Have I understood the process correctly?

Following the directions for Apache on Ubuntu 18.04 LTS (Bionic), I think I have followed the directions correctly, but https is not working.

My domain is: www.vanlevy.com

I ran this command: under the automatic directions, I followed everything up to and including:

sudo certbot --apache

While I was going through the steps, everything seemed to be working fine; i.e. no error messages that I noticed.

The question I have is: should that have done it, or are there more things that I need to do to finish getting / using the certificate?

There is no redirection nor does the https:// variant of the URL work. Also, there are no current certificates: https://crt.sh/?q=%vanlevy.com

Could you paste the full output of certbot?

I have just re-run the process, and have apparently completely disabled my site. In the hopes that this is a process that will take time to update, I have not re-re-run the process to enable no redirect, but will probably do so shortly.

What follows is all of the input / output.

ubuntu@ip-###-###-###-###:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: www.vanlevy.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.vanlevy.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1

Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-enabled/000-default-le-ssl.conf


Congratulations! You have successfully enabled https://www.vanlevy.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.vanlevy.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.vanlevy.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.vanlevy.com/privkey.pem
    Your cert will expire on 2019-08-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Hi @egv78

your http works, your https has a timeout ( https://check-your-website.server-daten.de/?q=vanlevy.com ):

Domainname                 Http-Status   redirect                   Sec.     G
http://www.vanlevy.com/
  35.175.243.191           301           https://www.vanlevy.com/   0.214    A
http://vanlevy.com/
  35.175.243.191           200                                      0.704    H
https://vanlevy.com/
  35.175.243.191           -14                                      10.027   T
  Timeout - The operation has timed out
https://www.vanlevy.com/
  35.175.243.191           -14                                      10.030   T
  Timeout - The operation has timed out

So it’s impossible to see if it works or if there is a firewall.

You have one active certificate:

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
892940580 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-03 18:48:45 2019-08-01 18:48:45 www.vanlevy.com
1 entries

What says

apachectl -S

What’s the content of

/etc/apache2/sites-enabled/000-default-le-ssl.conf
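A small triage script for the "https times out" symptom discussed in this reply (added example, not code from the thread, from Certbot or from Apache). A TCP connect to port 443 can end in three distinct ways, and each points at a different layer: a timeout means the SYN is dropped before it reaches the host (cloud security group or host firewall), "connection refused" means the host answered but nothing is bound to the port (the ssl vhost is not enabled or Apache was not reloaded), and "open" means the network path is fine and any remaining failure is in TLS or the vhost. The local listener and closed port used in the demo are constructed so the script runs offline; the hostname to test is a parameter.

```python
"""Classify why a TCP port is unreachable and say which layer to look at next.

Added example (not from the original post, Certbot or Apache). The listener
and the closed port in the demo are constructed locally so it runs offline;
call triage("www.example.com") with your own host to use it for real.
"""
import errno
import socket
import threading


def classify_port(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout', 'unreachable' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:              # SYN dropped: nobody answered at all
        return "timeout"
    except ConnectionRefusedError:      # host answered with RST: port closed
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


# What each outcome means for a Certbot/Apache setup (mapping is this example's own).
NEXT_STEP = {
    "open": "TCP reaches the port; if HTTPS still fails, look at TLS/Apache: "
            "'sudo apachectl -S' and the ssl vhost, not the firewall.",
    "timeout": "Packets are dropped before the host: check the cloud security group "
               "/ firewall (e.g. an EC2 inbound rule for TCP 443) and ufw.",
    "refused": "Host reachable but nothing listens: Apache is not bound to *:443 "
               "(ssl vhost not enabled, or apache2 not reloaded after certbot).",
    "unreachable": "No route to the host: DNS or network problem, not a web-server one.",
    "error": "Unexpected socket error; inspect the exception.",
}


def triage(host, port=443, timeout=5.0):
    """Return (state, advice) for host:port."""
    state = classify_port(host, port, timeout)
    return state, NEXT_STEP[state]


def _start_listener():
    """Constructed helper: a loopback listener on an ephemeral port (accepts once)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _closed_port():
    """Constructed helper: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, port in (("listening", _start_listener()), ("closed", _closed_port())):
        state, advice = triage("127.0.0.1", port, timeout=2.0)
        print(f"{label:>9} port {port}: {state} -> {advice}")
```

Run it against the public hostname from a machine outside the cloud account; a result of "timeout" while `sudo apachectl -S` on the server shows a `*:443` vhost is exactly the security-group case, which is what the original poster eventually fixed with an inbound rule.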
apachectl -S
AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.vanlevy.com/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

I can’t find anything in the error log that tells me anything.

Trying to get into the directory with the .pem, I can get into /etc/letsencrypt/, but when I try to get into live, I get: permission denied.


<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


        ServerName www.vanlevy.com
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.vanlevy.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.vanlevy.com/privkey.pem
</VirtualHost>
</IfModule>

Did you run it as root / sudo?

Is the file really empty? Check

sudo cat /etc/letsencrypt/live/www.vanlevy.com/fullchain.pem

What says

certbot certificates

Running the sudo cat… I do get a certificate. Two, in fact.

(BTW, I assume you’ve figured this out but my ubuntu skills are ‘developing’ [to be kind to myself]. : - )

@bmw @joohoi can you think of reasons that Apache might give this error while cat can see the contents of the fullchain file?

I think JuergenAuer was on to something when he asked:

@egv78, what is the output of:

sudo apachectl -S
~$ sudo apachectl -S
VirtualHost configuration:
*:443                  www.vanlevy.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   ip-###-###-###-###.ec2.internal (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Thank you for looking into this, all.

It appears that I need to update my settings in AWS. So, to answer my question, I think I understood the process from LetsEncrypt, just not how it fit into the whole process.

I will then make a suggestion: In your documentation, adding a message to the reader (who may be a learning programmer like myself) to the effect of: This is the end of what Certbot will do for you. You need to check the settings on your hosting service to ensure that these changes can take effect.

(In other words, while you made your process reasonably idiot proof, I am proof that there are always more idiotic idiots than you expected.)

Now your https works partially ( https://check-your-website.server-daten.de/?q=vanlevy.com ):

Your certificate has only one domain name:

CN=www.vanlevy.com
  not before: 03.05.2019
  not after:  01.08.2019
  expires in 76 days    www.vanlevy.com - 1 entry

so your www-version is secure, your non-www not:

Domainname                 Http-Status   redirect                   Sec.     G
http://www.vanlevy.com/
  35.175.243.191           301           https://www.vanlevy.com/   0.213    A
http://vanlevy.com/
  35.175.243.191           200                                      0.337    H
https://vanlevy.com/
  35.175.243.191           200                                      1.423    N
  Certificate error: RemoteCertificateNameMismatch
https://www.vanlevy.com/
  35.175.243.191           200                                      1.193    I

So two steps:

  • change your vHost
ServerName www.vanlevy.com
ServerAlias vanlevy.com
  • then create a new certificate with both domain names
sudo certbot otherParameters -d www.vanlevy.com -d vanlevy.com

then it should work.
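The two steps above (add `ServerAlias vanlevy.com`, then issue a certificate that lists both names) are easy to get half right: the vhost answers for a name the certificate does not contain, and the browser reports a name mismatch exactly as the checker did. The following script is an added example, not code from the thread, from Certbot or from Apache; it reads the `ServerName`/`ServerAlias` lines of a vhost, matches each name against the certificate's subjectAltName entries with the usual DNS-ID rules (exact match, or a wildcard only as the whole leftmost label, so `*.vanlevy.com` never covers the apex), and lists the names left uncovered. The vhost text is constructed from the thread's `000-default-le-ssl.conf` plus the suggested alias, and the two SAN lists stand for the www-only certificate the thread shows and the two-name one the suggested `certbot -d www.vanlevy.com -d vanlevy.com` command would issue; for a real check, feed it the SANs printed by `openssl x509 -in fullchain.pem -noout -ext subjectAltName`.

```python
"""Report vhost names that the certificate's subjectAltName does not cover.

Added example (not from the original post, Certbot or Apache). VHOST_AFTER_FIX
and the SAN lists are constructed from the thread so the script runs offline.
"""
import re


def names_served_by_vhost(conf_text):
    """Collect ServerName and ServerAlias values, ignoring commented-out lines
    (the default vhost in the thread carries a '#ServerName www.example.com')."""
    names = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^(ServerName|ServerAlias)\s+(.+)$", line)
        if not m:
            continue
        for name in m.group(2).split():
            # ServerName may carry a scheme and a port: https://www.example.com:443
            name = re.sub(r"^[a-z]+://", "", name, flags=re.I).split(":", 1)[0].lower()
            if name and name not in names:
                names.append(name)
    return names


def hostname_matches_san(hostname, san):
    """RFC 6125 style DNS-ID match: exact, or a wildcard as the entire leftmost label.

    '*.vanlevy.com' covers 'www.vanlevy.com' but neither 'vanlevy.com' nor
    'a.b.vanlevy.com'; a certificate for only www therefore never covers the apex.
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or "*" in san_labels[1:]:
        return False  # partial or non-leftmost wildcards are not accepted
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def uncovered_names(vhost_names, cert_sans):
    """Names the vhost answers for that no SAN entry matches."""
    return [h for h in vhost_names
            if not any(hostname_matches_san(h, s) for s in cert_sans)]


# Constructed from the thread's ssl vhost plus the suggested ServerAlias.
VHOST_AFTER_FIX = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
        #ServerName www.example.com
        DocumentRoot /var/www/html
        ServerName www.vanlevy.com
        ServerAlias vanlevy.com
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.vanlevy.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.vanlevy.com/privkey.pem
</VirtualHost>
</IfModule>
"""

# SANs of the www-only certificate the thread shows, and of a two-name reissue.
SANS_WWW_ONLY = ["www.vanlevy.com"]
SANS_BOTH = ["www.vanlevy.com", "vanlevy.com"]

if __name__ == "__main__":
    served = names_served_by_vhost(VHOST_AFTER_FIX)
    print("vhost answers for:", served)
    print("not covered by www-only cert:", uncovered_names(served, SANS_WWW_ONLY))
    print("not covered by two-name cert:", uncovered_names(served, SANS_BOTH))
```

An empty "not covered" list for the names you actually serve is the condition to reach before enabling the HTTP-to-HTTPS redirect; until then, the redirect sends apex visitors to a certificate error.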


I think it’s all set now, including the naked domain (which just redirects to the www, which is all I wanted it to do).

In case anyone else has my problem of failing to understand where to go after completing Let's Encrypt's pathways (and happens to be using AWS), I had to:

1.) Add an inbound rule to the EC2 to allow the https port
2.) Set up CloudFlare to basically be a proxy https for the static files that are on my S3
3.) Redirect the static urls to point to the CloudFlare.

Thank you all (JuergenAuer, bmw, schoen) for helping me get this up and running!
