No https on Apache after certbot install

Just ran certbot on a new installation of Apache2. I can see our site via www, but not https. I have looked all over trying to find a solution with no luck. HTTP views normally, HTTPS says it can't make a secure connection. Ports 80 and 443 are open.

My domain is: starionhost.net

I ran this command: certbot --apache

It produced this output: normal, no errors.

My web server is (include version): Apache2 v2.4.54

The operating system my web server runs on is (include version): Debian 11 bullseye

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.9.99

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0


Continuing to search, it looks like maybe the certificates aren't referenced in Apache? I thought that's what certbot was supposed to do, put the files where they belong and set the Apache references to them, hence specifying the server type i.e. certbot --apache

Am I misunderstanding?


Hi @starion and Welcome to the forum.
Could you please show the command you used to obtain the certificate?
According to crt.sh:

You have received certs a couple of times today for www and starionhost.net
Your certbot command would be extremely helpful to help you resolve this issue.

I suspect you may have used "certonly" or some other form of a manual cert request.

Please advise!


I understand that webmin configures Apache. So, you can use certbot (or other clients) to get a cert but then you instruct webmin where to find the certs so webmin configures Apache and the HTTPS VirtualHost.

I don't use webmin myself so am just relying on their docs. Many "panels" work this way. It can be difficult to make apache changes outside of a panel.

Below is a link to a namecheap page for installing a cert into webmin. Their example uses a cert that you bought from them. So, just replace that language with the cert files from certbot and Let's Encrypt. You should probably also use a certbot command that only gets a cert and does not try to configure Apache. Something like:

```sh
# get (or renew) the cert only; reload Apache afterwards so it picks up the new files
certbot certonly -a apache -d starionhost.net -d www.starionhost.net --deploy-hook "systemctl reload apache2"
```

I am using namecheap example just because it was the first good one I found.


Simply certbot --apache

Webmin doesn't configure Apache, it's just a web interface to the Apache configurations, so no, Webmin wouldn't have anything to do with why certbot didn't configure it.


That command would pull the certs again, which I don't really need. I know where the certs are, I just need to figure out where Apache wants to see them.


Apache wants to see them where you tell Apache they are :slight_smile:

Seriously though. Using the --apache plug-in normally configures your VirtualHost. That did not happen here. I still believe you configure webmin to know where the certs are and it configures your apache VirtualHost accordingly (as described in that namecheap link I provided).

But, perhaps I am wrong. Can you show us the contents of the file with your VirtualHost for this domain (should be more than one VirtualHost). If you don't know where they are show us output of this command:

apachectl -t -D DUMP_VHOSTS

When showing the contents of apache config files, please place 3 backticks before and after the output so certain info is not lost like:

```
contents of apache config file
```


Here it is. This looks like the stock virtual host config, so I'm pretty sure certbot didn't touch it. The output below is from /etc/apache2/sites-available/000-default.conf

As for Webmin, it is simply a web program that gives you a window into the config files, nothing more. It doesn't make any decisions programmatically. Changes you make in Webmin reflect in the Apache config files, and changes made to config files directly through the command line reflect exactly in Webmin. Webmin just formats it into pretty screens that make it easier to find the options you want. It is still possible to screw up your apache config, Webmin won't stop you. lol.

```
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin masked@starionhost.net
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName www.starionhost.net

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
```

Hopefully there is a symlink in /sites-enabled/ to this as well.

That said, what you show is only an Apache fragment - not a complete VirtualHost.

Can you show output of this?

apachectl -t -D DUMP_VHOSTS

Also please show output of this

certbot certificates

Output of apachectl -t -D DUMP_VHOSTS:

```
VirtualHost configuration:
*:*                    www.starionhost.net (/etc/apache2/sites-enabled/000-default.conf:1)
```

Output of certbot certificates:

```
Found the following certs:
  Certificate Name: starionhost.net
    Serial Number: yesthereisaserialnumber
    Key Type: RSA
    Domains: starionhost.net www.starionhost.net
    Expiry Date: 2022-11-11 20:46:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/starionhost.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/starionhost.net/privkey.pem
```

And contents of this too. Sorry

/etc/letsencrypt/renewal/starionhost.net.conf

PS:

All certificates are in the public Certificate Transparency Log. Serial numbers are not secret. Several tools exist to search / view them. One example is this


Contents of /etc/letsencrypt/renewal/starionhost.net.conf

```
# renew_before_expiry = 30 days
version = 1.29.0
archive_dir = /etc/letsencrypt/archive/starionhost.net
cert = /etc/letsencrypt/live/starionhost.net/cert.pem
privkey = /etc/letsencrypt/live/starionhost.net/privkey.pem
chain = /etc/letsencrypt/live/starionhost.net/chain.pem
fullchain = /etc/letsencrypt/live/starionhost.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = c59572a10cc4fccf3c4fddaba7ed72b9
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
```

RE: Serial number....I got yelled at on another forum for posting it, so I just didn't put it. It's not really relevant here anyway though, is it? :slight_smile:


I don't understand how --apache ever worked with your config. I completely understand why your certs are not working - just not how you ever got them with --apache plugin. Should have gotten one of several error messages.

Can you show result of this

certbot renew --dry-run

No, I did not need the serial number, but there is no reason to bother suppressing it.


Serial numbers are part of the public certificate, so they are available through certificate transparency logs anyway. So no clue why you would have been yelled at for posting it :roll_eyes:


Hey, what do I know, I'm just trying to get along... :upside_down_face:


I wasn't yelling at you, but at the people yelling at you previously for posting the cert :wink:


Output of certbot renew --dry-run

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/starionhost.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for starionhost.net and www.starionhost.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/starionhost.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

From what I'm reading, certbot was supposed to create some rewrite rules in the apache config? I don't see any rewrite rules anywhere, if I even knew where those would be and what they would look like...

Certbot does more than that. Usually you should have a VirtualHost config for port 80 (http) to start with. If the challenge is successful, certbot will create another VirtualHost config for port 443 (https) with the cert files and other ssl config options for Apache.

None of that happened.

You do not have an explicit VirtualHost for this domain name. You just have some sort of default server from Apache (see the *:* name/port info). Normally you get an error about certbot not finding a virtualhost but that did not happen.

The best way forward is to update your 000-default conf so it is an explicit VirtualHost and re-run certbot. It should create another conf file with suffix of -le-ssl.conf. And, update the http virtualhost with the redirects. Try just adding

<VirtualHost *:80>

at top of your default.conf
and

</VirtualHost>

at the bottom.
then show result of this before trying certbot:

apachectl -t -D DUMP_VHOSTS
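The fix described in the post above (wrap the bare config in an explicit `<VirtualHost *:80>`, confirm with `apachectl -t -D DUMP_VHOSTS`, then re-run `certbot --apache`), as an added shell example. This is not code from the thread or from certbot: it classifies the DUMP_VHOSTS output for a domain and prints the port-80 VirtualHost that the --apache plugin needs to find, plus a hand-written port-443 counterpart for comparing against the generated -le-ssl.conf. The domain, document root and certificate paths are the ones posted in the thread; the function names, the DUMP_TLS sample and the exact layout of the port-443 block are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot.
# The DUMP_BARE and DUMP_HTTP samples are constructed from the outputs posted
# in the thread; DUMP_TLS is an assumed "after certbot" state, not posted.

DUMP_BARE='VirtualHost configuration:
*:*                    www.starionhost.net (/etc/apache2/sites-enabled/000-default.conf:1)'

DUMP_HTTP='VirtualHost configuration:
*:80                   starionhost.net (/etc/apache2/sites-enabled/starionhost.net.conf:1)'

DUMP_TLS='VirtualHost configuration:
*:80                   starionhost.net (/etc/apache2/sites-enabled/starionhost.net.conf:1)
*:443                  starionhost.net (/etc/apache2/sites-enabled/starionhost.net-le-ssl.conf:2)'

# vhost_state DOMAIN DUMP  -> prints one of:
#   none     no explicit VirtualHost at all (the bare "*:*" default seen in the thread)
#   http     an explicit *:80 VirtualHost for DOMAIN, nothing on 443 yet
#   https    a *:443 VirtualHost for DOMAIN is enabled
#   missing  DOMAIN is not the ServerName of any listed VirtualHost
# Both the single-vhost form ("*:80  name (file)") and the name-based form
# ("port 80 namevhost name (file)") that Apache prints are recognised.
vhost_state() {
    domain=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    dump=$2
    if printf '%s\n' "$dump" | grep -Eq "(^[[:space:]]*\*:443[[:space:]]+|port 443 namevhost )$domain[[:space:]]"; then
        echo https
    elif printf '%s\n' "$dump" | grep -Eq "(^[[:space:]]*\*:80[[:space:]]+|port 80 namevhost )$domain[[:space:]]"; then
        echo http
    elif printf '%s\n' "$dump" | grep -Eq "^[[:space:]]*\*:\*[[:space:]]"; then
        echo none
    else
        echo missing
    fi
}

# http_vhost DOMAIN DOCROOT  -> prints a minimal explicit port-80 VirtualHost.
# Compared with the bare 000-default.conf in the thread, the structural change
# is the <VirtualHost *:80> wrapper plus ServerName/ServerAlias, which is what
# lets the --apache plugin match the domain and serve the HTTP-01 challenge.
http_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot $2
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# tls_vhost DOMAIN DOCROOT  -> prints a port-443 VirtualHost equivalent to what
# should end up in DOMAIN-le-ssl.conf, using the paths that
# `certbot certificates` reported. Written by hand for comparison (assumed
# layout; certbot's generated file may order the directives differently).
tls_vhost() {
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot $2
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$1/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$1/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
EOF
}
```

On the server itself the sequence would be: `http_vhost starionhost.net /var/www/html > /etc/apache2/sites-available/starionhost.net.conf`, `a2ensite starionhost.net`, `a2dissite 000-default`, `apachectl configtest`, `systemctl reload apache2`, then `vhost_state starionhost.net "$(apachectl -t -D DUMP_VHOSTS)"` should print `http`. After `certbot --apache -d starionhost.net -d www.starionhost.net` the same call should print `https`, and `openssl s_client -connect starionhost.net:443 -servername starionhost.net </dev/null` should show the Let's Encrypt chain rather than a handshake failure.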

Okay, here's the latest output:

```
VirtualHost configuration:
*:80                   starionhost.net (/etc/apache2/sites-enabled/starionhost.net.conf:1)
```