Error inserting certificates in /etc/httpd/conf/httpd.conf


#1

Hi,

Can I get some assistance please.
Have installed LE v1 and v2 on a few testing environments in the last few months.
Am looking at installing a v2 wildcard cert on a new CentOS 7 with Apache testing environment.
Am still in early config stages and not clear why the error.

This is a new server on our private cloud environment where we have a few other servers configured VMware.

Currently have one Vhost site on this server that displays a basic message where site is connected to via http through a basic HTML file.

Am looking at inserting the four lines of LE references in the main httpd.conf file at /etc/httpd/conf/httpd.conf
the certs are for wildcard domain for this server so do not want to insert in each Vhost conf file.

A scan of the ports shows they are open for 80 and 443.

When I advance to the next step of getting Certs and https started, the apache server throws an error and won’t start at all.

If I remove cert references, basic httpd starts for port 80 access.

SELinux is set to permissive mode; it does not matter if enforced or permissive…

This is the output from the /var/log/httpd/error.log

[Fri Apr 13 08:23:35.409940 2018] [core:notice] [pid 1586] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Apr 13 08:23:35.412496 2018] [suexec:notice] [pid 1586] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Apr 13 08:23:35.415993 2018] [ssl:emerg] [pid 1586] AH02311: Fatal error initialising mod_ssl, exiting. See /home/sites/www/logs/error.log for more information

The error log for the last line states “/home/sites/www/logs/error.log”
These are the errors in that file

[Fri Apr 13 08:23:35.415748 2018] [ssl:warn] [pid 1586] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 08:23:35.415979 2018] [ssl:emerg] [pid 1586] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)

For the last error “…SSLEngine On should go in the VirtualHost, not in global scope…” have made the change in file /etc/httpd/conf.d/ssl.conf
Turned off SSLEngine
#SSLEngine on
SSLEngine off

In the Vhost conf files I have included SSLEngine On
This is how the vhost httpd.conf is constructed

<VirtualHost *:80>
    ServerAdmin name@exampleweb.com
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /home/sites/www/public_html

    ErrorLog /home/sites/www/logs/error.log
    CustomLog /home/sites/www/logs/access.log combinedio

    <Directory /home/Sites/www/public_html>
        DirectoryIndex index.html
        Options -Indexes +FollowSymLinks +Includes
        AllowOverride All
        Order allow,deny
        Allow from All
        Require all granted
    </Directory>

</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLEngine on

        ServerAdmin name@exampleweb.com
        ServerName example.com
        ServerAlias www.example.com

        ErrorLog /home/sites/www/logs/error.log
        CustomLog /home/sites/www/logs/access.log combinedio
        ErrorLog /home/sites/www/logs/error_ssl.log

        DocumentRoot /home/sites/www/public_html
        <Directory /home/sites/www/public_html>
            DirectoryIndex index.html
            Options -Indexes +FollowSymLinks +Includes
            AllowOverride All
            Order allow,deny
            Allow from All
            Require all granted
        </Directory>
    </VirtualHost>
</IfModule>

Any help would be appreciated. Thanks in Advance.


#2

What are the four lines?

Please show the public cert used.


#3

These are the four lines

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

Please show the public cert used.

Are you referring to the contents of the cert.pem file?

Thanks for your response


#4

Try it with only one (fullchain.pem or cert.pem) not both.

And yes, the contents of the public cert (cert.pem).


#5

Tried with one at a time.

Excluding cert.pem raised this error

[Fri Apr 13 10:41:46.763728 2018] [core:notice] [pid 2651] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Apr 13 10:41:46.765664 2018] [suexec:notice] [pid 2651] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Apr 13 10:41:46.765901 2018] [ssl:emerg] [pid 2651] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Apr 13 10:41:46.765921 2018] [ssl:emerg] [pid 2651] AH02312: Fatal error initialising mod_ssl, exiting.

Excluding fullchain.pem raised this error

[Fri Apr 13 10:43:29.329365 2018] [core:notice] [pid 2692] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Apr 13 10:43:29.331754 2018] [suexec:notice] [pid 2692] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Apr 13 10:43:29.334522 2018] [ssl:emerg] [pid 2692] AH02311: Fatal error initialising mod_ssl, exiting. See /home/sites/www/logs/error.log for more information

This is content of cert.pem


#6

Please show:
/home/sites/www/logs/error.log

Also, the cert is a wildcard cert.
But it doesn’t include the base domain.
only good for *.example.com
NOT
example.com & *.example.com

Try changing the servername directive to better match the cert.
Keep in mind that the FQDN should resolve to the same IP in order for it to work correctly.
But for testing, you could use “servername anything.example.com” or even “servername *.example.com”

Also, you can remove this line; and just leave the line above it (with the #)
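
Added example, not part of the original posts: the name check behind the AH01909 warning and post #6's point that a certificate for *.example.com does not cover example.com. It goes slightly beyond the thread by applying the usual single-label wildcard rule (RFC 6125) to every ServerName/ServerAlias in a config; the function names and the sample vhost are constructed for illustration.

```python
import re

# ServerName / ServerAlias lines; commented-out lines do not match.
NAME_RE = re.compile(r"^[ \t]*(?:ServerName|ServerAlias)[ \t]+(.+?)[ \t]*$",
                     re.I | re.M)


def san_matches(pattern, host):
    """True if one certificate dNSName entry covers host.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    left-most label and stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False      # "*.example.com" has 3 labels, "example.com" has 2
    if p_labels[0] == "*":
        # wildcard needs a non-empty label; all remaining labels must be equal
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def vhost_names(conf_text):
    """Unique ServerName/ServerAlias values, lower-cased, in file order."""
    names = []
    for value in NAME_RE.findall(conf_text):
        for name in value.split():
            if name.lower() not in names:
                names.append(name.lower())
    return names


def uncovered(sans, conf_text):
    """Configured names that no SAN entry of the certificate covers."""
    return [n for n in vhost_names(conf_text)
            if not any(san_matches(s, n) for s in sans)]


# Constructed sample using the names from the vhost in post #1.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    #ServerAlias old.example.org
</VirtualHost>
"""

if __name__ == "__main__":
    # Certificate issued with only "-d *.example.com"
    print(uncovered(["*.example.com"], SAMPLE_VHOST))
    # Certificate that also lists the base domain
    print(uncovered(["example.com", "*.example.com"], SAMPLE_VHOST))
```
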


#7

this is from “/home/sites/www/logs/error.log”

[Mon Mar 26 11:19:22.596442 2018] [ssl:emerg] [pid 10782] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Mon Mar 26 11:23:41.119346 2018] [ssl:warn] [pid 23863] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Mon Mar 26 11:23:41.119576 2018] [ssl:emerg] [pid 23863] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Mon Mar 26 11:27:04.392728 2018] [ssl:warn] [pid 24089] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Mon Mar 26 11:27:04.392855 2018] [ssl:emerg] [pid 24089] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Mon Mar 26 11:31:13.306110 2018] [ssl:emerg] [pid 24397] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:38)
[Mon Mar 26 11:32:18.596888 2018] [ssl:emerg] [pid 24480] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:38)
[Mon Mar 26 12:04:54.438458 2018] [ssl:emerg] [pid 1467] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:38)
[Mon Mar 26 12:05:56.778256 2018] [ssl:emerg] [pid 1521] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:38)
[Wed Apr 11 16:55:41.449627 2018] [ssl:emerg] [pid 1308] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Wed Apr 11 17:00:32.042245 2018] [ssl:emerg] [pid 16176] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 10:56:18.990633 2018] [ssl:emerg] [pid 22021] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 15:02:05.752966 2018] [ssl:emerg] [pid 27395] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 15:03:43.186910 2018] [ssl:emerg] [pid 27426] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 15:03:50.187351 2018] [ssl:emerg] [pid 27450] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 17:12:25.495940 2018] [ssl:emerg] [pid 27974] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:36)
[Thu Apr 12 17:31:31.403526 2018] [ssl:emerg] [pid 28094] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/vhosts/example.com.conf:36)
[Thu Apr 12 17:32:55.354255 2018] [ssl:warn] [pid 28120] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu Apr 12 17:32:55.354468 2018] [ssl:emerg] [pid 28120] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 17:36:08.962682 2018] [ssl:warn] [pid 28175] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu Apr 12 17:36:08.962807 2018] [ssl:emerg] [pid 28175] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 17:49:51.032601 2018] [ssl:emerg] [pid 28251] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Thu Apr 12 17:54:19.724268 2018] [ssl:warn] [pid 28312] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu Apr 12 17:54:19.724454 2018] [ssl:emerg] [pid 28312] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 08:17:50.823618 2018] [ssl:warn] [pid 1527] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 08:17:50.823876 2018] [ssl:emerg] [pid 1527] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 08:23:35.415748 2018] [ssl:warn] [pid 1586] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 08:23:35.415979 2018] [ssl:emerg] [pid 1586] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 08:50:30.697966 2018] [ssl:warn] [pid 1681] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 08:50:30.698250 2018] [ssl:emerg] [pid 1681] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 10:26:21.880009 2018] [ssl:warn] [pid 2209] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 10:26:21.880311 2018] [ssl:emerg] [pid 2209] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 10:32:28.957120 2018] [ssl:warn] [pid 2493] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 10:32:28.957358 2018] [ssl:emerg] [pid 2493] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 10:33:03.153889 2018] [ssl:warn] [pid 2530] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 10:33:03.154087 2018] [ssl:emerg] [pid 2530] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 10:33:41.067952 2018] [ssl:warn] [pid 2556] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 10:33:41.068192 2018] [ssl:emerg] [pid 2556] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Fri Apr 13 10:43:29.334274 2018] [ssl:warn] [pid 2692] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Fri Apr 13 10:43:29.334507 2018] [ssl:emerg] [pid 2692] AH01892: Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)

This is the command we ran to register the domain and received the congratulation registration

certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com

Our intention is to be able to register multiple subdomains… e.g. car.example.com demo.example.com without having to include references in each Vhost conf file.
Have we registered this incorrectly?

Looking into your other points…


#8

If you have the time and inclination, show:
(no need to show any lines that start with #)
/etc/httpd/apache2.conf
/etc/httpd/httpd.conf
grep -ie servername -ie alias -ie sslengine /etc/httpd/*
grep -ie servername -ie alias -ie sslengine /etc/httpd/conf-enabled/*
grep -ie servername -ie alias -ie sslengine /etc/httpd/sites-enabled/*
grep -ie servername -ie alias -ie sslengine /etc/httpd/conf/vhosts/*
/etc/httpd/conf/vhosts/example.com.conf:36 (line 36)


#9

I think you have done what you set out to do.
But the vhost configs aren’t lined up with what you set out to do.
We need to find where they differ.
Finding all the files that use the servername directive is a start.


#10

Ok, collecting information…


#11

“/etc/httpd/apache2.conf”
Don’t have this file

Contents of this file here

/etc/httpd/httpd.conf

# file //etc/httpd/conf/httpd.conf 
ServerRoot "/etc/httpd"

Listen 80
Listen 443

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None

    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

   CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

IncludeOptional conf/vhosts/*.conf

grep -ie servername -ie alias -ie sslengine /etc/httpd/*

[root@appdev1 ~]# grep -ie servername -ie alias -ie sslengine /etc/httpd/*
grep: /etc/httpd/conf: Is a directory
grep: /etc/httpd/conf.d: Is a directory
grep: /etc/httpd/conf.modules.d: Is a directory
grep: /etc/httpd/logs: Is a directory
grep: /etc/httpd/modules: Is a directory
grep: /etc/httpd/run: Is a directory

Don’t have this structure set up for these two
grep -ie servername -ie alias -ie sslengine /etc/httpd/conf-enabled/*
grep -ie servername -ie alias -ie sslengine /etc/httpd/sites-enabled/*

grep -ie servername -ie alias -ie sslengine /etc/httpd/conf/vhosts/*

ServerName example.com
ServerAlias appdev1.example.com
 #SSLEngine on
     ServerName example.com
 ServerAlias appdev1.example.com

/etc/httpd/conf/vhosts/example.com.conf:36 (line 36)
<VirtualHost xx.xxx.xx.3:443>


#12

From /etc/httpd/httpd.conf
These lines are in the wrong place:


#13

Which file(s) had these lines?:


#14

show this entire file:


#15

From /etc/httpd/httpd.conf
These lines are in the wrong place:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

Where should these be?
In individual vhost conf files in this directory…?

/etc/httpd/conf/vhosts/*


#16

In the vhost file(s).


#17

Which file(s) had these lines?:

ServerName example.com
ServerAlias appdev1.example.com
#SSLEngine on
ServerName example.com
ServerAlias appdev1.example.com

/etc/httpd/conf/vhosts/example.com.conf


#18

show:
/etc/httpd/conf/vhosts/example.com.conf
and
ls -l /etc/httpd/conf/vhosts/*.conf

NOTE:
The httpd.conf file shows:
ServerRoot "/etc/httpd"
IncludeOptional conf/vhosts/*.conf
So it will use all the *.conf files in the /etc/httpd/conf/vhosts/ directory.


#19

ls -l /etc/httpd/conf/vhosts/*.conf

lrwxrwxrwx. 1 root root 35 Apr 11 16:50 /etc/httpd/conf/vhosts/example.com.conf -> /home/sites/www/httpd.conf

/etc/httpd/conf/vhosts/example.com.conf

<VirtualHost xx.xxx.xx.3:80>
	ServerAdmin support@example2.com.au
    ServerName appdev1.example.com
    ServerAlias appdev1.example.com
	
	DocumentRoot /home/sites/www/public_html
	
	ErrorLog /home/sites/www/logs/error.log
	CustomLog /home/sites/www/logs/access.log combinedio

    <Directory /home/sites/www/public_html>
       DirectoryIndex index.html
        Options -Indexes +FollowSymLinks +Includes
		AllowOverride All
		Order allow,deny
		Allow from All
		Require all granted
	
   </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost xx.xxx.xx.3:443>
     #SSLEngine on
    
 	 ServerAdmin support@exanple2.com.au
 	 ServerName appdev1.example.com
     ServerAlias appdev1.example.com
	
    ErrorLog /home/sites/www/logs/error.log
    CustomLog /home/sites/www/logs/access.log combinedio
   
     DocumentRoot /home/sites/www/public_html
     <Directory /home/sites/www/public_html>
         DirectoryIndex index.html
         Options -Indexes +FollowSymLinks +Includes
 		AllowOverride All
 		Order allow,deny
 		Allow from All
 		Require all granted

		</Directory>
	
 </VirtualHost>
</IfModule>

#20

ADD:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

BELOW:
<VirtualHost xx.xxx.xx.3:443>
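
Added example, not part of the original posts: a small Python check for the layout post #20 prescribes, with SSLEngine on and the certificate directives inside the :443 VirtualHost rather than at global scope. The function name and the condensed BEFORE/AFTER configs are constructed for illustration from posts #11, #19 and #20; the input is a single config text and Include directives are not followed.

```python
import re

# Directives that post #20 places inside the :443 VirtualHost.
SSL_KEYS = {"sslengine": "SSLEngine",
            "sslcertificatefile": "SSLCertificateFile",
            "sslcertificatekeyfile": "SSLCertificateKeyFile"}
OPEN_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)


def lint_ssl_scope(conf_text):
    """List SSL directives found outside any VirtualHost, and :443
    VirtualHosts lacking SSLEngine on or a certificate/key directive."""
    findings, vhost, seen = [], None, {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # a commented-out directive is not set
        opened = OPEN_RE.match(line)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif line.lower().startswith("</virtualhost"):
            if vhost and any(a.endswith(":443") for a in vhost.split()):
                if seen.get("sslengine", "").lower() != "on":
                    findings.append(f"{vhost}: SSLEngine on missing")
                for key in ("sslcertificatefile", "sslcertificatekeyfile"):
                    if key not in seen:
                        findings.append(f"{vhost}: {SSL_KEYS[key]} missing")
            vhost = None
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            if key in SSL_KEYS and vhost is None:
                findings.append(f"line {lineno}: {SSL_KEYS[key]} at global scope")
            elif key in SSL_KEYS:
                seen[key] = parts[1] if len(parts) > 1 else ""
    return findings


# Constructed: condensed from httpd.conf (post #11) plus the vhost file (post #19).
BEFORE = """\
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
<VirtualHost xx.xxx.xx.3:80>
    ServerName appdev1.example.com
</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost xx.xxx.xx.3:443>
    #SSLEngine on
    ServerName appdev1.example.com
  </VirtualHost>
</IfModule>
"""

# Constructed: the same :443 vhost after the change described in post #20.
AFTER = """\
<VirtualHost xx.xxx.xx.3:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    ServerName appdev1.example.com
</VirtualHost>
"""
```
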