I deleted my ssl cert and now certbot won't let me get another one

Oh? I thought cozybroadcast.stream was the official one and www redirected to it, based on this:

ServerAdmin campervan@cozybroadcast.stream
DocumentRoot /var/www/cozybroadcast.stream/
ServerName cozybroadcast.stream
ServerAlias www.cozybroadcast.stream

The RewriteRule that certbot creates in the port 80 conf actually ends up just redirecting to https without stripping or adding www. to the name. Also, there is no redirect at all in the port 443 conf file to either non-www or www.


Personally, I would just replace the entire Rewrite section added by certbot in the port 80 conf with either this:

Redirect permanent / https://cozybroadcast.stream/

or this:

Redirect permanent / https://www.cozybroadcast.stream/

Ok, so since I prefer no "www" because it feels dated to me, I replace all of this:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.cozybroadcast.stream [OR]
RewriteCond %{SERVER_NAME} =cozybroadcast.stream
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

with this:

Redirect permanent / https://cozybroadcast.stream/

You can actually duplicate the port 443 VirtualHost inside the cozybroadcast.stream-le-ssl.conf file itself and then, for example, have one port 443 VirtualHost contain:

ServerName www.cozybroadcast.stream

Redirect permanent / https://cozybroadcast.stream/

standard stuff

and the other port 443 VirtualHost have:

ServerName cozybroadcast.stream

standard stuff

your stuff

Neither port 443 VirtualHost would have a ServerAlias in that case.


That's absolutely correct. :slightly_smiling_face:


After doing those things, you'll want to reload apache:

sudo apachectl -k graceful

then update your certbot renewal configuration so it doesn't screw up your optimizations upon renewal:

sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --deploy-hook "sudo apachectl -k graceful" --force-renewal

That certbot command will also necessarily update your certificate to set the correct renewal parameters.

You can then test your renewal with this:

sudo certbot renew --dry-run

If that works (and your configuration files don't get messed up), you should be good to go.


Sorry, you lost me here. What do you mean by "your stuff; standard stuff"?
Is that all the proxy stuff? Like:

<Proxy *>
    # Apache 2.2 access-control syntax; on 2.4 the equivalent is "Require all granted"
    Order deny,allow
    Allow from all
</Proxy>
SSLEngine on
SSLProxyEngine On
SSLCertificateFile    [path/to]/server.cert
SSLCertificateKeyFile [path/to]/server.key
# The next four directives switch off validation of the backend's certificate
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# ProxyPass / ProxyPassReverse take a path followed by the backend URL (backend elided here)
ProxyPass /[your port number]/
ProxyPassReverse /[your port number]/

Standard stuff is just the basic SSL stuff to establish connection to the port 443 VirtualHost for www.cozybroadcast.stream before redirecting to the port 443 VirtualHost for cozybroadcast.stream where all the real action happens.

In essence, the standard stuff is the lines added by certbot to your port 443 VirtualHost beyond what it copied from your basic port 80 VirtualHost.

Your stuff is all of your proxy directives and other customizations.

Basically, the entire port 80 VirtualHost and the port 443 VirtualHost for www.cozybroadcast.stream only serve to redirect to the port 443 VirtualHost for cozybroadcast.stream where anything of value happens.


You need to be sure to also put these SSL directives in the port 443 VirtualHost for www.cozybroadcast.stream or you'll run into problems with that address not working:

SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/cozybroadcast.stream/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cozybroadcast.stream/privkey.pem

The ServerAlias www.cozybroadcast.stream that you commented out in the port 443 VirtualHost for cozybroadcast.stream should be removed entirely. You want the port 443 VirtualHost for www.cozybroadcast.stream to handle requests for that host.

Without these lines in a VirtualHost:

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

I don't think you'll get any logging for activity pertaining to that VirtualHost.

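Putting the layout from the replies above together (the port 80 VirtualHost and the www port 443 VirtualHost exist only to redirect; the bare-host port 443 VirtualHost carries the "standard stuff" plus "your stuff"), here is a complete example of both files. This is an added illustration, not configuration taken from the thread: the file paths and log file names follow Debian/Ubuntu conventions, the backend URL http://127.0.0.1:8080/ in the proxy section and the Strict-Transport-Security header are assumptions, and the Let's Encrypt paths are the ones certbot uses for a certificate whose first name is cozybroadcast.stream.

```apache
# /etc/apache2/sites-available/cozybroadcast.stream.conf  (port 80; path assumed)
<VirtualHost *:80>
    ServerName cozybroadcast.stream
    ServerAlias www.cozybroadcast.stream
    ServerAdmin campervan@cozybroadcast.stream
    DocumentRoot /var/www/cozybroadcast.stream/

    ErrorLog ${APACHE_LOG_DIR}/cozybroadcast-error.log
    CustomLog ${APACHE_LOG_DIR}/cozybroadcast-access.log combined

    # Replaces certbot's RewriteEngine/RewriteCond/RewriteRule block: every
    # plain-HTTP request, for either host name, goes to the canonical HTTPS
    # host in a single hop instead of bouncing through https://www.
    Redirect permanent / https://cozybroadcast.stream/
</VirtualHost>

# /etc/apache2/sites-available/cozybroadcast.stream-le-ssl.conf  (port 443; path assumed)
<IfModule mod_ssl.c>
# www host: "standard stuff" only. No ServerAlias and no proxy directives.
# The SSL directives are required here too, otherwise the TLS handshake for
# www.cozybroadcast.stream fails before any redirect can be sent.
<VirtualHost *:443>
    ServerName www.cozybroadcast.stream
    ServerAdmin campervan@cozybroadcast.stream

    ErrorLog ${APACHE_LOG_DIR}/cozybroadcast-error.log
    CustomLog ${APACHE_LOG_DIR}/cozybroadcast-access.log combined

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    # One certificate covers both names, so both VirtualHosts point at the same files
    SSLCertificateFile /etc/letsencrypt/live/cozybroadcast.stream/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cozybroadcast.stream/privkey.pem

    Redirect permanent / https://cozybroadcast.stream/
</VirtualHost>

# Canonical host: "standard stuff" plus "your stuff".
<VirtualHost *:443>
    ServerName cozybroadcast.stream
    ServerAdmin campervan@cozybroadcast.stream
    DocumentRoot /var/www/cozybroadcast.stream/

    ErrorLog ${APACHE_LOG_DIR}/cozybroadcast-error.log
    CustomLog ${APACHE_LOG_DIR}/cozybroadcast-access.log combined

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/cozybroadcast.stream/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cozybroadcast.stream/privkey.pem

    # Assumed hardening, not from the thread: browsers that have seen this host
    # over HTTPS stop trying plain HTTP. Needs mod_headers (a2enmod headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # "your stuff": reverse proxy to the application. The AH01144 error quoted
    # in the thread ("No protocol handler was valid for the URL / (scheme 'https')")
    # means mod_proxy's protocol submodule is not loaded; on Debian/Ubuntu:
    #   a2enmod proxy proxy_http
    # (mod_proxy_http handles both http:// and https:// backends.)
    # Backend address is an assumption for this example.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Only if the backend itself speaks TLS. SSLProxyVerify none and the
    # SSLProxyCheckPeer* off directives from the posted snippet remove all
    # authentication of the backend, so reserve them for a loopback backend.
    # SSLProxyEngine On
</VirtualHost>
</IfModule>
```

After writing both files, `sudo apachectl configtest` before `sudo apachectl -k graceful` catches a missing module or a typo without dropping the running server; `curl -sI http://www.cozybroadcast.stream/` and `curl -sI https://www.cozybroadcast.stream/` should each show a single 301 with `Location: https://cozybroadcast.stream/`.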

Thank you. Everything works great until I start adding the Proxy stuff in, but I don't think that has to do with the SSL. It's a 500 error:

[client] AH01144: No protocol handler was valid for the URL / (scheme 'https'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer:

Our issue for this upstream is Apache may not have permission to read webroot directory for challenges · Issue #6561 · certbot/certbot · GitHub. A restrictive umask might do it, but regardless of how the user finds themselves in this situation, that issue is tracking avoiding or providing better error output about this problem.


Thanks much as always, @bmw.

