Problem trying to renew my certificate

So, I am very new to this. I have an application that runs inside a VPN, on a Linux VM of my client's, to which I have access. But to use it externally, I am using Apache.

This is my ports.conf file:

Listen 80

<IfModule ssl_module>
   Listen 443
</IfModule>

<IfModule mod_gnutls.c>
   Listen 443
</IfModule>

My sites-available/domain.conf is something like this:

<VirtualHost *:80>
        ServerAdmin my_server_admin
        ServerName my_domain_url

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Apache 2.2-style access control for the proxy (needs mod_access_compat on 2.4)
        <Proxy *>
                Order allow,deny
                Allow from all
        </Proxy>
        # Everything on :80, including /.well-known/acme-challenge/, is forwarded to the backend
        ProxyPass / http://localhost:8081/my_domain/
        ProxyPassReverse / http://localhost:8081/my_domain/

        <Location /cdaweb>
                ProxyPass http://localhost:8081/my_domain
                ProxyPassReverse http://localhost:8081/my_domain
        </Location>

</VirtualHost>

And my default-ssl.conf:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin my_server_admin
                ServerName my_domain_url
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                # Debian's self-signed placeholder pair, not a CA-issued certificate
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

So, when I try to run sudo certbot renew, I always get this error:

Challenge failed for domain my_domain
http-01 challenge for my_domain

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: my_domain
  Type:   connection
  Detail: my_domain_ip: Fetching http://my_domain/.well-known/acme-challenge/DyPyF5DK2dppQHnATloaXtmpoYEc7_NWH868MielQLs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate my_domain with error: Some challenges have failed.

I have also checked sudo iptables -L -n | grep -E ":(443|80)" and it shows:

[screenshot of the iptables output]

I have tried to activate the firewall and allow ports 80 and 443. But the renew command still doesn't work. I have seen somewhere the command apachectl -t -D DUMP_VHOSTS, and when I run it I get:

AH00526: Syntax error on line 47 of /etc/apache2/sites-enabled/m_domain-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/my_domain/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

I don't know how I should proceed to fix this. Please let me know where I am being dumb and how I could fix it quickly.
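For comparison, here is a port-80 vhost shaped so that http-01 validation keeps working behind this reverse proxy. This is an added example, not the poster's files and not anything certbot generated; it assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_ssl, reuses the thread's placeholder names (my_domain_url, my_domain, localhost:8081), and the document-root path is an assumption.

```apache
# Added example, not the poster's config or certbot's generated config.
<VirtualHost *:80>
    ServerName my_domain_url
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Apache 2.4 access control; "Order allow,deny / Allow from all" is the
    # 2.2 syntax and only works when mod_access_compat is loaded.
    <Proxy *>
        Require all granted
    </Proxy>

    # The CA fetches http://my_domain_url/.well-known/acme-challenge/<token>
    # over plain HTTP on :80. Keep that prefix out of the reverse proxy so
    # Apache answers it itself; the "!" exclusion must precede the catch-all.
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://localhost:8081/my_domain/
    ProxyPassReverse / http://localhost:8081/my_domain/

    <Directory /var/www/html/.well-known/acme-challenge>
        Require all granted
    </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName my_domain_url
    SSLEngine on
    # These symlinks exist only after a successful issuance. If the file is
    # missing, or unreadable because apachectl was run without root, the
    # configtest reports "does not exist or is empty".
    SSLCertificateFile    /etc/letsencrypt/live/my_domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my_domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://localhost:8081/my_domain/
    ProxyPassReverse / http://localhost:8081/my_domain/
</VirtualHost>
</IfModule>
```

None of this helps if nothing can reach :80 from the internet: the challenge URL in the error is fetched by the CA over port 80, so that port has to be open on every firewall between the CA and this VM, not just in the VM's own iptables.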

Try that with sudo:

sudo apachectl -t -D DUMP_VHOSTS

That output only shows :8080, which is NOT :80.

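The check the reply above is making (is there a vhost on :80 at all, or only on :8080 and :443?) can be scripted against the DUMP_VHOSTS output. The following is an added example, not code from the thread: the DUMP_VHOSTS text embedded in it is constructed to mirror the broken state described, and the domain names are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: inspects "apachectl -t -D DUMP_VHOSTS"
# output and reports whether a domain is served on :80, the only port an
# http-01 validation ever connects to.

# Constructed sample mirroring the thread's broken state: my_domain is
# only served on 8080 and 443, while an unrelated site owns :80.
SAMPLE_DUMP='VirtualHost configuration:
*:8080                 is a NameVirtualHost
         default server my_domain (/etc/apache2/sites-enabled/my_domain.conf:1)
         port 8080 namevhost my_domain (/etc/apache2/sites-enabled/my_domain.conf:1)
*:443                  is a NameVirtualHost
         default server my_domain (/etc/apache2/sites-enabled/my_domain-le-ssl.conf:2)
         port 443 namevhost my_domain (/etc/apache2/sites-enabled/my_domain-le-ssl.conf:2)
                 alias www.my_domain
         port 443 namevhost my_domain (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   my_other_site (/etc/apache2/sites-enabled/000-default.conf:1)'

# vhost_ports DOMAIN   (DUMP_VHOSTS text on stdin)
# Prints the distinct ports on which DOMAIN appears, handling the three
# line shapes httpd emits: "port N namevhost NAME", the single-vhost form
# "*:N NAME (...)", and "alias NAME" lines attached to the preceding vhost.
vhost_ports() {
    awk -v d="$1" '
        $1 == "port" && $3 == "namevhost" { cur = $2; if ($4 == d) print cur }
        $1 ~ /^[^ ]+:[0-9]+$/ && $2 != "is" { cur = $1; sub(/.*:/, "", cur); if ($2 == d) print cur }
        $1 == "alias" && $2 == d && cur != "" { print cur }
    ' | sort -un
}

# http01_ready DOMAIN   (DUMP_VHOSTS text on stdin)
# Returns 0 when DOMAIN has a vhost on :80; otherwise explains on stderr
# which ports were found and returns 1.
http01_ready() {
    ports=$(vhost_ports "$1")
    for p in $ports; do
        [ "$p" = "80" ] && return 0
    done
    echo "$1 is served on ports [$(echo ${ports:-none})] but not on :80; http-01 needs :80" >&2
    return 1
}

# Demonstration on the constructed sample (this one fails, as in the thread).
if printf '%s\n' "$SAMPLE_DUMP" | http01_ready my_domain; then
    echo "my_domain: port 80 vhost present"
fi
# Live use on the VM itself:
#   sudo apachectl -t -D DUMP_VHOSTS 2>/dev/null | http01_ready my_domain
```

A vhost on :80 is necessary but not sufficient: the thread's fix was on the client's firewall, outside Apache, so once this check passes the remaining question is whether port 80 is reachable from the internet.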

Thanks for the answer!

I tried sudo apachectl -t -D DUMP_VHOSTS and got:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server my_domain (/etc/apache2/sites-enabled/my_domain-le-ssl.conf:2)
         port 443 namevhost my_domain (/etc/apache2/sites-enabled/my_domain-le-ssl.conf:2)
         port 443 namevhost my_domain (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server my_domain (/etc/apache2/sites-enabled/my_domain.conf:1)
         port 80 namevhost my_domain (/etc/apache2/sites-enabled/my_domain.conf:1)

You were right. I realized port 80 was not open; it was just 8080. So I asked my client's infra to open it, and it worked. Thank you!
