"Please add a virtual host for port 80."

Help
1

Hello!

I am trying to setup my first Let’s Encrypt certificate on my server http://mini.luo.ma which is running Mac OS.

I ran sudo certbot --apache and everything seemed to be going OK until here:

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): mini.luo.ma
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mini.luo.ma
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for 
Certbot to prove to the CA that you control your domain. 
Please add a virtual host for port 80.

You can connect to http://mini.luo.ma which is running on port 80, so I’m not sure what the issue is.

Any help would be appreciated. I tried searching the forums but didn’t see anything directly related. Apologies if I missed something obvious.

2

I’ve moved this to the “Help” topic instead.

Could you please post your Apache configs? I suspect you have a very basic setup without a virtual host configured.

3

Hi @tjluoma

check

https://httpd.apache.org/docs/2.4/vhosts/examples.html

Check your configuration file and add something like

# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/example2"
    ServerName www.example.org

    # Other directives here
</VirtualHost>

So Certbot is able to create a SSL-vHost.

Certbot on wordpress docker shows error Unable to restart apache using ['apachectl', 'graceful']
4

I’d be glad to – I suspect you are correct, although I have several domains all running on that same machine.

Can you be more specific what you would like me to post? I’m afraid I don’t know much about Apache’s files, as I’ve configured everything though Apple’s “Server.app”

Thank you!

5

Thanks for the tip!

I remember being told not to edit /etc/apache2/httpd.conf directly. Is that true for this too?

At the end of that file is an include directive:

Include /etc/apache2/other/*.conf

so I created a new file at /etc/apache2/virtual.conf

Listen 80
<VirtualHost *:80>
    DocumentRoot "/Users/luomat/Sites/mini.luo.ma"
    ServerName mini.luo.ma

    # Other directives here
</VirtualHost>

and restarted the web services via the Server.app (because that was the easiest way I knew how).

But that obviously wasn’t enough because I tried sudo certbot --apache again and got the same result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): mini.luo.ma
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mini.luo.ma
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently 
needed for Certbot to prove to the CA that you control your domain. 
Please add a virtual host for port 80.
6

Please share your log.

7

Sorry, it turns out that I had put the file at /etc/apache2/virtual.conf instead of at /etc/apache2/other/virtual.conf so it wasn’t being included.

I moved it to the right place, restarted apache again, and then tried

sudo certbot --apache

and now get this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running apachectl configtest.\n\nAH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:\nCannot define multiple Listeners on the same IP:port\n')

The main httpd.conf has this section:

<IfDefine SERVER_APP_HAS_DEFAULT_PORTS>
    Listen 8080
</IfDefine>
<IfDefine !SERVER_APP_HAS_DEFAULT_PORTS>
    Listen 80
</IfDefine>

Could that be what is causing the conflict?

I can’t upload my log as a new user, so I have to include it in the post:

2018-10-25 18:59:00,844:DEBUG:certbot.main:certbot version: 0.27.1
2018-10-25 18:59:00,846:DEBUG:certbot.main:Arguments: ['--apache']
2018-10-25 18:59:00,846:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-10-25 18:59:00,905:DEBUG:certbot.log:Root logging level set at 20
2018-10-25 18:59:00,906:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-10-25 18:59:00,908:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-10-25 18:59:01,128:ERROR:certbot.util:Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port

2018-10-25 18:59:01,129:DEBUG:certbot.plugins.disco:Misconfigured PluginEntryPoint#apache: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2211, in config_test
    util.run_script(self.option("conftest_cmd"))
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 235, in prepare
    self.config_test()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2213, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port

2018-10-25 18:59:01,132:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_darwin.DarwinConfigurator object at 0x111268a20>
Prep: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /private/etc/apache2/other/virtual.conf:
Cannot define multiple Listeners on the same IP:port

2018-10-25 18:59:01,133:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
8

You can only have one Listen 80, so use that in your main file and remove this in your special file.

9

Ok! Now we’re getting… closer? I hope.

