Dry Run Fails when I audit under FreeBSD 14.2

I think they do... I am only running my own Apache instance with virtual hosts. ....

Alright, run the command below and show its output. You don't have a VirtualHost for wandjbrewers domain names so we are just testing getting a cert for these 4 names. Is that what you want?

sudo certbot certonly --apache --dry-run --cert-name kasdivi.com -d kadsivi.com -d www.kasdivi.com -d theoceanwindow.com -d www.theoceanwindow.com

The above will test getting a cert for those 4 names. If this works we will issue a different command to get a production cert with just those 4 names which do not include your wandjbrewers names you no longer have here.

There is also one minor change to your Apache config we will make by hand but it is not important for this test command.

Let us know the output of the above command.

1 Like

After correcting the typo (you type like I do) I ran your command and got this:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/f5-8Fokj2KvTa0CYL9uamf1bS9WFtCiJzm_0ZgUYr8I: Connection refused

Domain: theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://theoceanwindow.com/.well-known/acme-challenge/fSjWYkEZF7JYsRyAULcPJpw-3jLloyhaMrW7W7NeM2A: Connection refused

Domain: www.kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://www.kasdivi.com/.well-known/acme-challenge/10zXleg-w4OsD2LUolxmVJ4DDjoTDxp787BT_AchckI: Connection refused

Domain: www.theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://www.theoceanwindow.com/.well-known/acme-challenge/A94pW1wKMlKxsRSSoYgAVluLdCTGRfj_KHmUpN5aTOg: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

I found in my httpd log that the graceful restart failed, and this error again:

Error while running apachectl graceful.

apache24 not running? (check /var/run/httpd.pid).
unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.

apache24 not running? (check /var/run/httpd.pid).

Some challenges have failed.

Yes, Apache had been stopped but not restarted.

Oops. Thanks

Have you fixed anything with Apache since you posted? Because I get successful HTTP requests to it now. Well, at least not "connection refused".

First, change this line

Redirect permanent / https://kasdivi.com

to (note the slash at the end):

Redirect permanent / https://kasdivi.com/

And reload Apache.

Then, try this command just as a test:

sudo certbot certonly --dry-run --webroot -w /usr/local/www/kasdivi.com -d kasdivi.com -d www.kasdivi.com
1 Like

I had found a reference in the virtual hosts to "localhost" which I removed. Made your changes and it runs with no error. How do I include theoceanwindow.com (the other remaining original domain)?

Good. I recommend having two certificates. One for kasdivi domains and one for theoceanwindow domains. It is easier to manage certs when each VirtualHost has a cert with only its own domain names in it.

First, let's get kasdivi production cert and update its renewal profile.

Run this and show output:

sudo certbot certonly --cert-name kasdivi.com --webroot -w /usr/local/www/kasdivi.com -d kasdivi.com -d www.kasdivi.com --deploy-hook CMD

Where CMD is whatever you use to reload Apache. I am not certain what it is on FreeBSD but maybe something like: "sudo apachectl graceful" or maybe "sudo service apache2 reload"

The Certbot command will prompt if it is okay to change the domain names in the cert. Let it do that. Once this works we will do something similar for oceanwindow although it needs a change to its VirtualHost before we do that.

1 Like

What changes does theoceanwindow need? I thought you said the different IP was OK? It is another adapter on the same box.

Its VirtualHost for port 443 is missing both domain names. It only has one listed. It needs the same as its port 80 VHost:

    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com

Also, the cert files it uses are in /etc/ssl/certs. We want them to be in their new location under /etc/letsencrypt like for kasdivi. UPDATE: You can't change the path yet because we don't yet have its new cert.

But, I didn't want to do those changes until we know we have good working kasdivi. Did those commands work for it? What value did you use for --deploy-hook CMD?

1 Like
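An added example, not code from this thread or from Certbot: a small POSIX sh script that parses an Apache vhosts file and reports any `*:443` VirtualHost whose ServerName/ServerAlias set differs from the `*:80` block sharing its DocumentRoot, and where that block's SSLCertificateFile lives. A name missing from the :443 block means TLS requests for it fall through to the default vhost, which is exactly what the DUMP_VHOSTS output later in the thread is used to spot. The config text, paths and domain names below are constructed to mirror the thread, not taken from the poster's real file; point `check_vhost` at the real `/usr/local/etc/apache24/extra/httpd-vhosts.conf` to use it after editing and before restarting Apache.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an httpd-vhosts.conf so that
# every *:443 VirtualHost carries the same ServerName/ServerAlias names as the
# *:80 VirtualHost with the same DocumentRoot, and show where its cert file is.
# The config below is constructed for the demo; the :443 block for
# theoceanwindow.com deliberately lacks its www alias and still points at the
# old cert path, mirroring the situation described in the thread.

CONF_FILE=$(mktemp)
trap 'rm -f "$CONF_FILE"' EXIT
cat > "$CONF_FILE" <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/kasdivi.com"
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
    Redirect permanent / https://kasdivi.com/
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/www/kasdivi.com"
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/theoceanwindow.com"
    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/www/theoceanwindow.com"
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/oceanwindow.crt
    ServerName theoceanwindow.com
</VirtualHost>
EOF

# vhost_names FILE PORT DOCROOT
# Prints the sorted, space-separated ServerName/ServerAlias names of the
# <VirtualHost *:PORT> block whose DocumentRoot is DOCROOT (empty if none).
vhost_names() {
    awk -v port="$2" -v root="$3" '
        /^[[:space:]]*<VirtualHost/ {
            inblock = ($0 ~ (":" port ">")); names = ""; docroot = ""; next }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inblock && docroot == root) print names
            inblock = 0; next }
        inblock && $1 == "DocumentRoot" { gsub(/"/, "", $2); docroot = $2 }
        inblock && ($1 == "ServerName" || $1 == "ServerAlias") {
            for (i = 2; i <= NF; i++) names = names $i "\n" }
    ' "$1" | tr -s '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# cert_file FILE DOCROOT
# Prints the SSLCertificateFile of the *:443 block whose DocumentRoot is DOCROOT.
cert_file() {
    awk -v root="$2" '
        /^[[:space:]]*<VirtualHost/ {
            inblock = ($0 ~ /:443>/); docroot = ""; cert = ""; next }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inblock && docroot == root) print cert
            inblock = 0; next }
        inblock && $1 == "DocumentRoot" { gsub(/"/, "", $2); docroot = $2 }
        inblock && $1 == "SSLCertificateFile" { cert = $2 }
    ' "$1"
}

# check_vhost FILE DOCROOT
# Returns 0 when the :80 and :443 blocks list the same names, 1 otherwise.
# Also warns when the :443 cert is not under a letsencrypt/live directory.
check_vhost() {
    n80=$(vhost_names "$1" 80 "$2")
    n443=$(vhost_names "$1" 443 "$2")
    cert=$(cert_file "$1" "$2")
    case "$cert" in
        */letsencrypt/live/*) echo "cert $2: $cert" ;;
        *) echo "WARN $2: SSLCertificateFile '${cert:-<none>}' is not under letsencrypt/live" >&2 ;;
    esac
    if [ -z "$n80" ]; then
        echo "FAIL $2: no :80 VirtualHost with that DocumentRoot" >&2
        return 1
    fi
    if [ "$n80" = "$n443" ]; then
        echo "OK   $2: :80 and :443 both serve [$n80]"
        return 0
    fi
    echo "FAIL $2: :80 serves [$n80] but :443 serves [$n443]" >&2
    return 1
}

# Run the check over both sites in the constructed config.
for root in /usr/local/www/kasdivi.com /usr/local/www/theoceanwindow.com; do
    check_vhost "$CONF_FILE" "$root" || true
done
```

Sites are paired by DocumentRoot rather than by file position, so the check still works when the :80 and :443 blocks are far apart in the file, as they are in the poster's config.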

I used "apachectl restart" in place of CMD and got this response:

certbot: error: unrecognized arguments: restart.

"apachectl restart" works fine from the command line.

Did you have quotes around it in the command line to Certbot?

Literally like:

sudo certbot certonly ... --deploy-hook "apachectl restart"
1 Like

No, that was just to make clear what command I entered.

Does it work properly when you put the quotes around it? Because those were required.

1 Like

Hmmm, didn't know that. Thanks. FreeBSD gives me an excuse to drink I don't need, BUT this is the response I get:

Renewing an existing certificate for kasdivi.com and www.kasdivi.com
Hook 'deploy-hook' ran with output:
Performing sanity check on apache24 configuration:
Stopping apache24.
Waiting for PIDS: 60297.
Performing sanity check on apache24 configuration:
Starting apache24.
Hook 'deploy-hook' ran with error output:
Syntax OK
Syntax OK

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
This certificate expires on 2025-06-21.
These files will be updated when the certificate renews.

I didn't see any error output.

Wonderful. We now have a new cert for just kasdivi and its www subdomain.

We now want to do the same for ocean. Start by changing the two names in VirtualHost for port 443 as I noted earlier.

Then restart Apache from command line to apply those changes.

And then run:

sudo certbot certonly --webroot -w /usr/local/www/theoceanwindow.com -d theoceanwindow.com -d www.theoceanwindow.com --deploy-hook "apachectl restart"

Let us know the results of that command. If that worked, we need to update the VirtualHost again to reference its new cert file location.

2 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for theoceanwindow.com and www.theoceanwindow.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.theoceanwindow.com
Type: unauthorized
Detail: 209.160.64.187: Invalid response from https://theoceanwindow.com/.well-known/acme-challenge/w2KTcWu-UfJ3XvdMxFQv75dVumZFpZfEj8fwazsgQSM: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
jason@triggerfish:/us

It does not look like you changed the ServerName and ServerAlias as I described.

Please show the output of this:

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:

> *:80                   is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>          port 80 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>                  alias www.kasdivi.com
>          port 80 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:37)
>                  alias www.theoceanwindow.com
> *:443                  is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>          port 443 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>                  alias www.kasdivi.com
>          port 443 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:52)
>                  alias www.theoceanwindow.com

Please show contents of above file again.

Also please show the output of the command below:

sudo ps -eF | grep -i 'apache' | grep -v grep
1 Like

Gets me:

ps: illegal option -- F

File contents:

> #Listen 80
> <VirtualHost *:80>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/kasdivi.com"
>     ServerName kasdivi.com
>     ServerAlias www.kasdivi.com
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>         Require all granted
>     </Directory>
> 
>     ErrorLog "/var/log/httpd-error.log"
>     CustomLog "/var/log/kasdivi.com-access.log" common
>     Redirect permanent / https://kasdivi.com/
> </VirtualHost>
> <VirtualHost *:443>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/kasdivi.com"
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>         Require all granted
>     </Directory>
>     SSLEngine on
>     SSLCertificateFile /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
>     SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
>     #SSLCertificateChainFile  /etc/ssl/certs/ca_bundle.crt
>     ServerName kasdivi.com
>     ServerAlias www.kasdivi.com
>     ErrorLog "/var/log/httpd-error.log"
>     CustomLog "/var/log/kasdivi.com-access_log" common
> </VirtualHost>

What happened to the VirtualHosts for oceanwindow? We saw them in the debug output from earlier:

> *:80                   is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>          port 80 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>                  alias www.kasdivi.com
>          port 80 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:37)
>                  alias www.theoceanwindow.com
> *:443                  is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>          port 443 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>                  alias www.kasdivi.com
>          port 443 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:52)
>                  alias www.theoceanwindow.com
2 Likes