No Renew after setup redirect to https

My domain is: prontosystems.de (and others)

I ran this command: certbot renew --dry-run

It produced this output: Attempting to renew cert (test.prontosystems.de) from /etc/letsencrypt/renewal/test.prontosystems.de.conf produced an unexpected error: Failed authorization procedure. test.prontosystems.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://test.prontosystems.de/.well-known/acme-challenge/wtbRs8sWFREenQ4DgG0imgefZq0XENhQIngveFT-S8g [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1". Skipping.

My web server is (include version): Apache2 Version 2.4

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Servus Community,

I know the question has been asked many times, but I have read quite different feedback. I currently run four websites on my server and all of them have the same problem since the redirect from port 80 to port 443 was activated by the certbot wizard (see above).

I am wondering, like some others before me, why the option to configure the redirect automatically is offered when issuing the certificate if afterwards the renewal no longer works. However, some users are of the opinion that it should actually work, and so I am now asking for support to find the error or another solution. Finding the error would be preferable to me over other solutions :wink:

Here is the configuration file of a virtual host, the others look basically the same:

<VirtualHost *:80>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress
    ServerName test.prontosystems.de

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/test.prontosystems.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/test.prontosystems.de/chain.pem

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =test.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Any help in finding the problem is welcome.

Thx & Bye Tom

1 Like

Hello @pronto,

You should not specify SSLEngine on there, because that port (80) should not be using TLS. You didn't paste the VirtualHost block for port 443, but since that one is working, it seems the only problem is in this VirtualHost. Modify it to something like this:

<VirtualHost *:80>
     ServerAdmin towi@prontosystems.de
     DocumentRoot /var/www/prontosystems.de/test/wordpress
     ServerName test.prontosystems.de

     ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
     CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

     RewriteEngine on
     RewriteCond %{SERVER_NAME} =test.prontosystems.de
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Cheers,
sahsanu

3 Likes

You've manually (not certbot) enabled TLS on port 80.

curl prontosystems.de
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at cloud.prontosystems.de Port 80</address>
</body></html>

See the reason there:
You're speaking plain HTTP to an SSL-enabled server port.
Port 80 should be speaking HTTP.

Checking further...

curl https://prontosystems.de:80/
curl: (51) SSL: no alternative certificate subject name matches target host name 'prontosystems.de'

Shows that the cert being used doesn't contain the name prontosystems.de

Checking without checking the cert...

curl -k https://prontosystems.de:80/
<!DOCTYPE html>
<html>
<head>
        <script> window.location.href="index.php"; </script>
        <meta http-equiv="refresh" content="0; URL=index.php">
</head>
</html>

That returns a secure page (over port 80) that redirects to index.php

Checking with openssl...

openssl s_client -connect prontosystems.de:80
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.prontosystems.de
verify return:1
---
Certificate chain
 0 s:CN = cloud.prontosystems.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFMTCCBBmgAwIBAgISBMiDHhbE...

Shows the default cert being used on port 80 as cloud.prontosystems.de

2 Likes
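The probe rg305 performs above with curl, written out as an added example that is not part of the original thread or of certbot: probe() requests the http-01 path on port 80 the way the validator does (Host header set, redirects not followed) and classifies the answer, recognising Apache's "speaking plain HTTP to an SSL-enabled server port" 400 as the failure seen in the renewal output. To run offline, demo() starts two throw-away HTTP servers on 127.0.0.1 (constructed for the example, as are the test.example.org name and the TOKEN value): one mimicking a *:80 vhost with SSLEngine on, one mimicking a correct *:80 vhost that redirects to https.

```python
"""Probe what an ACME http-01 validator sees on a host's port 80 (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Reason string Apache puts in the 400 body when TLS is enabled on a plain port.
APACHE_TLS_ON_PLAIN_PORT = b"You're speaking plain HTTP to an SSL-enabled server port"


def classify(status: int, headers: dict, body: bytes) -> str:
    """Map one HTTP response to a short diagnosis."""
    if status == 400 and APACHE_TLS_ON_PLAIN_PORT in body:
        return "tls_on_plain_port"          # SSLEngine on inside the *:80 vhost
    if 300 <= status < 400 and headers.get("location", "").startswith("https://"):
        return "redirect_to_https"          # fine: Let's Encrypt follows the redirect
    if status == 200:
        return "served_plain"               # token answered directly on port 80
    return f"unexpected_{status}"


def probe(name: str, token: str, addr: str = None, port: int = 80, timeout: float = 5.0) -> str:
    """GET /.well-known/acme-challenge/<token> with Host: name, without following redirects."""
    conn = http.client.HTTPConnection(addr or name, port, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}",
                     headers={"Host": name, "User-Agent": "acme-probe-example"})
        resp = conn.getresponse()
        body = resp.read(4096)
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, body)
    finally:
        conn.close()


class _MisconfiguredPort80(BaseHTTPRequestHandler):
    """Stand-in (constructed) for Apache with SSLEngine on in the *:80 vhost."""
    def do_GET(self):
        body = (b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
                b"<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n"
                b"<p>Reason: " + APACHE_TLS_ON_PLAIN_PORT + b"<br />\n</p></body></html>")
        self.send_response(400)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class _CorrectPort80(BaseHTTPRequestHandler):
    """Stand-in (constructed) for a plain *:80 vhost with the certbot-style redirect."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Probe both local stand-ins and return {label: diagnosis}."""
    results = {}
    for label, handler in (("broken", _MisconfiguredPort80), ("fixed", _CorrectPort80)):
        srv = _serve(handler)
        try:
            results[label] = probe("test.example.org", "TOKEN",
                                   addr="127.0.0.1", port=srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real host, call probe("test.prontosystems.de", "anytoken") from outside the server; a 404 for a made-up token is the normal answer from a correct vhost, while "tls_on_plain_port" reproduces the renewal failure without going through certbot. The redirect classification is reported as fine because Let's Encrypt's validator follows redirects to https.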

Servus Sahsanu,

OK, I thought that made sense. I have now made the changes as you suggested and the redirect to port 443 still works. But the error when renewing the certificate is still the same. Here are both virtual host configuration files:

<VirtualHost *:80>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress
    ServerName test.prontosystems.de

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

#   SSLEngine on
#   SSLCertificateFile /etc/letsencrypt/live/test.prontosystems.de/cert.pem
#   SSLCertificateKeyFile /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
#   SSLCertificateChainFile /etc/letsencrypt/live/test.prontosystems.de/chain.pem

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =test.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

---snip---

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress
    ServerName test.prontosystems.de

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

    SSLCertificateFile /etc/letsencrypt/live/test.prontosystems.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

For the sake of completeness, here is the output of the certbot renew --dry-run command regarding this vhost:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.prontosystems.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test.prontosystems.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (test.prontosystems.de) from /etc/letsencrypt/renewal/test.prontosystems.de.conf produced an unexpected error: Failed authorization procedure. test.prontosystems.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://test.prontosystems.de/.well-known/acme-challenge/fp-hH7OAWWOktXXyheARq919pfn5P0tf-rFYey-Y_Hg [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1". Skipping.

But I have discovered another mystery. I have four vhosts on the system, all four have Let's Encrypt certificates and have been configured in the same way (except for the one we have now changed), but only three of them return the error message above; one, however, seems to be working. This was also the case last night and I must have overlooked it (sorry, but it was very late). Here is the complete output of the renewal process. Please pay attention to the vhost www.prontosystems.de (sorry, it's long):

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.prontosystems.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.prontosystems.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (cloud.prontosystems.de) from /etc/letsencrypt/renewal/cloud.prontosystems.de.conf produced an unexpected error: Failed authorization procedure. cloud.prontosystems.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.prontosystems.de/.well-known/acme-challenge/gTUCbdXVg_YzZQaRMeFIDzV5yV29eqyt5oMuO9G-4TQ [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.prontosystems.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test.prontosystems.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (test.prontosystems.de) from /etc/letsencrypt/renewal/test.prontosystems.de.conf produced an unexpected error: Failed authorization procedure. test.prontosystems.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://test.prontosystems.de/.well-known/acme-challenge/fp-hH7OAWWOktXXyheARq919pfn5P0tf-rFYey-Y_Hg [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.lampenfischer.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.lampenfischer.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.lampenfischer.de) from /etc/letsencrypt/renewal/www.lampenfischer.de.conf produced an unexpected error: Failed authorization procedure. www.lampenfischer.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.lampenfischer.de/.well-known/acme-challenge/iOHEkaCHk5-HKV6eJ0TQILgfltZlMzhT-x27gAKs7VU [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.prontosystems.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.prontosystems.de/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.prontosystems.de/fullchain.pem (failure)
  /etc/letsencrypt/live/test.prontosystems.de/fullchain.pem (failure)
  /etc/letsencrypt/live/www.lampenfischer.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/www.prontosystems.de/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.prontosystems.de/fullchain.pem (failure)
  /etc/letsencrypt/live/test.prontosystems.de/fullchain.pem (failure)
  /etc/letsencrypt/live/www.lampenfischer.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cloud.prontosystems.de
   Type:   unauthorized
   Detail: Invalid response from
   http://cloud.prontosystems.de/.well-known/acme-challenge/gTUCbdXVg_YzZQaRMeFIDzV5yV29eqyt5oMuO9G-4TQ
   [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: test.prontosystems.de
   Type:   unauthorized
   Detail: Invalid response from
   http://test.prontosystems.de/.well-known/acme-challenge/fp-hH7OAWWOktXXyheARq919pfn5P0tf-rFYey-Y_Hg
   [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.lampenfischer.de
   Type:   unauthorized
   Detail: Invalid response from
   http://www.lampenfischer.de/.well-known/acme-challenge/iOHEkaCHk5-HKV6eJ0TQILgfltZlMzhT-x27gAKs7VU
   [185.216.178.34]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Here are the two vhost configuration files of the vhost that seems to have no problems:

<VirtualHost *:80>
    ServerName www.prontosystems.de
    DocumentRoot /var/www/prontosystems.de/www/wordpress
    Redirect permanent / https://www.prontosystems.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/www/wordpress
    ServerName www.prontosystems.de

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.prontosystems.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.prontosystems.de/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.prontosystems.de/chain.pem

    ErrorLog ${APACHE_LOG_DIR}/www.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/www.prontosystems.de_access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

---snip---

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/www/wordpress
    ServerName www.prontosystems.de

    ErrorLog ${APACHE_LOG_DIR}/www.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/www.prontosystems.de_access.log combined

    SSLCertificateFile /etc/letsencrypt/live/www.prontosystems.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.prontosystems.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I hope this brings us a little closer to the problem. Thank you for your attention.

Thx & Bye Tom

1 Like

Did you reload/restart Apache?

Also, why are you using two VirtualHosts for www.prontosystems.de? Indeed, the first one should cause a loop.

1 Like

Servus Sahsanu,

Did you reload/restart Apache?

Yes, of course. I did it twice, because after the first change I configured the vhost test.prontosystems.de in the same way as www.prontosystems.de is configured, but the result is the same. Only the vhost www.prontosystems.de seems to work as expected.

Also, why are you using two VirtualHosts for www.prontosystems.de? Indeed, the first one should cause a loop.

To be honest, I don't know why this is configured that way.

Thx for your attention & Bye Tom

1 Like

I would like to see all your virtualhost conf files, could you please show the output of this command?

for i in /etc/apache2/sites-enabled/*;do echo -e "###### Checking $i:\n";cat "$i";done

If the output is large you can paste it in some service like https://pastebin.com/

1 Like

Servus Sahsanu,

Please note that this isn't the initial config we started with yesterday but the currently running config. I won't change anything for now so as not to disturb your investigation.

Many thanks for your help & Bye Tom

2 Likes

First of all, you should backup your apache conf:

sudo tar -pzcvf /root/backup_apache2_2020-12-30.tar.gz /etc/apache2/

In /etc/apache2/sites-enabled/cloud.prontosystems.conf remove these lines:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/cloud.prontosystems.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.prontosystems.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cloud.prontosystems.de/chain.pem

and you could also remove these ones:

#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RedirectPermanent / https://cloud.prontosystems.de/

In /etc/apache2/sites-enabled/test.prontosystems.conf remove these lines:

<VirtualHost *:443>
    ServerAdmin dev@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress
    ServerName test.prontosystems.de

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/test.prontosystems.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/test.prontosystems.de/chain.pem

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =test.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

In /etc/apache2/sites-enabled/www.lampenfischer.conf remove these lines:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.lampenfischer.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.lampenfischer.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.lampenfischer.de/chain.pem

In /etc/apache2/sites-enabled/www.prontosystems.conf remove these lines:

<VirtualHost *:443>
    ServerAdmin dev@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/www/wordpress
    ServerName www.prontosystems.de

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.prontosystems.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.prontosystems.de/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.prontosystems.de/chain.pem

    ErrorLog ${APACHE_LOG_DIR}/www.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/www.prontosystems.de_access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Once done, restart or reload apache and try again.

Edit: I forgot to request the output of this command after the reload/restart:

sudo apache2ctl -S

1 Like
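The three things sahsanu's clean-up above removes (SSLEngine on inside a *:80 vhost, a second *:443 block for the same ServerName, and a block that is never closed) can be checked before reloading Apache. The following linter is an added example, not part of the original thread or of certbot; it parses VirtualHost blocks, optionally wrapped in IfModule, from the text of a site file. The example.org names and SAMPLE_BAD are constructed for the example and carry the mistakes on purpose.

```python
"""Lint Apache site files for the http-01 breakers discussed in the thread (added example)."""
import re
from typing import Dict, List

OPEN_RE = re.compile(r"^\s*<(VirtualHost|IfModule)\s+([^>]*)>\s*$", re.I)
CLOSE_RE = re.compile(r"^\s*</(VirtualHost|IfModule)>\s*$", re.I)


def parse_vhosts(text: str) -> List[Dict]:
    """Return one dict per <VirtualHost>: port, ServerName/ServerAlias names, directives, line."""
    vhosts, stack, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # "#SSLEngine on" is harmless
            continue
        m = OPEN_RE.match(line)
        if m:
            tag, arg = m.group(1), m.group(2)
            stack.append((tag.lower(), tag, lineno))
            if tag.lower() == "virtualhost":
                first = arg.split()[0]            # "*:443" or "1.2.3.4:80 *:80"
                port = first.rsplit(":", 1)[1] if ":" in first else "80"
                current = {"port": port, "names": [], "directives": [], "line": lineno}
            continue
        m = CLOSE_RE.match(line)
        if m:
            kind = m.group(1).lower()
            if not stack or stack[-1][0] != kind:
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
            if kind == "virtualhost":
                vhosts.append(current)
                current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key in ("servername", "serveralias"):
                current["names"].extend(val.split())
            current["directives"].append((key, val))
    if stack:
        _, tag, lineno = stack[-1]
        raise ValueError(f"<{tag}> opened on line {lineno} is never closed")
    return vhosts


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    try:
        vhosts = parse_vhosts(text)
    except ValueError as exc:
        return [str(exc)]
    findings, seen = [], {}                       # seen: (port, name) -> first line
    for vh in vhosts:
        ssl_on = any(k == "sslengine" and v.lower() == "on" for k, v in vh["directives"])
        if vh["port"] == "80" and ssl_on:
            findings.append(f"line {vh['line']}: SSLEngine on inside *:80 vhost "
                            f"{vh['names']}; plain-HTTP requests (http-01) will get 400")
        if not vh["names"]:
            findings.append(f"line {vh['line']}: *:{vh['port']} vhost has no ServerName")
        for name in vh["names"]:
            key = (vh["port"], name.lower())
            if key in seen:
                findings.append(f"line {vh['line']}: {name} already declared on port "
                                f"{vh['port']} at line {seen[key]}")
            else:
                seen[key] = vh["line"]
    return findings


# Constructed sample in the shape of the configs posted in the thread.
SAMPLE_BAD = """\
<VirtualHost *:80>
    ServerName test.example.org
    DocumentRoot /var/www/test
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/test.example.org/cert.pem
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName test.example.org
    SSLEngine on
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName test.example.org
    SSLCertificateFile /etc/letsencrypt/live/test.example.org/fullchain.pem
</VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_BAD) or ["no findings"]:
        print(finding)
```

To check a real server, feed each file from /etc/apache2/sites-enabled/ to lint(open(path).read()), or join them into one string to catch duplicates across files. The parser does not expand Include lines and only looks at the first address of a VirtualHost argument, so apache2ctl -S remains the authority on what Apache actually loaded.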

Servus Sahsanu,

all done. The output of the command apache2ctl -S is:

# apache2ctl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/apache2.conf:228
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cloud.prontosystems.de (/etc/apache2/sites-enabled/cloud.prontosystems-le-ssl.conf:2)
         port 443 namevhost cloud.prontosystems.de (/etc/apache2/sites-enabled/cloud.prontosystems-le-ssl.conf:2)
         port 443 namevhost test.prontosystems.de (/etc/apache2/sites-enabled/test.prontosystems-le-ssl.conf:2)
         port 443 namevhost www.lampenfischer.de (/etc/apache2/sites-enabled/www.lampenfischer-le-ssl.conf:2)
         port 443 namevhost www.prontosystems.de (/etc/apache2/sites-enabled/www.prontosystems-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server cloud.prontosystems.de (/etc/apache2/sites-enabled/cloud.prontosystems.conf:1)
         port 80 namevhost cloud.prontosystems.de (/etc/apache2/sites-enabled/cloud.prontosystems.conf:1)
         port 80 namevhost test.prontosystems.de (/etc/apache2/sites-enabled/test.prontosystems.conf:1)
         port 80 namevhost www.lampenfischer.de (/etc/apache2/sites-enabled/www.lampenfischer.conf:1)
         port 80 namevhost www.prontosystems.de (/etc/apache2/sites-enabled/www.prontosystems.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I have matched all vhosts to the first and all pages work as expected. The redirect to port 443 also works.

But best of all, the renewal process now works on all four pages as well. I don't know yet what the problem was with the individual configurations, I'll take a closer look tonight. But in the end it will probably have been sloppiness on my part. I promise to do better.

Here is a working example configuration for a website with both vhosts (80; 443), in case others are facing the same problem:

###### Checking /etc/apache2/sites-available/test.prontosystems.conf:

<VirtualHost *:80>
    ServerAdmin towi@prontosystems.de
    ServerName test.prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =test.prontosystems.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

###### Checking /etc/apache2/sites-available/test.prontosystems-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin towi@prontosystems.de
    DocumentRoot /var/www/prontosystems.de/test/wordpress
    ServerName test.prontosystems.de

    ErrorLog ${APACHE_LOG_DIR}/test.prontosystems.de_error.log
    CustomLog ${APACHE_LOG_DIR}/test.prontosystems.de_access.log combined

    SSLCertificateFile /etc/letsencrypt/live/test.prontosystems.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Thank you very much for your patience and support until the end. Happy New Year and stay healthy...

Thx & Bye Tom

4 Likes

You are welcome. I'm glad it is working fine :wink:

Happy Holidays! :partying_face:

3 Likes

Servus rg305,

finally, I would also like to answer your contribution:

Checking further...

curl https://prontosystems.de:80/
curl: (51) SSL: no alternative certificate subject name matches target host name 'prontosystems.de'

Shows that the cert being used doesn't contain the name prontosystems.de

It was my mistake to list my domain prontosystems.de without any comments in my initial posting. prontosystems.de is my domain but the FQDN prontosystems.de still points to the old server. Only subdomains are configured on the new server and it was these that caused the problems. The websites on the old server are also not secured with SSL. I'm using the Christmas holiday to redo everything. I'm sorry that I led you up the garden path with this...

Happy New Year and stay healthy.

Thx & Bye Tom

4 Likes

If the ServerName is "test.prontosystems.de", then it will be used by this block and must always pass the rewrite conditional check.
If the ServerName is NOT "test.prontosystems.de", then it will NOT be used by this block and will never be checked for this condition.

In short, you are checking the same name twice (in the exact same way) - the second one is redundant.

You can remove this line completely (and always have the same result):
RewriteCond %{SERVER_NAME} =test.prontosystems.de

1 Like

Servus rg305,

okay, I'll try your suggestion but your argument leads to another question: If I configure a ServerAlias in one of the vhost configurations, for example prontosystems.de, and the original certificates were all issued to one FQDN with subdomain, then I probably need to issue another certificate for the FQDN prontosystems.de. How do I proceed so that I don't get another vhost from certbot, but can handle this in a vhost configuration with a ServerAlias?

Thx & Bye Tom

2 Likes

Yes, certbot will check for both (servername and serveralias).
Like:
ServerName prontosystems.de
ServerAlias www.prontosystems.de

1 Like

Servus Rudy,

You can remove this line completely (and always have the same result):
RewriteCond %{SERVER_NAME} =test.prontosystems.de

Okay, confirmed, all websites and redirects are working after removing this line.

Now I'll take a look at the details with the server alias, which I actually need immediately for the domain lampenfischer.de. All DNS records for this domain are already set to the new server.

But I ask again: I have now set the server alias in both vhosts (80; 443) and it works as far as it goes. I only get a certificate warning at the URL https://lampenfischer.de, as expected.

But now I have already issued a certificate for www.lampenfischer.de with certbot and only used the command certbot --apache -d www.lampenfischer.de. If I now issue another certificate, I end up with two certificates, so what do I do with the second? Or can I call the command again afterwards with both server names without everything blowing up and end up with one certificate that I can use for both server names?

certbot --apache -d www.lampenfischer.de -d lampenfischer.de

BTW: Should I open a new thread for this question or is it done within a minute?

Thx & Bye Tom

2 Likes

Yes, this is the correct command to get both names on one single cert.

After which you should review which certs are used and no longer used with:
certbot certificates
and remove any that you no longer need with:
certbot remove --cert-name {name}

1 Like

Servus Rudy,

in another thread I found this answer, but it is a couple of years old:

If you're using a new enough version of certbot (formerly letsencrypt), you can run the exact same command you did but add the extra domain at the end and include "--expand" in the command so it will re-use the existing certificate directory.

Is it still working this way?

Thx & Bye Tom

1 Like

You can even force the cert name to be the same... but why?
certbot will handle any changes to the Apache config.
The K.I.S.S. method (keep it simple)

1 Like

Okay, everything works. Thank you guys, I learned quite a lot today...

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cloud.prontosystems.de
    Domains: cloud.prontosystems.de
    Expiry Date: 2021-03-29 18:03:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/cloud.prontosystems.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.prontosystems.de/privkey.pem
  Certificate Name: test.prontosystems.de
    Domains: test.prontosystems.de
    Expiry Date: 2021-03-29 17:07:15+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/test.prontosystems.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.prontosystems.de/privkey.pem
  Certificate Name: www.lampenfischer.de
    Domains: www.lampenfischer.de lampenfischer.de
    Expiry Date: 2021-03-30 18:57:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.lampenfischer.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.lampenfischer.de/privkey.pem
  Certificate Name: www.prontosystems.de
    Domains: www.prontosystems.de
    Expiry Date: 2021-03-28 21:46:32+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.prontosystems.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.prontosystems.de/privkey.pem

Thx & Bye Tom

2 Likes
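Once names start being served as ServerAlias, the inventory above can drift from what Apache actually serves. The following audit is an added example, not part of the original thread or of certbot: it parses the "port 443 namevhost" lines of apache2ctl -S and the Certificate Name / Domains / Expiry Date blocks of certbot certificates, then reports names on :443 that no certificate covers, certificates no vhost uses, and certificates with fewer than MIN_DAYS days left. ServerAlias names are not listed by apache2ctl -S, so they are passed in separately. SAMPLE_APACHE, SAMPLE_CERTBOT, the example.org names and REFERENCE_NOW are constructed for the example.

```python
"""Cross-check Apache's :443 names against the certificates certbot manages (added example)."""
import re
from datetime import datetime, timezone

MIN_DAYS = 30   # renew/alert threshold; certbot itself renews at 30 days by default
VHOST_RE = re.compile(r"^\s*port\s+443\s+namevhost\s+(\S+)", re.M)
CERT_RE = re.compile(
    r"Certificate Name:[ \t]*(?P<name>\S+)[^\n]*\n"
    r"[ \t]*Domains:[ \t]*(?P<domains>[^\n]+)\n"
    r"[ \t]*Expiry Date:[ \t]*(?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\+00:00)")


def https_names(apache_dump: str) -> set:
    """ServerNames bound on port 443 according to `apache2ctl -S` output."""
    return {n.lower() for n in VHOST_RE.findall(apache_dump)}


def certs(certbot_dump: str) -> dict:
    """name -> {"domains": set of SANs, "expiry": aware datetime} from `certbot certificates`."""
    out = {}
    for m in CERT_RE.finditer(certbot_dump):
        out[m["name"]] = {
            "domains": {d.lower() for d in m["domains"].split()},
            "expiry": datetime.strptime(m["expiry"], "%Y-%m-%d %H:%M:%S%z"),
        }
    return out


def covers(domain: str, name: str) -> bool:
    """Exact match, or single-label wildcard (*.example.org covers a.example.org only)."""
    if domain.startswith("*."):
        return name.count(".") == domain.count(".") and name.endswith(domain[1:])
    return domain == name


def audit(apache_dump: str, certbot_dump: str, extra_names=(), now=None) -> dict:
    """Report uncovered names, unused certificates and certificates close to expiry."""
    now = now or datetime.now(timezone.utc)
    names = https_names(apache_dump) | {n.lower() for n in extra_names}
    inventory = certs(certbot_dump)
    uncovered = sorted(n for n in names
                       if not any(covers(d, n) for c in inventory.values() for d in c["domains"]))
    unused = sorted(cn for cn, c in inventory.items()
                    if not any(covers(d, n) for d in c["domains"] for n in names))
    expiring = sorted(cn for cn, c in inventory.items() if (c["expiry"] - now).days < MIN_DAYS)
    return {"uncovered": uncovered, "unused_certs": unused, "expiring": expiring}


# Constructed samples in the shape of the outputs shown in the thread.
SAMPLE_APACHE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cloud.example.org (/etc/apache2/sites-enabled/cloud-le-ssl.conf:2)
         port 443 namevhost cloud.example.org (/etc/apache2/sites-enabled/cloud-le-ssl.conf:2)
         port 443 namevhost www.example.org (/etc/apache2/sites-enabled/www-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         port 80 namevhost cloud.example.org (/etc/apache2/sites-enabled/cloud.conf:1)
         port 80 namevhost www.example.org (/etc/apache2/sites-enabled/www.conf:1)
"""
SAMPLE_CERTBOT = """\
Found the following certs:
  Certificate Name: cloud.example.org
    Domains: cloud.example.org
    Expiry Date: 2021-03-29 18:03:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/cloud.example.org/fullchain.pem
  Certificate Name: www.example.org
    Domains: www.example.org
    Expiry Date: 2021-01-10 21:46:32+00:00 (VALID: 10 days)
    Certificate Path: /etc/letsencrypt/live/www.example.org/fullchain.pem
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2021-03-28 21:46:32+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/old.example.org/fullchain.pem
"""
REFERENCE_NOW = datetime(2020, 12, 31, tzinfo=timezone.utc)   # fixed clock for the sample


def demo() -> dict:
    """Audit the samples; example.org is served only as a ServerAlias, so it is passed in."""
    return audit(SAMPLE_APACHE, SAMPLE_CERTBOT, extra_names=["example.org"], now=REFERENCE_NOW)


if __name__ == "__main__":
    print(demo())
```

On a live box, pipe the two commands in: audit(subprocess.check_output(["apache2ctl", "-S"], stderr=subprocess.STDOUT, text=True), subprocess.check_output(["certbot", "certificates"], text=True), extra_names=[...]). An "uncovered" name is exactly the https://lampenfischer.de warning described above, and "unused_certs" lists the certificates left behind after a name moves onto a combined certificate.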