Could not reverse map the HTTPS VirtualHost to the original

I was able to use certbot on two of my domains, cloud.XXX.de and vault.XXX.de, but on the third page that I want to create, certbot fails with "Could not reverse map the HTTPS VirtualHost to the original".

  • Certbot can Renew Certificates for the other pages successfully
  • apache2ctl configtest returns Syntax OK
  • apache2 starts without any visible errors
  • Creating a Cert for md.XXX.de results in Could not reverse map the HTTPS VirtualHost to the original
  • the http version of md.XXX.de returns the path/page that was defined in the vhost file; the https version returns the website of Cloud.XXX.de. I don't know why, but I suppose it's because I didn't define a file for https, so it just uses another one.
  • I also tried to include ServerAlias www.md.xxx.de in the md.xxx.de config, but it did not seem to change anything. This is the most minimal version of the vhost config I could think of, and it's still not working.
  • I also tried making another A DNS entry with another subdomain and the same config, but it still does not seem to work.

My Vhost Configs look like this:

000-default.conf

<VirtualHost *:80>

	#htaccess bs
	<Directory /var/www/html/empty>
            AllowOverride All
            Require all granted
	</Directory>

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/empty

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

default-ssl.conf

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost

		DocumentRoot /var/www/html/empty

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on

		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>

#own:
#https://upcloud.com/community/tutorials/install-lets-encrypt-apache/
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

cloud.XXX.de.conf

<VirtualHost *:80>

    ServerName cloud.XXX.de

    DocumentRoot /var/www/html/xxx-cloud

    <Directory /var/www/html/xxx-cloud/>

        Require all granted
        AllowOverride All
	Options FollowSymLinks MultiViews

	<IfModule mod_dav.c>
		Dav off
	</IfModule>

    </Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.cloud.XXX.de [OR]
RewriteCond %{SERVER_NAME} =cloud.XXX.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

cloud.XXX.de-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerName cloud.XXX.de

    DocumentRoot /var/www/html/xxx-cloud

    <Directory /var/www/html/xxx-cloud/>

        Require all granted
        AllowOverride All
	Options FollowSymLinks MultiViews

	php_flag output_buffering off

	<IfModule mod_dav.c>
		Dav off
	</IfModule>

    </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/cloud.xxx.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.xxx.de/privkey.pem
</VirtualHost>
</IfModule>

vault.xxx.de.conf

<VirtualHost *:80>

    ServerName vault.xxx.de
    DocumentRoot /var/www/html/test

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/$1 [P,L]
    ProxyPass / http://127.0.0.1:1336/

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s


    RewriteCond %{SERVER_NAME} =vault.xxx.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

vault.xxx.de-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerName vault.xxx.de
    DocumentRoot /var/www/html/test

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://<SERVER>:3012/$1 [P,L]
    ProxyPass / http://127.0.0.1:1336/

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

SSLCertificateFile /etc/letsencrypt/live/vault.xxx.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vault.xxx.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

md.xxx.de.conf

<VirtualHost *:80>

    ServerName md.xxx.de
    DocumentRoot /var/www/html/test

</VirtualHost> 

And the Certbot Log looks like this
/var/log/letsencrypt/letsencrypt.log

2021-12-29 12:55:05,875:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-12-29 12:55:05,877:DEBUG:certbot._internal.display.obj:Notifying user: Could not install certificate
2021-12-29 12:55:05,877:DEBUG:certbot._internal.display.obj:Notifying user: NEXT STEPS:
2021-12-29 12:55:05,877:DEBUG:certbot._internal.display.obj:Notifying user: - The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name md.xxx.de
2021-12-29 12:55:05,877:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1670/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 1371, in run
    raise installer_err
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 1355, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 963, in _install_cert
    le_client.deploy_certificate(domains, path_provider.key_path, path_provider.cert_path,
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/client.py", line 591, in deploy_certificate
    self.installer.deploy_cert(
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 509, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 535, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 712, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/snap/certbot/1670/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 1396, in make_vhost_ssl
    raise errors.PluginError(
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original
2021-12-29 12:55:05,878:ERROR:certbot._internal.log:Could not reverse map the HTTPS VirtualHost to the original

Also:

apachectl configtest
Syntax OK

systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-12-29 11:48:29 CET; 1h 28min ago
2 Likes

Welcome to the community @Ethaseo

What is the version of certbot and what oper sys and version are you on?

sudo certbot --version
3 Likes

Thank you for welcoming me @MikeMcQ.

certbot --version
certbot 1.22.0

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal

hostnamectl
[...]
Virtualization: kvm
Operating System: Ubuntu 20.04.3 LTS
Kernel: Linux 5.4.0-91-generic
Architecture: x86-64
4 Likes

Thanks. I searched this forum for that error and there are two categories of causes. Usually it is caused by a "structural" problem in the VHost conf. Less common is syntax.

To review the structure, does this show anything odd?

 sudo apachectl -t -D DUMP_VHOSTS

I would ask you to post that output but you have redacted your domains so far.

One syntax problem is related to comments of a certain form, possibly with other non-displayable chars, in the apache conf files. See here for this one.

5 Likes
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cloud.xxx.de (/etc/apache2/sites-enabled/cloud.xxx.de-le-ssl.conf:2)
         port 443 namevhost cloud.xxx.de (/etc/apache2/sites-enabled/cloud.xxx.de-le-ssl.conf:2)
         port 443 namevhost vsr1291.on-sp.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost vault.xxx.de (/etc/apache2/sites-enabled/vault.xxx.de-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server vsr1291.on-sp.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost vsr1291.on-sp.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost cloud.xxx.de (/etc/apache2/sites-enabled/cloud.xxx.de.conf:1)
         port 80 namevhost md.xxx.de (/etc/apache2/sites-enabled/md.xxx.de.conf:1)
         port 80 namevhost vault.xxx.de (/etc/apache2/sites-enabled/vault.xxx.de.conf:1)

Sorry for redacting my domains - I only do it for the ones containing my real-life name, as I don't want people to find entries here by my name.

Regarding weird characters at the end of the files, I couldn't find any, but I'll look again.

Edit:
It was literally a whitespace in the last 2 empty lines of the vhosts file. I feel like the parser should be able to handle this better. Maybe one should open a request on GitHub to fix this. Thank you very much for the idea with the space.

4 Likes

I am so glad you are volunteering for that! Thanks :slight_smile:

@Osiris thanks for your prior debug efforts, so we could resolve this one quickly.

5 Likes

I did what now? :scream:

@Ethaseo What version of certbot are you using? I already made an issue about this a year ago (Augeas doesn't like lines starting with a space or tab after </VirtualHost> · Issue #8224 · certbot/certbot · GitHub). I'd like to know if it's still an issue with current certbot or not.

5 Likes
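
The cause found above, as an added example that is not part of the original thread and is not certbot's or Augeas's own code: a heuristic shell check that reports every line beginning with a space or tab (whitespace-only lines included) after the last </VirtualHost> in a file. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic check based on the symptom described in this
# thread. It does not reproduce the Augeas lens certbot uses.

# Print "file:line" for each line after the last </VirtualHost> that
# starts with a space or tab. Directive names are matched case-insensitively.
find_ws_after_vhost() {
    for f in "$@"; do
        awk -v file="$f" '
            { line[NR] = $0 }
            tolower($0) ~ /^[ \t]*<\/virtualhost>/ { last = NR }
            END {
                if (!last) exit          # no vhost block in this file
                for (i = last + 1; i <= NR; i++)
                    if (line[i] ~ /^[ \t]/) print file ":" i
            }' "$f"
    done
}

# Build two constructed sample files and run the check on them.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample: clean file, nothing after the closing tag.
    printf '<VirtualHost *:80>\n    ServerName ok.example\n</VirtualHost>\n' \
        > "$d/ok.conf"
    # Constructed sample: two trailing lines holding only a space / a tab.
    printf '<VirtualHost *:80>\n    ServerName md.example\n</VirtualHost>\n \n\t\n' \
        > "$d/bad.conf"
    (cd "$d" && find_ws_after_vhost ok.conf bad.conf)
    rm -rf "$d"
}

demo
```

On the server from this thread the check would be run as `find_ws_after_vhost /etc/apache2/sites-enabled/*.conf`; once the reported lines are cleaned up, the log's own suggestion applies: `certbot install --cert-name md.xxx.de`.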

https://github.com/certbot/certbot/issues/9156

I'm also glad you helped me. Thank you very much, and I hope you enjoyed for once having all the needed files provided directly at the beginning of the thread :smiley:

See above, I posted it already: 1.22.0

3 Likes

Whoops, missed that, sorry.

4 Likes

Sorry, I was not clear. No need for screaming - you did a good thing :slight_smile: I found and linked to that older thread you resolved due to a parsing problem. That's what I was thanking you for. And that was used by @Ethaseo to solve this problem. Looks like issue #8224 is still not resolved - sadly.

5 Likes

I was joking :wink:

4 Likes
