root 53 oct. 18 16:21 geolocaliseip.com.host-le-ssl.conf -> ../sites-available/geolocaliseip.com.host-le-ssl.conf

But it was me who created the file geolocaliseip.com.host-le-ssl.conf.txt (4.6 KB)

And there’s nothing else …

The uploaded file shows 7 vhosts that all share the same certificate.
The first two even share the same DocumentRoot - they can easily be combined.
As for the other 5…
I think you may do better by separating the vhosts into individual files or maybe also using individual certs.
Something is confusing the system…
Most likely that confusion stems from all vhosts being in one IFMODULE block:
<IfModule mod_ssl.c>
[vhost config #1]
[vhost config #2]

[vhost config #7]
</IfModule>

So, I would first try separating each vhost into its own file:

File #1:
<IfModule mod_ssl.c>
[vhost config #1]
</IfModule>

File #2:
<IfModule mod_ssl.c>
[vhost config #2]
</IfModule>

File #7:
<IfModule mod_ssl.c>
[vhost config #7]
</IfModule>

OR
Try temporarily removing the IFMODULE block - since you know you are using it.
Just change those two lines to:
#<IfModule mod_ssl.c>
#</IfModule>

Hi rg305, thank you for your answer. However, I sincerely think that the problem doesn’t come from that or it’s a new Bug. I say this because I use this kind of configuration on almost all my servers and I’ve done 4 recently and they all work…
These are sub-domains so in principle they are managed in the same file.

I have a similar issue after upgrading from 14.04 to 18.04
certbot stopped creating ssl vhost files with

Could not reverse map the HTTPS VirtualHost to the original

This is probably either Ubuntu, or Apache, has been upgraded and now is handling the default, or all, vhosts in a slightly different manner - one in which certbot can’t “understand”.
I’m thinking Apache has replaced the default Apache conf and it no longer makes “sense”.
If you have any way to compare the before conf to the current conf, you may find the trouble there.
Otherwise, I would try removing the <IfModule mod_ssl.c> block wrapper.
And also look for any overlapping vhost names:
grep -Eri 'servername|serveralias' /etc/apache2/
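
An added example, not part of the thread or of Certbot's own code: the overlap check that the first reply did by hand and that the grep above lists, done mechanically. It reports every ServerName/ServerAlias declared for the same port in more than one config file; the function names and the sample files in `demo()` are constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
NAME_LINE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+)$", re.I)

def overlapping_names(conf_dir):
    """Return {(port, hostname): [files]} for names declared in 2+ files."""
    seen = defaultdict(set)
    for path in sorted(Path(conf_dir).rglob("*.conf")):
        ports = []  # ports of the <VirtualHost> block currently open
        for line in path.read_text(errors="replace").splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out directives do not count
            opened = VHOST_OPEN.search(line)
            if opened:
                # "*:443" -> "443"; an address with no port -> "*"
                ports = [a.rsplit(":", 1)[1] if ":" in a and not a.endswith("]")
                         else "*" for a in opened.group(1).split()]
            elif "</virtualhost" in line.lower():
                ports = []
            elif ports:
                named = NAME_LINE.match(line)
                for host in (named.group(2).split() if named else []):
                    for port in ports:
                        # resolve(): a sites-enabled symlink and its target are one file
                        seen[(port, host.lower())].add(str(path.resolve()))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def demo():
    """Constructed sample: two port-80 files share names, the :443 file does not clash."""
    vhost = "<VirtualHost *:{port}>\n  ServerName {name}\n  ServerAlias www.{name}\n</VirtualHost>\n"
    files = {
        "geolocalise-ip.net.host.conf": vhost.format(port=80, name="geolocation-ip.net"),
        "geolocation-ip.net.host.conf": vhost.format(port=80, name="geolocation-ip.net"),
        "geolocation-ip.net.host-le-ssl.conf": vhost.format(port=443, name="geolocation-ip.net"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(body)
        return {k: [Path(f).name for f in v]
                for k, v in overlapping_names(tmp).items()}

if __name__ == "__main__":
    for (port, host), where in sorted(demo().items()):
        print(f"{host} on port {port}: {', '.join(where)}")
```

On a real server the directory to pass is /etc/apache2/; the same name on port 80 and port 443 is not reported, since that is the normal HTTP plus -le-ssl pairing.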

Hello guys,
That’s right, I forgot to say that my other servers are Ubuntu 16.04 (One of my servers in 16.04: Server version: Apache/2.4.18 (Ubuntu) Server built: 2018-04-18T14:53:04) and the server where I have a problem is in 18.04 (Server version: Apache/2.4.29 (Ubuntu) Server built: 2018-10-03T14:41:08) …

So, as rg305 says, the problem may come from Ubuntu or Apache …

You might also have an older version of Certbot that can’t understand as many variants of Apache configurations as newer versions; you might want to check how recent your Certbot is.

Hello schoen,
My version is
root@s1:~# certbot --version
certbot 0.26.1

So, it’s correct, it’s not the latest one, but I did an apt-get to get it, as it is written on https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

What should I do? An attempt to update the package? or a reinstallation without APT?
