Getting error when trying to create certs

My domain is: ewiscombe.com

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: eddotfarms.com
2: www.eddotfarms.com
3: ewiscombe.com
4: www.ewiscombe.com
5: wiscombearabians.com
6: www.wiscombearabians.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ewiscombe.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ewiscombe.com (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ewiscombe.com
    Type: malformed
    Detail: Server only speaks HTTP, not TLS

    To fix these errors, please make sure that you did not provide any

My web server is (include version): Apache version 2.4.18

The operating system my web server runs on is (include version): Ubuntu Linux 16.04.2

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin, but most work done through shell

Hi @warrik,

This sounds like you have an existing configuration file in /etc/apache2 that listens on port 80 but activates HTTPS. Can you check whether this is the case?

You could probably find all potentially relevant files with

grep -r :80 /etc/apache2

It looks like HTTP is listening on port 80 and HTTPS is listening on 443.

Last login: Sun Sep 10 17:04:18 2017 from 71.199.38.204
$ grep -r :80 /etc/apache2
/etc/apache2/ports.conf:Listen *:80 http
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost ewiscombe.com *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost wiscombearabians.com *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost eddotfarms.com *:80>
$ grep -r :443 /etc/apache2
/etc/apache2/ports.conf:Listen *:443 https
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost ewiscombe.com *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost wiscombearabians.com *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost eddotfarms.com *:443>

I think I may have described the problem the wrong way round! When I go to https://ewiscombe.com/ in a browser (which uses port 443), I get an error which is indicative of an HTTP listener on that port.

Could you post the entirety of /etc/apache2/sites-available/default-ssl.conf? My thought is that maybe it doesn’t actually enable HTTPS in one or more of these VirtualHosts.

Also, older versions of Certbot will get horribly confused by the fact that you have more than one VirtualHost defined in a single configuration file (in this case, you have four apiece). Certbot historically expected that each VirtualHost would have its own separate file in /etc/apache2/sites-available, enabled via a symlink which can be created with a2ensite. But, I’m not positive whether that’s the underlying problem here.

I could try removing the default-ssl.conf and creating separate conf files.

This is my first time trying to create certs using certbot (on my old server I'd created certs from Let's Encrypt when it was first released).

Here is a copy of the default-ssl.conf (I tried copying the SSL certs from my old server and pointing to them, so that's why it's showing cert files):

<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost ewiscombe.com *:443>
    ServerName ewiscombe.com
    ServerAdmin webmaster@localhost
    ServerAlias www.ewiscombe.com
    DocumentRoot /var/www/html/ewiscombe.com/
    CustomLog /var/log/apache2/www.test.ewiscombe.com-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/ewiscombe.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ewiscombe.com/privkey.pem

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile /etc/letsencrypt/live/ewiscombe.com/chain.pem
</VirtualHost>

<VirtualHost wiscombearabians.com *:443>
    ServerName wiscombearabians.com
    ServerAdmin webmaster@localhost
    ServerAlias www.wiscombearabians.com
    DocumentRoot /var/www/html/wiscombearabians.com/
    CustomLog /var/log/apache2/wiscombearabians.com-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/wiscombearabians.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wiscombearabians.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/wiscombearabians.com/chain.pem
</VirtualHost>

<VirtualHost eddotfarms.com *:443>
    ServerName eddotfarms.com
    ServerAdmin webmaster@localhost
    ServerAlias www.eddotfarms.com
    DocumentRoot /var/www/html/wiscombearabians.com/
    CustomLog /var/log/apache2/wiscombearabians.com-access.log combined

    #SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/wiscombearabians.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/wiscombearabians.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/wiscombearabians.com/chain.pem
</VirtualHost>

The last one looks like the problem to me because it has the SSLEngine on line commented out. I think Apache is interpreting this as "this isn't an HTTPS VirtualHost" and therefore is speaking HTTP on this port.

You might be able to succeed by either deleting the final VirtualHost or uncommenting the certificate references (perhaps you commented them out because these files don't currently exist on this system)?

You might also be able to succeed by splitting all the VirtualHosts out into separate files, one per VirtualHost. In that case you would again probably not have the eddotfarms.com HTTPS VirtualHost initially but you could allow Certbot to create it for you.
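A quick way to spot this class of misconfiguration before running Certbot, added here as an example and not part of the thread or of Certbot: a shell function that flags every *:443 VirtualHost whose "SSLEngine on" line is absent or commented out. The config it scans is a constructed sample modelled on the shape of the posted default-ssl.conf.

```shell
#!/bin/sh
# Added example (not from the thread): list every *:443 VirtualHost in an
# Apache config file that has no active "SSLEngine on" line. Such a host
# answers plain HTTP on port 443, which is what produces the
# "Server only speaks HTTP, not TLS" failure during a tls-sni-01 challenge.

# Constructed sample config: three HTTPS hosts, the last one with SSLEngine
# commented out, mirroring the posted default-ssl.conf.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName default.example
    SSLEngine on
</VirtualHost>
<VirtualHost ewiscombe.com *:443>
    ServerName ewiscombe.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/ewiscombe.com/cert.pem
</VirtualHost>
<VirtualHost eddotfarms.com *:443>
    ServerName eddotfarms.com
    #SSLEngine on
</VirtualHost>
EOF

# Print "servername:line" for each :443 VirtualHost that lacks an uncommented
# "SSLEngine on". Comment lines are skipped first, so "#SSLEngine on" does
# not count as enabling TLS.
find_http_only_tls_vhosts() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        /^[[:space:]]*<VirtualHost[^>]*:443/ {         # start of a :443 host
            in_vh = 1; start = NR; ssl = 0; name = ""
            next
        }
        in_vh && /^[[:space:]]*ServerName[[:space:]]/ { name = $2 }
        in_vh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { ssl = 1 }
        in_vh && /^[[:space:]]*<\/VirtualHost>/ {     # end of host: report
            if (!ssl) printf "%s:%d\n", (name == "" ? "(unnamed)" : name), start
            in_vh = 0
        }
    ' "$1"
}

find_http_only_tls_vhosts "$SAMPLE_CONF"
# prints: eddotfarms.com:10
```

Run it against /etc/apache2/sites-available/default-ssl.conf (or each file under sites-enabled) and an empty result means every port-443 host will actually negotiate TLS.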

It's the same software; the Let's Encrypt client letsencrypt was renamed to Certbot.

Thanks,

I deleted the default-ssl.conf and recreated individual ones and it worked.

Great! Glad to hear it.
