Create new certs on Macbook M4

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sccai.net

I ran this command: sudo certbot -d sccai.net -d www.sccai.net

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/sccai.net-0001.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Deploying certificate

Could not install certificate

An unexpected error occurred:

StopIteration

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Server version: Apache/2.4.62 (Unix)

The operating system my web server runs on is (include version): MacOS 15.2

My hosting provider, if applicable, is: Xfinity

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.1.0
letsencrypt.txt (12.1 KB)

I uninstalled certbot and tried it again for a clean log file.
letsencrypt.txt (44.3 KB)

It seems to not like your existing configuration:

2025-01-29 13:39:51,451:DEBUG:certbot._internal.cert_manager:Renewal conf file /etc/letsencrypt/renewal/sccai.net.conf is broken. Skipping.
2025-01-29 13:39:51,452:DEBUG:certbot._internal.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/certbot/3.1.0/libexec/lib/python3.13/site-packages/certbot/_internal/cert_manager.py", line 421, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/opt/homebrew/Cellar/certbot/3.1.0/libexec/lib/python3.13/site-packages/certbot/_internal/storage.py", line 507, in __init__
    self._check_symlinks()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/opt/homebrew/Cellar/certbot/3.1.0/libexec/lib/python3.13/site-packages/certbot/_internal/storage.py", line 586, in _check_symlinks
    raise errors.CertStorageError(
        "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/sccai.net/cert.pem to be a symlink

I can't comment on the reasons for that but I'd suggest removing that renewal (sudo certbot delete) and starting again, maybe backup your configuration first if this site is important.
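The "expected ... to be a symlink" check that certbot trips over can be reproduced outside certbot. This is an added example, not certbot's code or anything posted in this thread: it builds a constructed, throwaway live/ and archive/ tree in a temp directory (the real /etc/letsencrypt is never touched) and reports every lineage file that is not a symlink into archive/, which is the state that makes a renewal conf "broken".

```python
# Added example: mimic certbot's symlink sanity check on a constructed tree.
import os
import tempfile
from pathlib import Path
from typing import List

LINEAGE_FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")

def lineage_problems(config_dir: Path, name: str) -> List[str]:
    """Return problems for lineage `name` under config_dir; empty means healthy."""
    live = config_dir / "live" / name
    archive = (config_dir / "archive" / name).resolve()
    problems: List[str] = []
    for fname in LINEAGE_FILES:
        link = live / fname
        if not link.is_symlink():          # the condition behind CertStorageError
            problems.append(f"expected {link} to be a symlink")
            continue
        target = link.resolve()
        if not target.exists():
            problems.append(f"{link} -> {os.readlink(link)} is dangling")
        elif archive not in target.parents:  # live/ must point into archive/<name>
            problems.append(f"{link} points outside {archive}")
    return problems

def make_lineage(config_dir: Path, name: str, broken: bool) -> None:
    """Build a constructed lineage; broken=True writes cert.pem as a plain file."""
    live = config_dir / "live" / name
    archive = config_dir / "archive" / name
    live.mkdir(parents=True)
    archive.mkdir(parents=True)
    for fname in LINEAGE_FILES:
        stem, ext = fname.rsplit(".", 1)
        real = archive / f"{stem}1.{ext}"      # certbot names these cert1.pem etc.
        real.write_text(f"constructed placeholder for {fname}\n")
        if broken and fname == "cert.pem":
            (live / fname).write_text("not a symlink\n")
        else:
            os.symlink(real, live / fname)

def demo() -> dict:
    """Check one healthy and one deliberately broken constructed lineage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_lineage(root, "good.example", broken=False)
        make_lineage(root, "bad.example", broken=True)
        return {n: lineage_problems(root, n) for n in ("good.example", "bad.example")}

if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, "OK" if not probs else probs)
```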

Please look at the second .txt file.
The first one has that error because I deleted the sccai.net stuff and retried it. That's the cause of that error. The second file is from a clean re-install of certbot.
Thanks.

Thanks yes I see that now. The actual certificate file renewal looks great:

2025-01-29 17:53:01,422:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive.
2025-01-29 17:53:01,422:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live.
2025-01-29 17:53:01,423:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/README.
2025-01-29 17:53:01,424:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive/sccai.net.
2025-01-29 17:53:01,424:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live/sccai.net.
2025-01-29 17:53:01,425:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/live/sccai.net/cert.pem.
2025-01-29 17:53:01,425:DEBUG:certbot._internal.storage:Writing private key to /etc/letsencrypt/live/sccai.net/privkey.pem.
2025-01-29 17:53:01,426:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/live/sccai.net/chain.pem.
2025-01-29 17:53:01,426:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/live/sccai.net/fullchain.pem.
2025-01-29 17:53:01,426:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/sccai.net/README.
2025-01-29 17:53:01,430:DEBUG:certbot.configuration:Var account=a57485c872885595708e2d7e7bb154ba (set by user).
2025-01-29 17:53:01,431:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-01-29 17:53:01,431:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-01-29 17:53:01,431:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/sccai.net.conf.
2025-01-29 17:53:01,432:DEBUG:certbot._internal.display.obj:Notifying user: 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sccai.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sccai.net/privkey.pem

But when it tries to deploy to apache it chokes on processing /opt/homebrew/etc/httpd/httpd-le-ssl.conf

Have a look in your apache http.conf etc as there is something it doesn't like there.

I have a different app, but on aws ec2. That one is a react app running on 8081, and the apache on the ec2 works well to proxy the ports. certbot works there fine too. I'd copied the section from ecs and put it into my Mac. This is what it looks like:

<VirtualHost *:80>
    DocumentRoot /var/projects/sccai
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full

    <Directory "/var/projects/sccai/.well-known">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Proxy *>
        Require all granted
    </Proxy>

    # Explicitly prevent proxying for .well-known/acme-challenge path
    <Location "/.well-known/acme-challenge">
        ProxyPass !
        SetHandler None
        Options +Indexes
    </Location>

    <Location / >
        ProxyPass http://127.0.0.1:5090/
        ProxyPassReverse http://127.0.0.1:5090/
    </Location>

    <Location /sockjs-node >
        ProxyPass ws://127.0.0.1:5090/sockjs-node
        ProxyPassReverse ws://127.0.0.1:5090/sockjs-node
    </Location>

    ServerName sccai.net
    ServerAlias www.sccai.net

    #CustomLog logs/sccai-access_log common
    RewriteEngine on

    RewriteCond %{SERVER_NAME} =sccai.net
    RewriteRule ^.*\.git.* - [R=404]
    RewriteCond %{SERVER_NAME} =sccai.net
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

It seems pretty innocent....

Thanks,

should I remove all the Proxy and Rewrite stuff out of VirtualHost while certbot runs and then put them back in after the certs are done? Will that work?

Sorry I'm not enough of an apache or certbot expert to answer that but maybe someone else can come along and comment.

Anyway, I tried it. Commented out the proxy stuff. The first run:

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

(base) mac:~ tomtong$ sudo certbot -d sccai.net -d www.sccai.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log

ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/sccai.net.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Deploying certificate

File: /opt/homebrew/etc/httpd/httpd-le-ssl.conf - Could not be found to be deleted

  • Certbot probably shut down unexpectedly

Could not install certificate

An unexpected error occurred:

StopIteration

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Hmm... so I went there and touched httpd-le-ssl.conf so that it exists. After that, the second run just fails, again during deployment:

===========

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/sccai.net.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Deploying certificate

Could not install certificate

An unexpected error occurred:

StopIteration

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

============

Certbot is trying to move the existing httpd-le-ssl.conf to somewhere, and that seems to be failing.... Maybe I need to go create that folder first? Maybe this folder existed prior to MacOS 15.2 or M4Pro?

From the certbot code it looks like it would just be in the same folder with a numbered filename.

Googling /opt/homebrew/etc/httpd/httpd-le-ssl.conf - Could not be found to be deleted suggests that it's caused by:

RewriteCond %{SERVER_NAME} =sccai.net
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

The RewriteRule is commented out so it can't match the rule to the condition:

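A quick way to spot the dangling RewriteCond described in the last reply. This is an added example, not from the thread or from certbot: the sample config is constructed from the VirtualHost snippet posted earlier, and the function reports every RewriteCond that is not followed by a RewriteRule before the next directive or closing section tag (comments and blank lines are skipped, so a commented-out RewriteRule does not count).

```python
# Added example: flag RewriteCond directives with no RewriteRule after them.
import re
from typing import List, Tuple

# Constructed sample, modelled on the VirtualHost snippet in this thread.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName sccai.net
    RewriteEngine on

    RewriteCond %{SERVER_NAME} =sccai.net
    RewriteRule ^.*\\.git.* - [R=404]
    RewriteCond %{SERVER_NAME} =sccai.net
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

# First token of a directive line: a directive name or an opening/closing tag.
DIRECTIVE = re.compile(r"^\s*([A-Za-z]+|</?[A-Za-z]+)")

def dangling_rewrite_conds(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, text) for each RewriteCond not followed by a RewriteRule.

    A RewriteCond only applies to the next RewriteRule.  Any other directive or
    a section tag ends the pending group; conditions still pending at that point
    (or at end of input) are reported.
    """
    pending: List[Tuple[int, str]] = []
    found: List[Tuple[int, str]] = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # comments never satisfy a cond
            continue
        m = DIRECTIVE.match(line)
        name = m.group(1).lower() if m else ""
        if name == "rewritecond":
            pending.append((no, line))
        elif name == "rewriterule":
            pending.clear()                     # conds consumed by this rule
        else:
            found.extend(pending)               # group ended without a rule
            pending.clear()
    found.extend(pending)
    return found

if __name__ == "__main__":
    for no, text in dangling_rewrite_conds(SAMPLE_CONF):
        print(f"line {no}: RewriteCond without a following RewriteRule: {text}")
```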