Need assistance with pre-built VM

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ocic.k12.ok.us

I ran this command:
sudo certbot --apache

It produced this output:
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Ubuntu 22

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

As the subject says, an educational nonprofit was provided with a prebuilt Linux VM from the US Department of Education to collect survey data. I set up the VM on an internal host, and it is accessible and working, but has no SSL certificate.

I have full access to the server via webmin, and can edit or create what is necessary.

Thank you all.

This doesn't run on Apache.

If you do not want to modify the VM, you can use whatever reverse proxy you're used to and have it handle TLS termination.

2 Likes

Your DNS points to Google services. You need the IP addresses to point to your host.

2 Likes

I should clarify; the server is survey.ocic.k12.ok.us

The DNS record for the server is not Google services.

The server is survey.ocic.k12.ok.us

No, that domain is not :slight_smile:

But, the survey domain responds to HTTP requests from an nginx server. Not Apache.

If that is your reverse proxy to the Apache VM, the cert for it should be set up there. Otherwise, please explain more about your server config.

curl -i http://survey.ocic.k12.ok.us/.well-known/acme-challenge/Test404
HTTP/1.1 200 OK
Server: nginx/1.24.0
2 Likes

Thank you for the help.

Hmm.

(Apologies here, since I'm not a Linux admin by nature).

Webmin doesn't show nginx as one of the configured servers, but it clearly shows Apache. However, on a whim, I ran the installation instructions for nginx...and it worked. A certificate was installed for survey.ocic.k12.ok.us

However.

Step 8. I tested the command for automatic renewal, and it failed:

Failed to renew certificate survey.ocic.k12.ok.us with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/survey.ocic.k12.ok.us/fullchain.pem (failure)

Plus, the site still shows it is not secure.

1 Like

Also: receiving this error message now:

nginx restart failed:
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()

Can you just talk us through your server configuration in your own words?

Describe the overview of where the nginx reverse proxy runs and where this Apache VM is (same machine, different, all on your premises, ...)

When you used certbot with the --nginx plugin you told Certbot to set up nginx to handle port 443. But the error is saying something is already using that port.

What does this show?

sudo ss -pant | grep -i listen | grep -Ei ':80|:443|httpd|apache|nginx'
2 Likes
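Added example, not part of any post in this thread: a small shell helper that reads `ss -pant` output like the command above produces and reports which process holds the listening socket on ports 80 and 443, the information needed to explain nginx's `bind() to 0.0.0.0:443 failed (98)` error. The sample output, process names and PIDs are constructed for illustration and are not this poster's server.

```shell
#!/bin/sh
# Constructed sample of `sudo ss -pant` output; not taken from the thread.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=812,fd=6),("nginx",pid=811,fd=6))
LISTEN 0      511                *:443             *:*     users:(("apache2",pid=640,fd=4))
LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*     users:(("node",pid=655,fd=19))
ESTAB  0      0           10.0.0.5:443      10.0.0.9:51514 users:(("apache2",pid=702,fd=9))
EOF
}

# port_owner PORT: read ss output on stdin, print the comma-separated
# process names that hold a LISTEN socket on exactly PORT.
port_owner() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, addr, ":")        # port is the last ":" field, also for [::]:443
      if (addr[n] != port) next       # exact match, so 80 does not hit 8080
      i = index($0, "users:")
      if (i == 0) {                   # ss run without root shows no process column
        if (!seen["unknown"]++) { out = out sep "unknown"; sep = "," }
        next
      }
      m = split(substr($0, i), q, "\"")
      for (k = 2; k <= m; k += 2)     # quoted names sit at even positions
        if (!seen[q[k]]++) { out = out sep q[k]; sep = "," }
    }
    END { print out }'
}

# diagnose: report who owns 80 and 443; return 1 when 443 is held by
# something other than nginx, the case where nginx fails with bind() (98).
diagnose() {
  input=$(cat)
  o80=$(printf '%s\n' "$input" | port_owner 80)
  o443=$(printf '%s\n' "$input" | port_owner 443)
  echo "port 80:  ${o80:-nothing listening}"
  echo "port 443: ${o443:-nothing listening}"
  case "$o443" in
    ""|nginx) return 0 ;;
    *) echo "443 is held by $o443; nginx cannot bind it until that listener is moved or stopped"
       return 1 ;;
  esac
}

sample_ss | diagnose || true
```

On a live host, replace `sample_ss` with `sudo ss -pant`; without root the process column is missing and the owner is reported as `unknown`.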

That's probably because you were supposed to follow "the webmin way" to TLS instead of installing certbot yourself.

3 Likes
