Error installing a Certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.org
I ran this command:
certbot -i apache -a webroot -w /var/www/html/drupal -d example.org
It produced this output:
certbot -i apache -a webroot -w /var/www/html/drupal -d example.org
My web server is (include version):
Apache/2.4.6 (CentOS)
The operating system my web server runs on is (include version):
CentOS Linux release 7.4.1708 (Core)
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @v.j,

What was the error that you got when trying to install the certificate?


#3

PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.


#4

Do you have an existing working Apache server on this machine (that’s listening on port 80 for HTTP requests)?


#5

If your website is online (accessible via browser through http://yourwebsite)

You should have conf files looking like these two somewhere in your apache2

/etc/apache2/sites-enabled/example-default.conf

<VirtualHost *:80>
       
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        Protocols h2 http/1.1
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =xxx
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

/etc/apache2/sites-enabled/example-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    Protocols h2 http/1.1
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/xxx/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerName xxx
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"


</VirtualHost>
# modern configuration, tweak to your need
SSLCipherSuite       EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder     on
# TLS-level compression stays off: enabling it exposes sessions to the CRIME attack
SSLCompression          off
SSLSessionTickets       off
SSLOptions +StrictRequire

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

If not, your Apache setup is broken, or your server is missing dependencies.
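Added example, not part of the thread and not Certbot's own logic: a Python check for the condition behind the PluginError in post #3, scanning Apache config text for a `<VirtualHost>` on port 80 that names the domain. `SAMPLE_CONF`, `parse_vhosts` and `port80_status` are names chosen here, and the config is assumed to be passed in as one string with any `Include` files already expanded.

```python
import re
from fnmatch import fnmatch

# Constructed sample (not from the thread): only the HTTPS vhost names example.org.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName example.org
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example.org
    ServerAlias *.other.example.org
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME_LINE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.I)
PORT = re.compile(r":(\d+|\*)$")


def parse_vhosts(conf_text):
    """Return [{'ports': set, 'names': set}] for each <VirtualHost> block."""
    vhosts, current = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # Apache comments occupy a whole line
        if m := VHOST_OPEN.match(line):
            # *:80, 192.0.2.1:80, [2001:db8::1]:80; an address without a port means any port
            ports = {p.group(1) if (p := PORT.search(a)) else "*" for a in m.group(1).split()}
            current = {"ports": ports, "names": set()}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif (m := NAME_LINE.match(line)) and current is not None:
            # ServerName may carry a scheme and port; keep only the host part
            for n in m.group(1).split():
                current["names"].add(re.sub(r"^\w+://|:\d+$", "", n).lower())
    return vhosts


def port80_status(conf_text, domain):
    """Say whether `domain` has a named vhost on port 80, and if not, why."""
    on80 = [v for v in parse_vhosts(conf_text) if v["ports"] & {"80", "*"}]
    if not on80:
        return "no-port-80-vhost"
    if any(fnmatch(domain.lower(), n) for v in on80 for n in v["names"]):
        return "named-vhost"
    return "default-vhost-only"  # Apache falls back to the first port-80 vhost
```

A result of `default-vhost-only` means the challenge request would be answered by whichever port-80 vhost Apache lists first, which may not share the webroot given with `-w`.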


#6

I have an existing Apache server. And till yesterday, it was running on http://mywebsite.org.
I installed openssl and now it’s running on https://mywebsite which is not a trusted signed certificate.

I’m looking to run my website on both http and https or redirect http to https and with a trusted certificate.


#7

My default.conf file has
<VirtualHost *:80>
and
ssl.conf has
<VirtualHost *:443>
Currently my website is running on both http and https. Basically it redirects http to https.
And I still get the error as
Failed authorization procedure. mywebsite.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mywebsite.org/.well-known/acme-challenge/T-0kBZCsMgkAu3zRlZfxM81CZfSbHfzq4V2FznnLWS8: Timeout


#8

What’s your website? Does connecting to it from the Internet time out? Does it have a firewall blocking outside connections, or certain countries? Does it have IPv6? Does it work?


#9

Yes, one of those. I could resolve the issue.
Thank you very much for all your help!


#10

But unfortunately, it doesn’t show the lock symbol on the website URL. It’s running on https but no lock symbol. How can we make it more secure?


#11

Also, after installing this certificate, another website stopped working.
For example, mywebsite.org is working fine
But apps.mywebsite.org has stopped working.

Can you help me with this please?


#12

We’re going to need you to give us some more information to help further. Not knowing the real domain name prevents us from being able to help as much, and isn’t even protecting any secrets because it’s already logged to the public certificate transparency logs.

There are a lot of reasons your site could show insecure, usually mixed-content issues. Try going through https://www.whynopadlock.com/, if you wish.

As for “stopped working”, please be more specific. It’s not responding? It’s responding but with an invalid certificate? Apache is erroring out when trying to start it?
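Added example, not part of the thread: a Python scan of a page's HTML for the mixed-content issue mentioned in this post, listing subresources still requested over `http://`. The sample HTML is constructed, `MixedContentFinder` and `find_mixed_content` are names chosen here, and the two categories use the W3C Mixed Content terms; only static HTML attributes are inspected, not CSS or script-inserted URLs.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the thread), assumed to be served over https://
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://example.org/themes/site.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.org/logo.png">
<a href="http://example.org/about">About</a>
<iframe src="https://apps.example.org/embed"></iframe>
</body></html>
"""

# (tag, attribute) pairs that make the browser fetch a subresource
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
OPTIONALLY_BLOCKABLE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for attr, url in a.items():
            if not url.strip().lower().startswith("http://"):
                continue  # https://, //host/ and relative URLs follow the page's scheme
            is_stylesheet = (tag == "link" and attr == "href"
                             and "stylesheet" in a.get("rel", "").lower().split())
            if (tag, attr) in BLOCKABLE or is_stylesheet:
                self.findings.append(("blockable", tag, url))
            elif (tag, attr) in OPTIONALLY_BLOCKABLE:
                self.findings.append(("optionally-blockable", tag, url))
            # <a href> is navigation, not a subresource load, so it is not reported


def find_mixed_content(html_text):
    """Return every http:// subresource reference found in html_text."""
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings
```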


#13

This website is on a different server but with the same domain name.
It was all working fine just before installing the certificate.
Sorry, can’t share the domain name in public as the website is not available to the public yet.
I could if there’s any way that I can post it separately.

Now it says:

This site can’t be reached
apps.mywebsite.org took too long to respond.
Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_TIMED_OUT


#14

It sounds like something in your apache configs got messed up and isn’t listening for that vhost anymore. Post configs?

Also, side note, you made it public to anyone looking at the CT logs when you got a certificate in general.


#15

Do I have to add a * like *.mywebsite.org for the sub domains to work?


#16

That’s one option, but a much simpler one is to just add the subdomains as well. You can have up to 100 names on a single certificate from Let’s Encrypt.


#17

That’s a good idea, but where can I add the subdomain names?
I’m sorry, but which file?

Thanks!


#18

You add them with additional -d options to Certbot.


#19

Is it like adding a new certificate? Do I have to configure all over again?

Another question is: I would be assigning this DNS (mywebsite.org) to some other server (maybe with a new static IP). Does this certificate follow there, or do I need to install a new SSL certificate on that server too?

Thanks!


#20

Yes.

The certificate is a file that’s installed on a particular machine so unless you copy over all of the associated files, you don’t have the certificate on another machine.