How badly did I break it?

This is more of a general question. I am new to the LAMP side of things, coming from Microsoft Server and commercial certs for over a decade now. I also have a bit of a problem with terminology, so you'll have to put on your talking-to-idiots hat as I try to communicate.

Domain: www.mcksa.com (currently intentionally shut down as it is a site for my personal growth)
Web Server: Rocky Linux 8.7 on Proxmox
I have both physical and root access to the machine

Every single step to set up and secure an Apache website has been a fight but nonetheless, I figured it all out, got a cert issued and had https successfully operational as of last night.
I ran a check with SSL Labs and saw the cert name and domains were different. I quickly figured out it was the www that was throwing things off, so I researched how to reissue the cert. Note, during the original set up, I did the "certonly" route.

When I reissued, I did not type "certonly" but I did add both of the domains properly. The cert was successfully created but then added mcksa.com.conf files (one for each domain) in new locations. These new .conf files mirrored the existing virtual host file but with extra stuff in them. httpd will not restart and gives a litany of errors, none of which are even mildly recognizable.

I feel like I should burn it to the ground and start over. It certainly won't take nearly as long to figure out this time. I also apologize but I will not be able to provide logs or things like that until later this evening.

Thanks for any thoughts.

If you want to try to fix this problem show result of below two commands. Otherwise, go ahead and start over and let us know if you need help.

sudo certbot certificates

sudo apachectl -t -D DUMP_VHOSTS

Notes:
Omit sudo if you don't need it
apachectl might be apache2ctl or httpd on your system (I don't recall off-hand)


Thank you. I would like to attempt to fix it but once it installed the certs, I'm having doubts that it is salvageable. I'll get the results for the vhosts dump later this evening.
If anything, it's a learning experience.


This looks like a pretty routine problem to me, although I see these every day :)


Certbot has the option to revert the changes it made to webserver configurations with the certbot rollback subcommand, but the Certbot documentation does not mention it for the Apache plugin? Weird.


To the both of you:

the vhosts dump revealed

Passing arguments to httpd using apachectl is no longer supported.

Edit: I was hastily typing the reply, so I forgot this... I added httpd after typing apachectl and got a response with the location of both .conf files for www and * but nothing else.

Then I did the rollback, which revealed that it was looking for stuff I'd commented out in the earlier desperate attempt to undo what was done. I simply un-commented what I'd commented out and then re-ran rollback.

The rollback worked wonderfully, though unexpectedly the cert was still updated with the proper domains. I assumed it would "roll back" and eliminate the updated domains and such.

I'm glad I didn't nuke the site. This was far easier. I sat down this evening expecting a fight and I am pleasantly surprised.

Thank you both for the assistance!


Good to hear you made progress. If you want to make sure all is clean, please show these results. But, as my Notes said, and as you saw in the error message, substitute httpd for apachectl, like:

sudo certbot certificates

sudo httpd -t -D DUMP_VHOSTS

Certs:

Certificate Name: mcksa.com
Serial Number: <s0m3 s3r1al numb3r>
Key Type: RSA
Domains: mcksa.com www.mcksa.com
Expiry Date: 2023-07-20 01:55:37+00:00 (VALID: 88 days)
Certificate Path: the same path as the original one
Private Key Path: also the same path as the original one

VirtualHost configuration:
*:80 mcksa.com (/etc/httpd/sites-enabled/mcksa.com.conf:1)
*:443 mcksa.com (/etc/httpd/sites-enabled/mcksa.com.conf:12)

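The two diagnostics suggested earlier in the thread answer the question that started it: does every name a TLS virtual host serves appear in the certbot certificate? The script below automates that comparison. It is an added example written for this page, not code from the thread, from certbot or from the Apache project. It assumes a hypothetical example.com host and uses constructed sample output (not the poster's real output) for `certbot certificates` and `httpd -t -D DUMP_VHOSTS`; it also goes beyond the single-vhost output shown above by handling the NameVirtualHost form (`port 443 namevhost ...` with `alias` lines), which is what DUMP_VHOSTS prints once more than one vhost listens on a port.

```sh
#!/bin/sh
# Added example (not from the thread): check that every name a TLS virtual host
# answers to is covered by a certbot-issued certificate. The parsers read the
# command output from stdin so they can be exercised on captured text.

# Pick a binary that accepts "-t -D DUMP_VHOSTS". On Rocky/RHEL 8 apachectl no
# longer forwards arguments ("Passing arguments to httpd using apachectl is no
# longer supported"), so try httpd first; Debian/Ubuntu provide apache2ctl.
httpd_ctl() {
    for b in httpd apache2ctl apachectl; do
        if command -v "$b" >/dev/null 2>&1; then
            printf '%s\n' "$b"
            return 0
        fi
    done
    return 1
}

# Names from every "Domains:" line of `certbot certificates`, one per line.
cert_domains() {
    awk '$1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }'
}

# Names served on a port (default 443) from `httpd -t -D DUMP_VHOSTS`.
# Handles the single-vhost form ("*:443 name (file:line)") and the
# NameVirtualHost form ("port 443 namevhost name" with "alias" lines under it).
vhost_names() {
    awk -v port="${1:-443}" '
        $1 ~ (":" port "$") && $2 != "is" { print $2; next }
        $1 == "port" && $2 == port && $3 == "namevhost" { print $4; inblk = 1; next }
        $1 == "port" && $2 != port { inblk = 0; next }
        $1 == "alias" && inblk { print $2 }
    '
}

# cert_covers_vhosts CERTBOT_OUTPUT DUMP_VHOSTS_OUTPUT [PORT]
# Returns 0 when every vhost name on PORT is a SAN in some certificate, or is
# covered by a single-label wildcard SAN; otherwise lists the gaps and returns 1.
cert_covers_vhosts() {
    certs=" $(printf '%s\n' "$1" | cert_domains | tr '\n' ' ') "
    names=$(printf '%s\n' "$2" | vhost_names "${3:-443}")
    missing=""
    for n in $names; do
        parent="${n#*.}"
        case "$certs" in
            *" $n "*) ;;          # exact SAN match
            *" *.$parent "*) ;;   # wildcard SAN for the parent domain
            *) missing="$missing $n" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'vhost names on port %s not covered by any certificate:%s\n' \
            "${3:-443}" "$missing" >&2
        return 1
    fi
    return 0
}

# Run the check against the live system (as root, since certbot needs it).
live_check() {
    ctl=$(httpd_ctl) || { echo "no httpd/apache2ctl/apachectl found" >&2; return 2; }
    cert_covers_vhosts "$(certbot certificates 2>&1)" "$("$ctl" -t -D DUMP_VHOSTS 2>&1)"
}

# --- Constructed sample output for a hypothetical example.com host ---
VHOSTS_SAMPLE='VirtualHost configuration:
*:80                   example.com (/etc/httpd/sites-enabled/example.com.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/sites-enabled/example.com.conf:12)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/example.com.conf:12)
                 alias www.example.com
         port 443 namevhost mail.example.com (/etc/httpd/sites-enabled/mail.conf:1)'

# A "certonly, bare domain only" certificate: the state that makes SSL Labs
# report a name mismatch for www.
CERT_BEFORE='Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2023-07-20 01:55:37+00:00 (VALID: 88 days)'

# After reissuing with every name the vhosts actually serve.
CERT_AFTER='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com mail.example.com
    Expiry Date: 2023-07-20 01:55:37+00:00 (VALID: 88 days)'

if cert_covers_vhosts "$CERT_BEFORE" "$VHOSTS_SAMPLE"; then
    echo "before reissue: covered"
else
    echo "before reissue: mismatch, as SSL Labs would report"
fi
cert_covers_vhosts "$CERT_AFTER" "$VHOSTS_SAMPLE" && echo "after reissue: all TLS vhost names covered"
```

Save it and call `live_check` as root to run it against the real `certbot certificates` and DUMP_VHOSTS output. Two caveats: the check unions the names of all certificates certbot knows about, so it confirms a name is issued somewhere but not that the right certificate file is referenced in the right vhost, and wildcard matching is the one-label rule browsers apply, so `*.example.com` does not cover `example.com` itself or `a.b.example.com`.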

Looks nice! Cheers.

You can check the renew w/

sudo certbot renew --dry-run

--dry-run won't affect your existing certs. It's designed for this kind of test.


Congratulations, all simulated renewals succeeded

You people are fantastic. I sincerely expected a headache this evening.

