No vhost on 80 - don't know how to make one


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nc.hezner.biz

I ran this command: certbot renew --dryrun

It produced this output: Failed Unable to find a virtual host listening on port 80 …

My web server is (include version): Apache 2.4.6-45

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.0.29

I got the email that TLS-SNI-01 was being discontinued. Just before my certificate expired and just before the TLS-SNI-01 was due to cut off I renewed the certificate. I have a current certificate that is good till May 10, 2019. After I renewed the certificate I updated Certbot from version 0.12 to current version 0.29. I then tried the dry-run which failed as described above. This is a simple server, not virtualized, that has only the NextCloud on it.
When I ran the httpd -S command it returned:
Virtual Host configuration:
:443 nc.hezner.biz (etc/httpd/conf.d/ssl.conf:56)
Server root: "/etc/httpd"
Main Documentation Root: "/var/www/html/nextcloud"
Main Error Log: "/etc/httpd/logs/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex auth-socache: using_defaults
Mutex ssl-cashe: using_defaults
Mutex default: dir="run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balaner-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PIDFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
In /etc/httpd/conf there is httpd.conf which includes the lines 'Listen 80' and 'IncludeOptional conf.d/*.conf'
In /etc/httpd/conf.d there is ssl.conf which includes the lines 'Listen 443 https' and '<VirtualHost _default_:443>'
I tried creating a vhost80.conf file in /etc/httpd/conf.d with the contents
<VirtualHost *:80>
DocumentRoot: "/var/www/html/nextcloud"
ServerName nc.hezner.biz

But httpd.service would not restart with that file in there so I removed it. I tried other similar experiments, none of which worked. I’ve tried reading the various posts and how-to-create-a-virtual-host articles but am certainly missing something. I’m not any expert but can usually Google and follow directions successfully. However, I have not figured it out yet.
Please help. Thank you, Pat


#2

The first step you need to take is open port 80 on your firewall/port forward port 80. Without that, HTTP-01 validation won’t succeed.

You were doing the correct thing to add that config. From this point, it’s best to check why it would not restart, and fix it.

apachectl -t

#3

Prior to me getting LetsEncrypt on this server it was running on port 80 successfully, so I know that port 80 has been open and functioning. I have not closed any ports in the main firewall. Would adding LetsEncrypt close a firewall port on the server itself?


#4

No.

Based on https://www.shodan.io/host/66.73.190.17 , I would say that port 80 has never been publicly accessible for your domain.


#5

Hi @pjg51

there is nothing visible ( https://check-your-website.server-daten.de/?q=nc.hezner.biz ):

Domainname (IP) / Http-Status / redirect / Sec. / G

http://nc.hezner.biz/ (66.73.190.17): -14, 10.023, T
    Timeout - The operation has timed out
https://nc.hezner.biz/ (66.73.190.17): 302 -> https://nc.hezner.biz/index.php/login, 6.566, B
https://nc.hezner.biz/index.php/login: 200, 2.514, B
http://nc.hezner.biz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (66.73.190.17): -14, 10.027, T
    Timeout - The operation has timed out

Port 80 doesn’t answer. Perhaps share your http config file. Or add something like

Listen 80
<VirtualHost *:80>
    DocumentRoot "yourDocumentroot"
    ServerName nc.hezner.biz

    # Other directives here
</VirtualHost>

#6

I know that it had been open in the past. I’ll go back through notes and see if part of the instructions on the guide that I followed to get LetsEncrypt working had me do something that blocked 80.


#7

@JurgenAuer - do I add this in the /etc/httpd/conf/httpd.conf file right after where it currently says ‘Listen 80’? Or somewhere else?


#8

Yes, try it. First step - port 80 should answer. Second step - creating a certificate, perhaps with --webroot as authenticator.

But the first step should work.


#9

When I edit the httpd.conf to add those lines right after the ‘Listen 80’ line, save the file, and run systemctl restart httpd.service, it fails. When I look at systemctl status httpd.service it shows the service as failed.


When I comment out those lines and resave the file, then httpd.service will restart without any problem.


#10

What’s the content of line 43 in this file? There is a syntax error, but I can’t see the details.


#11

Line 43 of the httpd.conf file is where I wrote <VirtualHost *:80>
I did not indent that line. Do you see any syntax error in it?


#12

Now your port 80 is running, your webserver answers:

But the redirect of /.well-known/acme-challenge isn’t so good.


#13

I had been doing some troubleshooting and did go back and re-add http to the firewall but did not think that worked as it was not listed when I ran the firewall-cmd --list-all command.
That is good news that you can see it running. I’ll go back now and uncomment those lines in httpd.conf to see if that works now.
Or is there something else/additional that I should do to fix the redirect?


#14

Check your config to find the (port 80) redirect -> login.

Add before something like

RewriteRule ^/\.well-known/ - [L]

If the path starts with /.well-known/, there is no action. Then recheck the domain to see if it works. Browsers have trouble checking redirects, because they cache the result.


#15

I don’t find any lines in the httpd.conf that talk about (port 80) redirect -> login. I looked through the file several times. Do you have any guess about where in the file it would be? I can send more screen shots of the file if that would help.
I uncommented the virtual host lines, saved and tried to restart httpd.service. It still fails.


Here is a screen shot of where I’ve inserted the virtual host info. Do you see the syntax error on the <VirtualHost *:80> line?
Thanks so much for your help with this.


#16

Do you have a .htaccess? Or does nextcloud define that redirect?

What says

apachectl -t

#17

apachectl -t does not return anything
httpd -t returns Syntax OK


#18

That was with the virtual host 80 lines commented out in the httpd.conf file. In case that makes any difference.


#19

Upps - the end element of your screenshot looks wrong:

<VirtualHost>

instead of

</VirtualHost>
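
The three things that tripped up the port-80 vhost in this thread (the "DocumentRoot:" with a trailing colon and curly quotes in #1, the closing tag written as <VirtualHost> instead of </VirtualHost> in #19, and a redirect that swallows /.well-known/acme-challenge/ in #12 and #14) are all catchable before touching httpd. The script below is an added example, not code from this thread, from Certbot or from Apache: a small pre-flight checker run over a vhost file before `httpd -t` and `systemctl restart httpd.service`. The three embedded vhost texts are constructed samples; the domain and document root are taken from the thread, and the RewriteRule lines are the usual passthrough-then-redirect pair suggested in #14.

```python
"""Pre-flight checks for an Apache port-80 VirtualHost used for HTTP-01.

Added example (not from the thread, Certbot or Apache). It looks for a
directive written with a trailing colon ("DocumentRoot:"), curly quotes
pasted from a web page, a second <VirtualHost> opener where </VirtualHost>
was meant, and a rewrite/redirect that runs before the ACME passthrough.
"""
import re

# Constructed sample reproducing the broken vhost80.conf from post #1.
BROKEN_VHOST = """<VirtualHost *:80>
DocumentRoot: \u201c/var/www/html/nextcloud\u201d
ServerName nc.hezner.biz
<VirtualHost>
"""

# Constructed sample of a working port-80 vhost: the ACME path is served
# from the document root, everything else is redirected to HTTPS.
FIXED_VHOST = """<VirtualHost *:80>
    ServerName nc.hezner.biz
    DocumentRoot "/var/www/html/nextcloud"

    RewriteEngine On
    # Let the CA fetch the HTTP-01 token; never redirect it
    RewriteRule ^/\\.well-known/acme-challenge/ - [L]
    # Everything else goes to HTTPS
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
"""

# Constructed sample where the redirect comes first, so the passthrough is dead.
REDIRECT_FIRST = """<VirtualHost *:80>
    ServerName nc.hezner.biz
    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    RewriteRule ^/\\.well-known/acme-challenge/ - [L]
</VirtualHost>
"""

OPEN_RE = re.compile(r"^\s*<VirtualHost\b[^>]*>\s*$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</VirtualHost\s*>\s*$", re.IGNORECASE)
# A directive name followed directly by a colon, e.g. "DocumentRoot:"
COLON_RE = re.compile(r"^\s*([A-Za-z]+):\s")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"
# RewriteRule that matches the well-known path and stops processing ([L])
ACME_PASS_RE = re.compile(r"^\s*RewriteRule\s+\S*well-known\S*\s+-\s+\[[^\]]*\bL\b")
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b", re.IGNORECASE)


def check_vhost(text):
    """Return [(line_number, message), ...]; an empty list means the file looks sane."""
    lines = text.splitlines()
    problems = []
    depth = 0
    acme_passthrough_seen = False
    for n, line in enumerate(lines, 1):
        if any(ch in line for ch in CURLY_QUOTES):
            problems.append((n, "curly quotes; Apache only understands straight double quotes"))
        m = COLON_RE.match(line)
        if m:
            problems.append((n, f"'{m.group(1)}:' has a trailing colon; directives take none"))
        if OPEN_RE.match(line):
            depth += 1
            if depth > 1:
                problems.append((n, "second <VirtualHost> opener; did you mean </VirtualHost>?"))
        elif CLOSE_RE.match(line):
            depth -= 1
            if depth < 0:
                problems.append((n, "</VirtualHost> without a matching opener"))
        if ACME_PASS_RE.match(line):
            acme_passthrough_seen = True
        elif REDIRECT_RE.match(line) and not acme_passthrough_seen:
            problems.append((n, "redirect/rewrite before the .well-known passthrough; "
                                "HTTP-01 requests would be redirected too"))
    if depth != 0:
        problems.append((len(lines), "unbalanced <VirtualHost> ... </VirtualHost>"))
    return problems


if __name__ == "__main__":
    samples = [("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST), ("redirect-first", REDIRECT_FIRST)]
    for name, text in samples:
        found = check_vhost(text)
        print(f"{name}: {'OK' if not found else ''}")
        for n, msg in found:
            print(f"  line {n}: {msg}")
```

This only catches the mistakes seen in the thread; `httpd -t` (or `apachectl -t`) remains the authoritative syntax check, and the live probe of http://nc.hezner.biz/.well-known/acme-challenge/... from #5 is what confirms the passthrough actually reaches the document root.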

#20

You caught my error. When I fixed that then httpd.service restarts OK.
Do I still need to work on the redirect? I’ll go check a dryrun now.