Just ran certbot on a new installation of Apache2. I can see our site via www, but not https. I have looked all over trying to find a solution with no luck. HTTP views normally, HTTPS says it can't make a secure connection. Ports 80 and 443 are open.
Continuing to search, it looks like maybe the certificates aren't referenced in Apache? I thought that's what certbot was supposed to do, put the files where they belong and set the Apache references to them, hence specifying the server type i.e. certbot --apache
Hi @starion and Welcome to the forum.
Could you please show the command you used to obtain the certificate?
According to crt.sh:
You have received certs a couple of times today for www and starionhost.net
Your certbot command would be extremely helpful to help you resolve this issue.
I suspect you may have used "certonly" or some other form of a manual cert request.
I understand that webmin configures Apache. So, you can use certbot (or other clients) to get a cert but then you instruct webmin where to find the certs so webmin configures Apache and the HTTPS VirtualHost.
I don't use webmin myself so am just relying on their docs. Many "panels" work this way. It can be difficult to make apache changes outside of a panel.
Below is a link to a namecheap page for installing a cert into webmin. Their example uses a cert that you bought from them. So, just replace that language with the cert files from certbot and Let's Encrypt. You should probably also use a certbot command that only gets a cert and does not try to configure Apache. Something like:
certbot certonly -a apache -d starionhost.com -d www.starionhost.com --deploy-hook "command to restart apache"
I am using namecheap example just because it was the first good one I found.
Webmin doesn't configure Apache, it's just a web interface to the Apache configurations, so no, Webmin wouldn't have anything to do with why certbot didn't configure it.
That command would pull the certs again, which I don't really need. I know where the certs are, I just need to figure out where Apache wants to see them.
Apache wants to see them where you tell Apache they are
Seriously though. Using the --apache plug-in normally configures your VirtualHost. That did not happen here. I still believe you configure webmin to know where the certs are and it configures your apache VirtualHost accordingly (as described in that namecheap link I provided).
But, perhaps I am wrong. Can you show us the contents of the file with your VirtualHost for this domain (should be more than one VirtualHost). If you don't know where they are show us output of this command:
apachectl -t -D DUMP_VHOSTS
When showing the contents of apache config files, please place 3 backticks before and after the output so certain info is not lost like:
Here it is, this looks like the stock virtual host config, so I'm pretty sure certbot didn't touch it. The output below is from /etc/apache2/sites-available/000-default.conf
As for Webmin, it is simply a web program that gives you a window into the config files, nothing more. It doesn't make any decisions programmatically. Changes you make in Webmin reflect in the Apache config files, and changes made to config files directly through the command line reflect exactly in Webmin. Webmin just formats it into pretty screens that make it easier to find the options you want. It is still possible to screw up your apache config, Webmin won't stop you. lol.
```apache
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin masked@starionhost.net
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName www.starionhost.net
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
```
All certificates are in the public Certificate Transparency Log. Serial numbers are not secret. Several tools exist to search / view them. One example is this
I don't understand how --apache ever worked with your config. I completely understand why your certs are not working - just not how you ever got them with --apache plugin. Should have gotten one of several error messages.
Can you show result of this
certbot renew --dry-run
No, I did not need serial number but no reason to bother suppressing
Serial numbers are part of the public certificate, so are available through certificate transparency logs anyway. So no clue why you would have been yelled at for posting it
From what I'm reading, certbot was supposed to create some rewrite rules in the apache config? I don't see any rewrite rules anywhere, if I even knew where those would be and what they would look like...
Certbot does more than that. Usually you should have a VirtualHost config for port 80 (http) to start with. If challenge is successful certbot will create another VirtualHost config for port 443 (https) with the cert files and other ssl config options for Apache.
None of that happened.
You do not have an explicit VirtualHost for this domain name. You just have some sort of default server from Apache (see the *:* name/port info). Normally you get an error about certbot not finding a virtualhost but that did not happen.
The best way forward is to update your 000-default conf so it is an explicit VirtualHost and re-run certbot. It should create another conf file with suffix of -le-ssl.conf. And, update the http virtualhost with the redirects. Try just adding
<VirtualHost *:80>
at top of your default.conf
and
</VirtualHost>
at the bottom.
then show result of this before trying certbot:
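As an added illustration, not taken from the thread or from the poster's server, here is what the explicit port-80 VirtualHost and the -le-ssl.conf that certbot --apache generates next to it typically look like, using the starionhost.net names from the thread. The /etc/letsencrypt paths are certbot's standard layout; the lineage directory name (www.starionhost.net) and the file contents are assumptions.

```apache
# /etc/apache2/sites-available/000-default.conf (assumed contents: the stock
# config from the thread wrapped in an explicit port-80 VirtualHost)
<VirtualHost *:80>
    ServerName www.starionhost.net
    ServerAlias starionhost.net
    ServerAdmin masked@starionhost.net
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # These four lines are what certbot --apache adds when the "redirect"
    # option is chosen: every plain-HTTP request is sent to HTTPS.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.starionhost.net [OR]
    RewriteCond %{SERVER_NAME} =starionhost.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# /etc/apache2/sites-available/000-default-le-ssl.conf
# (the companion file certbot --apache writes and enables with a2ensite;
# the IfModule guard keeps Apache starting even if mod_ssl is absent)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.starionhost.net
    ServerAlias starionhost.net
    ServerAdmin masked@starionhost.net
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Certificate material from certbot's standard layout. The "live"
    # directory holds symlinks that renewals update, so these paths stay
    # valid across renewals without editing the config.
    SSLCertificateFile /etc/letsencrypt/live/www.starionhost.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.starionhost.net/privkey.pem
    # Certbot-maintained SSLEngine, protocol and cipher settings.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

Once both files are enabled and `apachectl configtest` passes, `apachectl -t -D DUMP_VHOSTS` should list a *:80 and a *:443 entry for www.starionhost.net instead of only the *:* default.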