Letsencrypt-auto --apache couldn't find server. How far did I get?

./letsencrypt-auto --apache -d ehealth.id.au -d www.ehealth.id.au

No vhost exist with servername or alias… No vhost was selected.

I have some directories in /etc/letsencrypt, one of which includes meta.json, private_key.json and regr.json. There is no ‘live’ directory, and none of the other directories contain any files. I assume that, because the server was not found, no certs were actually created. Is this right? If so, I will go the cert-only route, and manually configure the servers, as others seem to have done.

Correct.

I’d guess that your apache config has multiple domains within the same file (not currently supported by the official client).

A bit off topic, but why doesn’t the client support multiple domains in a single vhosts file? Until I started reading this forum, it never occurred to me to have my domains split into multiple vhosts. After all, it’s a “vhosts” file, not a “vhost” file.

This seems to be a recurring problem for people. While I personally would prefer to configure my own server, the lack of vhosts support seems to go against LE’s second key principle! I wouldn’t have thought it would be too hard to parse a single file, even if the output would be multiple files.

If I had used a ServerAlias to put both domains in the same VirtualHost entry, would that have worked?

IIRC multiple domains within the same <VirtualHost> (using ServerAlias) is fine, but multiple <VirtualHost>s in the same file doesn’t work at the moment.

Just the way it was originally designed, I think (since the convention with many Debian-based systems is to have each domain in a separate file in /etc/apache2/sites-available ... and then you can enable / disable them on a site by site basis with a2ensite / a2dissite). Pretty sure there is a plan though to increase this to read multiple domains in the same file.

As @pfg said (and beat me to it :slight_smile:)
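To make the distinction in the two replies above concrete, here is an added shell check (not from this thread or from the Let’s Encrypt client) that audits an Apache config file for the unsupported layout: several <VirtualHost> blocks in one file, as opposed to one block that carries the www variant as a ServerAlias. The two config files are constructed examples written to temporary files; on a real system you would point the functions at /etc/apache2/sites-available/*.conf.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Audit Apache vhost files for the layout the apache plugin did not handle:
# more than one <VirtualHost> block per file.

# Number of <VirtualHost ...> opening tags in a file.
count_vhosts() {
    grep -ci '^[[:space:]]*<VirtualHost' "$1"
}

# True (exit 0) when the file holds more than one <VirtualHost> block,
# i.e. the layout that made the client report "No vhost was selected".
multi_vhost_file() {
    [ "$(count_vhosts "$1")" -gt 1 ]
}

# Print every ServerName / ServerAlias line, tagged with its block number,
# so you can see which names would end up in which certificate.
vhost_names() {
    awk '
        /^[[:space:]]*<VirtualHost/ { n++ }
        /^[[:space:]]*Server(Name|Alias)[[:space:]]/ {
            sub(/^[[:space:]]+/, "")
            printf "vhost %d: %s\n", n, $0
        }
    ' "$1"
}

# --- constructed sample configs (assumption: not real files from the thread) ---
SPLIT=$(mktemp)
MERGED=$(mktemp)
trap 'rm -f "$SPLIT" "$MERGED"' EXIT

# Layout the OP described: www and non-www as two blocks in one file.
cat >"$SPLIT" <<'EOF'
<VirtualHost *:80>
    ServerName ehealth.id.au
    DocumentRoot /var/www/ehealth
</VirtualHost>
<VirtualHost *:80>
    ServerName www.ehealth.id.au
    DocumentRoot /var/www/ehealth
</VirtualHost>
EOF

# Layout @pfg says works: one block, www carried as a ServerAlias.
cat >"$MERGED" <<'EOF'
<VirtualHost *:80>
    ServerName ehealth.id.au
    ServerAlias www.ehealth.id.au
    DocumentRoot /var/www/ehealth
</VirtualHost>
EOF

for f in "$SPLIT" "$MERGED"; do
    if multi_vhost_file "$f"; then
        echo "$f: $(count_vhosts "$f") VirtualHost blocks (split into separate files or merge with ServerAlias)"
    else
        echo "$f: single VirtualHost block, fine for the apache plugin"
    fi
    vhost_names "$f"
done
```

Run it against your own sites-available directory with `for f in /etc/apache2/sites-available/*.conf; do multi_vhost_file "$f" && echo "$f"; done` to list only the files that need attention.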

I have separate files for each base domain, but in each file I have two entries, one for the www-prefixed, and one for the non-prefixed domain. So, having just created a separate certificate for the non-www prefixed domain using webroot, if I wanted to simplify the situation, I should replace all the separate www entries in the individual files for the domains with a ServerAlias, then regenerate the certificates? Should I revoke the initial certificates?

A single certificate with both www and non-www while using ServerAlias would seem like the best option here, yes. Hopefully, the client won’t be too confused by the existing separate certificate lineages for www and non-www. Your procedure sounds about right, though I can’t say that I’ve tried “merging” certificate lineages before (not to say that it won’t just work :smile:).

You probably don’t want to revoke anything. That’s something you do when your private key is stolen and you want to tell browsers that a certificate shouldn’t be accepted. It’s not the equivalent of removing the certificate from your configuration or anything like that.

This may be another topic, or a bug. I had used
./letsencrypt-auto certonly --webroot -w /var/www/ehealth -d ehealth.id.au -w /var/www/oz-ehealth -d oz-ehealth.org -w /var/www/top -d turnofphrase.com.au -w /var/www/twba-tv -d twba.tv

When I went back to reconfigure the VirtualHost entries and to regenerate the certs, I found that only one set of certs, ehealth.id.au, had been generated. Is this expected, or did I specify something incorrectly, or is there a bug?

The .well-known directory was created in each webroot.

Running one command with lots of different -d domains says you want one certificate, valid for all those domains.

So that’s why it only created one certificate, if you use a tool that can show what’s inside the certificate it will have Subject Alternative Names (SANs) for all the domains you listed, which means a web browser will go “Yup, this is fine” when it sees that certificate presented for any of those domains.

If you wanted separate certificates, you need to run the command separately to make each certificate. Remember there is a limit on how many certificates Let’s Encrypt will give you per week, so if you’ve got dozens more domains that’s a factor.
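As an added illustration of the SAN point in the reply above (my example, not from the thread or the client), the script below builds a throwaway self-signed certificate carrying the same four names the OP passed with `-d`, then shows how to read the SAN list back with `openssl x509` and check whether a given hostname is covered. The certificate and the temporary directory are constructed for the demo; on a real system the file to inspect is the cert.pem under /etc/letsencrypt/live/<name>/ (that path is an assumption about where the client writes it).

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Build a test certificate with several Subject Alternative Names (the shape a
# single multi "-d" run produces) and inspect which hostnames it covers.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL request config with a SAN extension (constructed for the demo;
# a config file is used rather than -addext so older OpenSSL releases work too).
cat >"$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = ehealth.id.au
[v3_req]
subjectAltName = DNS:ehealth.id.au,DNS:oz-ehealth.org,DNS:turnofphrase.com.au,DNS:twba.tv
EOF

# Self-signed stand-in for the certificate Let's Encrypt would have issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/san.cnf" >/dev/null 2>&1

# Print the DNS names from the certificate's SAN extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 when DOMAIN appears as a SAN in the certificate, 1 otherwise.
cert_covers() {
    cert_sans "$1" | grep -qx "$2"
}

echo "SANs in $WORK/cert.pem:"
cert_sans "$WORK/cert.pem"

for host in turnofphrase.com.au www.ehealth.id.au; do
    if cert_covers "$WORK/cert.pem" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered by this certificate"
    fi
done
```

The second loop iteration is the case worth noticing: www.ehealth.id.au was not in that particular `-d` list, so a browser visiting the www name would not accept this certificate even though the bare domain is fine.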

Thanks. I tried a website checker that informed me there was no certificate for one of my sites. When I used openssl x509 to actually look at the cert, it was as you have described. The only problem was with the site checker.

OK, if the certificate looks fine but the checker still doesn’t like some sites, those sites might not have been configured in Apache to use the certificate?

I haven’t been following all of this thread, I see you started out with the --apache switch where Let’s Encrypt takes responsibility for configuring Apache, but the most recent command you used doesn’t do that, probably you will need to go change the configuration files yourself to make Apache send over this certificate for all the sites it mentions?
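An added check for the situation the reply above describes (my example, not code from the thread or the client): once the certificate itself is known to be good, the remaining question is which <VirtualHost> blocks actually reference it. The awk below lists every block with its ServerName, port and SSLCertificateFile, and then reports the names that have no TLS-configured block at all, which is exactly what a checker would call “no certificate”. The config is a constructed sample in a temp file; the SSLCertificateFile path in it is an assumption about where the client stores certificates.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Find ServerNames whose <VirtualHost> blocks never reference a certificate.

# One line per block: "<ServerName> <port> <SSLCertificateFile or ->".
ssl_audit() {
    awk '
        /^[[:space:]]*<VirtualHost/ {
            inblock = 1; name = "(no ServerName)"; cert = "-"; port = "?"
            if (match($0, /:[0-9]+/)) port = substr($0, RSTART + 1, RLENGTH - 1)
            next
        }
        inblock && /^[[:space:]]*ServerName[[:space:]]/        { name = $2 }
        inblock && /^[[:space:]]*SSLCertificateFile[[:space:]]/ { cert = $2 }
        /^[[:space:]]*<\/VirtualHost>/ {
            printf "%s %s %s\n", name, port, cert
            inblock = 0
        }
    ' "$@"
}

# ServerNames that appear in no block carrying an SSLCertificateFile.
# A name with only a :80 block shows up here: that is the site the
# checker reports as having no certificate.
names_without_tls() {
    ssl_audit "$@" | awk '
        { seen[$1] = 1; if ($3 != "-") ok[$1] = 1 }
        END { for (n in seen) if (!(n in ok)) print n }
    ' | sort
}

# --- constructed sample config (assumption: not the OP's real file) ---
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
<VirtualHost *:80>
    ServerName ehealth.id.au
    ServerAlias www.ehealth.id.au
    DocumentRoot /var/www/ehealth
</VirtualHost>
<VirtualHost *:443>
    ServerName ehealth.id.au
    ServerAlias www.ehealth.id.au
    DocumentRoot /var/www/ehealth
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/ehealth.id.au/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ehealth.id.au/privkey.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName oz-ehealth.org
    DocumentRoot /var/www/oz-ehealth
</VirtualHost>
EOF

echo "ServerName port certificate"
ssl_audit "$CONF"
echo
echo "Sites with no TLS vhost (these will fail a checker):"
names_without_tls "$CONF"
```

Against a real install run `names_without_tls /etc/apache2/sites-enabled/*.conf`; every name it prints needs a :443 block pointing at the certificate before Apache will present it for that site.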

I figured it would be something like that. I stopped using Debian back in 2004, but I don't remember having a separate vhosts file for each domain.

Funny how the brain rewrites memories to make life feel more consistent.
