Letsencrypt breaks my apache conf

Every time letsencrypt renews my certs, it also rewrites my httpd.conf file
with an error that breaks it and knocks my site off the air.

The bit it adds is

    <IfModule mod_ssl.c>
    Listen 443
    </IfModule>

Apparently, in my configuration, the “listen 443” is already present elsewhere,
and the duplicate listen is seen as a conflict.

The options I’m using to run certbot are

certbot-auto --apache renew

I think (though I’m not sure) this may have been fixed in Certbot 0.20.0, which was just released a few minutes ago… might be worth testing the new version in case it helps

I noticed the certbot update before I forced the most recent update,
so I think it’s not fixed.

The other listen comes from a #include in httpd.conf that pulls in a bunch
of system framework config files. My system is a VPS managed by interworx

Hi @ddyer,

Could you post your Apache configuration somewhere? (maybe before and after Certbot edits it?)

1 Like

Duplicate statements just override each other, the problem must be different.

Whatever it ought to do, apache is trying to listen 443 and finds it cannot
and crashes. There is another “listen 443” in one of the included .conf
files. Removing the “listen” that letsencrypt added fixes the problem.

@ddyer are you by chance using openSUSE? If so, this is a known issue and while it unfortunately wasn’t fixed in the latest release, we hope to get to it soon. was fixed in our latest release.

Not applicable. My vps is using an interworx control panel that determines
the overall structure of the config files.

OK. @joohoi works on the Apache plugin more than I do so I’ve asked him to take a look here.

Hi @ddyer and sorry that you are experiencing problems with Apache plugin.

The issue you are seeing essentially means that Certbot doesn’t have visibility to the part of configuration that defines the Listen 443.

It can follow Include and IncludeOption definitions, so the file inclusion is not the issue here, but more likely some kind of configuration structure inside that included file.

If by any means possible, could you post a snippet of the structure in the file that has the Listen 443 in place, ie:

#conf.d/includedfile.conf
<IfModule example_module>
  <IfDefine MY_VAR>
      Listen 443
  </IfDefine>
</IfModule>

I’m particularly interested in the module names and structure encapsulating the Listen statement. We’re trying to do module and variable discovery in multiple ways, and it seems to fall short here.

For workaround, moving the Listen 443 to the main httpd.conf should do the job.

I'm reluctant to do that, because the sub-configuration files are managed by another
automated editing process, one which I have even less control over than letsencrypt.

The discussion and debugging over this issue continued in private messages between me and @ddyer over the last few days.

The issue was identified as Certbot being unable to find variable SSL which was used in <IfDefine SSL> statement wrapping the VirtualHost block in one of the virtual host configuration files. This caused Certbot not being able to see the Listen 443 statement that was defined inside of that virtual host.

Variable SSL was added to Apache command line in CentOS/RHEL/Fedora specific configuration file /etc/sysconfig/httpd. We are parsing this file for variables since Certbot v0.20, but the parsing method had a bug, that did not recognize command line options with no whitespace separator, for example -DSSL vs. -D SSL.

As a workaround, I proposed adding Define SSL to the main httpd.conf, thus making it visible for Certbot for the time being.

I created a GitHub issue: https://github.com/certbot/certbot/issues/5317 and pull request: https://github.com/certbot/certbot/pull/5318 fixing this bug.

Thanks for your help in debugging this issue @ddyer !

2 Likes


@ddyer has just said that 0.21 did not fix the problem. @joohoi, would you mind continuing to investigate?