New to this - vhosts-le-ssl.conf error :(

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: us.liquidsonics.com

I ran this command: sudo certbot --apache -d us.liquidsonics.com

It produced this output:
[root@mirror-us letsencrypt]# sudo certbot --apache -d us.liquidsonics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Obtaining a new certificate
File: /etc/httpd/conf.d/vhost-le-ssl.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
An unexpected error occurred:
StopIteration
Please see the logfiles in /var/log/letsencrypt for more details.
**IMPORTANT NOTES:**
 **- Unable to install the certificate**
 - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/us.liquidsonics.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/us.liquidsonics.com/privkey.pem
Your cert will expire on 2020-12-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yup

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Cetbot 1.7.0

--
After getting the above error the certificate process drops out. It has generanted the PEM files but hasn't modified apache.

When I visit the url I get:
This site can’t provide a secure connection
us.liquidsonics.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

1 Like
2

Hi @netutgamer

There is the error:

SSL_ERROR_RX_RECORD_TOO_LONG

So it's a http port, not a https port - http://us.liquidsonics.com:443/ works.

  • first use sudo apachctl -S to check your configuration, your port 80 looks ok
  • Disable / delete that port 443 vHost
  • Let Certbot create a new vHost certbot -d yourdomain -i apache --reinstall
  • First make a backup
1 Like
3

Thanks @JuergenAuer

So I ran Apactrl - S and picked up there was a port 44s entry in ssl.conf so I moved that file away from the directory and restarted apache. Running it again validated that it was gone.

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/vhost.conf:1
VirtualHost configuration:
*:80 us.liquidsonics.com (/etc/httpd/conf.d/vhost.conf:3)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Leaving me with just the port 80

I ran certbot -d yourdomain -i apache --reinstall and picked option 1 (apache plugin) and got a similar output again

certbot -d us.liquidsonics.com -i apache --reinstall

Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
File: /etc/httpd/conf.d/vhost-le-ssl.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
An unexpected error occurred:
StopIteration
Please see the logfiles in /var/log/letsencrypt for more details.

**IMPORTANT NOTES:**

 **- Unable to install the certificate**
 - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/us.liquidsonics.com/fullchain.pem

Your key file has been saved at:
/etc/letsencrypt/live/us.liquidsonics.com/privkey.pem
Your cert will expire on 2020-12-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

Not sure what I'm doing wrong :frowning:

1 Like
4

Check your config to find the place where this file

is used. Change that.

Don't create a new certificate, there is a rate limit.

May be only

certbot --reinstall
1 Like
5

Even --reinstall triggers a rate limit it would seem :frowning:

certbot --reinstall

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: us.liquidsonics.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Obtaining a new certificate

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: us.liquidsonics.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

Guess I now need to wait a week :frowning:

6

You have already 5 identical certificates, don't create a new.

Install one of the existing certificates.

sudo certbot certificates

https://certbot.eff.org/docs/using.html

1 Like
7

What does this show?:
certbot certificates

2 Likes
8

So I've managed to track this issue down to a something Apache related. And been successfully able to install an SSL (generated one quickly from another free provider and manually installed it). So I now know that my foundations are working.

I now just need to get Certbot sorted. I've capped out on my limits (which I'm surprised at) But I'll now wait until I'm released again as I think it will then be straightforward.

I had managed to generate a cert, and get it installed on the server, and update it, It just wasn't running https in apache correctly. That's now sorted.

Thank you everyone for your help! Especially @JuergenAuer :slight_smile:

4 Likes
9

You don't have to wait to get certbot straightened out. :slightly_smiling_face:

Just add --dry-run to the end of your certbot command to use the staging servers for testing your process. They generate false certificates that are not installed, which won't affect you since you already have a working certificate.

2 Likes
10

There is a test system you can (and should) use.

1 Like
11

Yes the generation of the certificate worked ok, it was just the installation of it within apache.

I don't have the cert on the server now so I need to re-install it again using certbot, and it doesn't' want to do that now because of limits.

--dry-run won't pull the cert to the server will it?

I did do testing calls to start with the gernate the cert, but not to install it.

2 Likes
12

Then

a test certificate isn't helpful, if only the installation is the problem.

The test certificate isn't valid, it's from "Fake LE". So you shouldn't install it.

3 Likes
13

If you want to go ahead and get your apache installation working with LE, I've created a guide for you. :slightly_smiling_face:

Add a CNAME Record

Add a CNAME record to your DNS that points onemore.us.liquidsonics.com to us.liquidsonics.com. You may need to shorten onemore.us.liquidsonics.com to onemore.us if your DNS provider automatically adds .liquidsonics.com to the end.

You can verify that your CNAME record is correct using dig. Your new record should appear as an answer.

Example when I dug your A record:

;QUESTION
us.liquidsonics.com. IN A
;ANSWER
us.liquidsonics.com. 13712 IN A 173.230.148.224

Your result should look something like this:

;QUESTION
onemore.us.liquidsonic.com. IN CNAME
;ANSWER
onemore.us.liquidsonics.com. # IN CNAME us.liquidsonics.com
us.liquidsonics.com. 13712 IN A 173.230.148.224

Generate One More New Certificate

sudo certbot certonly --cert-name us.liquidsonics.com -a apache -d us.liquidsonics.com,onemore.us.liquidsonics.com --keep-until-expiring

If you run into issues here, let us know immediately.

Install Your New Certificate

sudo certbot install --cert-name us.liquidsonics.com -i apache

If anything goes wrong with the installation, you can use the following command to undo the damage caused by the attempted install:
sudo certbot rollback

2 Likes
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.