Could not reverse map the HTTPS VirtualHost to the original?

Help
1

Hi There,

I have two vhosts configured on the server. Was able to install the certs for one of the hosts but I get error with the second one.
I am not able to understand what I am doing wrong.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.chuckingfoot.com

I ran this command: sudo certbot --apache

It produced this output:
root@wp-thirugns:/etc/apache2# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: chuckingfoot.com
2: www.chuckingfoot.com
3: filemyitreturns.com
4: www.filemyitreturns.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ā€˜cā€™ to cancel): 1,2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isnā€™t close to expiry.
(ref: /etc/letsencrypt/renewal/chuckingfoot.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ā€˜cā€™ to cancel): 1
Keeping the existing certificate
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/chuckingfoot.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/chuckingfoot.com/privkey.pem
    Your cert will expire on 2018-09-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the ā€œcertonlyā€ option. To non-interactively renew all of
    your certificates, run ā€œcertbot renewā€
    root@wp-thirugns:/etc/apache2#

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I donā€™t know): Yes

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel): No

2

Please show:
grep -Eri 'ServerName|ServerAlias|SSLCertificate' /etc/apache2

3

root@wp-thirugns:~# grep -Eri ā€˜ServerName|ServerAlias|SSLCertificateā€™ /etc/apach e2
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requir es that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servern ame/server-status
/etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf: ServerName filem yitreturns.com
/etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf: ServerAlias www. filemyitreturns.com
/etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/filemyitreturns.com/fullchain.pem
/etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf:SSLCertificateKeyFi le /etc/letsencrypt/live/filemyitreturns.com/privkey.pem
/etc/apache2/sites-available/000-default.conf.dpkg-dist: # The ServerNam directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf.dpkg-dist: # redirection UR Ls. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf.dpkg-dist: #ServerName www. example.com
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile d irective is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile / etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /e tc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificat ChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/chuckingfoot.com.conf: ServerName chuckingfoot.c om
/etc/apache2/sites-available/chuckingfoot.com.conf: ServerAlias www.chuckingf oot.com
/etc/apache2/sites-available/filemyitreturns.com.conf: ServerName filemyitretur ns.com
/etc/apache2/sites-available/filemyitreturns.com.conf: ServerAlias www.filemyit returns.com

4

You have two sites:

  1. filemyitreturns.com
  2. chuckingfoot.com

And two port 80 config files:

  1. filemyitreturns.com.conf
  2. chuckingfoot.com.conf

But only one port 443 config file:

  1. filemyitreturns.com-le-ssl.conf
    (which serves as the ā€œdefaultā€ when a 443 requests is unmatched. So both https://chuckingfoot.com/ and https://filemyitreturns.com/ will show the content at the document root in filemyitreturns.com-le-ssl.conf)
6

both the domain names map to their respective folders on the server.
filemyitreturns.com leads to the correct folder and is forced ssl enabled

chuckingfoot.com goes to the non ssl url correctly, but https give ā€œThis server could not prove that it is www.chuckingfoot.com; its security certificate is from filemyitreturns.com. This may be caused by a misconfiguration or an attacker intercepting your connection.ā€

but certbot is not creating the *-le-ssl.conf for chuckingfoot.com

should I manually add the entries?

7

Please show:

  1. ls -l /etc/apache2/sites-enabled/
  2. cat /etc/apache2/sites-available/chuckingfoot.com.conf

And stop trying to force a cert renewal:

You are missing an entire file.
The one that uses this cert:

8

root@wp-thirugns:~# ls -l /etc/apache2/sites-enabled/
total 4
lrwxrwxrwx 1 www-data www-data 35 Jan 15 19:15 000-default.conf -> ā€¦/sites-available/000-default.conf
lrwxrwxrwx 1 root root 40 Jun 5 08:27 chuckingfoot.com.conf -> ā€¦/sites-available/chuckingfoot.com.conf
lrwxrwxrwx 1 root root 43 Apr 17 07:23 filemyitreturns.com.conf -> ā€¦/sites-available/filemyitreturns.com.conf
lrwxrwxrwx 1 root root 60 Jun 5 12:55 filemyitreturns.com-le-ssl.conf -> /etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf

root@wp-thirugns:~# cat /etc/apache2/sites-available/chuckingfoot.com.conf
<VirtualHost *:80>
ServerAdmin sundar.t@live.in
ServerName chuckingfoot.com
ServerAlias www.chuckingfoot.com
DocumentRoot /var/www/html/chuckingfoot
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Stopped renewing after I read through another post on the forum.

9

Ok. Iā€™m not sure why certbot canā€™t make the needed file (/etc/apache2/sites-available/chuckingfoot.com-le-ssl.conf)

But maybe I can walk you through creating it yourself.

Steps (Iā€™ll keep adding them here as we go along - for brevity):

  1. cp /etc/apache2/sites-available/filemyitreturns.com-le-ssl.conf /etc/apache2/sites-available/chuckingfoot.com-ssl.conf
  2. edit the new chuckingfoot.com-ssl.conf file.
    replace:
    ServerName filemyitreturns.com
    ServerAlias www.filemyitreturns.com
    DocumentRoot /var/www/html/filemyitreturns
    SSLCertificateFile /etc/letsencrypt/live/filemyitreturns.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/filemyitreturns.com/privkey.pem
    with:
    ServerName chuckingfoot.com
    ServerAlias www.chuckingfoot.com
    DocumentRoot /var/www/html/chuckingfoot
    SSLCertificateFile /etc/letsencrypt/live/chuckingfoot.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chuckingfoot.com/privkey.pem
  3. Create symlink:
    ln -sf /etc/apache2/sites-available/chuckingfoot.com-ssl.conf /etc/apache2/sites-enabled/chuckingfoot.com-ssl.conf
  4. Restart Apache:
    service apache2 restart
1 Like
10

ok done that
here is the new ssl.conf

ServerAdmin sundar.t@live.in ServerName chuckingfoot.com ServerAlias www.chuckingfoot.com DocumentRoot /var/www/html/chuckingfoot 
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/chuckingfoot.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chuckingfoot.com/privkey.pem

11

You are my kinght in the shining armour, the cheat worked!!! Thanks a ton.

1 Like
12

Also to force ssl I can just copy the redirect in filemyitreturns.com.conf and put it into chuckingfoot.com.conf after editing the URLs, that should work, right?

13

Please show the redirect code first.

14

<VirtualHost *:80>
ServerAdmin sundar.t@live.in
ServerName filemyitreturns.com
ServerAlias www.filemyitreturns.com
DocumentRoot /var/www/html/filemyitreturns

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =filemyitreturns.com [OR]
RewriteCond %{SERVER_NAME} =www.filemyitreturns.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

15

That can work.
Just update the domain name to match the file.

1 Like
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.