I screwed up. Certbot failing, won't create certs. See below

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crucis.net

I ran this command: sudo certbot --apache

It produced this output: Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/ares.crucis.net-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/ares.crucis.net-0001/fullchain.pem' does not exist or is empty

My web server is (include version): Apache/2.4.57 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 23.10

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I was trying to reinstall the certificates and somehow messed everything up. Now, getting certbot errors.

Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/ares.crucis.net-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/ares.crucis.net-0001/fullchain.pem' does not exist or is empty

Can't recreate missing/invalid certificate.

Hello @Crucis, welcome to the Let's Encrypt community. :slightly_smiling_face:

I don't have any solutions, but to jump-start others (I know these will be asked).

Show the output of each

  • sudo apachectl -t -D DUMP_VHOSTS
  • sudo netstat -pant | grep -E ':443|:80' | grep -i listen
    Use sudo ss -pant ... if you don't have netstat

You may have to disable that site to get Apache to start.
Once started, you can then move towards reinstalling the cert [if it still exists] OR reissuing a new cert and installing the new one.

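The advice above is to first find which enabled site is pointing at the deleted lineage, disable it so Apache can start, and only then reinstall or reissue. The following is an added example, not code from the thread or from Certbot: a small bash check that lists every site config under a directory whose SSLCertificateFile or SSLCertificateKeyFile names a missing or empty file (the same test Apache applies when it raises AH00526). The sample directory it builds is constructed for the demonstration with hypothetical paths, not the poster's real files.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: find the Apache site configs whose
# SSLCertificateFile / SSLCertificateKeyFile point at a missing or empty file.
# Each file this prints is a candidate for "a2dissite <name>" so that Apache
# starts again before certbot is re-run.
set -eu

# Print the basename of every *.conf in $1 that references a certificate or
# key path which does not exist or is empty.
find_broken_ssl_sites() {
    local dir="$1" conf path
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        # Directive lines look like: SSLCertificateFile /etc/letsencrypt/live/x/fullchain.pem
        grep -Ei '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+' "$conf" \
            | awk '{ gsub(/^"|"$/, "", $2); print $2 }' \
            | while IFS= read -r path; do
                if [ ! -s "$path" ]; then
                    basename "$conf"
                    break      # one report per file is enough
                fi
            done
    done
    return 0
}

# Constructed sample (hypothetical paths, not the poster's real files): one
# site whose lineage still exists and one pointing at the deleted
# ares.crucis.net-0001 lineage. Prints the directory it created.
make_demo_dir() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/live/crucis.net"
    printf 'not a real certificate\n' > "$d/live/crucis.net/fullchain.pem"
    printf 'not a real key\n'         > "$d/live/crucis.net/privkey.pem"
    cat > "$d/crucis.net-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName crucis.net
    SSLCertificateFile $d/live/crucis.net/fullchain.pem
    SSLCertificateKeyFile $d/live/crucis.net/privkey.pem
</VirtualHost>
EOF
    cat > "$d/ares.crucis.net-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName ares.crucis.net
    SSLCertificateFile $d/live/ares.crucis.net-0001/fullchain.pem
    SSLCertificateKeyFile $d/live/ares.crucis.net-0001/privkey.pem
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

demo="$(make_demo_dir)"
find_broken_ssl_sites "$demo"      # prints: ares.crucis.net-le-ssl.conf
rm -rf "$demo"
```

On a real host you would run `find_broken_ssl_sites /etc/apache2/sites-enabled`, then `sudo a2dissite <name>` for each file it prints, confirm with `sudo apache2ctl configtest`, start Apache, and only then run `sudo certbot --apache` again. Disabling rather than deleting keeps the file in sites-available so it can be re-enabled once it points at a lineage that exists.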

Here is a list of issued certificates crt.sh | crucis.net, the latest being 2024-05-03.


That should be sufficient (like removing the link from sites-enabled or running a2dissite on it).


Here's the result of "sudo apachectl -t -D DUMP_VHOSTS":

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server ares.crucis.net (/etc/apache2/sites-enabled/ares.crucis.net-le-ssl.conf:2)
         port 443 namevhost ares.crucis.net (/etc/apache2/sites-enabled/ares.crucis.net-le-ssl.conf:2)
                 alias crucis.net
         port 443 namevhost crucis-court.com (/etc/apache2/sites-enabled/crucis-court.com-le-ssl.conf:2)
                 alias www.crucis-court.com
         port 443 namevhost crucis.net (/etc/apache2/sites-enabled/crucis.net-le-ssl.conf:2)
                 alias www.crucis.net
*:80                   is a NameVirtualHost
         default server crucis-court.com (/etc/apache2/sites-enabled/crucis-court.com-le-ssl.conf:14)
         port 80 namevhost crucis-court.com (/etc/apache2/sites-enabled/crucis-court.com-le-ssl.conf:14)
                 alias www.crucis-court.com
         port 80 namevhost crucis-court.com (/etc/apache2/sites-enabled/crucis-court.com.conf:1)
                 alias www.crucis-court.com
         port 80 namevhost crucis.net (/etc/apache2/sites-enabled/crucis.net.conf:1)
                 alias www.crucis.net

Here's the result of sudo netstat -pant | grep -E ':443|:80' | grep -i listen
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN 2796/python3
tcp 0 0 127.0.0.1:8024 0.0.0.0:* LISTEN 2792/python3

There shouldn't be a "port 80" virtualhost in the crucis-court.com-le-ssl.conf file.

Also, where did the file /etc/letsencrypt/live/ares.crucis.net-0001/fullchain.pem go? Did you delete certificates from Certbot perhaps without reading the documentation? Can you show the output of the command sudo certbot certificates please?


I entered "apache2ctl configtest" and got this result.
AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/ares.crucis.net-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/ares.crucis.net-0001/fullchain.pem' does not exist or is empty
Action 'configtest' failed.

In fact, the directory is gone. It did exist; now it doesn't. So, how do I recreate the cert? I can't using certbot. I built this server and its certs six months ago. I've had major surgery since and don't remember how I did it.

Stop Apache trying to access the deleted file. Suggestions have been posted already above.


Update: I've been able to get certbot running and have recreated certs for one VHOST (crucis.net). However, I seem to now have an Apache2 VHOST issue with the second domain (crucis-court.com).

I'd appreciate any pointers on this.

Thanks, mw


Please see my post above with regard to the double port 80 virtualhost. Notice there are two port 80 virtualhosts for crucis-court.com/www.crucis-court.com.


As requested, output from sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: ares.crucis.net
Serial Number: 4309dbdb09c9f66bd6e34636782b94158ea
Key Type: ECDSA
Domains: ares.crucis.net
Expiry Date: 2024-08-02 16:48:12+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ares.crucis.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ares.crucis.net/privkey.pem
Certificate Name: crucis-court.com
Serial Number: 445c7c3dc3868dcb3ffa8408a911bcbd695
Key Type: ECDSA
Domains: crucis.net ares.crucis.net crucis-court.com www.crucis-court.com www.crucis.net
Expiry Date: 2024-08-02 20:08:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/crucis-court.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/crucis-court.com/privkey.pem
Certificate Name: crucis.net-0001
Serial Number: 46c626cf1e6446ab40d5640cf87007180a3
Key Type: ECDSA
Domains: crucis.net www.crucis.net
Expiry Date: 2024-08-02 16:47:05+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/crucis.net-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/crucis.net-0001/privkey.pem
Certificate Name: crucis.net
Serial Number: 378aaf66ed8354a9463aa2cced809ec8713
Key Type: ECDSA
Domains: crucis.net
Expiry Date: 2024-08-01 19:47:51+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/crucis.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/crucis.net/privkey.pem
Certificate Name: www.crucis-court.com
Serial Number: 41799fe5cd6f392077bef14dffcd997847c
Key Type: ECDSA
Domains: www.crucis-court.com
Expiry Date: 2024-07-09 20:54:36+00:00 (VALID: 65 days)
Certificate Path: /etc/letsencrypt/live/www.crucis-court.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.crucis-court.com/privkey.pem
Certificate Name: www.crucis.net
Serial Number: 4dc81d98be788fc245e1b0596e59fb022af
Key Type: ECDSA
Domains: www.crucis.net
Expiry Date: 2024-08-01 19:28:03+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.crucis.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.crucis.net/privkey.pem


It seems like you could do with just one cert:

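The reply above points out that the six lineages listed by `certbot certificates` could be replaced by one. As an added example (not code from the thread or from Certbot), the bash function below reads that listing and reports, for each lineage, whether another lineage already covers every one of its names. The input is the listing posted above, trimmed to the two lines the parser reads; the function names and output format are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: read "certbot certificates" output and
# report which lineages are redundant, i.e. every name they cover is also
# covered by another lineage, so a single certificate would do the job.
set -eu

# Reads certbot's listing on stdin. For each lineage prints either
# "<name> (keep)" or "<name> -> <other>", where <other> is the largest lineage
# that already covers all of <name>'s domains. Identical domain sets resolve
# to the lineage listed first, so exactly one of them is kept.
find_redundant_lineages() {
    awk '
        /^[[:space:]]*Certificate Name:/ { name = $3; names[++n] = name }
        /^[[:space:]]*Domains:/ {
            count[name] = NF - 1
            for (i = 2; i <= NF; i++) { doms[name, i - 1] = $i; has[name, $i] = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                a = names[i]; best = ""
                for (j = 1; j <= n; j++) {
                    if (j == i) continue
                    b = names[j]
                    # b can only absorb a if it has at least as many names;
                    # on equal size the earlier lineage (j < i) wins the tie
                    if (count[b] < count[a] || (count[b] == count[a] && j > i)) continue
                    covered = 1
                    for (k = 1; k <= count[a]; k++)
                        if (!((b, doms[a, k]) in has)) { covered = 0; break }
                    if (covered && (best == "" || count[b] > count[best])) best = b
                }
                if (best == "") print a " (keep)"; else print a " -> " best
            }
        }'
}

# The listing posted above, trimmed to the lines the parser reads (serial
# numbers, key types, expiry dates and paths are not needed here).
certbot_listing() {
    cat <<'EOF'
Certificate Name: ares.crucis.net
Domains: ares.crucis.net
Certificate Name: crucis-court.com
Domains: crucis.net ares.crucis.net crucis-court.com www.crucis-court.com www.crucis.net
Certificate Name: crucis.net-0001
Domains: crucis.net www.crucis.net
Certificate Name: crucis.net
Domains: crucis.net
Certificate Name: www.crucis-court.com
Domains: www.crucis-court.com
Certificate Name: www.crucis.net
Domains: www.crucis.net
EOF
}

certbot_listing | find_redundant_lineages
# ares.crucis.net -> crucis-court.com
# crucis-court.com (keep)
# crucis.net-0001 -> crucis-court.com
# crucis.net -> crucis-court.com
# www.crucis-court.com -> crucis-court.com
# www.crucis.net -> crucis-court.com
```

On a live system the same function can be fed with `sudo certbot certificates | find_redundant_lineages`. Before removing a redundant lineage with `sudo certbot delete --cert-name <name>`, point every `SSLCertificateFile` and `SSLCertificateKeyFile` line at the lineage being kept and run `sudo apache2ctl configtest`: `certbot delete` removes the files under /etc/letsencrypt/live but does not edit Apache's configs, so a vhost still referencing the deleted path reproduces exactly the AH00526 error that opened this thread.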

And? Does this mean I can only have one VHOST? Which cert should I use for crucis-court.com? Supporting a second domain didn't use to be so difficult. Course that was 15 years ago and that system worked until it crashed last year. I'm now relearning how to support two domains with Apache2.

So, what is the significance of having two domains on the same port?

You can have a multitude of virtual hosts. It's just not recommended to have two virtualhosts for the same set of domain names: because which virtualhost will be used? It doesn't make sense to have a duplicate virtualhost.


@Crucis, to help assist you further.

Here are details on Apache, which can be found in its documentation and forums:


OK, I'm confused. Do you mean crucis.net should not be a VHOST, but crucis-court.com should be the only VHOST?

When I read the Apache2 docs, my understanding was that each domain had to be a separate VHOST.

mw

Thank you.

mw


No, that's not what I'm saying. The only thing I'm saying is that you have TWO files, crucis-court.com.conf and crucis-court.com-le-ssl.conf, which BOTH have a port 80 virtualhost for crucis-court.com with alias www.crucis-court.com. That's one too many. Usually the crucis-court.com-le-ssl.conf configuration file ONLY has the port 443 virtualhost.

I'm not sure I can explain it any simpler than this.

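The explanation above names two things to look for: a port 80 virtualhost inside a *-le-ssl.conf file, and the same ServerName/ServerAlias declared for the same port in more than one file, so Apache has to pick one. As an added example (not code from the thread, from Certbot or from Apache), the bash functions below check a directory of site configs for both. The sample directory mirrors the DUMP_VHOSTS layout posted above but its file contents are constructed for the demonstration, not the poster's real files.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: detect a port-80 <VirtualHost> inside a
# *-le-ssl.conf file, and the same hostname declared for the same port in
# more than one config (a duplicate virtual host).
set -eu

# Print "<port> <name>: <file> <file>..." for every (port, hostname) pair that
# is declared (as ServerName or ServerAlias) in more than one config in $1.
find_duplicate_vhosts() {
    local dir="$1"
    awk '
        /^[[:space:]]*<VirtualHost/ {
            port = $0
            sub(/>.*/, "", port)      # drop ">" and anything after it
            sub(/.*:/, "", port)      # keep what follows the last colon
            if (port !~ /^[0-9]+$/) port = "*"   # <VirtualHost *> has no port
            invh = 1; next
        }
        /^[[:space:]]*<\/VirtualHost>/ { invh = 0; next }
        invh && /^[[:space:]]*Server(Name|Alias)[[:space:]]/ {
            f = FILENAME; sub(/.*\//, "", f)
            for (i = 2; i <= NF; i++) print port, $i, f
        }' "$dir"/*.conf \
    | LC_ALL=C sort -u \
    | awk '{ key = $1 " " $2; files[key] = files[key] " " $3; n[key]++ }
           END { for (k in files) if (n[k] > 1) print k ":" files[k] }' \
    | LC_ALL=C sort
}

# Print the basename of every *-le-ssl.conf in $1 that also carries a port-80
# virtual host; certbot's Apache plugin only writes the :443 one there.
find_http_vhosts_in_le_ssl() {
    local dir="$1" conf
    for conf in "$dir"/*-le-ssl.conf; do
        [ -e "$conf" ] || continue
        grep -Eq '^[[:space:]]*<VirtualHost[^>]*:80>' "$conf" && basename "$conf"
    done
    return 0
}

# Constructed sample (hypothetical contents, not the poster's files): both
# crucis-court.com configs declare a :80 vhost; crucis.net is laid out the
# way certbot normally leaves it. Prints the directory it created.
make_vhost_demo_dir() {
    local d
    d="$(mktemp -d)"
    cat > "$d/crucis-court.com.conf" <<'EOF'
<VirtualHost *:80>
    ServerName crucis-court.com
    ServerAlias www.crucis-court.com
</VirtualHost>
EOF
    cat > "$d/crucis-court.com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName crucis-court.com
    ServerAlias www.crucis-court.com
</VirtualHost>
<VirtualHost *:80>
    ServerName crucis-court.com
    ServerAlias www.crucis-court.com
</VirtualHost>
EOF
    cat > "$d/crucis.net.conf" <<'EOF'
<VirtualHost *:80>
    ServerName crucis.net
    ServerAlias www.crucis.net
</VirtualHost>
EOF
    cat > "$d/crucis.net-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName crucis.net
    ServerAlias www.crucis.net
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

demo="$(make_vhost_demo_dir)"
find_duplicate_vhosts "$demo"
# 80 crucis-court.com: crucis-court.com-le-ssl.conf crucis-court.com.conf
# 80 www.crucis-court.com: crucis-court.com-le-ssl.conf crucis-court.com.conf
find_http_vhosts_in_le_ssl "$demo"     # crucis-court.com-le-ssl.conf
rm -rf "$demo"
```

Run against `/etc/apache2/sites-enabled` on the real host, the first function reports every hostname Apache would have to guess a vhost for, and the second tells you which -le-ssl file the stray :80 block lives in. Applied to the DUMP_VHOSTS output posted above it would also flag crucis.net on port 443, which appears both as an alias of the ares.crucis.net vhost and as its own vhost in crucis.net-le-ssl.conf.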

OK, I think I understand. Let me rephrase.
crucis-court.com.conf is for the "non-ssl" port 80. HTTP.

crucis-court.com-le-ssl.conf(HTTPS) should only have port 443.

Thanks for bearing with me.
mw
