Could not reverse map the HTTPS VirtualHost to the original?


Hi There,

I have two vhosts configured on the server. Was able to install the certs for one of the hosts but I get error with the second one.
I am not able to understand what I am doing wrong.


My domain is:

I ran this command: sudo certbot --apache

It produced this output:
root@wp-thirugns:/etc/apache2# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1):

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1,2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Could not reverse map the HTTPS VirtualHost to the original


  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2018-09-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


Please show:
grep -Eri 'ServerName|ServerAlias|SSLCertificate' /etc/apache2


root@wp-thirugns:~# grep -Eri 'ServerName|ServerAlias|SSLCertificate' /etc/apache2
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/sites-available/ ServerName filem
/etc/apache2/sites-available/ ServerAlias www.
/etc/apache2/sites-available/ /etc/letsencrypt/live/
/etc/apache2/sites-available/ le /etc/letsencrypt/live/
/etc/apache2/sites-available/000-default.conf.dpkg-dist: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf.dpkg-dist: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf.dpkg-dist: #ServerName www.
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/ ServerName chuckingfoot.com
/etc/apache2/sites-available/ ServerAlias www.chuckingf
/etc/apache2/sites-available/ ServerName filemyitretur
/etc/apache2/sites-available/ ServerAlias www.filemyit


You have two sites:


And two port 80 config files:


But only one port 443 config file:

    (which serves as the “default” when a 443 request is unmatched. So both and will show the content at the document root in
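
The mismatch described above (a port 80 vhost for every site, a port 443 vhost for only one) can be checked mechanically. This is an added example, not part of the original thread and not certbot's own code; the file names and `.example` hostnames are constructed placeholders, and the parser assumes plain `<VirtualHost>` blocks and does not follow `Include` directives.

```python
import re

# Constructed sample configs; file names and hostnames are placeholders.
SAMPLE = {
    "site-a.conf": """
<VirtualHost *:80>
    ServerName site-a.example
    ServerAlias www.site-a.example
</VirtualHost>""",
    "site-a-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName site-a.example
    ServerAlias www.site-a.example
</VirtualHost>
</IfModule>""",
    "site-b.conf": """
<VirtualHost *:80>
    # ServerName commented.example
    ServerName site-b.example
    ServerAlias www.site-b.example
</VirtualHost>""",
}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAMES = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", re.M | re.I)

def names_by_port(configs):
    """Map port -> set of hostnames declared in vhosts listening on it."""
    ports = {}
    for text in configs.values():
        for addrs, body in VHOST.findall(text):
            hosts = {h.lower() for line in NAMES.findall(body) for h in line.split()}
            for addr in addrs.split():
                port = addr.rsplit(":", 1)[-1] if ":" in addr else "*"
                ports.setdefault(port, set()).update(hosts)
    return ports

def missing_https(configs):
    """Hostnames served on :80 that no :443 vhost declares."""
    ports = names_by_port(configs)
    return sorted(ports.get("80", set()) - ports.get("443", set()))

if __name__ == "__main__":
    for host in missing_https(SAMPLE):
        print(f"{host}: no :443 vhost; HTTPS falls through to the default vhost")
```

To run it against a real server, build the dictionary from the files in `/etc/apache2/sites-enabled/` instead of `SAMPLE`.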


Both the domain names map to their respective folders on the server. leads to the correct folder and is forced ssl enabled goes to the non ssl url correctly, but https give “This server could not prove that it is; its security certificate is from This may be caused by a misconfiguration or an attacker intercepting your connection.”

But certbot is not creating the *-le-ssl.conf for

Should I manually add the entries?


Please show:

  1. ls -l /etc/apache2/sites-enabled/
  2. cat /etc/apache2/sites-available/

And stop trying to force a cert renewal:

You are missing an entire file.
The one that uses this cert:


root@wp-thirugns:~# ls -l /etc/apache2/sites-enabled/
total 4
lrwxrwxrwx 1 www-data www-data 35 Jan 15 19:15 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 40 Jun 5 08:27 -> ../sites-available/
lrwxrwxrwx 1 root root 43 Apr 17 07:23 -> ../sites-available/
lrwxrwxrwx 1 root root 60 Jun 5 12:55 -> /etc/apache2/sites-available/

root@wp-thirugns:~# cat /etc/apache2/sites-available/
<VirtualHost *:80>
DocumentRoot /var/www/html/chuckingfoot
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Stopped renewing after I read through another post on the forum.


Ok. I’m not sure why certbot can’t make the needed file (/etc/apache2/sites-available/

But maybe I can walk you through creating it yourself.

Steps (I’ll keep adding them here as we go along - for brevity):

  1. cp /etc/apache2/sites-available/ /etc/apache2/sites-available/
  2. edit the new file.
    DocumentRoot /var/www/html/filemyitreturns
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    DocumentRoot /var/www/html/chuckingfoot
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
  3. Create symlink:
    ln -sf /etc/apache2/sites-available/ /etc/apache2/sites-enabled/
  4. Restart Apache:
    service apache2 restart


ok done that
here is the new ssl.conf

ServerAdmin ServerName ServerAlias DocumentRoot /var/www/html/chuckingfoot
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/


You are my knight in shining armour, the cheat worked!!! Thanks a ton.


Also to force ssl I can just copy the redirect in and put it into after editing the URLs, that should work, right?


Please show the redirect code first.


<VirtualHost *:80>
DocumentRoot /var/www/html/filemyitreturns

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} [OR]
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


That can work.
Just update the domain name to match the file.

