My domain is:

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/
Simulating renewal of an existing certificate for and *
Waiting 10 seconds for DNS changes to propagate
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/ (success)

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot 1.29.0

All the installation appeared to go fine, accessing my site with http works fine, but attempting to access via https results in the error message: ERR_SSL_PROTOCOL_ERROR

I have two enabled sites in apache2/sites-enabled:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/dokuwiki
	DirectoryIndex index.php index.html index.htm
	<Directory /var/www/dokuwiki/>
		Require all granted
		Options Indexes FollowSymLinks MultiViews
		AllowOverride all
		Order allow,deny
		allow from all
		Require all granted
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Alias /log/ "/var/log/"
	<Directory "/var/log">
		Options Indexes MultiViews FollowSymLinks
		AllowOverride None
		Order deny,allow
		Deny from all
		Allow from all
		Require all granted

I have the default-ssl file in sites-available:

# default-ssl.conf
<IfModule mod_ssl.c>
	<VirtualHost _defualt_:443>
		ServerAdmin webmaster@localhost
		DocumentRoot /var/www/html
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

		#SSLCACertificatePath /etc/ssl/certs/
		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

		#SSLCARevocationPath /etc/apache2/ssl.crl/
		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

		#SSLVerifyClient require
		#SSLVerifyDepth 10
		#SSL +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars

I have port 443 enabled through my firewall.

my enabled apache mods:

  • access_compat.load
  • alias.conf
  • alias.load
  • auth.basic.load
  • authn_core.load
  • authz_core.load
  • authz_host.load
  • authz_user.load
  • autoindex.conf
  • autoindex.load
  • deflate.conf
  • deflate.load
  • dir.conf
  • dir.load
  • env.load
  • filter.load
  • mime.conf
  • mime.load
  • mpm_prefork.conf
  • mpm_prefork.load
  • negotiation.conf
  • negotiation.load
  • php8.1.conf
  • php8.1.load
  • proxy.conf
  • proxy.load
  • proxy_http.load
  • reqtimeout.conf
  • reqtimeout.load
  • rewrite.load
  • setenvif.conf
  • setenvif.load
  • socache_shmcb.load
  • ssl.cof
  • ssl.load
  • status.conf
  • status.load
  • vhost_alias.load

I'm sure it's something with the VirtualHosts, but I don't really understand how they work. I also want to add an additional VHost in the future so that an app I currently access via IP address and a port number can be accessed as a subdomain. I used a wildcard certificate in the hopes that it would cover newly created subdomains, too.

Thank you in advance for your time

1 Like

Let me see if my skills are still sharp.

Can you try to run this apachectl -D DUMP_VHOSTS and share the output? (Might be apache2ctl or whichever you used to restart/reload your Apache web server)


Yep, just give me a moment to type out the result (because yay, the console I have access to won't let me highlight and copy stuff)

VirtualHost configuration:
*:80                               is a NameVirtualHost
                       default server (/etc/apache2/sites-enabled/
                       port 80 namevhost (/etc/apache2/sites-enabled/
                       port 80 namevhost (/etc/apache2/sites-enabled/
1 Like

The output indicates it doesn't have any ssl virtual host.
Can you share the content of /etc/apache2/sites-enabled/

P.S. if the current console doesn't allow you to copy and paste, it might be good to switch to one that does...


Nvm. I see you shared the content in the first post.


Let me get on my computer and type a 443 virtual host file.


Thanks. I didn't expect to have to alter my existing conf files. I guess it's a bit that the certbot instructions leave out, or my admittdly winding path through various links to instructions skipped it.


Only the files (or links to files) in the sites-enabled are actually used by Apache.

ls -l /etc/apache2/sites-available/
ls -l /etc/apache2/sites-enabled/


Replace /etc/apache2/certs/apache.crt and /etc/apache2/certs/apache.key with the certificate and key file path from certbot. Make sure to use fullchain instead of cert or chain.

<VirtualHost *:443>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

       SSLEngine on
       SSLCertificateFile /etc/apache2/certs/apache.crt
       SSLCertificateKeyFile /etc/apache2/certs/apache.key

I think the required TLS might also be for the other site (both sites may need TLS).

Which one(s) need the cert?

Why do I think that?:

[I see a wildcard entry in that cert]


AHA! While I was poking certbot to see if it would print out the paths for me, I found out that if I just run the command certbot it'll ask me which site I want to activate SSL for, and then once I select one it'll autogenerate a conf file for it in sites-available and I just need to deactivate my current one in sites-enabled and replace it with the newly created one from certbot.

Thanks everyone for the help.



Be informed that you presently have 5 valid certs that cover that base domain name:

And you will likely be using and renewing only one of them.
So, if you provided your email address during the certification process, you will be receiving notifications about their expiries in the coming months - don't be alarmed (be informed).
All such unrenewed certs will be noticed.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.