Linux noob getting gray hairs with certbot


#1

Hello,
I'm trying to switch my website to HTTPS support.
Found your help site,
so I'm trying to generate certificates and configure my server with certbot.

Debian 9, Apache

My domain is:
Which names would you like to activate HTTPS for?

1: 4hosting.de
NEED TO REMOVE DOMAIN NAMES AS A NEW USER IS ONLY ALLOWED 20 LINKS
36: hans-jürgen-ohler.de

I ran this command:
certbot --authenticator webroot --installer apache

It produced this output:

After fixing my errors with the webroot paths, I'm finally stuck now, after entering all webroots, with this log:

Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Enabling available site: /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Created an SSL vhost at /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/4hosting.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/4hosting.de/privkey.pem
    Your cert will expire on 2018-10-17. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

I can't find this conf file in my apache2 folder…
Created an SSL vhost at /etc/apache2/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf


#2

this is from the log file

2018-07-19 15:06:04,554:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:05,260:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:05,924:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:06,602:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:07,244:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:07,347:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:07,707:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:08,323:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-19 15:06:08,607:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 306, in deploy_cert
    self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 416, in _deploy_cert
    self._add_dummy_ssl_directives(vhost.path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1402, in _add_dummy_ssl_directives
    "insert_cert_file_path")
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 328, in add_dir
    self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
  File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
    raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!

2018-07-19 15:06:08,608:DEBUG:certbot.error_handler:Calling registered functions
2018-07-19 15:06:08,620:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-07-19 15:06:08,620:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1093, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 768, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 306, in deploy_cert
    self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 416, in _deploy_cert
    self._add_dummy_ssl_directives(vhost.path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1402, in _add_dummy_ssl_directives
    "insert_cert_file_path")
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 328, in add_dir
    self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
  File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
    raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!
2018-07-19 15:06:08,622:ERROR:certbot.log:An unexpected error occurred:


#3

Hi,

I'm wondering, are you running Apache / Nginx under the same permissions (user) as root (the one that runs certbot)?

Refer to this issue: https://github.com/certbot/certbot/issues/5353

Thank you


#4

Hope I can answer your question correctly.

I'm logged into my server as root.

As root I use
certbot --authenticator webroot --installer apache
to start certbot.

In permissions I can also set a www-data user, which has been created by the system.

My configuration is a very old, but running, one in the old httpd.conf file.

I'm glad it's all running fine, but because of this new data security stuff, I have to implement HTTPS.

In all guides I found, it looked so easy :slight_smile:

A lot of domains use the same wwwroot folder,
and for a handful of domains there is their own folder.

Just in one folder a new folder was generated, .well-known.
This folder is empty, and all the other vhosts didn't get this folder.


#5

Is your domain really configured in Apache this way with the ü and not as xn--hans-jrgen-ohler-ozb.de? I wonder if this could be a new instance of the widespread Unicode parsing issues in Certbot.

Which version of Certbot are you running?


#6

It's with xn--; it seems the browser translates it directly to the umlaut version.

I installed certbot via Debian 9 backports.

I just selected only 2 domains, and it said all fine;
Apache is serving my main domain as HTTPS.

But therefore it created a new cert, and all the other domains don't get served.

I think there is some kind of limitation in the number of domains, or with different webroots in the same cert request.


#7

I don’t think that’s the case, because Certbot said that the certificate was successfully issued and then gave an error trying to install it in your Apache configuration. For example, it might be this certificate:

https://transparencyreport.google.com/https/certificates/Iet0IPMdO%2BZcY7Pr1gjwV08%2FxMh0ctIjZj7D%2Fm1scnA%3D


#8

It looks like this is an instance of this bug:

It doesn’t look like we’ve been able to fix it so far. Would you be willing to post your Apache configuration and Certbot log here or link them somewhere so we can take a look?

The workaround suggested in that thread is to define each VirtualHost in a separate Apache configuration file, instead of defining them all in the same file. (In current practice this is normally done by creating individual VirtualHost files in /etc/apache2/sites-available and then using a2ensite to create symbolic links to indicate that they should be enabled in the Apache configuration.)


#9

I tried a reinstall, selected just 2 domains from the provided ones, and it worked.

I just have issues now, as my redirect rules seem to get overwritten by some JavaScript, and all fixed links in old websites don't work at all, instead of getting to the HTTPS version.

download.chaosempire.eu
firmen-netz.com
Those domains, for example, are in two different wwwroot folders than the ones from the main wwwroot.

I could check what happens if I include them again, but I assume I have already generated 3 cert requests today…

For the configuration,
I can compress it and mail it to you if you like,

or put the compressed stuff somewhere on the web and send you a link via PN?


#10

I’d be happy to receive these files however you prefer.


#11

How can I send you a PN?


#12

I changed your user level so you should be able to do it now.


#13

@bmw @joohoi, can either of you speculate on this Augeas issue?

As @stevenzhu found, it seems like it’s likely to be an instance of

which it doesn’t appear has been resolved. In this case @ChaosEmpire is using Certbot 0.25.0 and I have a copy of the Apache configuration in case it would be relevant.

One hypothesis that I have about the problem is that there is a very large VirtualHost with a single Serveralias for many different names, some of which are wildcard names missing a dot, e.g. *ab-in-den-mixer.de, which looks to me like a typo for *.ab-in-den-mixer.de. Is it possible that such a form would be accepted by Apache for some purposes but cause trouble for Augeas here?

@ChaosEmpire, something you could try in the meantime: if you always meant "*.beispiel.de" instead of "*beispiel.de", you can correct that in the configuration file. I also think that your Apache configuration is somewhat untidy overall, but unfortunately that is not a specific explanation. :slight_smile:
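The two suggestions made so far, splitting the monolithic httpd.conf into one VirtualHost per file (post #8) and checking the ServerAlias wildcards for a missing dot (post #13), can be done mechanically before the next certbot run. The Python script below is an added example, not code from this thread or from Certbot. It works on a constructed sample config embedded in the script, assumes plain Apache syntax with no nested VirtualHost blocks and no Include directives, and uses an output directory of its own as a stand-in for /etc/apache2/sites-available. It also reports the xn-- form of any name written with an umlaut, which is the form post #5 asks about, using the standard library's idna codec.

```python
"""Split a monolithic Apache httpd.conf into one file per VirtualHost and
lint the host names each vhost serves.

Added example, not part of the forum thread or of Certbot. Assumptions:
plain Apache syntax, VirtualHost blocks are not nested, Include directives
are not followed, and OUT_DIR plays the role of /etc/apache2/sites-available.
"""
import re
from pathlib import Path

# Constructed sample (not the poster's real config): one old-style file with
# several vhosts, a wildcard alias missing its dot, and an IDN with an umlaut.
SAMPLE_HTTPD_CONF = """\
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName example.de
    ServerAlias www.example.de *example.de
    DocumentRoot /var/www/main
</VirtualHost>

<VirtualHost *:80>
    ServerName hans-jürgen-ohler.de
    ServerAlias www.hans-jürgen-ohler.de
    DocumentRoot /var/www/main
</VirtualHost>

<VirtualHost *:80>
    ServerName download.example.eu
    DocumentRoot /var/www/download
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b.*?</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)
WILDCARD_RE = re.compile(r"^\*\.")  # the shape an Apache wildcard alias must have


def split_vhosts(conf_text):
    """Return the <VirtualHost>...</VirtualHost> blocks in file order."""
    return VHOST_RE.findall(conf_text)


def vhost_names(block):
    """All names a block serves: ServerName first, then every ServerAlias."""
    names = []
    for _directive, value in NAME_RE.findall(block):
        names.extend(value.split())
    return names


def to_ascii(name):
    """Punycode (xn--) form of a host name via the stdlib IDNA 2003 codec.

    Apache matches the Host header, which browsers send in xn-- form, so a
    ServerName written with an umlaut never matches a real request.
    """
    return name.encode("idna").decode("ascii")


def lint_vhost(block):
    """Return (name, problem) findings for one vhost block."""
    findings = []
    for name in vhost_names(block):
        if name.startswith("*") and not WILDCARD_RE.match(name):
            # "*example.de" is taken literally by Apache; it is not a wildcard
            findings.append((name, "wildcard without dot, probably meant *." + name[1:]))
        if not name.isascii():
            findings.append((name, "non-ASCII name, Apache needs " + to_ascii(name)))
    return findings


def write_sites_available(conf_text, out_dir):
    """Write one <ServerName>.conf per vhost into out_dir; return the paths.

    This is the forum workaround: one VirtualHost per file, each enabled
    afterwards with a2ensite <name>.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for i, block in enumerate(split_vhosts(conf_text), 1):
        names = vhost_names(block)
        stem = to_ascii(names[0]) if names else "vhost-%d" % i
        path = out / (stem + ".conf")
        path.write_text(block + "\n", encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    for block in split_vhosts(SAMPLE_HTTPD_CONF):
        for name, problem in lint_vhost(block):
            print("%s: %s" % (name, problem))
    for path in write_sites_available(SAMPLE_HTTPD_CONF, "sites-available-out"):
        print("a2ensite", path.stem)
```

Run it against a copy of the real httpd.conf, fix every finding it prints, move the generated files into /etc/apache2/sites-available, enable them with a2ensite, and run `apachectl configtest` before trying certbot again; the split files give the Augeas parser one small unit per vhost instead of one very large one.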


#14

The configuration file httpd.conf is a very old relic from my first Debian server, somewhere around 2000,
always imported, never split, and so on.

Some old projects have been given up, and old domains have moved to my private website.
It really may be that there is a fault, like the missing dot; no one would ever have found it, as the original project for that domain is gone, and if someone does not reach my parking website… I don't know.

On the other hand, it seems certbot is reading the file; it found several things I removed during my trials, as they were server aliases and so on which will never be used again.

So, if it reads all the configuration for those domains, why does it not read the webroot folders in the same config, and maybe a config fault like the missing dot could also be found?

Maybe it's possible to have an error handler which at least prints something usable, rather than issues in Python files at line… This could at least lead to an idea of what can be wrong…

I don't know how many cert requests I can do this week, after several tries, so let me know if I shall fix the config and do a retry, or better wait until someone has more suggestions on what to change before a new trial.


#15

OK, I removed some more outdated vhosts, and also fixed the errors with missing dots in *.domain.

Tried to create the cert for all domains…

I'm back to the errors :slight_smile:

Your key file has been saved at:
/etc/letsencrypt/live/chaotix.eu/privkey.pem
Your cert will expire on 2018-10-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificate
2018-07-20 11:27:57,160:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:27:57,552:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:27:58,290:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:27:58,992:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:27:59,683:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:28:00,371:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:28:01,079:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:28:01,840:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:28:02,536:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/httpd-le-ssl.conf
2018-07-20 11:28:02,633:DEBUG:certbot.reverter:Creating backup of /etc/apache2/httpd-le-ssl.conf
2018-07-20 11:28:02,687:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/apache2/httpd-le-ssl.conf
2018-07-20 11:28:03,563:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/httpd-le-ssl.conf
2018-07-20 11:28:03,960:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 306, in deploy_cert
    self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 416, in _deploy_cert
    self._add_dummy_ssl_directives(vhost.path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1402, in _add_dummy_ssl_directives
    "insert_cert_file_path")
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 328, in add_dir
    self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
  File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
    raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!

2018-07-20 11:28:03,960:DEBUG:certbot.error_handler:Calling registered functions
2018-07-20 11:28:03,985:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-07-20 11:28:03,987:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1093, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 768, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 306, in deploy_cert
    self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 416, in _deploy_cert
    self._add_dummy_ssl_directives(vhost.path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1402, in _add_dummy_ssl_directives
    "insert_cert_file_path")
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 328, in add_dir
    self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
  File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
    raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!
2018-07-20 11:28:03,988:ERROR:certbot.log:An unexpected error occurred:


#16

When I see your very long list

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:download.chaosempire.eu&lu=cert_search

with 36 domain names:

I would split this. Use the staging system and create a new test certificate with the first 18 domain names. If that works, a test certificate with the other 18 domain names -> should crash.

So reduce the number of certificates (divide and conquer): halve it in each step.

The cert creation works. The deployment is the problem.


#17

As you said, the deployment is the problem, so splitting the cert for generation makes no sense.

It seems to be an issue with several vhosts in one config, or redirects.
Choosing only 2 domains of the main webroot has not been an issue, including the redirects there, so I assume it's a problem because of several vhosts.

So if there is an error, it needs to get fixed, or at least caught and stopped with a message: multiple vhosts, please do the following…

instead of an exception error without any hint.

I'm pretty sure the developers will find the issues.

For the moment I was able to use the new 38-domain cert, just by re-adding the deleted symlink.


#18

I’ll hope to hear from @joohoi about this next week and I’m prepared to share your configuration with him if it’s helpful.

I’m sorry that the idea about the missing dot didn’t fix the problem! :frowning:


#19

No reason for a sorry, it's not your fault; I'm happy you found my faults. And all of you are working in your free time, which is so much more than many people do for others.


#20

The error is thrown by the underlying Augeas library, and unfortunately we are not able to get more detailed error messages. I would like to have a copy of the configuration to play with to be able to understand what’s causing the issue.

