LetsEncrypt Site Inaccessible

My domain is:
https://lab.addmoreroutes.com

I ran this command:
apachectl -t -D DUMP_VHOSTS

It produced this output:

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 16 of /etc/apache2/sites-enabled/lab.addmoreroutes.com-https.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

My web server is (include version):

The operating system my web server runs on is (include version):
Linux Ubuntu 20.4 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

The file would have been present when your Apache configuration was generated, although the suffix -https.conf is rather unusual and wasn't generated by Certbot. Who configured your Apache HTTPS configuration file?

4 Likes

I had some initial issues after upgrading to Ubuntu 20.4 LTS and lost remote connectivity, and I am not trying to make any further changes.

Current Directory:

root@eve-ng:/etc/apache2# ls
apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled

root@eve-ng:/etc/apache2/sites-enabled# ls
lab.addmoreroutes.com-http.conf lab.addmoreroutes.com-https.conf netdata.conf unetlab.conf

root@eve-ng:/etc/apache2/sites-available# ls
backup lab.addmoreroutes.com-http.conf lab.addmoreroutes.com-https.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin whatever
        ServerName lab.addmoreroutes.com
        ServerAlias www.lab.addmoreroutes.com
        DocumentRoot /opt/unetlab/html/

        ErrorLog /opt/unetlab/data/Logs/https-error.log
        CustomLog /opt/unetlab/data/Logs/https-access.log combined

        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs

        SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        <Location /html5/>
            Order allow,deny
            Allow from all
            ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
            ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /html5/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
            ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>

        ProxyPass /janus-ws ws://127.0.0.1:8188/
        ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
        ProxyPass /chat-ws ws://127.0.0.1:9090/
        ProxyPassReverse /chat-ws ws://127.0.0.1:9090/

        ProxyPassMatch /netdata/(dashboard.js) http://127.0.0.1:19999/$1
        ProxyPassMatch /netdata/css/(.*)$ http://127.0.0.1:19999/css/$1
        ProxyPassMatch /netdata/(dash.*)$ http://127.0.0.1:19999/$1
        ProxyPassMatch /netdata/lib/(.*)$ http://127.0.0.1:19999/lib/$1
        ProxyPassMatch /netdata/api/v1/(.*)$ http://127.0.0.1:19999/api/v1/$1
    </VirtualHost>
</IfModule>

FYI: That name doesn't resolve to any IP.
If you are not using it, you might want to remove it.

3 Likes

Ok, I removed this line and still the same issue:

root@eve-ng:~# apachectl -t -D DUMP_VHOSTS
apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 15 of /etc/apache2/sites-enabled/lab.addmoreroutes.com-https.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

Can you show output of this command?

ls -l /etc/letsencrypt/{,live,renewal}
2 Likes
root@eve-ng:~# ls -l /etc/letsencrypt/{,live,renewal}
/etc/letsencrypt/:
total 32
drwxr-xr-x 4 root root 4096 Jul 29 14:28 accounts
drwx------ 4 root root 4096 Jul 29 02:53 archive
-rw-r--r-- 1 root root  121 Feb 11  2019 cli.ini
drwxr-xr-x 2 root root 4096 Jul 29 03:46 csr
drwx------ 2 root root 4096 Jul 29 03:46 keys
drwx------ 4 root root 4096 Jul 29 02:53 live
drwxr-xr-x 2 root root 4096 Jul 29 03:46 renewal
drwxr-xr-x 5 root root 4096 Jun  5 18:48 renewal-hooks

/etc/letsencrypt/live:
total 12
drwxr-xr-x 2 root root 4096 Jul 29 02:53 addmoreroutes.com
drwxr-xr-x 2 root root 4096 Jul 29 03:46 lab.addmoreroutes.com
-rw-r--r-- 1 root root  740 Jun  7 00:05 README

/etc/letsencrypt/renewal:
total 8
-rw-r--r-- 1 root root 552 Jul 29 02:53 addmoreroutes.com.conf
-rw-r--r-- 1 root root 572 Jul 29 03:46 lab.addmoreroutes.com.conf

Can you show contents of this file:

/etc/letsencrypt/renewal/lab.addmoreroutes.com.conf
3 Likes

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/lab.addmoreroutes.com
cert = /etc/letsencrypt/live/lab.addmoreroutes.com/cert.pem
privkey = /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
chain = /etc/letsencrypt/live/lab.addmoreroutes.com/chain.pem
fullchain = /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem


# Options used in the renewal process

[renewalparams]
account = acf661ad5b140d0372882e9f3319f3eb
pref_challs = http-01,
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory


Hmm. Did you previously use the apache plug-in? I was a little surprised to see standalone mentioned in that conf file.

Can you also show contents of this:

/etc/apache2/sites-enabled/lab.addmoreroutes.com-https.conf
2 Likes

Try (re)creating that file, from this output:

cat /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
3 Likes
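The error in this thread is Apache refusing to start because a vhost names a file that no longer exists. The following is an added example, not code from the thread or from Certbot/Apache: a small pre-flight check that lists every absolute path referenced by `Include`, `SSLCertificateFile`, `SSLCertificateKeyFile` or `SSLCertificateChainFile` in a vhost file and reports the ones that are missing, so the gap is found before `apachectl -t` aborts. The fixture it builds (domain `lab.example.test`, temp-dir paths) is constructed for the demonstration; pass a real vhost path as the first argument to check your own config.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot/Apache. It is a
# pre-flight check for the failure shown above: every absolute file named by
# Include, SSLCertificateFile, SSLCertificateKeyFile or SSLCertificateChainFile
# in a vhost must exist, or "apachectl -t" aborts the way it did for the
# missing /etc/letsencrypt/options-ssl-apache.conf. IncludeOptional is
# ignored (a missing file is allowed there); globs and ServerRoot-relative
# paths are left to Apache itself.

# list_missing_paths VHOST_FILE
# Prints "<directive> <path>" for every referenced absolute path that is absent.
list_missing_paths() {
    grep -Ev '^[[:space:]]*#' "$1" |
    awk '$1 ~ /^(Include|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)$/ { print $1, $2 }' |
    while read -r directive path; do
        case "$path" in
            /*[*?]*) ;;                                     # glob: Apache expands it
            /*)      [ -e "$path" ] || echo "$directive $path" ;;
            *)       ;;                                     # relative to ServerRoot, skipped
        esac
    done
}

# check_vhost VHOST_FILE
# Returns 0 when everything referenced exists, 1 otherwise (and names the gaps).
check_vhost() {
    missing=$(list_missing_paths "$1")
    if [ -n "$missing" ]; then
        printf 'Missing files referenced by %s:\n%s\n' "$1" "$missing"
        return 1
    fi
    printf 'All referenced files present in %s\n' "$1"
}

# make_fixture
# Builds a constructed vhost in a temp dir (one present include, one absent
# include, one present cert, one glob, one commented-out include) and prints
# the vhost path. Everything in it is made up for the demonstration.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/live"
    : > "$dir/ok.conf"
    : > "$dir/live/fullchain.pem"
    cat > "$dir/vhost.conf" <<EOF
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName lab.example.test
        # Include $dir/commented-out.conf
        Include $dir/ok.conf
        Include $dir/missing/options-ssl-apache.conf
        IncludeOptional $dir/optional-absent.conf
        Include $dir/conf.d/*.conf
        SSLCertificateFile $dir/live/fullchain.pem
    </VirtualHost>
</IfModule>
EOF
    echo "$dir/vhost.conf"
}

# Stand-alone run: check the vhost given as $1, else the constructed fixture.
if [ -n "$1" ]; then
    check_vhost "$1"
else
    check_vhost "$(make_fixture)" || :
fi
```

Once the check passes, `apachectl -t -D DUMP_VHOSTS` is the authoritative test, since Apache also validates directives this script does not look at.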

lab.addmoreroutes.com-https.conf:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin whatever
        ServerName lab.addmoreroutes.com
        DocumentRoot /opt/unetlab/html/

        ErrorLog /opt/unetlab/data/Logs/https-error.log
        CustomLog /opt/unetlab/data/Logs/https-access.log combined

        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs

        SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        <Location /html5/>
            Order allow,deny
            Allow from all
            ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
            ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /html5/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
            ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>

        ProxyPass /janus-ws ws://127.0.0.1:8188/
        ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
        ProxyPass /chat-ws ws://127.0.0.1:9090/
        ProxyPassReverse /chat-ws ws://127.0.0.1:9090/

        ProxyPassMatch /netdata/(dashboard.js) http://127.0.0.1:19999/$1
        ProxyPassMatch /netdata/css/(.*)$ http://127.0.0.1:19999/css/$1
        ProxyPassMatch /netdata/(dash.*)$ http://127.0.0.1:19999/$1
        ProxyPassMatch /netdata/lib/(.*)$ http://127.0.0.1:19999/lib/$1
        ProxyPassMatch /netdata/api/v1/(.*)$ http://127.0.0.1:19999/api/v1/$1
    </VirtualHost>
</IfModule>

Ok, it looks like you are trying to use a VirtualHost config like the one the apache plug-in would have created, but you are now using standalone.

So, a quick fix to get apache running again is to create the file rg305 showed just two posts ago. Then rerun apachectl -t -D DUMP_VHOSTS and show us what that says.

Also, instead of using blockquote, use the </> symbol for code formatting. Or just place 3 backticks before and after the output. It will look nicer.

3 Likes
root@eve-ng:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  lab.addmoreroutes.com (/etc/apache2/sites-enabled/lab.addmoreroutes.com-https.conf:2)
*:80                   is a NameVirtualHost
         default server lab.addmoreroutes.com (/etc/apache2/sites-enabled/lab.addmoreroutes.com-http.conf:1)
         port 80 namevhost lab.addmoreroutes.com (/etc/apache2/sites-enabled/lab.addmoreroutes.com-http.conf:1)
         port 80 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/unetlab.conf:24)

Great. Try starting apache and see if it works as expected.

There is more work to do to correct your standalone renewal but just one step at a time.

4 Likes

Remote SSL Works and Internal SSL Connection works after reloading Apache service

1 Like

Great. I've run out of time to sort out your remaining items.

You should replace standalone. That is not great as it requires apache to be stopped to successfully renew. That makes it difficult to automate and stopping apache is not necessary. You can use the webroot authenticator with deploy-hook or even go back to using the apache plug-in.

There are also 2 renewal conf files in the /etc/letsencrypt and the other needs review.

2 Likes

That makes sense that it needs to be stopped to renew, which explains the issues I have been running into. I am not aware of how to replace standalone with the 2 methods you mentioned.

Thanks for all your help

2 Likes

And now on to the next step.
Finding a way that doesn't require stopping the already running web service.
There are two ways of doing that:

  • using a plugin that can work with your web server [-a apache]
  • telling certbot exactly where to put the challenge [--webroot -w /some/path]

That is just the authentication portion, then there is also the installation question.

  • do you want certbot to update the Apache config [-i apache]
  • do you want certbot to only issue the cert and you'll handle the Apache config [-i certonly]
2 Likes
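The two replies above explain why `authenticator = standalone` is a problem for an always-on web server and name the two alternatives. As an added example (not code from the thread or from Certbot), the script below audits a Certbot renewal directory for lineages still using standalone and prints, for each one, the two re-issue commands that correspond to the choices listed above: the apache plug-in as both authenticator and installer, or webroot authentication plus a deploy hook that reloads Apache. The renewal confs it builds are constructed (`lab.example.test`, `www.example.test`, a placeholder account id); the web root `/var/www/html` and the `systemctl reload apache2` hook are assumptions to replace with your own values. Point it at `/etc/letsencrypt/renewal` to audit a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot. It audits Certbot
# renewal configs for "authenticator = standalone" (standalone binds port 80
# itself, so Apache has to be stopped for every renewal) and prints the
# non-stopping alternatives for each affected lineage. Domains, the account
# id and the web root below are constructed placeholders.

# renewal_param FILE KEY
# Prints the value of KEY from the [renewalparams] section of a renewal conf.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# audit_renewals DIR
# Prints "<cert-name> standalone" for every conf that would stop the web
# server on renewal; returns 1 if any were found, 0 otherwise.
audit_renewals() {
    found=0
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ "$(renewal_param "$conf" authenticator)" = "standalone" ]; then
            echo "$name standalone"
            found=1
        fi
    done
    return "$found"
}

# suggest_fix CERT_NAME DOMAIN WEBROOT
# Prints the two ways to re-issue CERT_NAME without stopping Apache. A
# successful run with the new plug-in rewrites [renewalparams], after which
# "certbot renew" no longer needs a free port 80. WEBROOT must be the
# directory the port-80 vhost serves, so /.well-known/acme-challenge/ resolves.
suggest_fix() {
    printf 'certbot --apache --cert-name %s -d %s\n' "$1" "$2"
    printf 'certbot certonly --webroot -w %s --cert-name %s -d %s --deploy-hook "systemctl reload apache2"\n' "$3" "$1" "$2"
}

# make_fixture
# Builds a constructed renewal dir: one standalone lineage shaped like the
# conf in the thread, one already on the apache plug-in. Prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/lab.example.test.conf" <<'EOF'
renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/lab.example.test
cert = /etc/letsencrypt/live/lab.example.test/cert.pem

# Options used in the renewal process
[renewalparams]
account = 00000000000000000000000000000000
pref_challs = http-01,
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$dir/www.example.test.conf" <<'EOF'
version = 0.40.0
[renewalparams]
authenticator = apache
installer = apache
EOF
    echo "$dir"
}

# Stand-alone run: audit the directory given as $1, else the fixture, and
# print the suggested commands for each standalone lineage found.
renewal_dir=${1:-$(make_fixture)}
audit_renewals "$renewal_dir" | while read -r name auth; do
    echo "$name uses $auth; re-issue with one of:"
    suggest_fix "$name" "$name" /var/www/html
done
```

After switching, `certbot renew --dry-run` confirms the new path works without touching the running server.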