Problem after revoking certificate in order to activate new domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: christinevilella.tk (the old one, which I have revoked successfully)
christinevilella.ml (the new one, for which I have an issue requesting a certificate)

I ran this command: ./certbot-auto --apache -d christineonline.ml

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for christineonline.ml
Waiting for verification…
Challenge failed for domain christineonline.ml
http-01 challenge for christineonline.ml
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Raspbian 4.19.66-v7+ on RPI 2B

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.4.0

Dear community,
I have an issue after having revoked the previous domain certificate for christinevilella.tk.
Command used to revoke: ./certbot-auto revoke --domain christineonline.tk --cert-path /etc/letsencrypt/live/christineonline.tk/cert.pem --key-path /etc/letsencrypt/live/christineonline.tk/privkey.pem

Output :
Upgrading certbot-auto 1.3.0 to 1.4.0…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Would you like to delete the cert(s) you just revoked, along with all earlier
and later versions of the cert?


(Y)es (recommended)/(N)o: Y


Deleted all files relating to certificate christineonline.tk.



Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/live/christineonline.tk/cert.pem


Now, I would like to activate the new domain christineonline.ml with this command: ./certbot-auto --apache -d christineonline.ml

OUTPUT
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for christineonline.ml
Waiting for verification…
Challenge failed for domain christineonline.ml
http-01 challenge for christineonline.ml
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

It sounds like my web server doesn't respond.

I have 2 Apache configuration files under the /etc/apache2/sites-enabled folder.

$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    # this log sits inside DocumentRoot, so /log/http.error is reachable over HTTP unless access to it is blocked
    ErrorLog /var/www/html/log/http.error
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =christineonline.tk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

$ cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/log/http.error

    ServerName christineonline.tk
    SSLCertificateFile /etc/letsencrypt/live/christineonline.tk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/christineonline.tk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

I don't have much knowledge of the Apache server, but it sounds like an issue with my Apache domain configuration, or maybe I'm wrong.

Can you please help me troubleshoot my issue so I can get the new domain certificate?

Many thanks for your support,
Best Regards
Cyril

I donā€™t understand why you thought you had to revoke a certificate you donā€™t need anymore.
Deletion is more than enough for that.

Your port 80 vhost config has no ServerName, and the rewrite to HTTPS will no longer work, as it only compares against the old .tk name.

Your port 443 vhost config has a ServerName for the old .tk domain only.

There is no config to service the new .ml name.

You need to read up on how to configure your web server.

Hi rg305 and entire community,

Finally, I managed to solve my Apache2 issue this morning. And sorry for the disturbance here.

Here is how I solved it.

First, I updated my hosts file to include the new ServerName.

Then I completely rewrote my .conf files as follows.
$ cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerName christineonline.ml
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/log/http.error
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =christineonline.ml
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

$ cat /etc/apache2/sites-available/000-default-le-ssl.conf

<VirtualHost *:443>
    ServerName christineonline.ml
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    ErrorLog /var/www/html/log/http.error

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/christineonline.ml/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/christineonline.ml/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName christineonline.ml
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/log/http.error
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    RewriteCond %{SERVER_NAME} =christineonline.ml
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And activated the new virtual host:
sudo a2ensite 000-default.conf

And successfully got my new domain certified with the revised virtual host!

Sorry for disturbing, and thanks for your consideration,
Best Regards
Cyril


I'm glad my post helped you get a cert, but it still looks like you may have a ServerName in two places doing the same thing.
Please show output of:
apachectl -S

Hi rg305,

Thanks for supporting my issue !

Here below is the command output:

$ sudo apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/apache2.conf:235
VirtualHost configuration:
*:443 christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:16)
port 80 namevhost christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:16)
port 80 namevhost christineonline.ml (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/www/html/log/http.error"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Thanks again for your help
Best Regards
Cyril

This is an overlap/name conflict. Each name should only appear in one vhost config per service.
[once for HTTP and once for HTTPS]
Here we see that port 80 (HTTP) has the same name in two vhost configs.
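Both points rg305 makes, a name that no vhost carries (the first reply) and a name that two vhosts carry on the same port (this one), can be read straight off apachectl -S. The script below is an added example, not certbot's code and not something posted in the thread: it parses that dump and classifies a domain per port. The sample input is the thread's own apachectl -S output with Apache's indentation restored (the forum flattened it); the ServerAlias handling and the case-folding of names are assumptions that go beyond what the thread shows.

```python
import re

# Constructed sample: the `apachectl -S` output quoted in the thread, with the
# indentation Apache prints (the forum post had it stripped).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:16)
         port 80 namevhost christineonline.ml (/etc/apache2/sites-enabled/000-default-le-ssl.conf:16)
         port 80 namevhost christineonline.ml (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
"""

# "*:443   name (file:line)"             the only vhost on that port
SINGLE_RE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\((\S+):(\d+)\)\s*$")
# "port 80 namevhost name (file:line)"   one of several name-based vhosts
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+)\s+\((\S+):(\d+)\)\s*$")
# "alias www.example.com"                ServerAlias of the preceding vhost (assumed format)
ALIAS_RE = re.compile(r"^\s*alias (\S+)\s*$")


def parse_vhost_dump(text):
    """Parse `apachectl -S` output into vhost records.

    Each record is {"port": int, "names": [servername, *aliases], "file": str,
    "line": int}. Records keep configuration order, which is also the order
    Apache consults when picking a vhost for a Host header.
    """
    vhosts = []
    for line in text.splitlines():
        m = SINGLE_RE.match(line) or NAMEVHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append({"port": int(port), "names": [name.lower()],
                           "file": path, "line": int(lineno)})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1]["names"].append(m.group(1).lower())
    return vhosts


def check_domain(vhosts, domain, ports=(80, 443)):
    """Report, per port, whether exactly one vhost answers for `domain`.

    Returns {port: (status, ["file:line", ...])} where status is
      "missing"   no vhost carries the name, so requests for it (including an
                  ACME http-01 request on port 80) fall through to that port's
                  default vhost and its DocumentRoot;
      "duplicate" the name is declared in more than one vhost; Apache uses the
                  first one listed and silently ignores the rest;
      "ok"        exactly one vhost.
    """
    domain = domain.lower()
    result = {}
    for port in ports:
        hits = [f"{v['file']}:{v['line']}" for v in vhosts
                if v["port"] == port and domain in v["names"]]
        status = "missing" if not hits else "duplicate" if len(hits) > 1 else "ok"
        result[port] = (status, hits)
    return result


if __name__ == "__main__":
    # On a live host replace SAMPLE_DUMP with the real dump, e.g.
    #   subprocess.run(["apachectl", "-S"], capture_output=True, text=True).stdout
    vh = parse_vhost_dump(SAMPLE_DUMP)
    for port, (status, where) in check_domain(vh, "christineonline.ml").items():
        print(f"port {port}: {status} {where}")
```

On the server, feed it the real output (sudo apachectl -S) and fix the configs until the new name reads ok on both ports before running certbot again: a duplicate on port 80 is what the dump above shows, and the first post's configs had no vhost for the .ml name at all.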

Hi rg305,
OK, so this is what I did to get a clean vhost configuration:
a2dissite 000-default-le-ssl.conf
service apache2 restart

Then I removed all redirect settings from 000-default.conf.
And deleted the 000-default-le-ssl.conf.

Then I ran certbot again.
OUTPUT:
./certbot-auto --apache --domain christineonline.ml --email cyrillouiphone@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf


Congratulations! You have successfully enabled https://christineonline.ml

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=christineonline.ml


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/christineonline.ml-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/christineonline.ml-0001/privkey.pem
    Your cert will expire on 2020-08-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the ā€œcertonlyā€ option. To non-interactively renew all
    of your certificates, run ā€œcertbot-auto renewā€

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

This created a new folder for the certificate in /etc/letsencrypt/live/christineonline.ml-0001/

And also created a new SSL conf file 000-default-le-ssl.conf:

<VirtualHost *:443>
    ServerName christineonline.ml
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/log/http.error

    SSLCertificateFile /etc/letsencrypt/live/christineonline.ml-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/christineonline.ml-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

The website is active on HTTPS 443 and the certificate is also active.

However, when I run
$ apachectl -S
OUTPUT
AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/christineonline.ml-0001/fullchain.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.

Really strange, because the .pem files are in the live folder /christineonline.ml-0001/
It sounds like Apache couldn't read inside it.
Is it a R/W file issue?

Many thanks again
Best Regards

Please show output of:
certbot certificates
[there we will see what file names should be used]

And also, just for sanity check:
ls -l /etc/letsencrypt/live/christineonline.ml-0001/

Hi again, and thanks for your quick answer.

Here is the output of $ certbot certificates
OUTPUT
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/christineonline.ml.conf produced an unexpected error: expected /etc/letsencrypt/live/christineonline.ml/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: christineonline.ml-0001
Serial Number: 304e6b719ba6e891da582aace336f309c41
Domains: christineonline.ml
Expiry Date: 2020-08-11 13:41:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/christineonline.ml-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/christineonline.ml-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/christineonline.ml.conf


And here is the list of files in the folder:
ls -l /etc/letsencrypt/live/christineonline.ml-0001/
total 4
lrwxrwxrwx 1 root root 47 May 13 16:41 cert.pem -> ../../archive/christineonline.ml-0001/cert1.pem
lrwxrwxrwx 1 root root 48 May 13 16:41 chain.pem -> ../../archive/christineonline.ml-0001/chain1.pem
lrwxrwxrwx 1 root root 52 May 13 16:41 fullchain.pem -> ../../archive/christineonline.ml-0001/fullchain1.pem
lrwxrwxrwx 1 root root 50 May 13 16:41 privkey.pem -> ../../archive/christineonline.ml-0001/privkey1.pem
-rw-r--r-- 1 root root 692 May 13 16:41 README

Many thanks again !


Please show:
ls -l /etc/letsencrypt/live/
ls -l /etc/letsencrypt/live/christineonline.ml/
ls -l /etc/letsencrypt/renewal/

That may need to be removed.

Please also show:
ls -l /etc/letsencrypt/archive/christineonline.ml-0001/

OK, so I will now share the output without deleting the old renewal .conf.

ls -l /etc/letsencrypt/live/
total 12
drwxr-xr-x 2 root root 4096 May 13 16:34 christineonline.ml
drwxr-xr-x 2 root root 4096 May 13 16:41 christineonline.ml-0001
-rw-r--r-- 1 root root 740 May 13 09:52 README

ls -l /etc/letsencrypt/live/christineonline.ml/
total 4
-rw-r--r-- 1 root root 692 May 13 09:52 README

ls -l /etc/letsencrypt/renewal/
total 8
-rw-r--r-- 1 root root 573 May 13 16:41 christineonline.ml-0001.conf
-rw-r--r-- 1 root root 611 May 13 09:52 christineonline.ml.conf

ls -l /etc/letsencrypt/archive/christineonline.ml-0001/
total 16
-rw-r--r-- 1 root root 1919 May 13 16:41 cert1.pem
-rw-r--r-- 1 root root 1647 May 13 16:41 chain1.pem
-rw-r--r-- 1 root root 3566 May 13 16:41 fullchain1.pem
-rw------- 1 root root 1704 May 13 16:41 privkey1.pem

Thanks again for your help !


Two renewal files but only one is valid:

Two live folders, but only one have files in it:

[EMPTY]

At some point, you probably tried deleting things manually…
That is not a good idea.
[There are too many moving parts to deal with "manually"]

I suggest you try using certbot to delete the bad cert stuff.
certbot delete --cert-name christineonline.ml
Then recheck the renewals.
If it works, stop here and jump for joy - LOL

If that still "fails", try to "clean up" the remnants of the initial unused cert manually.
rm -R /etc/letsencrypt/live/christineonline.ml/
rm /etc/letsencrypt/renewal/christineonline.ml.conf
Then re-recheck the renewals.
That better work!
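The certbot certificates output above already spotted the half-deleted lineage. The script below is an added example (not certbot's code, and not anything posted in the thread) that performs the same cross-check over a whole config root and adds a private-key permission check, so the lineages that need certbot delete are visible before anything is touched by hand. It builds a constructed fixture in a temporary directory mirroring the listings above (an empty live/christineonline.ml next to a healthy christineonline.ml-0001) plus an invented example.test lineage with a world-readable key; the names and the placeholder file contents are assumptions. Against a real system, call audit_lineages("/etc/letsencrypt") as root: certbot keeps live/ and archive/ readable only by root, which is also why a configtest run as an ordinary user can report a certificate file as missing even though Apache, started by root, loads it fine.

```python
import os
import stat
import tempfile

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def audit_lineages(root):
    """Cross-check renewal/, live/ and archive/ under a certbot config root.

    Returns {lineage_name: [problem, ...]}; an empty list means the lineage is
    shaped the way certbot expects: a renewal conf, a live/ directory whose four
    .pem entries are symlinks resolving into archive/, and a private key that is
    not group- or world-accessible.
    """
    renewal = os.path.join(root, "renewal")
    live = os.path.join(root, "live")
    archive_real = os.path.realpath(os.path.join(root, "archive"))

    # A lineage is anything that has a renewal conf OR a live/ directory;
    # mismatches between the two are exactly what we want to surface.
    names = set()
    if os.path.isdir(renewal):
        names.update(f[:-len(".conf")] for f in os.listdir(renewal) if f.endswith(".conf"))
    if os.path.isdir(live):
        names.update(d for d in os.listdir(live) if os.path.isdir(os.path.join(live, d)))

    report = {}
    for name in sorted(names):
        problems = []
        if not os.path.isfile(os.path.join(renewal, name + ".conf")):
            problems.append("no renewal conf: certbot renew will never see this lineage")
        live_dir = os.path.join(live, name)
        if not os.path.isdir(live_dir):
            problems.append("no live/ directory: web server paths will not resolve")
            report[name] = problems
            continue
        for fname in LIVE_FILES:
            path = os.path.join(live_dir, fname)
            if not os.path.islink(path):
                # certbot's own complaint: "expected .../cert.pem to be a symlink"
                problems.append(f"live/{fname} is not a symlink")
                continue
            target = os.path.realpath(path)
            if not os.path.isfile(target):
                problems.append(f"live/{fname} -> {os.readlink(path)} is dangling")
            elif not target.startswith(archive_real + os.sep):
                problems.append(f"live/{fname} points outside archive/")
            elif fname == "privkey.pem" and os.stat(target).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("archive privkey is group/world accessible")
        report[name] = problems
    return report


def build_sample_tree(root):
    """Constructed fixture mirroring the thread's state (not a real /etc/letsencrypt):
    a leftover christineonline.ml lineage (renewal conf plus a live/ dir holding only
    README), a healthy christineonline.ml-0001, and an invented example.test lineage
    whose private key was left world-readable."""
    for sub in ("archive", "live", "renewal"):
        os.makedirs(os.path.join(root, sub))
    os.makedirs(os.path.join(root, "live", "christineonline.ml"))
    open(os.path.join(root, "live", "christineonline.ml", "README"), "w").close()
    open(os.path.join(root, "renewal", "christineonline.ml.conf"), "w").close()
    for name, key_mode in (("christineonline.ml-0001", 0o600), ("example.test", 0o644)):
        os.makedirs(os.path.join(root, "archive", name))
        os.makedirs(os.path.join(root, "live", name))
        open(os.path.join(root, "renewal", name + ".conf"), "w").close()
        for fname in LIVE_FILES:
            stem, ext = fname.split(".")          # cert.pem -> cert1.pem in archive/
            arch_name = f"{stem}1.{ext}"
            arch_path = os.path.join(root, "archive", name, arch_name)
            with open(arch_path, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")   # placeholder, not real PEM
            os.chmod(arch_path, key_mode if stem == "privkey" else 0o644)
            os.symlink(os.path.join("..", "..", "archive", name, arch_name),
                       os.path.join(root, "live", name, fname))


def audit_sample():
    """Build the fixture in a temporary directory and return its audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_lineages(tmp)


if __name__ == "__main__":
    # Audit the fixture; on a server run audit_lineages("/etc/letsencrypt") as root.
    for lineage, problems in audit_sample().items():
        print(lineage, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

A lineage whose live/ entries are plain files or missing is the case to hand to certbot delete --cert-name; a permission finding on an otherwise healthy lineage is fixed with chmod 0600 on the archive key, not by deleting anything.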

Guess what? certbot delete did the thing!
No more christineonline.ml in renewal or anywhere else.

I did some other checks and the problem is 100% solved!
Thanks a lot for your great support :+1: :partying_face:

Have a nice evening
Best Regards

