Error running command

My domain is: screwloosedan.com

I ran this command:

sudo certbot --apache -d screwloosedan.com -d www.screwloosedan.com

It produced this output:

Error running command ['apache2ctl', '-t', '-D', 'DUMP_INCLUDES'] for runtime parameters!

My web server is:

$ apache2 -v	
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2017-09-18T15:09:02

The operating system my web server runs on is (include version):

Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

Certbot version:

certbot 0.21.1

This is a fairly basic Ubuntu 16.04 install with standard Apache install.

Based on the error I attempted to run:
$ sudo apache2ctl -t -D DUMP_INCLUDES
It only returned:

Syntax OK

I presume this is an issue with the version of Apache2. I did find this patch, which suggests that the DUMP_INCLUDES was added in version 2.4.23.

I presume my only choices are to upgrade Apache or use certbot manually? Is there a recommended workaround?

please show the version of certbot used and update that as needed as well

Cerbot version:

certbot 0.21.1

I believe that is the latest. It was installed as per the instructions on the eff website:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

For what it's worth I couldn't reproduce this problem.

I just spun up a Docker image of ubuntu:xenial, installed apache2:

ii apache2 2.4.18-2ubuntu3.5 amd64 Apache HTTP Server

installed Certbot from the PPA and ran your Certbot invocation verbatim, which worked okay:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for screwloosedan.com
http-01 challenge for www.screwloosedan.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

and also works when putting a successful issuance:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate for a.foo.monkas.xyz to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

This is how the apachectl command goes for me:

root@bb3946939fa2:/# apache2ctl -t -D DUMP_INCLUDES
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Maybe check what your exact package version of apache2 is?

1 Like

Thanks @_az !! Not sure why I didn’t try reproducing the issue myself. After your post I spun up another VPS and was able to get certificates. It made me start comparing all the differences.

I’m still not really sure what caused the issue, but I have installed this bad bot blocker. Once I commented out the Include that points to the bot-blocker configs in my .conf file, it allowed the certbot to run properly.

Still trying to figure out why the error message points to the apache2ctl -t -D DUMP_INCLUDES command, as that doesn’t seem to be impacted by the bot blocker.

So, as I posted last night I was able to install the certificates successfully after commenting out the "Includes" that points to my bad bots list.

Unfortunately, attempting to run and renew --dry-run fails with the same original message (because I put the include back in).

I turned up the verbosity while running cerbot and I see "OSError: [Errno 12] Cannot allocate memory" error message, which I think that's probably really the issue (the bad bot list is a very large list):

~$ sudo certbot renew --dry-run -vvvvv
Root logging level set at -30

Cert not due for renewal, but simulating renewal for dry run
Requested authenticator apache and installer apache
Apache version is 2.4.18
Error running command ['apache2ctl', '-t', '-D', 'DUMP_INCLUDES'] for runtime parameters!

Misconfigured PluginEntryPoint#apache: ('Error accessing loaded Apache parameters: %s', ['apache2ctl', '-t', '-D', 'DUMP_INCLUDES'])
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 222, in _get_runtime_cfg
universal_newlines=True)
File "/usr/lib/python3.5/subprocess.py", line 947, in init
restore_signals, start_new_session)
File "/usr/lib/python3.5/subprocess.py", line 1490, in _execute_child
restore_signals, start_new_session, preexec_fn)
OSError: [Errno 12] Cannot allocate memory

Anyone else run across something like this? The largest conf file that is included is ~365K in size, which is perhaps too much for the script?

That’s interesting. Could you let us know how large the resulting output actually is?

apache2ctl -t -D DUMP_INCLUDES | wc -c

You could also use a different authenticator that doesn’t need to parse your Apache configuration, probably --webroot if you are serving static files from somewhere or if you could make an exception in your configuration to allow it to do so. The --apache method parses your configuration every time, while the --webroot method doesn’t need to know about your configuration (but you do have to tell it a directory where static files can be placed in order for the existing server to serve them).

1 Like

As I mentioned before, the DUMP_INCLUDES doesn't actually seem to return anything (I believe that feature is only available in the Apache versions > 2.4.23, I'm only at 2.4.18).

$ sudo apache2ctl -t -D DUMP_INCLUDES | wc -c
Syntax OK
0

I don't know why the script complains in that way, I haven't looked at the code but I presume there is a function that tries the DUMP_INCLUDES if it's available or reverts to some other method otherwise, but the error handling returns the same error either way.

Switching to webroot method, it seemed like I needed to update my .config file to remove the references to apache, so I made it look like this:

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxx
authenticator = webroot
# installer = apache

Would renewing the certs be done by something like this?

sudo certbot renew --webroot --webroot-path /var/www/html --post-hook 'systemctl restart apache2.service' --dry-run

Yes, but if you get the certificate once with certonly, Certbot will save all of the other options in the .conf file and so you won’t have to specify them explicitly with certbot renew.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.