I re-ran sudo certbot --apache and got further this time:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mini.luo.ma
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mini.luo.ma
Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

Cleaning up challenges
Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

sigh

Here’s the log again:

% sudo cat /var/log/letsencrypt/letsencrypt.log

2018-10-25 19:10:41,776:DEBUG:certbot.main:certbot version: 0.27.1
2018-10-25 19:10:41,777:DEBUG:certbot.main:Arguments: ['--apache']
2018-10-25 19:10:41,778:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-10-25 19:10:41,852:DEBUG:certbot.log:Root logging level set at 20
2018-10-25 19:10:41,853:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-10-25 19:10:41,855:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-10-25 19:10:42,267:DEBUG:certbot_apache.configurator:Apache version is 2.4.33
2018-10-25 19:10:42,742:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_darwin.DarwinConfigurator object at 0x10c236f28>
Prep: True
2018-10-25 19:10:42,744:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_darwin.DarwinConfigurator object at 0x10c236f28> and installer <certbot_apache.override_darwin.DarwinConfigurator object at 0x10c236f28>
2018-10-25 19:10:42,744:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-10-25 19:10:42,754:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/44513276', new_authzr_uri=None, terms_of_service=None), f2832ae8a8a7757befecf1d75fec7bf6, Meta(creation_dt=datetime.datetime(2018, 10, 25, 21, 45, 27, tzinfo=<UTC>), creation_host='tj.luo.ma'))>
2018-10-25 19:10:42,773:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-10-25 19:10:42,840:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2018-10-25 19:10:42,946:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-10-25 19:10:42,948:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 25 Oct 2018 23:10:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Oct 2018 23:10:42 GMT
Connection: keep-alive

{
  "79YXntg7iZM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-10-25 19:10:51,973:INFO:certbot.main:Obtaining a new certificate
2018-10-25 19:10:52,129:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
2018-10-25 19:10:52,135:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
2018-10-25 19:10:52,137:DEBUG:acme.client:Requesting fresh nonce
2018-10-25 19:10:52,137:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
2018-10-25 19:10:52,177:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-10-25 19:10:52,178:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: x9pcS95ckCtOM_r4n5y7EEX-XQD8sxCJ10qwraZHH8Y
Expires: Thu, 25 Oct 2018 23:10:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Oct 2018 23:10:52 GMT
Connection: keep-alive


2018-10-25 19:10:52,178:DEBUG:acme.client:Storing nonce: x9pcS95ckCtOM_r4n5y7EEX-XQD8sxCJ10qwraZHH8Y
2018-10-25 19:10:52,179:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "mini.luo.ma"\n    }\n  ],\n  "status": "pending",\n  "resource": "new-order"\n}'
2018-10-25 19:10:52,183:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDQ1MTMyNzYiLCAibm9uY2UiOiAieDlwY1M5NWNrQ3RPTV9yNG41eTdFRVgtWFFEOHN4Q0oxMHF3cmFaSEg4WSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "h0gq1mWd3zSnPPdGfMf8kqK8Oyh24rcBF6VpgDRVvkTXZZof5JxcNvwvsO-P1AWH4QkNYQCP0t8oWkGIyH5pez1j-gC7dTkrcSWBjRL54zPYdjjQvUZ5W6KAftQetSO-xqffaqZGrXzBgTd-d87Uln8Z04rHT_FQbynANKzZQt363Z4kg8tMBgTbwuCM4zEsS6nTWvLV3bjA8o9cmNTb0GqFZZVZ76TCT01TI0pW9lzbZ82vg6WK7Tz8A5CNRCEtzyOca7UEnZ79f_RB8WViO1MGbSJMmkqmMo41HTFAtCUyQI_FpBSGEAsef4l7CpeCkZIvZJ-3AwEm_RYx1aN2Kg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1pbmkubHVvLm1hIgogICAgfQogIF0sCiAgInN0YXR1cyI6ICJwZW5kaW5nIiwKICAicmVzb3VyY2UiOiAibmV3LW9yZGVyIgp9"
}
2018-10-25 19:10:52,236:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 360
2018-10-25 19:10:52,237:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 360
Boulder-Requester: 44513276
Location: https://acme-v02.api.letsencrypt.org/acme/order/44513276/137329649
Replay-Nonce: S3Z6toGHlM3uK7vm4CC0dgD5kVvV6R-4J11zsHNb-A4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 25 Oct 2018 23:10:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Oct 2018 23:10:52 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-11-01T21:45:50Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "mini.luo.ma"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/44513276/137329649"
}
2018-10-25 19:10:52,237:DEBUG:acme.client:Storing nonce: S3Z6toGHlM3uK7vm4CC0dgD5kVvV6R-4J11zsHNb-A4
2018-10-25 19:10:52,237:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw.
2018-10-25 19:10:52,285:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw HTTP/1.1" 200 903
2018-10-25 19:10:52,286:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 903
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 25 Oct 2018 23:10:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Oct 2018 23:10:52 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "mini.luo.ma"
  },
  "status": "pending",
  "expires": "2018-11-01T21:45:50Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw/8634067764",
      "token": "Yfhw07G1KbI8bWgJ_7SzRBDCXryFJSw9mF9qCkRmwko"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw/8634067765",
      "token": "Hj-cD-rmLI8knTngpaHbUhfRNukYqxO1mxxRZdj6wmY"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pkJq9I05sdRjohYVAUb7XDdPw7m99v1hCs52AD83pBw/8634067766",
      "token": "Wte06TW8fGHMecM0odfCTFWDcUpSSud8K6O2iU7METY"
    }
  ]
}
2018-10-25 19:10:52,286:INFO:certbot.auth_handler:Performing the following challenges:
2018-10-25 19:10:52,287:INFO:certbot.auth_handler:http-01 challenge for mini.luo.ma
2018-10-25 19:10:52,296:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: mini.luo.ma in: /private/etc/apache2/httpd.conf
2018-10-25 19:10:52,297:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2018-10-25 19:10:52,297:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2018-10-25 19:10:52,383:DEBUG:certbot.reverter:Creating backup of /private/etc/apache2/httpd.conf
2018-10-25 19:10:52,629:ERROR:certbot.util:Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

