IMPORTANT NOTES: - Unable to install the certificate


#1

I get the following error, how can I fix it please?
I tried to reinstall with certbot --apache but it does not fix it. I also deleted the default-ssl.conf
because in other posts I saw that it helped some people.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mywebsite.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mywebsite.com-0001/privkey.pem
    Your cert will expire on 2019-02-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

I deleted the log and installed again, here’s the log (/var/log/letsencrypt/letsencrypt.log):

2018-11-29 12:54:11,478:DEBUG:certbot.main:certbot version: 0.27.0
2018-11-29 12:54:11,479:DEBUG:certbot.main:Arguments: ['--apache']
2018-11-29 12:54:11,480:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-11-29 12:54:11,494:DEBUG:certbot.log:Root logging level set at 20
2018-11-29 12:54:11,495:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-29 12:54:11,496:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-29 12:54:11,616:DEBUG:certbot_apache.configurator:Apache version is 2.4.34
2018-11-29 12:54:12,065:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f3083771c50>
Prep: True
2018-11-29 12:54:12,067:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f3083771c50> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f3083771c50>
2018-11-29 12:54:12,067:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-11-29 12:54:12,072:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None), uri=‘https://acme-v02.api.letsencrypt.org/acme/acct/46720457’, new_authzr_uri=None, terms_of_service=None), 51cd4193ebc445e258562fdfe4917f84, Meta(creation_dt=datetime.datetime(2018, 11, 29, 10, 6, 14, tzinfo=), creation_host=‘ubuntu-s-1vcpu-1gb-nyc1-01’))>
2018-11-29 12:54:12,073:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-11-29 12:54:12,077:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-11-29 12:54:12,206:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2018-11-29 12:54:12,207:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 29 Nov 2018 12:54:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 29 Nov 2018 12:54:12 GMT
Connection: keep-alive

{
  "X9eKjHdf03k": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-29 12:54:17,135:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-29 12:54:22,919:INFO:certbot.main:Keeping the existing certificate
2018-11-29 12:54:22,920:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mywebsite.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mywebsite.com-0001/privkey.pem
Your cert will expire on 2019-02-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot renew”
2018-11-29 12:54:22,931:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 497, in deploy_certificate
fullchain_path=fullchain_path)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 334, in deploy_cert
vhosts = self.choose_vhosts(domain)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 358, in choose_vhosts
return [self.choose_vhost(domain, create_if_no_ssl)]
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 540, in choose_vhost
vhost = self.make_vhost_ssl(vhost)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 1138, in make_vhost_ssl
“Could not reverse map the HTTPS VirtualHost to the original”)
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original

2018-11-29 12:54:22,931:DEBUG:certbot.error_handler:Calling registered functions
2018-11-29 12:54:22,932:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-11-29 12:54:22,932:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in <module>
load_entry_point(‘certbot==0.27.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1131, in run
_install_cert(config, le_client, domains, new_lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 772, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 497, in deploy_certificate
fullchain_path=fullchain_path)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 334, in deploy_cert
vhosts = self.choose_vhosts(domain)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 358, in choose_vhosts
return [self.choose_vhost(domain, create_if_no_ssl)]
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 540, in choose_vhost
vhost = self.make_vhost_ssl(vhost)
File “/usr/lib/python3/dist-packages/certbot_apache/configurator.py”, line 1138, in make_vhost_ssl
“Could not reverse map the HTTPS VirtualHost to the original”)
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original


#2

Hi @koby423

what’s your domain name? Your apache configuration looks broken. Did you create a backup of your “default-ssl.conf”?


#3

Yes, I have a backup.

default-ssl.conf (it's the main conf for my website)
https://ghostbin.com/paste/cx9zy

000-default.conf (the website conf with a few subdomains - for the subdomains I do not need SSL)
https://ghostbin.com/paste/vnypa

What can be wrong please?


#4

Your iptvhit.com is ~~ ok. https://check-your-website.server-daten.de/?q=iptvhit.com

http://www.iptvhit.com/ 301 http://iptvhit.com/ 0.214 D
http://iptvhit.com/ 200 0.237 H
https://iptvhit.com/ 200 3.137 N
Certificate error: RemoteCertificateNameMismatch
https://www.iptvhit.com/ 200 2.090 N
Certificate error: RemoteCertificateNameMismatch

The only thing is the certificate name mismatch. Your certificate has

CN=iptvh.it 29.11.2018 27.02.2019 iptvh.it - 1 entry

the .it TLD. But it looks like you don’t have an it-vHost.

Should com/it have the same content? Then use one vHost, add the it version as ServerAlias. This

ServerName iptvhit.com
ServerAlias iptvhit.com

is redundant.

Perhaps you should create one http vHost with 4 names (com + it, www + non-www), then create one certificate with 4 domain names, then use this certificate.


#5

Hi,

Although certbot can’t automatically install a certificate for you (and as of now, the reason remains uncertain in your case), you could always install the certificate manually, and certbot knows to reload the correct server as it renews automatically…

Thank you


#6

The .it domain is another website.
Basically the content of the conf is similar:

https://ghostbin.com/paste/ss3vo

I installed SSL on this domain 20 minutes ago and it completed without the error.

For the .it website I have iptvh.conf
and for .com I have the default conf.

Am I supposed to integrate the default.conf vhost + subdomains inside the .it conf?
The domain that is currently active with SSL


#7

How can I do this manually? A simple explanation please


#8

If I know it correctly, Certbot is happy if there is one individual config file per vHost.

PS: There is the same error:

ServerName iptvh.it 
ServerAlias iptvh.it

Expected is something like:

ServerName iptvh.it 
ServerAlias www.iptvh.it

So the alias is different.


#9

I will share what I did right now, I had an idea for a second ^^

Now I can see SSL is active on my .com website

  1. I copied the SSL conf of the .it domain to a new conf file:
    000-default-le.ssl.conf

  2. I edited the content this way:
    https://ghostbin.com/paste/xzsfs

  3. sudo a2ensite 000-default-le.ssl.conf

  4. sudo service apache2 restart

www. I do not need, so I didn't add it, only http://

SSL is working on my site, is that fine?


#10

Now it looks better, but not good:

http://www.iptvhit.com/ 301 http://iptvhit.com/ 0.197 D
http://iptvhit.com/ 200 0.367 H
https://www.iptvhit.com/ 301 http://iptvhit.com/ 2.094 N
Certificate error: RemoteCertificateNameMismatch
https://iptvhit.com/ 200 2.324 B

Your www doesn’t work because your certificate has only one name iptvhit.com.

If you have a dns entry www, you should have a correct certificate, so the redirect works without an error.

But some users add www, so removing the dns entry is not really a solution.
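
Added example (not written by any poster in this thread and not Certbot code): a Python check for the two problems raised in the replies above, a ServerAlias that repeats the ServerName and a TLS vHost whose names are not covered by the certificate. The config text and SAN lists are constructed from the names quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample config, modelled on the directives quoted in the thread.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName iptvhit.com
    ServerAlias iptvhit.com
</VirtualHost>
<VirtualHost *:443>
    ServerName iptvhit.com
    ServerAlias www.iptvhit.com
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one {'addr', 'names', 'ssl'} dict per <VirtualHost> block."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for addr, body in blocks:
        names = []
        for m in re.finditer(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", body, re.M | re.I):
            names += m.group(1).lower().split()  # ServerAlias may list several names
        ssl = bool(re.search(r"^[ \t]*SSLEngine[ \t]+on\b", body, re.M | re.I))
        vhosts.append({"addr": addr.strip(), "names": names, "ssl": ssl})
    return vhosts

def san_matches(host, san):
    """Hostname match as TLS clients do it: '*.' covers exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def audit(conf, cert_sans):
    """Return (redundant_aliases, uncovered_tls_names) for a config and a cert SAN list."""
    redundant, uncovered = [], []
    for vh in parse_vhosts(conf):
        seen = set()
        for name in vh["names"]:
            if name in seen:  # e.g. ServerAlias equal to ServerName
                redundant.append((vh["addr"], name))
            seen.add(name)
        if vh["ssl"]:
            uncovered += [n for n in sorted(seen)
                          if not any(san_matches(n, s) for s in cert_sans)]
    return redundant, uncovered
```

Every name returned in the second list would produce a name-mismatch error in a browser; the SAN list of a deployed certificate can be read with `openssl x509 -in fullchain.pem -noout -text`.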


#11

Currently I’m not using www, if a user writes www he is directed to http://iptvhit.com
For this reason I have not added www, but yes if I decide very soon to add www I will edit the certificate and conf again,
At least now the ssl works

Thank you very much for the help Juergen!