Issues when transfering servers

deathstar · August 30, 2022, 2:45am

Hey guys,

I recently transfered to a new server and it has been so FUN (sarcasm). I have been having issues with certbot. Last time I transfered servers I really didn't have issues with certbot. Now all the mysql dependent websites aren't working and certbot is failing to properly provide certificates for my websites (i get the browser "attackers may be trying to steal your information" warning). It seems that I zipped the /etc/letsencrypt folder and transfered it to the new server. It doesn't like that the key files are not symlinks. I tried deleting the certificates and creating new ones, but I ran into a bunch of issues. Any advice? Thanks in advance.

My domain is: www.techmasterdesign.com, groupfinder.cc, wavebuddha.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

root@lenovo-server:/etc# sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/iamjulemusic.com.conf

Renewal configuration file /etc/letsencrypt/renewal/iamjulemusic.com.conf is broken.

The error was: expected /etc/letsencrypt/live/iamjulemusic.com/cert.pem to be a symlink

Skipping.

Processing /etc/letsencrypt/renewal/kineticskin.me.conf

Renewal configuration file /etc/letsencrypt/renewal/kineticskin.me.conf is broken.

The error was: expected /etc/letsencrypt/live/kineticskin.me/cert.pem to be a symlink

Skipping.

Processing /etc/letsencrypt/renewal/www.kineticskin.me.conf

Renewal configuration file /etc/letsencrypt/renewal/www.kineticskin.me.conf is broken.

The error was: expected /etc/letsencrypt/live/www.kineticskin.me/cert.pem to be a symlink

Skipping.

Processing /etc/letsencrypt/renewal/www.techmasterdesign.com.conf

Renewal configuration file /etc/letsencrypt/renewal/www.techmasterdesign.com.conf is broken.

The error was: expected /etc/letsencrypt/live/www.techmasterdesign.com/cert.pem to be a symlink

Skipping.

No simulated renewals were attempted.

Additionally, the following renewal configurations were invalid:

/etc/letsencrypt/renewal/iamjulemusic.com.conf (parsefail)

/etc/letsencrypt/renewal/kineticskin.me.conf (parsefail)

/etc/letsencrypt/renewal/www.kineticskin.me.conf (parsefail)

/etc/letsencrypt/renewal/www.techmasterdesign.com.conf (parsefail)

0 renew failure(s), 4 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

rg305 · August 30, 2022, 2:51am

Do you still have access to the old server?

deathstar · August 30, 2022, 2:59am

It went caput, only boots when it feels like it, but I still have the hard drive.

rg305 · August 30, 2022, 3:07am

Well, it seems that when you zipped that folder, it didn't save any of the symlink information.

You can either:

access the hard drive and re-zip it with the proper symlinks
OR
we can try to recreate them

rg305 · August 30, 2022, 3:11am

To recreate them, you would remove the non-symlinks first and the use:
certbot update_symlinks

See: User Guide — Certbot 1.29.0 documentation (eff-certbot.readthedocs.io)

deathstar · August 30, 2022, 4:14am

Thank you for your help fixing the symlinks. I ended up reinstalling linux as I fucked up by copying too much of the old linux filesystem.

This time around certbot worked almost flawlessly after i used a2ensite and copied over the sites-available. It says it created the certificates, however I am now getting the error "could not reverse map the HTTPS virtualhost to the original," could this possibly be a permission issue, or is certbot maybe missing a dependency?

rg305 · August 30, 2022, 4:18am

That means there is no HTTPS vhost config that covers that name.

Usual Apache mischief
Show:
apachectl -t -D DUMP_VHOSTS

deathstar · August 30, 2022, 4:51am

sorry for the late replies, i've been slowly transfering everything :P.

root@lenovo-server:/home/george# apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.techmasterdesign.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.techmasterdesign.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias techmasterdesign.com
         port 80 namevhost groupfinder.cc (/etc/apache2/sites-enabled/groupfinder.conf:1)
                 alias www.groupfinder.cc
         port 80 namevhost wavebuddha.com (/etc/apache2/sites-enabled/wavebuddha.conf:1)
                 alias www.wavebuddha.com
root@lenovo-server:/home/george#

rg305 · August 30, 2022, 5:04am

That looks good, but only has HTTP vhosts.

