I think (though I’m not sure) this may have been fixed in Certbot 0.20.0, which was just released a few minutes ago… might be worth testing the new version in case it helps.
Whatever it ought to do, Apache is trying to listen 443 and finds it cannot
and crashes. There is another “listen 443” in one of the included .conf
files. Removing the “listen” that letsencrypt added fixes the problem.
@ddyer are you by chance using openSUSE? If so, this is a known issue and while it unfortunately wasn’t fixed in the latest release, we hope to get to it soon. was fixed in our latest release.
Hi @ddyer, and sorry that you are experiencing problems with the Apache plugin.
The issue you are seeing essentially means that Certbot doesn’t have visibility into the part of the configuration that defines the Listen 443.
It can follow Include and IncludeOptional definitions, so the file inclusion is not the issue here, but more likely some kind of configuration structure inside that included file.
If at all possible, could you post a snippet of the structure in the file that has the Listen 443 in place, i.e.:
I’m particularly interested in the module names and structure encapsulating the Listen statement. We’re trying to do module and variable discovery in multiple ways, and it seems to fall short here.
As a workaround, moving the Listen 443 to the main httpd.conf should do the job.
I'm reluctant to do that, because the sub-configuration files are managed by another
automated editing process, one which I have even less control over than letsencrypt.
The discussion and debugging over this issue continued in private messages between me and @ddyer over the last few days.
The issue was identified as Certbot being unable to find the variable SSL, which was used in an <IfDefine SSL> statement wrapping the VirtualHost block in one of the virtual host configuration files. This left Certbot unable to see the Listen 443 statement that was defined inside that virtual host.
The variable SSL was added to the Apache command line in the CentOS/RHEL/Fedora-specific configuration file /etc/sysconfig/httpd. We have been parsing this file for variables since Certbot v0.20, but the parsing method had a bug: it did not recognize command-line options with no whitespace separator, for example -DSSL vs. -D SSL.
As a workaround, I proposed adding Define SSL to the main httpd.conf, thus making it visible to Certbot for the time being.
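
The `-DSSL` versus `-D SSL` distinction from the last post, as an added example (not Certbot's code and not part of the thread): a Python parser that collects defines from the `OPTIONS=` line of a constructed sample `/etc/sysconfig/httpd`, next to a whitespace-only variant that reproduces the failure mode. The function names and the sample file contents are assumptions.

```python
import shlex

# Constructed sample of /etc/sysconfig/httpd (not taken from the thread).
SAMPLE_SYSCONFIG = '''\
# Configuration file for the httpd service.
#OPTIONS="-DDISABLED"
OPTIONS="-DSSL -D STATUS -f /etc/httpd/conf/httpd.conf"
LANG=C
'''


def options_tokens(sysconfig_text):
    """Return the argument tokens of the last active OPTIONS= assignment."""
    tokens = []
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "OPTIONS":
            continue
        # shlex removes the shell quoting around the value; the inner
        # split then separates the individual httpd arguments.
        words = shlex.split(value, comments=True)
        tokens = [tok for word in words for tok in word.split()]
    return tokens


def defines_whitespace_only(tokens):
    """Failure mode: only the separated '-D NAME' form is recognised."""
    return {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-D"}


def defines(tokens):
    """Recognise both the separated '-D NAME' and the joined '-DNAME' form."""
    found = set()
    it = iter(tokens)
    for tok in it:
        if tok == "-D":
            name = next(it, None)  # a trailing '-D' has no name to record
            if name is not None:
                found.add(name)
        elif tok.startswith("-D") and len(tok) > 2:
            found.add(tok[2:])
    return found


if __name__ == "__main__":
    toks = options_tokens(SAMPLE_SYSCONFIG)
    print("whitespace-only:", sorted(defines_whitespace_only(toks)))
    print("both forms:     ", sorted(defines(toks)))
```

With the whitespace-only variant, `SSL` is never defined, so an `<IfDefine SSL>` block and any `Listen 443` inside it stay invisible to the tool reading the configuration.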