Did something wrong while updating certificate

kalimbrajaro · October 1, 2022, 12:07pm

Hey community,
Wanted to update cerfiticate but smth went wrong.
My domain is: [https://www.multiland.net ]
After certbot --apache It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.
AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/multiland.net/fullchain.pem' does not exist or is empty
The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/multiland.net/fullchain.pem' does not exist or is empty\n")

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):Ubuntu 20.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is 1.30.0

MikeMcQ · October 1, 2022, 1:01pm

Welcome to the community @kalimbrajaro

It looks like you deleted your certificate. Can you show result of this command?

sudo certbot certificates

(omit sudo if not needed)

kalimbrajaro · October 1, 2022, 5:47pm

@MikeMcQ

MikeMcQ · October 1, 2022, 6:13pm

Yeah, it looks like you deleted your cert but still use them in your Apache server (which now cannot find them so fails to start).

There are several ways to correct this. One is to follow the instructions below to create a self-signed cert and make a temp change to your Apache config. This will allow your Apache server to be (re)started. You should be able to get a new cert then.

But, I think the reason your cert renewal failed is that you no longer have an A record in your DNS for www.multiland.net. In the past you got a cert with both your apex and the www name but you need to restore the missing A record for the www domain name.

https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

kalimbrajaro · October 1, 2022, 7:55pm

I've added A record in DNS for www.multiland.net and started safely deleting certificated but it fails.

Here's a Step 1:

root@wordpress:~# sudo bash -c 'grep -R live/multiland.net /etc/{nginx,httpd,apache2}'
grep: /etc/nginx/modules-enabled/50-mod-stream.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-mail.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-http-image-filter.conf.removed: No such file or directory
grep: /etc/httpd: No such file or directory
/etc/apache2/sites-enabled/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
/etc/apache2/sites-enabled/000-default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/multiland.net/privkey.pem

Step3:

root@wordpress:~# etc/apache2/sites-available/000-default-le-ssl.conf
-bash: etc/apache2/sites-available/000-default-le-ssl.conf: No such file or directory
root@wordpress:~# etc/apache2/sites-available/multiland.net.conf
-bash: etc/apache2/sites-available/multiland.net.conf: No such file or directory

Do you have any idea what I'm doing wrong?

MikeMcQ · October 1, 2022, 9:40pm

Yes. You omitted the leading / from before etc/apache2/...

More important, you are supposed to use a text editor to update that file per the instructions

Continuing from the previous example, you would open /etc/apache2/sites-available/000-default-le-ssl.conf in a text editor and modify the two matching lines of text to instead say: (see docs for rest)

schoen · October 2, 2022, 5:23am

@kalimbrajaro, if you're totally unfamiliar with using text editors in a Unix environment, you probably want to use nano for this, because it's the simplest and most self-documenting Unix text editor. There are many other choices, but most of the others require at least a little bit of study or practice to use effectively.

kalimbrajaro · October 2, 2022, 10:50am

Thanks,
with the last step I have the next results:

root@wordpress:~# sudo certbot delete --cert-name multiland.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The following certificate(s) are selected for deletion:

multiland.net
WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.
Are you sure you want to delete the above certificate(s)?
(Y)es/(N)o: yes
No certificate found with name multiland.net (expected /etc/letsencrypt/renewal/multiland.net.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Additional info:

root@wordpress:~# nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
ServerAdmin webmaster@localhost

   ServerName multiland.net

    ServerAlias www.multiland.net

    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/multiland.net/privkey.pem

MikeMcQ · October 2, 2022, 1:56pm

You have not modified your VirtualHost to use the new self-signed certs those instructions described.

kalimbrajaro · October 3, 2022, 7:54pm

Thank you...now I have this:

root@wordpress:~# sudo bash -c 'grep -R live/multiland.net /etc/{nginx,httpd,apache2}'
grep: /etc/nginx/modules-enabled/50-mod-stream.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-mail.conf.removed: No such file or directory
grep: /etc/nginx/modules-enabled/50-mod-http-image-filter.conf.removed: No such file or directory
grep: /etc/httpd: No such file or directory

root@wordpress:~# sudo certbot delete --cert-name multiland.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

The following certificate(s) are selected for deletion:

multiland.net

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?

(Y)es/(N)o: y
No certificate found with name multiland.net (expected /etc/letsencrypt/renewal/multiland.net.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Am I moving in the right direction ?

rg305 · October 3, 2022, 8:02pm

It seems you tried to delete it, but it doesn't exist ?!?!?!

