Error in checking parameter list: AH00526:

Jesse · February 1, 2017, 7:28am

I’m trying to setup my site (www.ifweather.com), which is hosted on a DigitalOcean droplet.
First I started with the certbot walk through: https://certbot.eff.org/#ubuntutrusty-apache
I’m running Ubuntu 14.04 and Apache/2.4.7.
After the first attempt I enabled port 443 on my firewall after I didn’t pass the TLS-SNI-01 challenge.
Then I reran “./path/to/certbot-auto --apache” and got the following output.

Enabled Apache ssl module
Error in checking parameter list: AH00526: Syntax error on line 53 of /etc/apache2/sites-enabled/ifweather_front-le-ssl.conf:
SSLCertificateFile: file '/etc/apache2/insert_cert_file_path' does not exist or is empty

Apache is unable to check whether or not the module is loaded because Apache is misconfigured.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ifweather.com/fullchain.pem. Your cert will
   expire on 2017-05-02. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"

So far, based on much google searching and forum sleuthing I haven’t made any progress. I’ve installed mod_ssl many times, and rebooted Apache many times, but per the message this appears to be working already.

I do have one bread crumb that I can’t make heads or tails of though. on this forum (https://github.com/certbot/certbot/issues/2584), the last entry by gaddmsk says "Okay, the solution is use only symlinks in sites-enabled. If you have .conf files in folder sites-enabled - you will have that problem."
When I look in my sites-enabled folder, I do see two .conf files that weren’t modified until today when I tried adding entries to them manually. (SSLCertificateFile & SSLCertificateChainFile entries) Should I change them to symlinks?

serverco · February 1, 2017, 7:35am

Currently your server is issuing http not http2 on port 443.

what do you have in your config files ?

Jesse · February 1, 2017, 8:06am

which config files? the sites-enabled ones? Now I see here (link at bottom) that this is where 443 can be opened up, but why no mention of this in the certbot walkthrough?

Here’s one of my .conf files in /sites-enabled/

<VirtualHost *:80>
        ServerName ifweather.com
        ServerAlias www.ifweather.com

        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost Off

        ProxyPass       /api http://api.ifweather.com
        ProxyPassReverse /api http://api.ifweather.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/ifweather/current/FrontApp/dist
        <Directory /var/www/ifweather/current/FrontApp/dist>
                RewriteEngine on

                # This relaxes Apache security settings.
                AllowOverride all
                # MultiViews must be turned off.
                Options -MultiViews
                # Uncomment this if you're on Apache >= 2.4:
                Require all granted

                #Don't rewrite files or directories
                RewriteCond %{REQUEST_FILENAME} -f [OR]
                RewriteCond %{REQUEST_FILENAME} -d
                RewriteRule ^ - [L]

                # Rewrite everything else to index.html to allow html5 state links
                RewriteRule ^ index.html [L]
        </Directory>



# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

       #Adding this manually : 01302017
       SSLCertificateFile /etc/letsencrypt/live/ifweather.com/cert.pem
       SSLCertificateChainFile /etc/letsencrypt/live/ifweather.com/fullchain.pem

        </VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Should I be modifying this manually. Something like this: https://grevi.ch/blog/apache2-config-with-multiple-ssl-virtualhosts-on-one-ip-and-one-port-via-subject-alternative-names-san

serverco · February 1, 2017, 8:13am

I think that's because Digitalocean uses a none-standard apache config - hence why you got the error warning and certbot couldn't configure it automatically for you.

Yes, since certbot couldn't configure it automatically, you will need to configure it manually - the link you gave gives a reasonably accurate description of what it should look like. You can also use Redirecting to ssl-config.mozilla.org... for creating a good configuration.

system · March 3, 2017, 8:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.