How to force Apache 2.4 (httpd) to read fullchain.pem? certbot seems to work but I have an https:// issue X86_64 GNU/Linux (Linux 2 AMI)

Port 80 :upside_down_face:, now I will try:

certbot --redirect --uir

I ran this command:

certbot --redirect --uir

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: onearth.studio
2: www.onearth.studio
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/onearth.studio.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

Shall I choose 1 or 2?


For Sure! (It's a "blue pill" "red pill" thing)

:cold_face: :hot_face:
I'll go for... 1
I do trust you!


That's a scary thought!
And now your redirect is working!

HTTP/1.1 301 Moved Permanently
Date: Sun, 02 May 2021 17:55:58 GMT
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips PHP/7.4.15
Location: https://onearth.studio/
Content-Type: text/html; charset=iso-8859-1


I ran this command:

1

It produced this output:

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf
Adding Upgrade-Insecure-Requests header to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf
Enhancement Upgrade-Insecure-Requests was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://onearth.studio and
https://www.onearth.studio
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This is exactly what we want to see! We're getting there!
@griffin was pointing out you might still be getting a "not found" error? Is this still happening?


What says sudo apachectl -S now?


:sweat_smile: :grinning: :smiley:
THX RIP!
THX GRIFFIN!
THX TO ALL LET'S ENCRYPT COMMUNITY SUPPORT TEAM!


You're quite welcome! :slightly_smiling_face:


Of course you are very welcome. Would you please show the output of:

sudo apachectl -S

To relieve our anxiety :thinking:


I ran this command:

sudo apachectl -S

It produced this answer:

AH00526: Syntax error on line 24 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/onearth.studio/fullchain.pem' does not exist or is empty

Still can't read fullchain.pem, should I post it?


I'm pondering this.
Testing shows the certificate chain to be correct. But why this error?

sudo apachectl configtest shows "Syntax OK"
but
sudo apachectl -S shows the error.

Looking into a few workflows so as to verify the certificate.

Can we have another look at the output from:

sudo certbot certificates

Thanks for your answer, I ran this command:

sudo certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: onearth.studio
    Serial Number: 4194300b99ca8a4ebb03f7cf8a68856c8b1
    Key Type: RSA
    Domains: onearth.studio www.onearth.studio
    Expiry Date: 2021-07-24 18:28:10+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/onearth.studio/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/onearth.studio/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I think @Osiris has experience debugging this kind of thing. Maybe he'll give us a "leg up" and help us verify the certificate existence and validity.

@griffin is still working it too!


One would think the apachectl -S wasn't run through sudo even when @OnEarth said he/she did so :thinking: Usually this (the situation where the file and its contents do actually exist, but Apache says it doesn't) is the result of a permission problem.


Is there a certbot command that can be used to fix permissions and file structure?

@OnEarth Are you certain that you ran: sudo apachectl -S ??


Not that I know of. But it's very rare for root not to be able to read the files in question.


Does apache have directory access (execute permission) all the way up into live?

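One way to answer the directory-access question above, added here as an example and not code from the thread or from certbot: the shell function below resolves the live/ symlink to its archive/ target (the file mod_ssl actually opens) and then walks every directory from a base down, checking the other-execute bit on each directory and, on the final file, the other-read bit plus a non-empty size. It uses the "other" permission bits as a proxy for what the apache user (uid 48, assumed not to be in any owning group along the path) could do; that proxy, the base-directory argument, and the constructed example.test paths in the comments are assumptions. One caveat for reading the result: a stock httpd parses its configuration and loads certificates as root before dropping to the apache user, and certbot keeps live/ and archive/ root-only by default, so a FAIL at those two directories is expected on a normal install and does not on its own explain the AH00526 error. The walk matters when apachectl is run without sudo, when httpd itself is started unprivileged, or when another non-root service reads the same files.

```shell
#!/bin/sh
# Added example (not from the thread): walk every component of a certificate
# path and report whether a non-root, non-owner user such as apache (uid 48)
# could traverse each directory and read the final file.
# Assumptions not stated in the thread:
#  - the "other" permission bits are the right proxy (apache is not in the
#    owning group anywhere along the path);
#  - readlink -f is available (GNU coreutils / BusyBox) to follow the
#    live/ -> archive/ symlinks that certbot creates.

# perm_walk FILE [BASE]
# Walks FILE's real path from BASE (default "/", assumed traversable) down.
# Prints one line per component and returns 0 only if every directory has the
# other-execute bit and the file exists, is non-empty and is other-readable.
# Returns 2 if the resolved file does not live below BASE.
perm_walk() {
    file=$1
    base=${2:-/}
    # mod_ssl opens the symlink target, so resolve live/ -> archive/ first.
    real=$(readlink -f "$file" 2>/dev/null) || real=$file
    base=$(readlink -f "$base" 2>/dev/null) || base=${2:-/}
    base=${base%/}/                      # normalise to one trailing slash
    rel=${real#"$base"}
    if [ "$rel" = "$real" ]; then
        printf 'ERR  %s is not below %s\n' "$real" "$base"
        return 2
    fi
    rc=0
    path=${base%/}
    old_ifs=$IFS; IFS=/
    set -- $rel                          # split the relative path on "/"
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ ! -e "$path" ]; then
            printf 'FAIL ---------- %s (missing)\n' "$path"
            return 1
        fi
        # First 10 chars of ls -ld: type + rwxrwxrwx (SELinux "." is cut off).
        mode=$(ls -ld "$path" | cut -c1-10)
        if [ -d "$path" ]; then
            # Traversal needs "x" (or sticky "t") in the other-execute slot.
            case $mode in
                ?????????[xt]) printf 'OK   %s %s\n' "$mode" "$path" ;;
                *) printf 'FAIL %s %s (others cannot traverse)\n' "$mode" "$path"
                   rc=1 ;;
            esac
        else
            why=""
            case $mode in
                ???????r??) ;;
                *) why="not readable by others" ;;
            esac
            [ -s "$path" ] || why="${why:+$why, }empty"
            if [ -z "$why" ]; then
                printf 'OK   %s %s\n' "$mode" "$path"
            else
                printf 'FAIL %s %s (%s)\n' "$mode" "$path" "$why"
                rc=1
            fi
        fi
    done
    return $rc
}

# Stand-alone use on the host from the thread (run with sudo so that ls can
# stat inside the root-only live/ and archive/ directories):
#   perm_walk /etc/letsencrypt/live/onearth.studio/fullchain.pem
```

The function reports on the resolved archive/ path rather than the live/ symlink, because a symlink that is readable but points into a directory the reader cannot traverse produces exactly the "does not exist or is empty" symptom; the empty-file check covers the other half of that message.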

Osiris, Rip and Griffin, I did a copy and paste with the

sudo apachectl -S

command, I am pretty sure, but who knows, I might have made a mistake, because now the output is different:

VirtualHost configuration:
*:80                   onearth.studio (/etc/httpd/conf/httpd.conf:58)
*:443                  is a NameVirtualHost
         default server ip-172-31-33-253.us-east-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-33-253.us-east-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost onearth.studio (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.onearth.studio
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/etc/httpd/htdocs"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48