What shows?:
certbot certificates

deathstar · August 30, 2022, 5:06am

root@lenovo-server:/etc/apache2/sites-enabled# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: techmasterdesign.com
    Serial Number: 4716a2769850c9cf76abb5ec6d103d75d1e
    Key Type: RSA
    Domains: groupfinder.cc techmasterdesign.com wavebuddha.com www.groupfinder.cc www.techmasterdesign.com www.wavebuddha.com
    Expiry Date: 2022-11-28 03:11:15+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/techmasterdesign.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/techmasterdesign.com/privkey.pem

rg305 · August 30, 2022, 5:06am

That's good too.
Which vhost config did you try to enable that failed?

deathstar · August 30, 2022, 5:09am

I used certbot --apache to have it try to generate certificates for all domains. The output was this:


root@lenovo-server:/etc/apache2/sites-enabled# certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: groupfinder.cc

2: www.groupfinder.cc

3: techmasterdesign.com

4: www.techmasterdesign.com

5: wavebuddha.com

6: www.wavebuddha.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/techmasterdesign.com.conf)

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate for groupfinder.cc and 5 more domains

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/techmasterdesign.com/fullchain.pem

Key is saved at: /etc/letsencrypt/live/techmasterdesign.com/privkey.pem

This certificate expires on 2022-11-28.

These files will be updated when the certificate renews.

Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate

Some rewrite rules copied from /etc/apache2/sites-enabled/groupfinder.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/groupfinder-le-ssl.conf because they have the potential to create redirection loops.

Successfully deployed certificate for groupfinder.cc to /etc/apache2/sites-available/groupfinder-le-ssl.conf

Successfully deployed certificate for www.groupfinder.cc to /etc/apache2/sites-available/groupfinder-le-ssl.conf

Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.

Could not install certificate

**NEXT STEPS:**

- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:

certbot install --cert-name techmasterdesign.com

Could not reverse map the HTTPS VirtualHost to the original

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

deathstar · August 30, 2022, 5:12am

If i'm not mistaken, certbot creates the virtualhost ssl .conf files. If it doesn't, then i'm missing them and I should probably create them manually?

rg305 · August 30, 2022, 5:14am

It created them, but did not enable them due to:
the potential to create redirection loops

Some rewrite rules copied from /etc/apache2/sites-enabled/groupfinder.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/groupfinder-le-ssl.conf because they have the potential to create redirection loops.
Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.

Let's have a look at those two files:
/etc/apache2/sites-available/groupfinder-le-ssl.conf
/etc/apache2/sites-available/000-default-le-ssl.conf

deathstar · August 30, 2022, 5:16am

these two files don't exist:

/etc/apache2/sites-available/groupfinder-le-ssl.conf
/etc/apache2/sites-available/000-default-le-ssl.conf

I used a terminal command to have it create the symlinks from the sites-enabled folder, strange.

rg305 · August 30, 2022, 5:18am

That doesn't add up... 2 + 2 = 2 [LOL]

Let's see:
ls -l /etc/apache2/sites-available/
cat /etc/apache2/sites-enabled/groupfinder.conf
cat /etc/apache2/sites-enabled/000-default.conf

rg305 · August 30, 2022, 5:19am

There is an apache program for that:
a2ensite

deathstar · August 30, 2022, 5:19am

sites/available:

-rwxrwxrwx 1 root root 1703 Sep 14 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Mar 22 19:00 default-ssl.conf
-rwxrwxrwx 1 root root 432 Sep 13 2020 groupfinder.conf
-rwxrwxrwx 1 root root 431 Sep 13 2020 wavebuddha.conf

root@lenovo-server:/etc/apache2/sites-available# cat /etc/apache2/sites-enabled/groupfinder.conf

<VirtualHost *:80>
ServerName groupfinder.cc
ServerAlias www.groupfinder.cc
ServerAdmin webmaster@localhost
DocumentRoot /var/www/groupfinder
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.groupfinder.cc [OR]
RewriteCond %{SERVER_NAME} =groupfinder.cc
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

root@lenovo-server:/etc/apache2/sites-available# cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName www.techmasterdesign.com
	ServerAlias techmasterdesign.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	
	RewriteEngine on
	# for www.techmasterdesign.com
	RewriteCond %{SERVER_NAME} =www.techmasterdesign.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

	# for techmasterdesign.com
	RewriteCond %{SERVER_NAME} =techmasterdesign.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
	
</VirtualHost>

deathstar · August 30, 2022, 5:22am

maybe a simple solution would be to copy the old ssl-le.conf files from my old install to the sites-available folder, and then rerun a2ensite?

rg305 · August 30, 2022, 5:23am

Show that file here first [before enabling it].

Topic		Replies	Views
Moving certs to new server, certbot error Help	5	483	February 27, 2021
Certbot Symlink file broken for renewal due to moving files Help	14	7294	September 17, 2018
Copied a server setup which broke certbot Help	10	2096	July 7, 2019
Broken after moving machine to another provider Help	5	486	August 26, 2021
Help with certbot renew Help	11	853	December 23, 2021

Issues when transfering servers

Related topics