On Fedora 35, Apache, certbot --apache command fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: markmeretzky.com

I ran this command:
certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):

My web server is (include version):
Apache/2.4.53 (Fedora Linux)

The operating system my web server runs on is (include version):
NAME="Fedora Linux"
VERSION="35 (Server Edition)"

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.27.0

I have the Apache web server running on my brand new Fedora Linode (IP address 45.79.140.111,
domain name markmeretzky.com). It's currently listening on port 80; you can point your browser at
http://www.markmeretzky.com/
I would like the web server to listen on port 443 as well, so that I could also point a browser at
https://www.markmeretzky.com/
I am trying to follow the certbot instructions at
Certbot Instructions | Certbot
In step 7 of these instructions, I typed (as root)

/usr/bin/certbot --apache

and it said
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):

The debug log /var/log/letsencrypt/letsencrypt.log says
2022-06-02 14:51:48,061:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_fedora.FedoraConfigurator object at 0x7f64d95ddac0> and installer <certbot_apache._internal.override_fedora.FedoraConfigurator object at 0x7f64d95ddac0>
2022-06-02 14:51:48,061:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2022-06-02 14:52:05,056:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2035/bin/certbot", line 8, in <module>
sys.exit(main())
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 1434, in run
le_client = _init_le_client(config, authenticator, installer)
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 827, in _init_le_client
acc, acme = _determine_account(config)
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 733, in _determine_account
config.email = display_ops.get_email()
File "/var/lib/snapd/snap/certbot/2035/lib/python3.8/site-packages/certbot/display/ops.py", line 63, in get_email
raise errors.Error(
certbot.errors.Error: An e-mail address or --register-unsafely-without-email must be provided.
2022-06-02 14:52:05,084:ERROR:certbot._internal.log:An e-mail address or --register-unsafely-without-email must be provided.

I know little about system administration. Thank you in advance.


The error presented should provide the info you'd need:

What it means is: you skipped over the question where Certbot asked for your email address. This email address is used for expiry emails and/or important changes in the Let's Encrypt issuance, which might affect your setup. If you don't provide an email address, Let's Encrypt won't have a way to warn you for such things.

You don't HAVE to provide an email address, but as an extra caution, the Certbot developers have made it mandatory to provide the command line option --register-unsafely-without-email if you really don't want to provide an email address. That way you say to Certbot: "I really know what I'm doing, don't ask me for an email address."


Not exactly the same command.
Please show the output of:
which certbot
and
/usr/bin/certbot --version


Thank you for getting back to me so fast.

which certbot

/usr/bin/certbot

/usr/bin/certbot --version

certbot 1.27.0

The problem was: I thought that certbot's request for my email address indicated that something had gone wrong at that point.
I didn't understand that everybody has to provide their email address.

Now certbot is saying

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): markmeretzky.com,www.markmeretzky.com
Requesting a certificate for markmeretzky.com and www.markmeretzky.com
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

But I am currently running an Apache server on port 80 of my brand new Linode fedora. To prove it, you can point your browser at these two URLs:
http://markmeretzky.com/

http://www.markmeretzky.com/

Any ideas?

Mark Meretzky
mark.meretzky@gmail.com


Thank you, that was very clear. I thought that certbot's request for my email address meant that something was wrong at that point.
Now certbot is saying

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): markmeretzky.com
Requesting a certificate for markmeretzky.com
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

I am puzzled because I am running an Apache web server on my brand new Fedora Linode. You can check this by pointing a web browser at
http://markmeretzky.com/
http://www.markmeretzky.com/

Any ideas? Thanks again.
Mark Meretzky
mark.meretzky@gmail.com


Please show the output of:
apachectl -t -D DUMP_VHOSTS


Thanks again. On my Linode Fedora 35, Apache/2.4.53,

which apachectl
/usr/sbin/apachectl

apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

echo $?
1

I have not added any <VirtualHost> paragraphs to my /etc/httpd/conf/httpd.conf file,
because the instructions in step 7 of

gave me the impression that the certbot --apache command would edit the httpd.conf file for me.

Certbot generates the HTTPS VirtualHost in a separate configuration file, but it requires a "template" for this so to say. It uses an existing HTTP VirtualHost as this template.

It's common to put separate VirtualHosts in separate configuration files. I don't know how Fedora usually does this, Google might know more. E.g., Ubuntu uses /sites-available/ and /sites-enabled/.


Try:
httpd -t -D DUMP_VHOSTS

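The two replies above describe what certbot is actually looking for: a port-80 `<VirtualHost>` whose ServerName or ServerAlias covers each requested name, found by inspecting the same data `httpd -t -D DUMP_VHOSTS` prints. The script below is an added example, not code from the thread or from the certbot project. It parses DUMP_VHOSTS output and reports which domains are covered on port 80, so the "Unable to find a virtual host listening on port 80" failure can be predicted before certbot is run. The two sample outputs are constructed to match the stock Fedora layout described in the thread (only ssl.conf's `_default_:443`) and the state after a `*:80` vhost has been added; the file name `preflight.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for `certbot --apache`.
# The parsing functions read `httpd -t -D DUMP_VHOSTS` output on stdin and answer
# the question certbot asks before issuing: which names have a port-80 vhost?

# Print the ServerName and every ServerAlias of each vhost bound to port $1,
# one per line.  Handles both DUMP_VHOSTS shapes: the single-vhost line
#   "*:80   example.com (/etc/httpd/conf.d/site.conf:1)"
# and the name-based block headed by "*:80   is a NameVirtualHost".
vhost_names_on_port() {
  awk -v port="$1" '
    $1 ~ (":" port "$") && $2 != "is" { inport = 1; print $2; next }
    $1 ~ (":" port "$") && $2 == "is" { inport = 1; next }
    $1 ~ /:[0-9]+$/                    { inport = 0; next }   # header of another port
    inport && $1 == "port" && $2 == port && $3 == "namevhost" { print $4; next }
    inport && $1 == "alias"            { print $2; next }
  '
}

# Exit 0 if some vhost on port $1 answers for exactly the name $2.
has_vhost_for() {
  vhost_names_on_port "$1" | grep -qxF -- "$2"
}

# Constructed sample: stock Fedora layout.  ssl.conf supplies a _default_:443
# vhost with no ServerName (httpd substitutes its own hostname) and nothing is
# defined as a vhost on port 80, so certbot has no template to copy from.
BARE_DUMP='VirtualHost configuration:
_default_:443          localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)'

# Constructed sample after adding a *:80 vhost with a ServerAlias for www.
FIXED_DUMP='VirtualHost configuration:
_default_:443          localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
*:80                   is a NameVirtualHost
         default server markmeretzky.com (/etc/httpd/conf.d/markmeretzky.com.conf:1)
         port 80 namevhost markmeretzky.com (/etc/httpd/conf.d/markmeretzky.com.conf:1)
                 alias www.markmeretzky.com'

# Against the live server (as root), for example:
#   sh preflight.sh live markmeretzky.com www.markmeretzky.com
# Only when every name is covered is it worth running certbot, e.g.
#   certbot --apache -d markmeretzky.com -d www.markmeretzky.com -m you@example.com --agree-tos
# (or --register-unsafely-without-email instead of -m, as discussed above).
if [ "${1:-}" = "live" ]; then
  shift
  dump=$(httpd -t -D DUMP_VHOSTS 2>&1) || { printf '%s\n' "$dump"; exit 1; }
  rc=0
  for d in "$@"; do
    if printf '%s\n' "$dump" | has_vhost_for 80 "$d"; then
      echo "ok:      $d is served by a port-80 vhost"
    else
      echo "MISSING: $d has no port-80 vhost (certbot --apache will refuse)"; rc=1
    fi
  done
  exit $rc
fi
```

Note that `apachectl` on Fedora refuses to forward `-t -D DUMP_VHOSTS` to httpd (as the thread shows), so the live path calls `httpd` directly; `2>&1` is used because httpd writes "Syntax OK" and any parse errors to stderr.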

Thank you, rg305 Community leader. I have <VirtualHost> tags in two .conf files:

cd /etc/httpd
find . -type f -name '*.conf' -exec grep -il '<[^<>]*VirtualHost[^<>]*>' {} ';'
./conf/httpd.conf
./conf.d/ssl.conf

The <VirtualHost> tags in the file /etc/httpd/conf/httpd.conf are all in comments.
There is one <VirtualHost> directive in the file /etc/httpd/conf.d/ssl.conf, which I have not edited:

<VirtualHost _default_:443>
   #DocumentRoot "/var/www/html"
   #ServerName www.example.com:443
   #etc.
</VirtualHost>

Do I have to edit the .conf files by hand to insert one or more <VirtualHost> directives before I
give the command /usr/bin/certbot --apache? If so, can I just copy the <VirtualHost> directive that I see here in the Evi Nemeth book ("Unix and Linux System Administration Handbook, 4th ed.", p. 971),

<VirtualHost 45.79.140.111:443>
   ServerName markmeretzky.com
   ServerAdmin root@markmeretzky.com
   DocumentRoot "/var/www/html"
   ErrorLog "logs/error_log"
   CustomLog "logs/access_log" common
   ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
</VirtualHost>

Do I need two <VirtualHost> directives, one for port 80 and one for port 443? Thanks again.

Yes.
And restart Apache.

Yes.
But certbot can create the 443 from the 80 for you.


Thank you, you solved my problem for me! I appended

<VirtualHost 45.79.140.111:80>
   ServerName markmeretzky.com
   ServerAdmin root@markmeretzky.com
   DocumentRoot "/var/www/html"
   ErrorLog "logs/error_log"
   CustomLog "logs/access_log" common
   ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</VirtualHost>

to my /etc/httpd/conf/httpd.conf file, said (as root)

/usr/bin/systemctl restart httpd.service
/usr/bin/certbot --apache

and discovered that I now had a new .conf file named /etc/http/conf/httpd-le-ssl.conf
containing a <VirtualHost 45.79.140.111:443> directive. I can now point my web browser at
either of the following, and they both work:

http://markmeretzky.com/
https://markmeretzky.com/

Boy, this system administration business is a black art! (I'm just a lowly C++ programmer.)


If you don't require IP address based virtual hosts, it's common to use a * instead of the IP. E.g., the start of an HTTP VirtualHost section would look like:

<VirtualHost *:80>

And an HTTPS section would start with:

<VirtualHost *:443>

Using IP addresses instead of * when it's not required can lead to all kinds of troubles later.

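The advice above (bind to `*` rather than to the Linode's address) is easy to apply by hand once, but the IP-bound opener tends to come back whenever a vhost block is copied. The script below is an added example, not code from the thread or from the certbot project: it emits a Fedora-style port-80 vhost bound to `*:80` for a given domain (meant for `/etc/httpd/conf.d/<domain>.conf`, which Fedora's httpd.conf pulls in through `IncludeOptional conf.d/*.conf`), lints config text for `<VirtualHost>` openers that bind to an IPv4 literal, and rewrites such openers to `*`. The sample config is constructed from the block posted earlier in the thread; the `live` mode and the suggested log file names are assumptions, not Fedora defaults.

```shell
#!/bin/sh
# Added example (not from the thread): generate a *:80 vhost for Fedora's
# conf.d layout and lint existing config for vhosts bound to a literal IP.

# Emit a name-based HTTP vhost for $1 (ServerName) with ServerAlias www.$1,
# serving $2 as DocumentRoot.  Log paths are relative to ServerRoot (/etc/httpd,
# where "logs" is a symlink to /var/log/httpd on Fedora).
write_http_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot "$2"
    ErrorLog "logs/$1-error_log"
    CustomLog "logs/$1-access_log" combined
</VirtualHost>
EOF
}

# Print "<line>:<addr:port>" for every uncommented <VirtualHost> opener whose
# address is an IPv4 literal rather than "*" or a hostname.  Reads config on stdin.
ip_bound_vhosts() {
  awk '
    /^[[:space:]]*<VirtualHost[[:space:]]/ {
      line = $0
      sub(/^[[:space:]]*<VirtualHost[[:space:]]+/, "", line)
      sub(/>[[:space:]]*$/, "", line)
      n = split(line, tok, /[[:space:]]+/)
      for (i = 1; i <= n; i++)
        if (tok[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/)
          print NR ":" tok[i]
    }'
}

# Rewrite IPv4-bound openers to "*", keeping the port.  Reads stdin, writes stdout.
unbind_vhosts() {
  sed -E 's/^([[:space:]]*<VirtualHost[[:space:]]+)[0-9]+(\.[0-9]+){3}:/\1*:/'
}

# Constructed sample: the block that was appended to httpd.conf in the thread.
IP_BOUND_CONF='<VirtualHost 45.79.140.111:80>
   ServerName markmeretzky.com
   DocumentRoot "/var/www/html"
</VirtualHost>'

# Live use (as root): list every IP-bound opener in the files httpd loads.
#   sh vhost-lint.sh live
# After fixing a file (e.g. `unbind_vhosts < f.conf > f.conf.new` and review),
# validate before restarting:  httpd -t && systemctl restart httpd.service
if [ "${1:-}" = "live" ]; then
  for f in /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf; do
    [ -f "$f" ] && ip_bound_vhosts < "$f" | sed "s|^|$f:|"
  done
fi
```

Because certbot's Apache installer copies the matching HTTP vhost to build the HTTPS one, getting the port-80 opener to `*:80` before running `certbot --apache` means the generated `httpd-le-ssl.conf` will carry `*:443` as well, and no second round of editing (and re-testing with `certbot renew --dry-run`) is needed.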

Thanks, I certainly want to avoid "all kinds of troubles", so I changed the IP addresses to asterisks in the files httpd.conf and httpd-le-ssl.conf.
Then I restarted the web server with
/usr/bin/systemctl restart httpd.service
Does this editing change count as a "change of configuration" ? If so, step 8 of
https://certbot.eff.org/instructions?ws=apache&os=fedora

implies that I have to run certbot again. What certbot command should I run? Thanks again.


Step 8 provides you with the exact command to run:

sudo certbot renew --dry-run

That would do a "dry run", which means it will test if everything works without actually getting a new certificate.


Thanks. I assume everything will renew itself automatically now.

