Listen 443 added twice to apache conf when renewing

Hey there,

I used certbot 0.19.0 to renew 3 certificates on the same server.
It could successfully renew the first domain but failed for the last 2.
Then I noticed Apache was down.

I tried to restart it but it would always complain port 443 was busy.

When I inspected the ports.conf file, I noticed that:

<IfModule mod_ssl.c>
Listen 443
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
NameVirtualHost *:443

Listen 443
</IfModule>

Listen 443 is there twice, and, I know that sounds silly, but it would prevent Apache from starting.

When I remove one of the instances, it works again, and I can renew the next certificate, but then certbot adds back the extra Listen 443. I can remove the first or last occurrence, it doesn’t matter, it’s added back every time.

Not sure what’s causing that, maybe the comments in the mod_ssl.c section? I haven’t tried to remove them, but maybe it’s worth a try when you investigate the issue.

Apache version is:
Apache/2.2.22 (Debian) mod_fcgid/2.3.6 mod_ssl/2.2.27
OpenSSL/1.0.1h

Running on Debian 7.11

HTH

Cheers,
Thibaut

@joohoi @bmw Do you know what could cause this double Listen directive being added to an apache config by certbot?

Certainly! This is definitely a bug in Certbot. This happens because Certbot cannot “see” inside the IfModule block for some reason. Either it doesn’t detect mod_ssl being loaded or something else is going on. I’ll investigate a bit for potential reasons behind this.

3 Likes

For some reason Certbot wasn’t able to see the LoadModule line in your Apache configuration.

Since version v0.20, released on the 6th of December, Certbot does a dump of the loaded module configuration directly from the Apache binary in addition to the passive file parsing, so this should solve the problem for you.

If you experience the issue after updating Certbot to version 0.20, please let me know, and we can dig deeper.

2 Likes

Awesome, thanks!
I’ll let you know if that fixed the issue next time I renew.

2 Likes
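A check for the symptom reported in the first post, as an added example that is not part of the thread and not Certbot's code: it scans one Apache config file for repeated Listen directives that would be active together, so the duplicate can be caught before Apache is restarted after a renewal. The function names are hypothetical, the sample is constructed from the ports.conf quoted above, and the script assumes a bare port means the wildcard address and does not follow Include directives.

```python
import re
import sys

# Constructed sample, modelled on the ports.conf quoted in the first post.
SAMPLE_PORTS_CONF = """\
<IfModule mod_ssl.c>
Listen 443
    # comment lines are ignored by the check
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
OPEN_RE = re.compile(r"^\s*<(If\w+\s+[^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</If\w+>", re.IGNORECASE)

def normalize(addr):
    """Assumption: a bare port ('443') is the wildcard socket '*:443'."""
    return addr if ":" in addr else "*:" + addr

def find_duplicate_listens(text):
    """Return (socket, first_line, dup_line) for every Listen that repeats an
    earlier one where one directive's enclosing <If...> blocks are a prefix
    of the other's, i.e. both apply whenever the inner block is active."""
    stack, seen, dups = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := OPEN_RE.match(line):
            # Record the condition, whitespace- and case-normalized.
            stack.append(" ".join(m.group(1).split()).lower())
        elif CLOSE_RE.match(line) and stack:
            stack.pop()
        elif m := LISTEN_RE.match(line):
            sock, scope = normalize(m.group(1)), tuple(stack)
            for prev_sock, prev_scope, prev_line in seen:
                n = min(len(scope), len(prev_scope))
                if prev_sock == sock and scope[:n] == prev_scope[:n]:
                    dups.append((sock, prev_line, lineno))
                    break
            seen.append((sock, scope, lineno))
    return dups

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PORTS_CONF
    for sock, first, dup in find_duplicate_listens(text):
        print(f"duplicate Listen {sock}: line {dup} repeats line {first}")
```

The Listen 443 under mod_gnutls.c in the sample is not reported, because it sits under a different condition than the mod_ssl.c block and the two are only in conflict if both modules are loaded.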