Please show:
history | grep -Ei 'encrypt|certbot'
and
certbot certificates

kalimbrajaro · October 3, 2022, 8:27pm

root@wordpress:~# history | grep -Ei 'encrypt|certbot'
3 certbot --apache -d multiland.net -d www.multiland.net
6 sudo apt install certbot python3-certbot-nginx
7 certbot
8 sudo systemctl status certbot.timer
9 sudo certbot renew --dry-run
10 sudo apt install certbot python3-certbot-nginx
20 sudo certbot --nginx -d multiland.net -d www.multiland.net
21 certbot
22 sudo apt install certbot
23 apt remove certbot
24 sudo apt install certbot python3-certbot-nginx
28 sudo apt-get remove certbot
30 sudo apt install certbot python3-certbot-apache
39 sudo certbot --apache
40 $ sudo certbot delete
41 certbot delete
43 sudo apt-get remove certbot
44 sudo snap install --classic certbot
45 sudo ln -s /snap/bin/certbot /usr/bin/certbot
46 sudo certbot --apache
47 sudo certbot certonly --apache
48 sudo apt-get remove certbot
61 certbot --apache
63 certbot --cert-name www.multiland.net --apache -d www.multiland.net,multiland.net
64 certbot --cert-name www.multiland.net --apache -d "www.multiland.net, multiland.net"
68 sudo certbot --apache
71 certbot --version
72 sudo certbot certificates
73 certbot --apache
76 sudo openssl req -nodes -batch -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/self-signed-privkey.pem -out /etc/letsencrypt/self-signed-cert.pem -days 356
78 /etc/apache2/sites-enabled/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
80 /etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
81 SSLCertificateFile /etc/letsencrypt/self-signed-cert.pem
82 SSLCertificateKeyFile /etc/letsencrypt/self-signed-privkey.pem
86 /etc/letsencrypt/live/multiland.net/fullchain.pem
97 /etc/letsencrypt/live/multiland.net/fullchain.pem
100 /etc/letsencrypt/live/
101 /etc/letsencrypt/
102 certbot certificates
104 sudo openssl req -nodes -batch -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/self-signed-privkey.pem -out /etc/letsencrypt/self-signed-cert.pem -days 356
112 sudo certbot delete --cert-name multiland.net
113 sudo certbot certificates
114 sudo certbot delete --cert-name example.com
115 sudo certbot delete --cert-name multiland.net
116 certbot -v
117 /etc/letsencrypt/live/multiland.net/fullchain.pem
118 nano /etc/letsencrypt/live/multiland.net/fullchain.pem
122 sudo certbot delete --cert-name example.com
123 sudo certbot delete --cert-name multiland.net
129 nano /etc/letsencrypt/live/multiland.net/fullchain.pem
131 nano SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
132 nano SSLCertificateKeyFile /etc/letsencrypt/live/multiland.net/privkey.pem
133 nano SSLCertificateFile /etc/letsencrypt/live/multiland.net/fullchain.pem
134 sudo certbot delete --cert-name multiland.net
138 nano /etc/apache2/sites-enabled/000-default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/multiland.net/privkey.pem
142 sudo certbot delete --cert-name multiland.net
143 nano /etc/letsencrypt/self-signed-cert.pem
144 nano /etc/letsencrypt/self-signed-privkey.pem
146 sudo certbot delete --cert-name multiland.net
151 sudo certbot delete --cert-name multiland.net
152 history | grep -Ei 'encrypt|certbot'

root@wordpress:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.

rg305 · October 3, 2022, 8:44pm

Please show these outputs:

cat /etc/apache2/sites-available/000-default-le-ssl.conf
apachectl -t -D DUMP_VHOSTS
which certbot
find / -name certbot

MikeMcQ · October 3, 2022, 8:51pm

Yes, you already deleted it previously so no need to delete it again. What does this do now:

apache2ctl configtest

kalimbrajaro · October 3, 2022, 9:02pm

root@wordpress:~# cat /etc/apache2/sites-available/000-default-le-ssl.conf
SSLCertificateFile /etc/letsencrypt/self-signed-cert.pem
SSLCertificateKeyFile /etc/letsencrypt/self-signed-privkey.pem
root@wordpress:~# apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 multiland.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 multiland.net (/etc/apache2/sites-enabled/000-default.conf:4)
root@wordpress:~# which certbot
/usr/bin/certbot
root@wordpress:~# find / -name certbot
/usr/bin/certbot
/root/snap/certbot
/etc/cron.d/certbot
/etc/logrotate.d/certbot
/snap/bin/certbot
/snap/certbot
/snap/certbot/2344/bin/certbot
/snap/certbot/2344/lib/python3.8/site-packages/certbot
/var/snap/certbot

kalimbrajaro · October 3, 2022, 9:03pm

root@wordpress:~# apache2ctl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

rg305 · October 3, 2022, 9:16pm

This file is very incomplete:

I think you should disable that file and then delete it:
a2dissite 000-default-le-ssl.conf
rm /etc/apache2/sites-enabled/000-default-le-ssl.conf
rm /etc/apache2/sites-available/000-default-le-ssl.conf

Then let's review the HTTP vhost configuration, with:
cat /etc/apache2/sites-enabled/000-default.conf

[before obtaining another cert and creating the HTTPS vhost]

kalimbrajaro · October 3, 2022, 9:18pm

root@wordpress:~# cat /etc/apache2/sites-enabled/000-default.conf

># Added to mitigate CVE-2017-8295 vulnerability
>UseCanonicalName On
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        
        ServerName multiland.net
        ServerAlias www.multiland.net
   
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
>RewriteEngine on
RewriteCond %{SERVER_NAME} =multiland.net [OR]
RewriteCond %{SERVER_NAME} =www.multiland.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

rg305 · October 3, 2022, 9:21pm

That seems right, except for the three ">" chars:

Are those ">" chars in the file?

kalimbrajaro · October 3, 2022, 9:23pm