Getting error when trying to create certs

My domain is:

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS


  • The following errors were reported by the server:

    Type: malformed
    Detail: Server only speaks HTTP, not TLS

    To fix these errors, please make sure that you did not provide any

My web server is (include version): Apache version 2.4.18

The operating system my web server runs on is (include version): Ubuntu Linux 16.04.2

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin, but most work done through shell

Hi @warrik,

This sounds like you have an existing configuration file in /etc/apache2 that listens on port 80 but activates HTTPS. Can you check whether this is the case?

You could probably find all potentially relevant files with

grep -r :80 /etc/apache2

It looks like http is listening on port 80 and https is listening on 443

$ grep -r :80 /etc/apache2
/etc/apache2/ports.conf:Listen *:80 http
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
$ grep -r :443 /etc/apache2
/etc/apache2/ports.conf:Listen *:443 https
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf:<VirtualHost *:443>

I think I may have described the problem the wrong way round! When I go to in a browser (which uses port 443), I get an error which is indicative of an HTTP listener on that port.

Could you post the entirety of /etc/apache2/sites-available/default-ssl.conf? My thought is that maybe it doesn’t actually enable HTTPS in one or more of these VirtualHosts.

Also, older versions of Certbot will get horribly confused by the fact that you have more than one VirtualHost defined in a single configuration file (in this case, you have four apiece). Certbot historically expected that each VirtualHost would have its own separate file in /etc/apache2/sites-available, enabled via a symlink which can be created with a2ensite. But, I’m not positive whether that’s the underlying problem here.

I could try removing the default-ssl.conf and creating separate conf files.

This is my first time trying to create certs using certbot (on my old server I'd created certs from Let's Encrypt when it was first released).

Here is a copy of the default-ssl.conf (I tried copying the SSL certs from my old server and pointing to them, so that's why it's showing cert files).
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/ combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>

<VirtualHost *:443>
    ServerName
    ServerAdmin webmaster@localhost
    ServerAlias
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/ combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/
    CustomLog /var/log/apache2/ combined

    #SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/
    #SSLCertificateKeyFile /etc/letsencrypt/live/
    #SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>

The last one looks like the problem to me because it has the SSLEngine on line commented out. I think Apache is interpreting this as "this isn't an HTTPS VirtualHost" and therefore is speaking HTTP on this port.

You might be able to succeed by either deleting the final VirtualHost or uncommenting the certificate references (perhaps you commented them out because these files don't currently exist on this system)?

You might also be able to succeed by splitting all the VirtualHosts out into separate files, one per VirtualHost. In that case you would again probably not have the HTTPS VirtualHost initially but you could allow Certbot to create it for you.
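To make the diagnosis above repeatable before running Certbot again, here is an added example (not from the thread or from Certbot) that scans a sites-available file for port-443 VirtualHosts with no active `SSLEngine on`, the exact state that makes Apache answer plain HTTP on 443. The sample config and the hostname `example.test` are constructed for the example; the scanner ignores comment lines, so a commented-out `#SSLEngine on` is reported just as Apache would treat it.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the pasted default-ssl.conf: the second
# VirtualHost has SSLEngine commented out, so Apache speaks HTTP on 443.
SAMPLE_CONF = """\
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/html/
    #SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)
SSL_ENGINE = re.compile(r"SSLEngine\s+(\S+)", re.IGNORECASE)


def find_plaintext_tls_vhosts(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, address) for each :443 VirtualHost lacking an active 'SSLEngine on'."""
    findings: List[Tuple[int, str]] = []
    current = None  # [line_no, address, ssl_on] of the block being scanned

    def close_block() -> None:
        if current and current[1].endswith(":443") and not current[2]:
            findings.append((current[0], current[1]))

    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache ignores comment lines
            continue
        if m := VHOST_OPEN.match(line):
            close_block()  # tolerate a missing </VirtualHost>, as in the paste
            current = [n, m.group(1).strip(), False]
        elif VHOST_CLOSE.match(line):
            close_block()
            current = None
        elif (m := SSL_ENGINE.match(line)) and current is not None:
            current[2] = m.group(1).lower() == "on"
    close_block()
    return findings
```

Run it against the text of each file under /etc/apache2/sites-available; any hit is a VirtualHost that will fail a TLS-based validation the way this thread's tls-sni-01 attempt did.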

It's the same software; the Let's Encrypt client letsencrypt was renamed to Certbot.


I deleted default-ssl.conf and recreated individual ones, and it worked.

Great! Glad to hear it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.