Installation to site with Apache built from source

Help
1

When I ran the certbot command: ./certbot-auto certonly --email webmaster@xxx.com -w /var/www/html -d server.xxx.com …etc

It produced this output:
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

and then I get:

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for server.xxx.com
http-01 challenge for server2.xxx.com
http-01 challenge fo rserver3.xxx.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/server.xxx.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/server.xxx.com/privkey.pem
    Your cert will expire on 2018-09-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@seal:/usr/local/sw/Certbot# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/server.xxx.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/server.xxx.com.conf

Cert is due for renewal, auto-renewing…
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(‘Cannot find Apache control command apache2ctl’,)
Attempting to renew cert (server.xxx.com) from /etc/letsencrypt/renewal/server.xxx.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(‘Cannot find Apache control command apache2ctl’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server.xxx.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/server.xxx.com/fullchain.pem expires on 2018-09-02 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server.xxx.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version) is built from source (Apache 2.4.29)
The operating system my web server runs on is (include version):Ubuntu 16.04.4 LTS
I can login to a root shell on my machine.

I suspect that the problem is that the certbot is looking for the built-in apache2 installation rather than the actual running apache HTTP that is compiled and installed from source under /usr/local/apache

How can I get it to work to renew?

2

No, your problem is that certbot did exactly what you told it to do--obtain certs. Installing and configuring those is up to you. That's what the certonly parameter told it to do.

3

Hi,

You would need to specify path to apachectl.

@danb35 I think the issue is when he run certbot renew…
It seems that the previous certs was using Apache plugin to renew, but he compiled that from source, which can’t find the new path (by default)
Then it returned the error message, Apache plugin is not working.

@georged
I believe there is a derivative to specify Apache install location… However I forget where it is…
You might want to add -i Apache after all parameters you entered. (E.g. certbot-auto certonly all parameters -i apache)

Thank you

4

@stevenzhu, thank you but if I install the apache plugin (sudo dnf install certbot-apache) wouln't expect the apache2ctl target rather than mine (/usr/local/apache/bin/apachectl)?

I also tried the -i apache option and get the same error:

Failed to find executable apache2ctl ....

5

See also

The Certbot Apache plugin has some per-OS builtin defaults related to Apache. For example, these are the ones on a Debian system:

    OS_DEFAULTS = dict(
        server_root="/etc/apache2",
        vhost_root="/etc/apache2/sites-available",
        vhost_files="*",
        logs_root="/var/log/apache2",
        version_cmd=['apache2ctl', '-v'],
        apache_cmd="apache2ctl",
        restart_cmd=['apache2ctl', 'graceful'],
        conftest_cmd=['apache2ctl', 'configtest'],
        enmod="a2enmod",
        dismod="a2dismod",
        le_vhost_ext="-le-ssl.conf",
        handle_mods=True,
        handle_sites=True,
        challenge_location="/etc/apache2",
        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
            "certbot_apache", "options-ssl-apache.conf")
    )

You should be able to override each option with a command line option starting with --apache- and the name of the option (except with _ replaced by -). For example --apache-restart-cmd to set the restart_cmd option.

6

@danb35, the certs seem to be successfully installed according to the output listed above.

Congratulations! Your certificate and chain have been saved at:...

The renew is what fails.

7

I was using "installed," admittedly imprecisely, to refer to configuring Apache to use the new certs--the certonly command doesn't do that. But I'd overlooked the issue with renewal.

8

No cigar, unfortunately:

./certbot-auto renew --apache-server-root="/usr/local/apache" --apache-cmd=“apachectl”

usage:
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --apache-cmd apachectl

9

@danb35, no problem, I guess the question is what would install the certs properly to an apache installation built from source? Because the default instructions and installers seem to assume apache2 packaged installed.

10

It might be counterintuitive, but I believe the name of the option should be --apache-apache-cmd.

11

Unfortunately I get an error:
./certbot-auto renew --apache-server-root="/usr/local/apache" --apache-apache-cmd=“apachectl”
usage:
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
certbot: error: unrecognized arguments: --apache-apache-cmd apachectl

At this point I am desperate, not being able to do the renewals. I am willing to wipe it all off and start from scratch. Is there any doc on how to install the certs from scratch and use my compiled version of apache (not the assumed apache2 package)?

12

@joohoi @bmw, do you know why neither form of this option is working to specify the apache_cmd configuration variable?

13

Could you just create a symlink from apache2ctl to apachectl?

14

I tried it, added the softlink and I also went through the docs and tried from scratch. This is what I get:

./certbot-auto certonly --webroot --email webmaster@mymail.com -w /var/www/html -d server1.com -d server2.com -d server3.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/server1.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for server1.com
http-01 challenge for server2.com
http-01 challenge for server3.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/server1.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/server1.com/privkey.pem
    Your cert will expire on 2018-09-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@server1:/usr/local/sw/Certbot# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/server1.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/server3.com.conf

Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(‘Could not find configuration root’,)
Attempting to renew cert (server3.com) from /etc/letsencrypt/renewal/server3.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(‘Could not find configuration root’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server3.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/server1.com/fullchain.pem expires on 2018-09-03 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server3.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
root@server1:/usr/local/sw/Certbot#

15

--apache-server-root is using ASCII quotation marks, but --apache-apache-cmd is using Unicode left and right quotation marks. Did the forum software edit the post to use fancy quotes? Which quotes did the command actually run use?

What's in /etc/letsencrypt/renewal/server3.com.conf? It's probably using the Apache options you used when originally creating the certificate, not the new ones you used when creating the server1.com certificate today.

(Do you still need both certificates? The server1.com certificate includes the name server3.com. If you don't need it, you could update your Apache configuration to stop using the server3.com certificate and then delete it with certbot delete.)

16

I was able to get a clean renewal by removing the cert that was giving problems. I did it a manual way and it worked:

rm -rf /etc/letsencrypt/live/${DOMAIN}
rm /etc/letsencrypt/renewal/${DOMAIN}.conf

Thank you all for your help but I would be (and I am sure others in the community) will be grateful if there is some docs on how to install the beautiful certbot with cases that apache is compiled by source.

17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.