2018-10-25 19:10:52,634:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2211, in config_test
    util.run_script(self.option("conftest_cmd"))
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2286, in perform
    self.restart()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2173, in restart
    self.config_test()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2213, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration


2018-10-25 19:10:52,635:DEBUG:certbot.error_handler:Calling registered functions
2018-10-25 19:10:52,635:INFO:certbot.auth_handler:Cleaning up challenges
2018-10-25 19:10:52,969:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2211, in config_test
    util.run_script(self.option("conftest_cmd"))
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2286, in perform
    self.restart()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2173, in restart
    self.config_test()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2213, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/apache2/other/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
10

My reply has been hidden by Askimet, so I have to wait for it to be approved.

I suppose this one might not show up either.

11

OK, so my previous message said something about RewriteEngine not being enabled, so I un-commented this line from /etc/apache2/httpd.conf:

LoadModule rewrite_module libexec/apache2/mod_rewrite.so

and then tried again.

Different failure this time!

% sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mini.luo.ma
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mini.luo.ma
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mini.luo.ma (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mini.luo.ma/.well-known/acme-challenge/Wte06TW8fGHMecM0odfCTFWDcUpSSud8K6O2iU7METY: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mini.luo.ma
   Type:   unauthorized
   Detail: Invalid response from
   http://mini.luo.ma/.well-known/acme-challenge/Wte06TW8fGHMecM0odfCTFWDcUpSSud8K6O2iU7METY:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

As far as I know mini.luo.ma has all the right DNS information. None of that has changed in over a year, as far as I can remember. But I’m no DNS expert. How do I check?

12

Can you show the entire [relevant part] of that file?

This leaves way too much to the imagination:

Otherwise, and for testing purposes, please place a test.txt file at:
http://mini.luo.ma/.well-known/acme-challenge/test.txt

13

OK, so there’s a file at http://mini.luo.ma/.well-known/acme-challenge/test.txt now.

Here’s the output of egrep -v '#|^$' /etc/apache2/httpd.conf for my server (you’ll see I’ve moved the stuff from ‘virtual.conf’ into it:

