How to check if renewal setup is correct (LAMPP installation)

My domain is: 123.online-server.cloud

My web server is (include version):
LAMPP installation
Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1l PHP/7.3.33 mod_perl/2.0.11 Perl/v5.32.1

The operating system my web server runs on is (include version): Ubuntu server 20.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.26.0


Hello,
I'd like to check if the auto-renewal is correctly configured and active. The certificate will expire on June the first. I used snapd to install it the first time.
Following these posts (post1, post2): crontab has no entries; instead, OnCalendar gave me this result:

$ grep OnCalendar /etc/systemd/system/snap.certbot.renew.timer
OnCalendar=*-*-* 03:55
OnCalendar=*-*-* 13:28

(does this mean that it is configured correctly?)

But if I run:

$ sudo certbot renew --dry-run

I get this:

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Failed to renew certificate 123.online-server.cloud with error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Could it be because, in the XAMPP installation, the Apache working directory is /opt/lampp/?

yes.

you can tell certbot that.

  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory (default: /etc/apache2)

  --apache-bin APACHE_BIN
                        Full path to apache2/httpd binary (default: None)

and more: User Guide — Certbot 1.26.0 documentation


Thanks 9peppe, could this command also be helpful, or could it generate some conflict?

certbot renew --cert-name "certificate name" --deploy-hook "/opt/lampp/lampp start"

that command won't conflict but might be redundant.

if you use the apache plugin, certbot should do everything (you need to set it up with all the nonstandard paths, read the page I linked)


I read the documentation, but, just to be sure, when saying "nonstandard paths", did I write the commands correctly:

certbot --apache-server-root "/opt/lampp"
certbot --apache-bin "/opt/lampp/bin"

also /opt/lampp/bin/ contains an httpd file, not sure it's a binary.

no. it's one command:

certbot renew --cert-name "the_cert" --apache --apache-bin /opt/lampp/bin/httpd --apache-server-root /some/other/path/where/httpd.conf/is


Thanks 9peppe, just to be sure if I wrote it right:

certbot renew --cert-name "123.online-server.cloud" --apache --apache-bin /opt/lampp/bin/httpd --apache-server-root /opt/lampp/etc/httpd.conf


certbot renew --cert-name "123.online-server.cloud" --apache --apache-bin /opt/lampp/bin/httpd --apache-server-root /opt/lampp/etc/

it should be like this. you can add --dry-run to make your experiments and check if it works.

I don't know if that's going to be enough because that directory is not exclusive to apache.


Thanks 9peppe, you helped me a lot, with success, from the beginning of my project, but this time I think I have a few problems to solve first.

I try to explain with order hoping not to mess up too much.

If I add this line:

Include "/opt/lampp/apache2/conf/httpd.conf"

at the end of my file /opt/lampp/etc/httpd.conf, and then run /opt/lampp restart, I get this error:

Starting XAMPP for Linux 7.3.33-0...
XAMPP: Starting Apache...fail.
AH00526: Syntax error on line 7 of /etc/letsencrypt/options-ssl-apache.conf:
SSLEngine not allowed in <Directory> context

I think that where it says "SSLEngine not allowed in context" there is the clue.

This is file /opt/lampp/apache2/conf/httpd.conf

Alias /bitnami/ "/opt/lampp/apache2/htdocs/"
Alias /bitnami "/opt/lampp/apache2/htdocs"

<Directory "/opt/lampp/apache2/htdocs">
    Include /etc/letsencrypt/options-ssl-apache.conf
    Options Indexes FollowSymLinks
    #Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

This is the file /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

This is /opt/lampp/etc/extra/httpd-vhosts.conf

<VirtualHost *:80>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://123.online-server.cloud/$1 [R=301,L]

</VirtualHost>

<VirtualHost *:443>

    #SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/123.online-server.cloud/privkey.pem

    ErrorLog "logs/123.online-server.cloud-error_log"
    CustomLog "logs/123.online-server.cloud-access_log" common
</VirtualHost>

Thanks again for any suggestion you can provide.


Well... Don't include that file in that context. Include it outside.

Also, I can't read your config carefully right now. But you should get the actual Apache documentation and read it.

You're not making small adjustments, you're nearly rewriting the whole thing, you need to understand what you're doing and understand it well.


SOLVED: the renewal now seems to be ok.

Thanks to this post Installing a certificate in a LAMP configuration where @rg305 gave great support to the user. Thanks also to @9peppe for the last reply.

What I did is mostly explained in that topic, but just in my case I have modified the DocumentRoot directives in these files:
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/000-default-le-ssl.conf

to match the lampp root of website pages

DocumentRoot /opt/lampp/htdocs

After running:

sudo certbot certonly --webroot -w /opt/lampp/htdocs -d 123.online-server.cloud

the result reassures me:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for 123.online-server.cloud

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
Key is saved at: /etc/letsencrypt/live/123.online-server.cloud/privkey.pem
This certificate expires on 2022-08-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

then also running

sudo certbot renew --dry-run

confirms the good result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/123.online-server.cloud.conf


Simulating renewal of an existing certificate for 123.online-server.cloud


Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/123.online-server.cloud/fullchain.pem (success)


I've got just one doubt which I hope someone can clarify: the certificate read by the browser at this moment expires on:

notBefore=Mar 3 13:03:35 2022 GMT
notAfter=Jun 1 13:03:34 2022 GMT

running, at the end of my process,
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/123.online-server.cloud/cert.pem

gives:

notBefore=May 3 10:12:33 2022 GMT
notAfter=Aug 1 10:12:32 2022 GMT

which I consider the new one.

Does it mean that the new one will be automatically read by the browser right after the first of June?

Thanks a lot.

No, it means you used certonly and you have to reload apache manually. You could do it manually, or add a

--deploy-hook "command that reloads apache"

option to your certbot invocation.

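An added example, not code from this thread, from certbot or from XAMPP: a deploy hook that performs the Apache reload 9peppe describes and then checks from the server itself that the certificate presented on port 443 is the one certbot just wrote, which is the "which certificate does the browser see" question above. Assumptions not taken from the thread: the script lives at a path like /usr/local/bin/lampp-deploy-hook.py and is passed with --deploy-hook, the XAMPP control script accepts a reloadapache verb, and openssl is on PATH. RENEWED_LINEAGE and RENEWED_DOMAINS are environment variables certbot itself sets when it runs a deploy hook.

```python
#!/usr/bin/env python3
"""Certbot deploy hook for a XAMPP (LAMPP) Apache, with a post-reload check.

Added example, not taken from the thread, from certbot or from XAMPP.
Assumed (not from the thread): the script is installed somewhere like
/usr/local/bin/lampp-deploy-hook.py and passed to certbot with
--deploy-hook, and the XAMPP control script accepts "reloadapache".
RENEWED_LINEAGE and RENEWED_DOMAINS are set by certbot for deploy hooks.
"""
import hashlib
import os
import ssl
import subprocess
import sys
from datetime import datetime, timezone

LAMPP = "/opt/lampp/lampp"                # XAMPP control script (assumption)
RELOAD_CMD = [LAMPP, "reloadapache"]      # graceful Apache reload (assumption)


def fingerprint(pem: str) -> str:
    """Hex SHA-256 over the DER bytes of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def needs_reload(served_pem: str, disk_pem: str) -> bool:
    """True while Apache still presents a certificate other than the one on disk.

    This is the situation in the thread: certonly wrote the new cert.pem, but
    the running httpd keeps the old one in memory until it is reloaded."""
    return fingerprint(served_pem) != fingerprint(disk_pem)


def parse_openssl_dates(text: str) -> "tuple[datetime, datetime]":
    """Parse `openssl x509 -noout -dates` output into UTC-aware datetimes."""
    values = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            # openssl pads single-digit days ("Jun  1"); collapse the spaces.
            values[key.strip()] = " ".join(raw.split())
    fmt = "%b %d %H:%M:%S %Y GMT"
    not_before = datetime.strptime(values["notBefore"], fmt)
    not_after = datetime.strptime(values["notAfter"], fmt)
    return (not_before.replace(tzinfo=timezone.utc),
            not_after.replace(tzinfo=timezone.utc))


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def served_certificate(host: str, port: int = 443) -> str:
    """PEM of the leaf certificate the server presents for `host` (with SNI)."""
    return ssl.get_server_certificate((host, port))


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")
    domains = os.environ.get("RENEWED_DOMAINS", "").split()
    if not lineage or not domains:
        print("expected to be run by certbot as a --deploy-hook", file=sys.stderr)
        return 2
    cert_path = os.path.join(lineage, "cert.pem")
    with open(cert_path) as fh:
        disk_pem = fh.read()

    # certonly only writes the files; Apache has to be told to pick them up.
    subprocess.run(RELOAD_CMD, check=True)

    host = domains[0]
    if needs_reload(served_certificate(host), disk_pem):
        print(f"{host}: Apache still serves the previous certificate", file=sys.stderr)
        return 1
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", cert_path],
                           capture_output=True, text=True, check=True).stdout
    _, not_after = parse_openssl_dates(dates)
    print(f"{host}: serving the renewed certificate, "
          f"{days_left(not_after, datetime.now(timezone.utc))} days left")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Passing the hook once with `certbot certonly --webroot ... --deploy-hook /usr/local/bin/lampp-deploy-hook.py` is enough: certbot stores the deploy hook in the renewal configuration, so the timer-driven renewals run it too. A non-zero exit from the hook shows up in certbot's output and /var/log/letsencrypt/letsencrypt.log, which is the signal to look at that the reload did not actually take effect.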
