Help with certificate renewal on Amazon Linux (1)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: myappatory.net

I ran this command:
certbot renew --dry-run --preferred-challenges http-01,dns-01

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/myappatory.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for myappatory.net
Cleaning up challenges
Attempting to renew cert (myappatory.net) from /etc/letsencrypt/renewal/myappatory.net.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myappatory.net/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myappatory.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache/2.4.25 (Amazon)

The operating system my web server runs on is (include version):
amazon-linux-ami/2017.03

My hosting provider, if applicable, is:
Amazon

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

How do I add the virtual host listening on port 80 that seems to be required now for http-01 challenges?

Thanks.


#2

Unfortunately this is part of the http-01 validation requirement.
You will need to enable a port 80 listener to handle the validations.
[as well as ensuring the Internet can reach your server over port 80]

There may be a simple way to group all validations into just one dedicated vhost config.
Validating them all from the same document root.


#3

I don’t know how to do that. The only place I can find reference to virtual hosts is in the /etc/httpd/conf.d/ssl.conf file. It has the following -

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https
...
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
... 

Do I need to edit this file? If so what do I need to add?


#4

This should show you your vhosts:
apachectl -t -D DUMP_VHOSTS

They should be “included” in the default config file:
/etc/httpd/httpd.conf ?

If not there, try searching for all conf files:
find /etc/httpd -name '*.conf'


#5

Ok I found on another server I own the following in /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "myappatory-1.com"
    ServerAlias "myappatory-1.com"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myappatory-1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

So can I add these lines to my httpd.conf file and simply change the DNS server name?


#6

If you modify the http->https rewrite rules more “generically”, you can use the same http config file for all your domains.
Like:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This will allow you to include all your sites into this same http conf:
ServerAlias site1.com
ServerAlias site2.com
ServerAlias site3.com

ServerAlias siteX.com
or catch-all with:
ServerAlias *

Then, if using mod_alias, you can just direct all authentication requests (for all domains) to the same folder:
# or whichever path you choose
Alias "/.well-known/acme-challenge" "/etc/httpd/ACMEchallenges"

Certbot should be able to detect this config and use the challenge folder specified (for all domains).
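A complete port-80 vhost of the kind #6 describes, written out here as an added example that is not from any of the thread's posters. The domain myappatory.net and the directory /etc/httpd/ACMEchallenges come from the thread; the file name, the www. alias, the <Directory> block and the rewrite condition that keeps challenge requests out of the HTTPS redirect are my assumptions.

```apache
# /etc/httpd/conf.d/acme-http.conf   (hypothetical file name; any *.conf in
# conf.d is pulled in by the stock Amazon Linux /etc/httpd/conf/httpd.conf)
#
# Plain-HTTP vhost that answers ACME http-01 challenges for every domain
# from one shared directory and redirects everything else to HTTPS.
# Do NOT add "Listen 80" here: httpd.conf already has it, and a second
# Listen on the same port makes httpd fail to bind at start-up.

<VirtualHost *:80>
    ServerName  myappatory.net
    # one ServerAlias per extra domain, or "ServerAlias *" as a catch-all
    ServerAlias www.myappatory.net

    DocumentRoot "/var/www/html"

    # Every domain's challenge tokens are served from this one directory,
    # kept outside DocumentRoot so the ACME client needs no write access
    # to the site content itself.
    Alias "/.well-known/acme-challenge" "/etc/httpd/ACMEchallenges"
    <Directory "/etc/httpd/ACMEchallenges">
        Options None            # no directory listing, no CGI, no symlinks
        AllowOverride None
        Require all granted     # the CA's validation request is unauthenticated
    </Directory>

    RewriteEngine On
    # Challenge requests must be answered over port 80, so exclude them
    # from the redirect; everything else goes to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
```

Check it before renewing: `apachectl -t` for syntax, `apachectl -t -D DUMP_VHOSTS` should now list a `*:80` entry next to the existing `*:443` one, then reload httpd. From a host outside your network, `curl -I http://myappatory.net/.well-known/acme-challenge/test` should come back with a 404 from Apache (the vhost answered directly, the file just does not exist); a 301 to https:// means the challenge path is still being redirected and the exclusion condition is not taking effect. The shared directory is what `certbot --webroot -w /etc/httpd/ACMEchallenges` serves tokens from; the `apache` authenticator the thread uses injects its own temporary challenge configuration into the port-80 vhost, so for it the Alias is optional, but the vhost itself is still required.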


#7

Thanks, but I want to keep things as simple as possible. Would adding the lines for the VirtualHost I posted above work (with changing the DNS name to myappatory.net)?


#8

I can’t see what was there before and what it is you are adding…
So I can’t be sure.


#9

To make it simple: Can I add the following to my httpd.conf file -

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "myappatory.net"
    ServerAlias "myappatory.net"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myappatory.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

There are currently no <VirtualHost …> entries in my httpd.conf file.

apachectl -t -D DUMP_VHOSTS

returns
*:443 myappatory.net (/etc/httpd/conf.d/ssl.conf:56)


#10

If that is the only domain that needs a cert then yes, that should work.


#11

Thanks so much for your help!


#12

Be sure to enable the site:
use a2ensite
(or something like that - I’m not an Apache expert)


#13

a2ensite doesn’t exist on my machine (Amazon Linux). Hopefully that won’t pose a problem.


#14

Well, “enable” it any way you can then.
You can always test it from the Internet to be sure it gets through and responds as expected (first, before getting a cert).


#15

Success!

sudo ./certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/myappatory.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for myappatory.net
Waiting for verification…
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/myappatory.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/myappatory.net/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


#16

are in order!

Now you can remove the --dry-run and renew (as needed).

