I deleted my ssl cert and now certbot won't let me get another one

It doesn't need to be a file system permission issue. Could also be a permission issue from within Apache. Therefore: access and error logs! Don't play a guessing game, get the facts straight.

4 Likes

I totally agree about viewing the logs.

What would/could cause this aside from a file-system related permission conflict with the apache process:

Maybe I'm not familiar enough with the guts of apache itself here?

3 Likes

Shouldn't be possible in this specific case, as certbot places all kinds of permissive permissions in the "post config file" as mentioned above.

4 Likes

That's what had me stumped. I've run into a few permission-related issues before, but didn't want to proceed here for concern of what might be lurking beneath.

3 Likes

@JuergenAuer @Osiris Ok, I'm back. I think the apache error log is explaining the problem here. This same error repeated over and over. Seems to coincide with my calls to certbot:

[Sat May 01 23:54:45.088171 2021] [core:error] [pid 108776:tid 140308787074816] (13)Permission denied: [client 17.58.91.224:35276] AH00035: access to /.well-known/acme-challenge/jLh_t-WCCDK8BJS8aWpbYCG-TTx4Jp13FjILQ7ObMGw denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path

Here are the permissions within that path:
drwxr-xr-x 14 root root 4096 May  1 08:54 var
drwxr-xr-x 41 root root 4096 May  1 09:28 lib
drwx------  4 root root 4096 May  2 09:08 letsencrypt
drwxr-xr-x  2 root root 4096 May  2 07:33 http_challenges
2 Likes
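The error above says Apache's worker could not traverse a directory on the way to the challenge file, and the listing shows which one (letsencrypt is 700, so only root can search it). Below is an added helper, not from this thread or from certbot, that walks each directory component of a path and reports the first one whose mode lacks the search (execute) bit for "other", which is what an unprivileged www-data worker relies on when the directories belong to root. It uses GNU `stat -c`, and the demo at the bottom builds a constructed temp tree with the same shape rather than touching the real /var/lib/letsencrypt.

```shell
#!/bin/sh
# Added example (not part of the forum thread). Walks every directory
# component of a path and reports the first one that Apache's unprivileged
# worker could not "search" (the x bit for "other"). Assumes the directories
# are root-owned, so www-data falls into the "other" class, and GNU stat.

# Print "<dir> (mode NNN)" for the first unsearchable component and return 1;
# print nothing and return 0 when every component is searchable.
first_unsearchable_component() {
    _path=$1
    case $_path in /*) _cur="" ;; *) _cur="." ;; esac
    _old_ifs=$IFS
    IFS=/
    set -- $_path            # split on "/" into positional parameters
    IFS=$_old_ifs
    for _part in "$@"; do
        [ -z "$_part" ] && continue        # leading "/" or "//" yields empty fields
        _cur="$_cur/$_part"
        [ -d "$_cur" ] || continue         # only directories need the search bit
        _mode=$(stat -c %a "$_cur")        # e.g. 755, 700, 1777
        _other=${_mode#"${_mode%?}"}       # last octal digit = permissions for "other"
        case $_other in
            1|3|5|7) ;;                    # odd digit: execute/search bit is set
            *) printf '%s (mode %s)\n' "$_cur" "$_mode"; return 1 ;;
        esac
    done
    return 0
}

# Constructed demonstration tree (not the poster's server): same layout as
# /var/lib/letsencrypt/http_challenges with the parent locked down to 700.
demo_permission_walk() {
    _tmp=$(mktemp -d) && chmod 755 "$_tmp"   # mktemp creates 700; open it for the demo
    mkdir -p "$_tmp/var/lib/letsencrypt/http_challenges"
    chmod 700 "$_tmp/var/lib/letsencrypt"
    echo "Before fix:"
    first_unsearchable_component "$_tmp/var/lib/letsencrypt/http_challenges" \
        || echo "  -> Apache workers cannot traverse this component"
    chmod 755 "$_tmp/var/lib/letsencrypt"
    echo "After chmod 755 on letsencrypt/:"
    first_unsearchable_component "$_tmp/var/lib/letsencrypt/http_challenges" \
        && echo "  -> every component is searchable"
    rm -rf "$_tmp"
}

demo_permission_walk
```

Run it against the real path with `first_unsearchable_component /var/lib/letsencrypt/http_challenges` to confirm nothing else on the chain is blocking before reaching for `chmod`; 755 on the directory is the same mode the other posters report on their servers.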

That one is drwxr-xr-x on my server.

4 Likes

Oh wow!

root@ip-72-167-33-188:/var/lib# chmod 755 letsencrypt/
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot --apache -d "cozybroadcast.stream,www.cozybroadcast.stream"

...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://cozybroadcast.stream and
https://www.cozybroadcast.stream
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank you, everybody! @griffin @Osiris @JuergenAuer

3 Likes

You're very welcome! :slightly_smiling_face:

3 Likes

This created a second .conf for both default and my url. Should I remove the old url one or disable the new default one?

root@ip-72-167-33-188:/etc/apache2/sites-available# ls
000-default.conf                  cozybroadcast.stream.conf
cozybroadcast.stream-le-ssl.conf  default-ssl.conf
2 Likes

sudo ls -lRa /etc/apache2/sites-enabled

3 Likes
root@ip-72-167-33-188:/etc/apache2/sites-available# sudo ls -lRA
.:
total 20
-rw-r--r-- 1 root root 1332 Apr 13  2020 000-default.conf
-rw------- 1 root root 1623 May  2 21:30 cozybroadcast.stream-le-ssl.conf
-rw------- 1 root root 1627 May  2 21:51 cozybroadcast.stream.conf
-rw-r--r-- 1 root root 6338 Apr 13  2020 default-ssl.conf
2 Likes

and...

sudo ls -lRA /etc/apache2/sites-enabled

3 Likes

:man_facepalming:

root@ip-72-167-33-188:/# sudo ls -lRA /etc/apache2/sites-enabled
/etc/apache2/sites-enabled:
total 4
lrwxrwxrwx 1 root root 61 May  2 21:30 cozybroadcast.stream-le-ssl.conf -> /etc/apache2/sites-available/cozybroadcast.stream-le-ssl.conf
lrwxrwxrwx 1 root root 44 May  1 09:26 cozybroadcast.stream.conf -> ../sites-available/cozybroadcast.stream.conf
2 Likes

Happens to us all!

:grin:

3 Likes

So I'm confused that I have two .confs enabled now. Which one should I add my virtual host proxy instructions to? Or should I just disable the old one altogether?

2 Likes

If you look at the two enabled confs, you'll see that cozybroadcast.stream.conf is for port 80 (and is redirected to https) while cozybroadcast.stream-le-ssl.conf (created by certbot) is a mirror of cozybroadcast.stream.conf for port 443 with the necessary SSL pieces. You need both. You would likely want your proxy instructions in httpd-le-ssl.conf since you want the requests to come in from the internet via https on port 443.

5 Likes

Ah, ok, thanks. But I keep my app listening on port 80?

3 Likes

If you were to disable the port 80 conf:

  • Most browsers wouldn't be able to reach your site via an entered address since the default protocol is http (port 80)
  • Your certificate renewal would fail due to port 80 not responding

4 Likes

The next thing you should do is decide if you want cozybroadcast.stream or www.cozybroadcast.stream to be the canonical (official) name for your website and redirect all your traffic to your choice.

4 Likes
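To make the two-conf layout from the replies above concrete (port 80 kept alive and redirecting to https, port 443 carrying the TLS directives and the proxy, plus a canonical-name redirect), here is an added example that is not the poster's configuration or certbot's generated files. It writes a constructed pair of vhost files for a placeholder host `example.test` into a temp directory and summarises each file's port, whether TLS is enabled and whether the proxy lives there. Certificate paths, the backend `127.0.0.1:3000` and the rewrite rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Two Apache vhost files in the shape
# certbot's --apache flow leaves behind, plus a small summariser. Hostnames,
# certificate paths and the backend address are constructed placeholders.

write_vhosts() {
    dir=$1
    mkdir -p "$dir"
    # Port 80 stays enabled: browsers default to http, and http-01 renewals
    # need to reach it. Everything it receives is sent to https.
    cat > "$dir/example.test.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.test
    ServerAlias www.example.test
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
    # Port 443 is the mirror certbot creates, with the TLS pieces. The proxy
    # and the canonical-name redirect belong on this side.
    cat > "$dir/example.test-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.test
    ServerAlias www.example.test
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Canonical name: send www.example.test to example.test over https.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.example\.test$ [NC]
    RewriteRule ^ https://example.test%{REQUEST_URI} [R=301,L]

    # Application proxy (assumed backend on loopback port 3000).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
</IfModule>
EOF
}

# Print "<file> <port> <tls yes|no> <proxy yes|no>" for each conf given.
summarise_vhosts() {
    for f in "$@"; do
        port=$(sed -n 's/.*<VirtualHost \*:\([0-9]*\)>.*/\1/p' "$f" | head -n1)
        if grep -q '^[[:space:]]*SSLEngine[[:space:]]*on' "$f"; then tls=yes; else tls=no; fi
        if grep -q '^[[:space:]]*ProxyPass[[:space:]]' "$f"; then proxy=yes; else proxy=no; fi
        printf '%s %s %s %s\n' "$(basename "$f")" "$port" "$tls" "$proxy"
    done
}

# Demo on a constructed directory, not /etc/apache2.
demo_dir=$(mktemp -d)
write_vhosts "$demo_dir"
summarise_vhosts "$demo_dir/example.test.conf" "$demo_dir/example.test-le-ssl.conf"
rm -rf "$demo_dir"
```

On a live server the same question ("which enabled file serves which port?") is answered by `apache2ctl -S`, which prints every vhost with its port and the file and line it came from; the summariser above is just the offline version of that check for the two files in play.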

Ok, great. I think I've got everything to move on to setting up pm2.
Thanks for your help, again.

3 Likes