Encountered vhost ambiguity

I’m trying to install a certificate on an Untangle security gateway. Untangle runs on Debian 9 with Apache web server.
I can get through the entire process manually but I’m having trouble automating some parts of the process. I’m having trouble with the virtual host selection when certbot tries to read the uvm.conf file.
There are multiple virtual hosts defined in the uvm.conf file. It looks like this:

<VirtualHost *:80>
    IncludeOptional /etc/apache2/uvm-dev*.conf
    Include /etc/apache2/uvm.conf
    IncludeOptional /etc/apache2/uvm-dev*.conf
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    IncludeOptional /etc/apache2/uvm-dev*.conf
    Include /etc/apache2/uvm.conf
    IncludeOptional /etc/apache2/uvm-dev*.conf
</VirtualHost>

When certbot tries to parse this file it gives me this question:

We were unable to find a vhost with a ServerName or Address of
Which virtual host would you like to choose?


1: uvm.conf | | | Enabled
2: uvm.conf | | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):

If I select 2 then the certificate is installed successfully but I’m wondering if there is a way to automate this selection. I realize I can just add the server name and alias to the virtual host but due to the nature of this device it isn’t really intended that modifications are made to the apache configuration and any changes would likely not be preserved when updates are installed. At the very least it would be nice if certbot would ignore the *:80 virtual host and default to the only one that actually supports https.


Hi @esgeroth

Certbot doesn’t understand your configuration. So Certbot asks to find a domain name.

Normally, you use the -d option to define at least one domain name. So Certbot can find a vHost.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Sorry, didn’t get a notice that this had been updated.

As I described above I do realize why certbot can’t determine which vhost to use. The webserver in this instance is just the web gui for an Untangle firewall. I can’t rely on editing the apache .conf file because it can be overwritten at any time by an update of the firewall software. I’m wondering if there is a way to automate the selection when certbot asks which virtual host to use. I’m guessing that certbot does not have this capability so maybe this would be better asked as a feature request. In this example at least there is only one virtual host available that supports https so it would be nice if certbot would just default to that instead of asking.


I am having similar problems with untangle. You can “upvote” for this feature to the untangle dev team (I did as well). https://untanglengfirewall.featureupvote.com/suggestions/15290/lets-encrypt

A few days later … the solution should be simple.

If you use the --apache authenticator, Certbot tries to understand your configuration - and may fail.

So

  • use the webroot authenticator, then only the webroot / DocumentRoot is required (with the -d option to specify your domain) and
  • use certonly, so you don’t need an installer.
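
The webroot plus certonly approach from the reply above, as an added example (not code from the thread, from Certbot or from Untangle): Certbot only obtains the certificate, and a deploy hook writes it to the file the *:443 vhost already reads, so no vhost is selected and the Apache configuration is not edited. Assumptions: DOMAIN, EMAIL and WEBROOT are placeholders, apache.pem is taken to hold key and chain in one file, and the installed Certbot supports --deploy-hook.

```sh
#!/bin/sh
# Added example. DOMAIN, EMAIL and WEBROOT are placeholders, not values from the thread.
set -eu

DOMAIN="${DOMAIN:-gateway.example.com}"
EMAIL="${EMAIL:-admin@example.com}"
WEBROOT="${WEBROOT:-/var/www}"                   # assumed DocumentRoot served on port 80
TARGET="${TARGET:-/etc/apache2/ssl/apache.pem}"  # SSLCertificateFile from the post

# Write key + chain into one PEM. Assumption: the :443 vhost shows no
# SSLCertificateKeyFile, so apache.pem is taken to hold both.
install_combined_pem() {
    lineage="$1"; target="$2"
    # Refuse to touch the live file unless both inputs exist and are non-empty.
    [ -s "$lineage/privkey.pem" ] || return 1
    [ -s "$lineage/fullchain.pem" ] || return 1
    # Temp file in the target directory: created 0600 and renamed atomically,
    # so Apache never reads a half-written or world-readable key.
    tmp="$(mktemp "$target.XXXXXX")"
    cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
}

case "${1:-}" in
obtain)
    # certonly + webroot: Certbot never parses the Apache vhosts, so the
    # "Which virtual host" prompt cannot appear.
    certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --non-interactive --agree-tos -m "$EMAIL" \
        --deploy-hook "$(readlink -f "$0") deploy"
    ;;
deploy)
    # Certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
    install_combined_pem "$RENEWED_LINEAGE" "$TARGET"
    systemctl reload apache2
    ;;
esac
```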
