Missing a step?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jackiesmcs.com

I ran this command: Certbot - Ubuntufocal Apache (eff.org)

It produced this output:
Requesting a certificate for jackiesmcs.com
Performing the following challenges:
http-01 challenge for jackiesmcs.com
Waiting for verification...
Cleaning up challenges

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WP 5.6

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

I followed the steps in the above URL, but when I test https://jackiesmcs.com it does not resolve. I am sure I am missing a step, but as I have never done this before I am not sure what it might be. Any assistance is much appreciated.

3 Likes

Hi and welcome to the LE community forum :slight_smile:

"I ran this command:"
Asks for the actual command you ran - not the page/link where you found it.

Were you able to get a cert?

This statement is a bit confusing:

"It doesn't resolve" generally means DNS wasn't able to return an IP for the name; but that is not the case here.
So, I checked the site for HTTP and HTTPS, and HTTP works but HTTPS fails to connect.
Have you allowed HTTPS in through your router/firewall?

3 Likes

Thanks for the reply. I added the link as I thought it would be best to show that I did all those steps rather than list out the commands on that same page. Easier I suppose. At least I thought it was :smiley:

By "does not resolve" I mean it doesn't load the site over HTTPS.

I do have 8080 open to the host. I also put a computer on the same network as that host to test, and I cannot reach it at HTTPS.

Other than those instructions to enable HTTPS, and open my firewall to 8080, I have not done any other configurations on the host or where I registered the Domain Name. I thought I would have to enter credentials somewhere but not sure :thinking:

4 Likes

Ok, then did any of the steps fail?
If so, which? [detail the complete command and error msg]

And also please show the output of:
apachectl -S

3 Likes

I just realized the link you showed merely installs an ACME client.
Now you need to use it to get a cert - LOL

4 Likes

None of the steps failed.

Here is the output of apachectl -S:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 jackiesmcs.com (/etc/apache2/sites-enabled/jmcs.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

3 Likes

Please show this:
certbot certificates

And then try this:
certbot --apache

OR read up on how certbot is used.

3 Likes

That's a private IP address and not the public IP address of jackiesmcs.com.

3 Likes

Not a problem.
*:80 binds to all local IPs.
So long as the NAT forwards to the real internal IP - it's all good.

It's actually using 127.0.1.1 as the default NAME not the IP bound by Apache.

3 Likes

I assumed since it takes me all the way to test the site at HTTPS that it did everything for me :stuck_out_tongue:

I started at Getting Started - Let's Encrypt - Free SSL/TLS Certificates and it says it automates the issuance and they have no further instructions on that page to get a cert so me not having a clue :smiley:

4 Likes

I don't think 127.0.1.1 makes a good FQDN for the server though. :upside_down_face:

Certbot will gag on that.

4 Likes

Actually I would prefer using anything other than an FQDN that will be served by the enabled sites.
So, 127.0.1.1 is as good as "MyServer" :slight_smile:

2 Likes

"If Certbot does not meet your needs, or you’d like to try something else, there are many more ACME clients to choose from. Once you’ve chosen ACME client software, see the documentation for that client to proceed."

3 Likes

I don't understand. How is the hostname gonna match then? :worried:

3 Likes

Certbot will overlook that, it only cares for names that you are trying to get a cert for.

3 Likes

Never used Linux or Apache either, so how do I get rid of 127.0.1.1?

I am as noob as it gets here :frowning: I have always used IIS, and made sites with code and used NoIP for free DNS. Never used WP or purchased a Domain name before.

3 Likes

I thought if there's no matching VirtualHost that certbot will choke.

3 Likes

The "hostname" is found as the "servername" in the enabled site.
[might be missing the "www" but that's another issue]

3 Likes

Here is the output to certbot certificates:

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: jackiesmcs.com
Serial Number: a long SN. Not sure if I need to keep it hidden?
Key Type: RSA
Domains: jackiesmcs.com
Expiry Date: 2021-04-24 17:07:07+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/jackiesmcs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/jackiesmcs.com/privkey.pem


4 Likes
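The two outputs posted in this thread can be checked against each other. The following is an added example, not code from any poster or from Certbot: it parses `apachectl -S` and `certbot certificates` text and lists certificate domains that no Apache VirtualHost serves on port 443. The function names are hypothetical, the first two samples are trimmed from the thread, and the third sample (including its `example-ssl.conf` file name) is constructed.

```python
import re

# Trimmed from the outputs posted in this thread.
APACHECTL_S = """\
VirtualHost configuration:
*:80 jackiesmcs.com (/etc/apache2/sites-enabled/jmcs.conf:1)
ServerRoot: "/etc/apache2"
"""
CERTBOT_CERTIFICATES = """\
Found the following certs:
Certificate Name: jackiesmcs.com
Domains: jackiesmcs.com
Certificate Path: /etc/letsencrypt/live/jackiesmcs.com/fullchain.pem
"""
# Constructed: what the vhost list looks like once a :443 vhost is also enabled.
APACHECTL_S_WITH_TLS = """\
VirtualHost configuration:
*:443                  jackiesmcs.com (/etc/apache2/sites-enabled/example-ssl.conf:2)
*:80                   jackiesmcs.com (/etc/apache2/sites-enabled/jmcs.conf:1)
"""

SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\(")                 # "*:80 name (file:line)"
NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\(")  # several vhosts on one address
ALIAS = re.compile(r"^\s+alias (\S+)")                          # ServerAlias of the vhost above

def vhost_ports(apachectl_output):
    """Map each ServerName/ServerAlias to the set of ports Apache serves it on."""
    ports, current = {}, None
    for line in apachectl_output.splitlines():
        m = SINGLE.match(line) or NAMEVHOST.match(line)
        if m:
            current = int(m.group(1))
            ports.setdefault(m.group(2).lower(), set()).add(current)
        elif current is not None and (a := ALIAS.match(line)):
            ports.setdefault(a.group(1).lower(), set()).add(current)
    return ports

def cert_domains(certbot_output):
    """Collect every name from the 'Domains:' lines (space-separated)."""
    names = set()
    for line in certbot_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Domains":
            names.update(d.lower() for d in value.split())
    return names

def certs_without_https_vhost(apachectl_output, certbot_output, tls_port=443):
    """Certificate names that have no VirtualHost on tls_port (wildcards not expanded)."""
    ports = vhost_ports(apachectl_output)
    return sorted(d for d in cert_domains(certbot_output)
                  if tls_port not in ports.get(d, set()))
```

On a live host the two strings would come from `apachectl -S` and `sudo certbot certificates`; a non-empty result means a certificate exists on disk but Apache has no port 443 VirtualHost to present it.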

Maybe I'm looking at this weirdly. :thinking:

3 Likes