Installing a certificate in a LAMP configuration

Hello,

The following is my configuration:

OS: Ubuntu 18.04
Certbot: 1.9.0
LAMP: 7.4.11.0
Domain: marref.org

I want to install a certificate for my website but I am encountering some issues. I use a LAMP stack to host my website and things seem to work fine over HTTP. When I try to install a certificate using Certbot, I get the following.

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable apache2ctl')

However, my website is up and running:

$ sudo netstat -nap | grep :80
tcp        0      0 10.128.0.2:45210        169.254.169.254:80      ESTABLISHED 1123/python3        
tcp        0      0 10.128.0.2:45206        169.254.169.254:80      CLOSE_WAIT  1123/python3        
tcp        0      0 10.128.0.2:45212        169.254.169.254:80      ESTABLISHED 1125/python3        
tcp        0      0 10.128.0.2:45214        169.254.169.254:80      ESTABLISHED 1122/python3        
tcp6       0      0 :::80                   :::*                    LISTEN      25464/httpd

This question is the most relevant in my case and it suggests installing the certificate as follows:

$ certbot --apache-server-root /opt/lampp/apache2/conf --apache

However, I get the same error as previously mentioned, plus I could not see the parameter --apache-server-root in the options when consulting certbot --help.

I appreciate your help,

Thank you.

Hi and welcome to the community!

You could try using --webroot instead.
Please show the output of:
sudo acpachectl -S
EDIT: sudo apachectl -S

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

This is the output:

$ sudo acpachectl -S
sudo: acpachectl: command not found

Well that's a fine "How do you do?"... "command not found"
I guess the LAMP is not so well lit.
Try:
sudo apt update
sudo apt upgrade apache2

I actually uninstalled Apache2 myself because of some conflicting behaviour I saw when using LAMP.

I will do that and re-attempt.

LAMP without Apache is just LMP
LOL

My expertise is completely outside this domain, but how am I able to access my website then? And what is the httpd I see?

It might still be running "in memory".
Even though you've actually uninstalled it.
It will most likely not survive a reboot.

Thank you for the details.

I am now back to my initial problem where I was able to install a certificate following this tutorial. However, then I needed to do further configurations such as enabling PHP-file execution and using phpMyAdmin. Since I am not a web-hosting wizard or any kind of wizard, I decided to use LAMP which makes things work out of the box.

When trying to start LAMP, the system moans about an Apache server running:

>     $ sudo /opt/lampp/lampp start
>     Starting XAMPP for Linux 7.4.11-0...
>     XAMPP: Starting Apache...fail.
>     XAMPP:  Another web server is already running.
>     XAMPP: Starting MySQL...already running.
>     XAMPP: Starting ProFTPD...already running.

and it is indeed:

$ sudo netstat -nap | grep :80
...
tcp6       0      0 :::80                   :::*                    LISTEN      11103/apache2

So when I kill the apache process:
$ sudo kill 11103

I can finally run the LAMP's apache which looks like this:

> $ sudo /opt/lampp/lampp start
> Starting XAMPP for Linux 7.4.11-0...
> XAMPP: Starting Apache...ok.
> XAMPP: Starting MySQL...already running.
> XAMPP: Starting ProFTPD...already running.

And it shows like this (httpd instead of apache2):

$ sudo netstat -nap | grep :80
...    
tcp6       0      0 :::80                   :::*                    LISTEN      11236/httpd 

Now in this system state, I have a working website in the sense PHP files are executed and phpMyAdmin is accessible, but I can no longer access it using https. It looks like the certificate attaches itself to apache2, but not httpd.

So that's my problem.

Please show:
ps -ef | grep httpd

I think you misspelled apachectl here.

Indeed!
Thanks for the second set of :eyes:

Worth trying again (correctly now):
sudo apachectl -S

These are the outputs:

$ ps -ef | grep httpd
root     11236     1  0 Oct21 ?        00:00:01 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11240 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11244 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11245 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11246 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11247 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11248 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11255 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11256 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11498 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
aminema+ 16404 16388  0 04:37 pts/0    00:00:00 grep --color=auto httpd

and:

$ sudo apachectl -S
VirtualHost configuration:
*:443                  marref.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   amigo-server.us-central1-a.c.thematic-caster-263818.internal (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

So there is where httpd operates from [not from /etc/apache2/].
I don't think certbot using --apache is well prepared for this Apache spinoff.
We need to take a look at this file:

to see if we can use certbot with --webroot instead.

This is the content of /etc/apache2/sites-enabled/000-default.conf:

$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /home/aminemarref/websites/marref_org
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =marref.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

OK. I would remove the "noise" and also rework the redirect logic to just redirect all HTTP to HTTPS [except for the challenge requests].
So it would look something like this:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /home/aminemarref/websites/marref_org
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  # Everything except /.well-known/ (where the ACME HTTP-01 challenge files
  # live) is sent to HTTPS, so certbot --webroot can still be answered on :80.
  <LocationMatch "^/(?!\.well-known)">
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    # R=301 forces an external, permanent redirect; L stops further rewriting
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
  </LocationMatch>
</VirtualHost>

After updating this file, how do I proceed with certificate installation?

We can now use that DocumentRoot path as the --webroot parameter for certbot.
[instead of --apache]
Try:
certbot certonly --webroot -w /home/aminemarref/websites/marref_org -d marref.org

Then also show this file:
/etc/apache2/sites-enabled/000-default-le-ssl.conf
and just to be sure:
certbot certificates
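
The three things this thread turns on (which process really listens on :80, which httpd binary that is, and whether the DocumentRoot can serve a challenge file for --webroot) can be checked from the shell before running certbot. The script below is an added example, not code from the thread, from Certbot or from XAMPP. Its netstat and ps samples are constructed to mirror the output posted above (so /opt/lampp/bin/httpd comes from the thread), and it assumes that Ubuntu's apachectl and certbot --apache manage /usr/sbin/apache2 with its configuration in /etc/apache2.

```shell
#!/bin/sh
# Added example: offline checks for the "which Apache is really running" problem.
# Sample text is constructed from the outputs posted in the thread.

# Constructed sample of `netstat -nap | grep :80` (mirrors the first post).
SAMPLE_NETSTAT='tcp        0      0 10.128.0.2:45210        169.254.169.254:80      ESTABLISHED 1123/python3
tcp        0      0 10.128.0.2:45206        169.254.169.254:80      CLOSE_WAIT  1123/python3
tcp6       0      0 :::80                   :::*                    LISTEN      25464/httpd'

# Constructed sample of `ps -ef | grep httpd` (mirrors the later post).
SAMPLE_PS='root     11236     1  0 Oct21 ?        00:00:01 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP
daemon   11240 11236  0 Oct21 ?        00:00:00 /opt/lampp/bin/httpd -k start -E /opt/lampp/logs/error_log -DSSL -DPHP'

# 1. The program that really LISTENs on port $1 in netstat text $2.
#    `grep :80` also matches outbound connections whose *remote* side is :80
#    (the 169.254.169.254 lines), so only the local-address column (field 4)
#    with state LISTEN (field 6) is considered.
listener_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7; exit }'
}

# 2. The binary behind the parent httpd process (PPID 1) in ps -ef text $1.
httpd_binary_from_ps() {
    printf '%s\n' "$1" | awk '$3 == 1 && $8 ~ /httpd|apache2/ { print $8; exit }'
}

# 3. Which certbot authenticator fits that binary. Assumption (see lead-in):
#    Ubuntu's apachectl and certbot --apache drive /usr/sbin/apache2 whose
#    config lives in /etc/apache2; any other httpd keeps its own config tree,
#    never sees what certbot --apache writes there, and needs --webroot.
certbot_mode_for() {
    case "$1" in
        /usr/sbin/apache2) echo apache ;;
        *) echo webroot ;;
    esac
}

# 4. Local dry run of what --webroot does: drop a token file under
#    .well-known/acme-challenge/ inside the DocumentRoot and read it back.
#    A real validation additionally fetches it over plain HTTP, which is why
#    that path must stay exempt from any HTTP-to-HTTPS redirect.
webroot_selftest() {
    dir="$1/.well-known/acme-challenge"
    token="selftest-$$"            # constructed token, not an ACME one
    mkdir -p "$dir" || return 1
    printf 'ok\n' > "$dir/$token" || return 1
    if [ "$(cat "$dir/$token")" = "ok" ]; then rc=0; else rc=1; fi
    rm -f "$dir/$token"
    return $rc
}

# Stand-alone run against the constructed samples.
listener=$(listener_on_port 80 "$SAMPLE_NETSTAT")
binary=$(httpd_binary_from_ps "$SAMPLE_PS")
echo "listener on :80 -> $listener"
echo "httpd binary    -> $binary (certbot mode: $(certbot_mode_for "$binary"))"
```

On a live box, feed the functions `netstat -nap` and `ps -ef` output and pass the DocumentRoot from the :80 vhost to `webroot_selftest`; if that last check fails, `certbot --webroot` will fail for the same reason.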

This is the output:

$ cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>        
        ServerAdmin webmaster@localhost
        DocumentRoot /home/aminemarref/websites/marref_org
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ServerName marref.org
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/marref.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/marref.org/privkey.pem
</VirtualHost>
</IfModule>

And this is the other one:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: marref.org
    Serial Number: 36f173222438391018299dad0b1f40d75b6
    Domains: marref.org
    Expiry Date: 2021-01-19 15:31:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/marref.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/marref.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

OK
So you already have a cert :slight_smile:

We need to test the renewal process and ensure the site can use the cert it has.
But first, what was the outcome of this?