No longer able to access site after running cert install tutorial

My domain is: pantz.co.uk

I ran this command:
apt-get install python-certbot-apache -t jessie-backports
certbot --apache

It produced this output: No errors in the logs

My web server is (include version): Apache2
The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Followed the instructions here (https://certbot.eff.org/#debianjessie-apache) to get a cert set up, but I’m now not able to connect to my website (worked before I ran that command). When I test ping the server on port 80/443 it times out.

Please output the actual output or log.

Does your Apache run at the moment? What happens if you try to start it? Does the Apache (error) log say anything?

It runs fine at the moment, just can’t connect to it from a url.

It was yesterday when I attempted this, so I’m not sure what the actual output was, but it didn’t seem erroneous then. Looking at the error.log, though, it does look like something’s gone wrong somewhere.

Output of error.log

[Sun Dec 10 04:57:34.307440 2017] [ssl:warn] [pid 356] AH01906: www.pantz.co.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 04:57:34.336396 2017] [ssl:warn] [pid 356] AH01909: www.pantz.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Sun Dec 10 04:57:35.731339 2017] [ssl:warn] [pid 502] AH01906: www.pantz.co.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 04:57:35.731389 2017] [ssl:warn] [pid 502] AH01909: www.pantz.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Sun Dec 10 04:57:35.732386 2017] [mpm_prefork:notice] [pid 502] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured – resuming normal operations
[Sun Dec 10 04:57:35.732422 2017] [core:notice] [pid 502] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun Dec 10 05:09:54.940974 2017] [mpm_prefork:notice] [pid 502] AH00169: caught SIGTERM, shutting down
[Sun Dec 10 05:09:56.099075 2017] [ssl:warn] [pid 1117] AH01906: www.pantz.co.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 05:09:56.099150 2017] [ssl:warn] [pid 1117] AH01909: www.pantz.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Sun Dec 10 05:09:56.194033 2017] [ssl:warn] [pid 1118] AH01906: www.pantz.co.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 05:09:56.194071 2017] [ssl:warn] [pid 1118] AH01909: www.pantz.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Sun Dec 10 05:09:56.194931 2017] [mpm_prefork:notice] [pid 1118] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured – resuming normal operations
[Sun Dec 10 05:09:56.194952 2017] [core:notice] [pid 1118] AH00094: Command line: ‘/usr/sbin/apache2’
[Sun Dec 10 07:00:55.924146 2017] [mpm_prefork:notice] [pid 1118] AH00169: caught SIGTERM, shutting down
[Sun Dec 10 07:02:23.404389 2017] [ssl:emerg] [pid 1509] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:02:23.404460 2017] [ssl:emerg] [pid 1509] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:02:23.404466 2017] [ssl:emerg] [pid 1509] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:03:52.113770 2017] [ssl:emerg] [pid 1560] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:03:52.113838 2017] [ssl:emerg] [pid 1560] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:03:52.113844 2017] [ssl:emerg] [pid 1560] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:15:16.795778 2017] [ssl:warn] [pid 2711] AH01906: 4995ebda186997377b7df34533bd2bc1.f8d0369e2bf727b597c49b6e2e4c1f23.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 07:15:16.796017 2017] [ssl:emerg] [pid 2711] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:15:16.796038 2017] [ssl:emerg] [pid 2711] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Dec 10 07:15:16.796047 2017] [ssl:emerg] [pid 2711] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) – Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sun Dec 10 07:15:16.796059 2017] [ssl:emerg] [pid 2711] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:15:16.796064 2017] [ssl:emerg] [pid 2711] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:15:16.946434 2017] [ssl:emerg] [pid 2718] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:15:16.946500 2017] [ssl:emerg] [pid 2718] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:15:16.946506 2017] [ssl:emerg] [pid 2718] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:16:08.713717 2017] [ssl:emerg] [pid 2736] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:16:08.713796 2017] [ssl:emerg] [pid 2736] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:16:08.713802 2017] [ssl:emerg] [pid 2736] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:18:16.106982 2017] [ssl:emerg] [pid 2767] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:18:16.107063 2017] [ssl:emerg] [pid 2767] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:18:16.107069 2017] [ssl:emerg] [pid 2767] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:26:27.963312 2017] [ssl:emerg] [pid 2831] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:26:27.963381 2017] [ssl:emerg] [pid 2831] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:26:27.963387 2017] [ssl:emerg] [pid 2831] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 07:54:49.912736 2017] [ssl:emerg] [pid 2954] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:54:49.912812 2017] [ssl:emerg] [pid 2954] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:54:49.912818 2017] [ssl:emerg] [pid 2954] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 08:05:29.461233 2017] [ssl:emerg] [pid 3067] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 08:05:29.461304 2017] [ssl:emerg] [pid 3067] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 08:05:29.461310 2017] [ssl:emerg] [pid 3067] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 09:20:30.633222 2017] [ssl:emerg] [pid 3308] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 09:20:30.633293 2017] [ssl:emerg] [pid 3308] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 09:20:30.633300 2017] [ssl:emerg] [pid 3308] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 09:21:35.196050 2017] [ssl:emerg] [pid 3340] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 09:21:35.196119 2017] [ssl:emerg] [pid 3340] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 09:21:35.196125 2017] [ssl:emerg] [pid 3340] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 09:26:11.944425 2017] [ssl:emerg] [pid 3407] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 09:26:11.944494 2017] [ssl:emerg] [pid 3407] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 09:26:11.944500 2017] [ssl:emerg] [pid 3407] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 10:02:58.730914 2017] [ssl:emerg] [pid 3608] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 10:02:58.730984 2017] [ssl:emerg] [pid 3608] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 10:02:58.730991 2017] [ssl:emerg] [pid 3608] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
[Sun Dec 10 10:07:24.904492 2017] [ssl:emerg] [pid 3647] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 10:07:24.904562 2017] [ssl:emerg] [pid 3647] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 10:07:24.904568 2017] [ssl:emerg] [pid 3647] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

That’s a whole lot of errors. Can’t imagine your Apache is working “fine”, especially as your server replies with “Connection refused” on port 80 and 443.

And it doesn’t seem to have a Let’s Encrypt certificate configured, as end leaf certificates don’t have the CA BasicConstraint set to TRUE.

What was the output of certbot --apache? And what is your Apache configuration?
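
The reading of error.log in the reply above can be mechanised. This is an added example, not part of the original thread and not certbot or Apache code: it groups the log lines by Apache pid and reports whether each start attempt came up or aborted, using only the AH codes visible in the posted log. The function names are assumptions, and the sample lines are excerpted from the log in this thread.

```python
import re

# Lines excerpted from the error.log posted in this thread.
SAMPLE_LOG = """\
[Sun Dec 10 05:09:56.194033 2017] [ssl:warn] [pid 1118] AH01906: www.pantz.co.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 10 05:09:56.194071 2017] [ssl:warn] [pid 1118] AH01909: www.pantz.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Sun Dec 10 05:09:56.194931 2017] [mpm_prefork:notice] [pid 1118] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Sun Dec 10 07:02:23.404389 2017] [ssl:emerg] [pid 1509] AH02572: Failed to configure at least one certificate and key for www.pantz.co.uk:443
[Sun Dec 10 07:02:23.404460 2017] [ssl:emerg] [pid 1509] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Sun Dec 10 07:02:23.404466 2017] [ssl:emerg] [pid 1509] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
"""

# "[timestamp] [module:level] [pid N] AHnnnnn: message"; OpenSSL errors carry no AH code.
PREFIXED = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>\w+):(?P<level>\w+)\] "
                      r"\[pid (?P<pid>\d+)\] (?:(?P<code>AH\d{5}): )?(?P<msg>.*)$")
# Bare "AHnnnnn: message" lines with no timestamp or pid ("AH00016: Configuration Failed").
BARE = re.compile(r"^(?P<code>AH\d{5}): (?P<msg>.*)$")
CAME_UP = {"AH00163"}             # "... configured -- resuming normal operations"
ABORTED = {"AH02311", "AH00016"}  # "Fatal error initialising mod_ssl" / "Configuration Failed"

def triage(log_text):
    """Group log lines by Apache pid and record how each start attempt ended."""
    attempts, pid = {}, None
    for raw in log_text.splitlines():
        m = PREFIXED.match(raw) or BARE.match(raw)
        if not m:
            continue
        f = m.groupdict()
        pid = f.get("pid") or pid  # a bare line belongs to the attempt logged just before it
        if pid is None:
            continue
        a = attempts.setdefault(pid, {"came_up": False, "aborted": False, "ssl_codes": []})
        code = f.get("code")
        a["came_up"] |= code in CAME_UP
        a["aborted"] |= code in ABORTED
        if f.get("mod") == "ssl" and code:
            a["ssl_codes"].append(code)
    return attempts

def last_start_succeeded(log_text):
    """True only if the last start attempt in the log came up and did not abort."""
    runs = list(triage(log_text).values())
    return bool(runs) and runs[-1]["came_up"] and not runs[-1]["aborted"]

if __name__ == "__main__":
    for pid, a in triage(SAMPLE_LOG).items():
        print(pid, a)
    print("last start succeeded:", last_start_succeeded(SAMPLE_LOG))
```

On the excerpt, pid 1118 starts with certificate warnings only, while pid 1509 aborts in mod_ssl, which matches the refused connections on ports 80 and 443.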

Sorry what I meant by working fine was it restarts, as with any changes I made prior to tinkering with certbot resulted in the server not restarting after changes were saved with errors.

It’s not actually working properly at the moment as you pointed out it isn’t replying to port 80/443. What I meant was prior to running the certbot commands it was functioning on 80/443.

I am not sure if there is a way to check previous outputs from the ssh, so I ran the command again and it’s pretty much a similar output to last night, with “Action ‘graceful’ failed” being something I did notice last night.

output of certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: www.pantz.co.uk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.pantz.co.uk
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from ‘char *’ to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

Encountered exception during recovery
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 280, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1769, in cleanup
    self.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1658, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1669, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 280, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1769, in cleanup
    self.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1658, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1669, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

As for my apache config, there seemed to be 2 files before one with 80’s info and one with 443. Any changes to either of these files now results in the apache2 service failing to restart, which makes me think there might be one somewhere else overruling things.

Decided this config is a total mess, was my first delve into debian and it shows. Have purged everything and started from scratch.

I’m going to want to get ssl sorted however once I get back to the stage I was at, is there a better way to install certbot / certs than how I attempted?

I have a ssl code from my own host but they only give a .key and .cer file and I was having no luck figuring out what to do with those so certbot seems like a good way around that.
