I'm shifting the site from an existing install at: http://www.gunisforhealth.info/ (on a different server)
So I've set up an ANAME record for vps.gunisforhealth.info and pointed it to the new server 173.231.199.148 (the idea is that I will use an app to migrate content from old site to new site, then I'll shut down old site and shift the public domain to the new site...so I need both sites running)
On the new server I've got two new Apache conf files, one on port 80 and one on port 443. The conf file on 443 already has these directives:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.gunisforhealth.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.gunisforhealth.info/privkey.pem
However, when I try to create the new cert: sudo certbot --apache -d vps.gunisforhealth.info
I get this:
AH00526: Syntax error on line 27 of /etc/apache2/sites-enabled/gunisforhealth.info.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/vps.gunisforhealth.info/fullchain.pem' does not exist or is empty
If I comment the certbot lines out of the 443 conf file and run apache2ctl configtest, all is good.
There are about a dozen other certs on this new server and they all seem to be fine.
It seems strange that I can't create the new cert because certbot finds an error because there's no certificate.
There indeed is no cert at: /etc/letsencrypt/live ... am I missing a creation step somewhere?
The certbot --apache authenticator makes temp changes to your Apache config. After the temp change it reloads Apache and this is what is failing due to the syntax error.
But, you should not get that error if you have properly disabled the HTTPS VirtualHost for that domain.
Can you show result of this?
sudo apache2ctl -t -D DUMP_VHOSTS
Also, your DNS is returning 43.239.97.219 right now. Your ANAME may not have the result you expect. See the Let's Debug test site (link here) for detailed results and you'll see the 43.239... IP is active.
Hey there @MikeMcQ thanks so much for your replies.
First point, DUMP_VHOSTS:
> sudo apache2ctl -t -D DUMP_VHOSTS
> AH00526: Syntax error on line 27 of /etc/apache2/sites-enabled/gunisforhealth.info.conf:
> SSLCertificateFile: file '/etc/letsencrypt/live/vps.gunisforhealth.info/fullchain.pem' does not exist or is empty
> Action '-t -D DUMP_VHOSTS' failed.
> The Apache error log may have more information
The second point is not clear to me... Yes, the bare domain and www* are still pointed to the old server (43.239.97.219). However, I'm sure I have done this trick before: I set an ANAME to the new IP for a specific domain. In this case, vps* should point to 173.231.199.148, as indeed it does: http://vps.gunisforhealth.info/
Since that ANAME is properly routing traffic to the new IP, why would certbot have an issue?
Sorry, I wasn't quite following what was happening with your transition.
I see your IP for the vps.gunisforhealth.info is as you describe so no worry.
But, your Apache config is wrong. You cannot reference cert files that don't exist.
To setup a new domain name (anywhere), you can make an HTTP VirtualHost (port 80). Then, once you have the cert you can make the HTTPS VirtualHost. Or, certbot --apache plug-in will make an HTTPS VHost for you.
So, you should have a VirtualHost for vps domain name for just port 80. Then, run certbot --apache and you'll end up with a cert for vps and a VirtualHost that uses that (created by certbot).
Does that make sense, or do I still misunderstand your transition?
Hey Mike, thanks again for the fast and helpful reply.
I suspect you are spot on... I was just trying to get both the vhost files created first, then run certbot, but as you say, this won't work.
I'm just in the middle of file migration at the moment, so will pause. Once migration is done, I will:
1 - delete the port 443 vhost file
2 - run certbot to create the certs
3 - re-create the 443 vhost file
4 - test
5 - re-point the main domains to the new server
6 - ask certbot for new certs for the main domains
7 - adjust the vhost file to include the new certs
That's my plan...
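The ordering MikeMcQ describes, and the plan above, come down to one rule: never enable a :443 VirtualHost whose SSLCertificateFile/SSLCertificateKeyFile don't exist yet, because Apache's configtest (and therefore certbot's reload) fails on AH00526. The following script is an added example, not code from the thread or from certbot: it writes the port-80-only vhost that certbot --apache needs to find, and it pre-checks a config for cert paths that are missing or empty before Apache trips over them. The hostname vps.example.invalid, the DocumentRoot /var/www/vps and the temporary directory standing in for /etc/letsencrypt/live are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): preflight helpers for the
# "HTTP vhost first, then certbot --apache, then HTTPS vhost" ordering.
#
# Apache refuses to reload (AH00526) when a VirtualHost names an
# SSLCertificateFile / SSLCertificateKeyFile that does not exist or is empty.
# certbot --apache reloads Apache as part of issuance, so a :443 vhost written
# before the cert exists blocks the very step that would create the cert.
# Hostname, DocumentRoot and paths below are demo assumptions, not thread values.

# write_http_vhost NAME DOCROOT OUTFILE
# Minimal port-80 VirtualHost for NAME. Deliberately no SSL directives:
# certbot --apache creates the :443 vhost itself once the cert is issued.
write_http_vhost() {
    name="$1"; docroot="$2"; out="$3"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    ErrorLog \${APACHE_LOG_DIR}/$name-error.log
    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined
</VirtualHost>
EOF
}

# check_cert_paths CONF
# Prints every SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile
# path in CONF that is missing or empty (the exact "does not exist or is empty"
# condition); commented-out lines are ignored. Returns 0 when all files exist.
# Assumes paths contain no whitespace (true for /etc/letsencrypt/live/<name>/...).
check_cert_paths() {
    conf="$1"
    rc=0
    for path in $(sed -n -E 's/^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+//p' "$conf" | tr -d '"'); do
        if [ ! -s "$path" ]; then
            printf 'missing or empty: %s\n' "$path"
            rc=1
        fi
    done
    return $rc
}

# Demo in a throwaway directory that mirrors the failing config from the thread.
demo() {
    tmp=$(mktemp -d)
    live="$tmp/live/vps.example.invalid"   # stand-in for /etc/letsencrypt/live/<name>

    # 1. The broken order: a :443 vhost written before any cert exists.
    cat > "$tmp/vps-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName vps.example.invalid
    SSLEngine on
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
</VirtualHost>
EOF
    echo "== :443 vhost before the cert exists (what certbot's reload would hit) =="
    check_cert_paths "$tmp/vps-ssl.conf" || echo "configtest would fail here"

    # 2. The working order: a port-80 vhost only, nothing for Apache to choke on.
    write_http_vhost vps.example.invalid /var/www/vps "$tmp/vps.conf"
    echo "== :80 vhost only =="
    check_cert_paths "$tmp/vps.conf" && echo "ok: no cert paths referenced"

    # 3. Once certbot has issued the cert, the same :443 vhost becomes valid.
    #    Simulated here with non-empty placeholder files; real ones come from certbot.
    mkdir -p "$live"
    echo "placeholder" > "$live/fullchain.pem"
    echo "placeholder" > "$live/privkey.pem"
    echo "== :443 vhost after the cert exists =="
    check_cert_paths "$tmp/vps-ssl.conf" && echo "ok: all cert files present"

    rm -rf "$tmp"
}
demo
```

In practice: enable only the port-80 vhost for the new name, confirm `apache2ctl configtest` passes, run `certbot --apache -d <name>`, and only then add or let certbot generate the :443 vhost. Running `check_cert_paths` over each file in sites-enabled before any reload catches the same mistake for the main domains in steps 5 to 7, where the cert for the new IP does not exist until certbot is asked for it.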