ServerRoot "/usr"
<IfDefine SERVER_APP_HAS_DEFAULT_PORTS>
    Listen 8080
</IfDefine>
<IfDefine !SERVER_APP_HAS_DEFAULT_PORTS>
Listen 80
<VirtualHost *:80>
    DocumentRoot "/Users/luomat/Sites/mini.luo.ma"
    ServerName mini.luo.ma
</VirtualHost>
</IfDefine>
LoadModule authn_file_module libexec/apache2/mod_authn_file.so
LoadModule authn_core_module libexec/apache2/mod_authn_core.so
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache2/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache2/mod_authz_user.so
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
LoadModule access_compat_module libexec/apache2/mod_access_compat.so
LoadModule auth_basic_module libexec/apache2/mod_auth_basic.so
LoadModule reqtimeout_module libexec/apache2/mod_reqtimeout.so
LoadModule filter_module libexec/apache2/mod_filter.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule env_module libexec/apache2/mod_env.so
LoadModule headers_module libexec/apache2/mod_headers.so
LoadModule setenvif_module libexec/apache2/mod_setenvif.so
LoadModule version_module libexec/apache2/mod_version.so
LoadModule slotmem_shm_module libexec/apache2/mod_slotmem_shm.so
LoadModule unixd_module libexec/apache2/mod_unixd.so
LoadModule status_module libexec/apache2/mod_status.so
LoadModule autoindex_module libexec/apache2/mod_autoindex.so
LoadModule negotiation_module libexec/apache2/mod_negotiation.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule alias_module libexec/apache2/mod_alias.so
LoadModule rewrite_module libexec/apache2/mod_rewrite.so
LoadModule hfs_apple_module libexec/apache2/mod_hfs_apple.so
<IfModule unixd_module>
User _www
Group _www
</IfModule>
ServerAdmin you@example.com
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/Library/WebServer/Documents"
<Directory "/Library/WebServer/Documents">
    Options FollowSymLinks Multiviews
    MultiviewsMatch Any
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Require all denied
</FilesMatch>
<Files "rsrc">
    Require all denied
</Files>
<DirectoryMatch ".*\.\.namedfork">
    Require all denied
</DirectoryMatch>
ErrorLog "/private/var/log/apache2/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "/private/var/log/apache2/access_log" common
</IfModule>
<IfModule alias_module>
    ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/Library/WebServer/CGI-Executables/$1"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/Library/WebServer/CGI-Executables">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
    TypesConfig /private/etc/apache2/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
TraceEnable off
Include /private/etc/apache2/extra/httpd-mpm.conf
Include /private/etc/apache2/extra/httpd-autoindex.conf
<IfModule proxy_html_module>
Include /private/etc/apache2/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include /private/etc/apache2/other/*.conf

Thanks!

14

The test file works, so that is a good sign.

What is the latest error/problem?

15

Here’s the latest error / problem:

   Domain: mini.luo.ma
   Type:   unauthorized
   Detail: Invalid response from
   http://mini.luo.ma/.well-known/acme-challenge/x8VxWHkDd4IXgf9SLMcfKDCfyxsY7jk-FKUuO-8aJ8Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Here’s the full output of the command sudo certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mini.luo.ma
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mini.luo.ma
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mini.luo.ma (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mini.luo.ma/.well-known/acme-challenge/x8VxWHkDd4IXgf9SLMcfKDCfyxsY7jk-FKUuO-8aJ8Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mini.luo.ma
   Type:   unauthorized
   Detail: Invalid response from
   http://mini.luo.ma/.well-known/acme-challenge/x8VxWHkDd4IXgf9SLMcfKDCfyxsY7jk-FKUuO-8aJ8Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

DNS should be fine, as far as I know. It’s been the same for eons. Unless there’s something missing that I didn’t know that I need (which, I suppose, is possible).

16

Can you (re)create that file [if it was already deleted]?
[with any content - just to test]

Is there anything in here that we need to look at:
Include /private/etc/apache2/extra/httpd-mpm.conf
Include /private/etc/apache2/extra/httpd-autoindex.conf
Include /private/etc/apache2/extra/proxy-html.conf
Include /private/etc/apache2/other/*.conf

17

OK I see “Testing… 1…2…3” in that file so…

The problem seems that cerbot is not putting the challenge file where you put that file.

Please show:
/etc/letsencrypt/cli.ini

and show the LE logs when run with verbose logging

18

I don't think so. I took a look through them and there's nothing remarkable there. The only 'other' is php7.conf and the rest of them look pretty standard to me. I'm happy to post them somewhere if you think it might be instructive.

19

If there is anything relating to .well-known or acme-challenge or some redirect/directorymatch that could seem harmless but somehow overlaps with the random token string then yes.

can you show the apache error logs?

20

I tried cat /etc/letsencrypt/cli.ini and got this back:

cat: /etc/letsencrypt/cli.ini: No such file or directory

Here's the output of ls -1F /etc/letsencrypt/:

accounts/
csr/
keys/
renewal/
renewal-hooks/
options-ssl-apache.conf

How do I run with verbose logging? sudo certbot --help didn't show anything relevant.