Could not reverse map the HTTPS VirtualHost to the original

My domain is: 8teeth.com

I ran this command: sudo certbot --apache

It produced this output:
(after I entered '8teeth.com www.8teeth.com' and selected '1: Attempt to reinstall this existing certificate')

Deploying certificate
Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name 8teeth.com

Could not reverse map the HTTPS VirtualHost to the original
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.4

Hi @benaustralia, and welcome to the LE community forum :slight_smile:

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

4 Likes

Observe port 443 is filtered

$ nmap -Pn -p80,443 8teeth.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-28 23:07 UTC
Nmap scan report for 8teeth.com (3.12.65.18)
Host is up (0.083s latency).
rDNS record for 3.12.65.18: ec2-3-12-65-18.us-east-2.compute.amazonaws.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds

Now, connecting to port 80 is redirected to port 443 (which is filtered, as shown above).

$ curl -Ii http://8teeth.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Tue, 28 Nov 2023 23:08:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://8teeth.com/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

Whereas when making the request on port 80 to www.8teeth.com there is no redirection.

$ curl -Ii http://www.8teeth.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 28 Nov 2023 23:09:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
1 Like

Here details on Apache can be found in documentation and forums:

3 Likes

Perhaps a better way to show that www.8teeth.com and 8teeth.com do not respond the same is with Let's Debug.

www.8teeth.com gets an OK here https://letsdebug.net/www.8teeth.com/1692094

8teeth.com gets 2 ERRORs here https://letsdebug.net/8teeth.com/1692096

ANotWorking
ERROR
8teeth.com has an A (IPv4) record (3.12.65.18) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with 8teeth.com/3.12.65.18: Get "https://8teeth.com/.well-known/acme-challenge/letsdebug-test": dial tcp 3.12.65.18:443: i/o timeout

Trace:
@0ms: Making a request to http://8teeth.com/.well-known/acme-challenge/letsdebug-test (using initial IP 3.12.65.18)
@0ms: Dialing 3.12.65.18
@55ms: Server response: HTTP 301 Moved Permanently
@55ms: Received redirect to https://8teeth.com/.well-known/acme-challenge/letsdebug-test
@56ms: Dialing 3.12.65.18
@10002ms: Experienced error: dial tcp 3.12.65.18:443: i/o timeout
IssueFromLetsEncrypt
ERROR
A test authorization for 8teeth.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
3.12.65.18: Fetching https://8teeth.com/.well-known/acme-challenge/7kH-Fzm3rdoYqPi86yaz4jLcrB0jui7uJWrKTh71Fvo: Timeout during connect (likely firewall problem)
1 Like
VirtualHost configuration:
*:80                   ip-172-26-1-129.us-east-2.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)

Thanks for asking!

Then we should have a look at that lonely file.

3 Likes
<VirtualHost *:80>
 # The ServerName directive sets the request scheme, hostname and port that
 # the server uses to identify itself. This is used when creating
 # redirection URLs. In the context of virtual hosts, the ServerName
 # specifies what hostname must appear in the request's Host: header to
 # match this virtual host. For the default virtual host (this file) this
 # value is not decisive as it is used as a last resort host regardless.
 # However, you must set it for any further virtual host explicitly.
 #ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

 # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 # error, crit, alert, emerg.
 # It is also possible to configure the loglevel for particular
 # modules, e.g.
 #LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

 # For most configuration files from conf-available/, which are
 # enabled or disabled at a global level, it is possible to
 # include a line for only one particular virtual host. For example the
 # following line enables the CGI configuration for this host only
 # after it has been globally disabled with "a2disconf".
 #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =8teeth.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Here is a look! Should I delete this file?

Only if you intend on replacing it.
The system needs one.

This one doesn't seem to be doing much.
It does try to forward 8teeth.com to HTTPS.
[but it fails to handle www.8teeth.com and the ACME challenge requests]

2 Likes

Thanks for this. I had no idea that tool existed! Nice!

2 Likes

Thanks for this diagnosis. I'm new to this - what would you suggest I do to fix this?

2 Likes

I'd start with having a fully functional HTTP site [that includes both 8teeth.com and www.8teeth.com].

Then I would secure it with HTTPS.

2 Likes

8teeth.com and www.8teeth.com were working OK before I messed up with Certbot.

Happy to try any actions you suggest. Thanks again!

B

The main thing to fix is to add these two lines. Without them, that VirtualHost is your default, which is why some requests work. But without the names, Certbot won't know how to map the names for the new VirtualHost for HTTPS (port 443).

    ServerName 8teeth.com
    ServerAlias www.8teeth.com

Then, adjust your rewrites to look like:

I prefer other ways but this is closer to what you started with.

3 Likes
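An added pre-flight script, example code that is not from the thread or from Certbot, which automates the diagnosis done above with nmap and curl (does the validator's first request on port 80 get served, or get redirected to a port 443 it cannot reach?) and emits the port-80 VirtualHost that the ServerName/ServerAlias advice implies, with the ACME challenge path exempted from the HTTPS redirect so HTTP-01 no longer depends on port 443 being open. It assumes bash with /dev/tcp, curl, awk and the coreutils `timeout`; the hostnames are the thread's, the header samples in `self_check` are copied from the curl output earlier in the thread, and the DocumentRoot and log paths are the Ubuntu defaults.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight check for an Apache HTTP-01
# setup, plus the port-80 VirtualHost the advice above implies, with the ACME
# challenge path exempted from the HTTPS redirect.
# Assumptions: bash with /dev/tcp, curl, awk and coreutils `timeout` are available.

# Classify the response Apache gives for a request to the ACME challenge path,
# from the raw headers as printed by `curl -I`.
#   served-over-http : the path is answered on port 80 (a 404 is fine here:
#                      certbot only creates the token file during issuance)
#   redirect-https   : port 80 bounces the validator to https://, so 443 must be open
#   redirect-other   : redirect to a non-https target (e.g. another host)
#   unexpected:<code>: anything else, including no response at all
classify_challenge_response() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 && index($1,"HTTP/")==1 {print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        2??|404) echo "served-over-http" ;;
        30?)
            case "$location" in
                https://*) echo "redirect-https" ;;
                *)         echo "redirect-other" ;;
            esac ;;
        *) echo "unexpected:${status:-none}" ;;
    esac
}

# True if a TCP connection to $1:$2 succeeds within 5 seconds (bash /dev/tcp).
tcp_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Live check for one hostname: the validator's first request goes to port 80;
# it must either be served there or be redirected somewhere reachable.
preflight() {
    domain=$1
    token="preflight-$$"
    headers=$(curl -sS -I --connect-timeout 10 \
        "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    verdict=$(classify_challenge_response "$headers")
    printf '%s: %s\n' "$domain" "$verdict"
    case "$verdict" in
        served-over-http) return 0 ;;
        redirect-https)
            if tcp_open "$domain" 443; then
                echo "  port 443 reachable: the CA can follow the redirect"
                return 0
            fi
            echo "  port 443 NOT reachable: HTTP-01 will time out (open 443 in the" \
                 "Lightsail firewall, or exempt the challenge path from the redirect)"
            return 1 ;;
        *) return 1 ;;
    esac
}

# The port-80 VirtualHost implied by the advice in the thread, with one extra
# RewriteCond so the challenge path stays on plain HTTP. Hostnames are the
# thread's; DocumentRoot and log paths are the Ubuntu defaults (assumption).
print_fixed_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName 8teeth.com
    ServerAlias www.8teeth.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    # Never redirect the ACME challenge path: HTTP-01 must not depend on 443.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{HTTP_HOST} ^(www\.)?8teeth\.com$ [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

# Offline self-check against constructed headers copied from the thread's curl output.
self_check() {
    redirect='HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.41 (Ubuntu)
Location: https://8teeth.com/.well-known/acme-challenge/sometestfile'
    notfound='HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)'
    [ "$(classify_challenge_response "$redirect")" = "redirect-https" ] &&
    [ "$(classify_challenge_response "$notfound")" = "served-over-http" ] &&
    [ "$(classify_challenge_response "")" = "unexpected:none" ]
}

# Usage: ./acme-preflight.sh 8teeth.com www.8teeth.com
if [ "$#" -gt 0 ]; then
    rc=0
    for d in "$@"; do preflight "$d" || rc=1; done
    exit "$rc"
fi
```

Run it against both names before invoking `certbot --apache` again; a `redirect-https` verdict with port 443 closed is exactly the "Timeout during connect" that Let's Debug reported above. After writing the emitted VirtualHost into 000-default.conf, `sudo apachectl -t` then `sudo systemctl reload apache2` applies it, and `apachectl -t -D DUMP_VHOSTS` should list 8teeth.com with its alias.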

Thanks for your help.

I edited /etc/apache2/sites-enabled/000-default.conf and added your code:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^8teeth.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.8teeth.com$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]

In which file should I add the below?

ServerName 8teeth.com
ServerAlias www.8teeth.com

1 Like

The same one :slight_smile:

3 Likes

Thanks! /etc/apache2/sites-enabled/000-default.conf looks like this now:

<VirtualHost *:80>
 # The ServerName directive sets the request scheme, hostname and port that
 # the server uses to identify itself. This is used when creating
 # redirection URLs. In the context of virtual hosts, the ServerName
 # specifies what hostname must appear in the request's Host: header to
 # match this virtual host. For the default virtual host (this file) this
 # value is not decisive as it is used as a last resort host regardless.
 # However, you must set it for any further virtual host explicitly.
 #ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

 # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 # error, crit, alert, emerg.
 # It is also possible to configure the loglevel for particular
 # modules, e.g.
 #LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

 # For most configuration files from conf-available/, which are
 # enabled or disabled at a global level, it is possible to
 # include a line for only one particular virtual host. For example the
 # following line enables the CGI configuration for this host only
 # after it has been globally disabled with "a2disconf".
 #Include conf-available/serve-cgi-bin.conf

ServerName 8teeth.com
ServerAlias www.8teeth.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^8teeth.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.8teeth.com$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

For good measure I:

sudo service apache2

And status:

ubuntu@ip-172-26-1-129:~$ sudo service apache2 status
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-11-29 03:53:01 UTC; 1min 0s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 127427 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 127448 (apache2)
      Tasks: 6 (limit: 2330)
     Memory: 15.1M
     CGroup: /system.slice/apache2.service
             ├─127448 /usr/sbin/apache2 -k start
             ├─127449 /usr/sbin/apache2 -k start
             ├─127450 /usr/sbin/apache2 -k start
             ├─127451 /usr/sbin/apache2 -k start
             ├─127452 /usr/sbin/apache2 -k start
             └─127453 /usr/sbin/apache2 -k start

Nov 29 03:53:01 ip-172-26-1-129 systemd[1]: Starting The Apache HTTP Server...
Nov 29 03:53:01 ip-172-26-1-129 systemd[1]: Started The Apache HTTP Server.

Anything else I should try?

B

1 Like

That looks good. Have you opened HTTPS (port 443) in your Lightsail Firewall?

3 Likes

Also, have you retried this? Did it work?

If so, what does this show
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Output of 'sudo certbot --apache'. A little different but similar errors:

ubuntu@ip-172-26-1-129:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: 8teeth.com
2: www.8teeth.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2 
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/8teeth.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for 8teeth.com and www.8teeth.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/8teeth.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/8teeth.com/privkey.pem
This certificate expires on 2024-02-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name 8teeth.com

Could not reverse map the HTTPS VirtualHost to the original
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ubuntu@ip-172-26-1-129:~$ 

sudo apachectl -t -D DUMP_VHOSTS outputs:

VirtualHost configuration:
*:80                   8teeth.com (/etc/apache2/sites-enabled/000-default.conf:1)

I still seem unable to use 8teeth.com without HTTPS.

Thanks for your patience.

1 Like