Problem with a subdomain

That specifies the webroot, but doesn't select the webroot authenticator.

@JuergenAuer

Sorry for stepping in. I didn't want it to go unnoticed. You saw it though. :wink:


Sorry, I confused the webroot and webroot-path options.
As I wasn't careful, I used the certonly option. How do I install the certificate? Is that the --installer option with webroot?

Just one more small question: why didn't the apache option work?
Thanks

If the webroot authenticator worked and the apache authenticator didn't, my guess would be either that certbot couldn't correctly process your apache configuration or that something in your apache installation itself is non-standard. You can specify certain things about your apache configuration to certbot using some options. See the apache: section in the certbot command-line options for more information.

There is no webroot installer. You'll probably have to manually install the certificate by modifying your apache configuration to point to the files in live then add a --deploy-hook that will reload apache after each successful renewal.

Something like:

```text
certbot certonly --webroot -w /var/www/html/ --deploy-hook "apachectl -k graceful"
```


You can always split authenticator and installer, see

Combining plugins.

https://certbot.eff.org/docs/using.html#combining-plugins

```text
certbot run -a webroot -i apache -w /var/www/html -d example.com
```

Hello,
Sorry for the late reply.
After installing the certificate, I cannot connect. So I had a doubt about my router setup.
To be sure, I installed a self-signed certificate. That works, with a warning message because the certificate authority is unknown (normal).

I created a new VM, Debian buster, installed apache, created a virtualhost, installed certbot, and I have the same problem with certbot --apache.

```text
root@dolidelices:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): benoit@xxxx.com

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?

(Y)es/(N)o: y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?

1: dolidelice.zelec.homelinux.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for dolidelice.zelec.homelinux.net
Performing the following challenges:
http-01 challenge for dolidelice.zelec.homelinux.net
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain dolidelice.zelec.homelinux.net
http-01 challenge for dolidelice.zelec.homelinux.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

I tried with webroot:

```text
root@dolidelices:~# certbot --webroot -w /var/www/html/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
and "--help plugins" for more information.)
root@dolidelices:~# certbot --webroot certonly -w /var/www/html/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): dolidelice.zelec.homelinux.net
Requesting a certificate for dolidelice.zelec.homelinux.net
Performing the following challenges:
http-01 challenge for dolidelice.zelec.homelinux.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: benoit@z-elec.com).
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/privkey.pem
    Your certificate will expire on 2021-04-17. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"
```

So I wanted to install:
```text
root@dolidelices:~# certbot run -a webroot -i apache -w /var/www/html -d dolidelice.zelec.homelinux.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/dolidelice.zelec.homelinux.net.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/dolidelice.zelec.homelinux.net.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/conf-enabled/dolibarr.conf to ssl vhost in /etc/apache2/sites-enabled/dolidelice.zelec.homelinux.net.conf

Congratulations! You have successfully enabled
https://dolidelice.zelec.homelinux.net
```


Now my /etc/apache2/sites-enabled/dolidelice.zelec.homelinux.net.conf is:

```text
ServerAdmin benoit@z-elec.com
            DocumentRoot /var/www/html

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf

            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>
            ServerName      dolidelice.zelec.homelinux.net
            SSLCertificateFile /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
```

Everything seems to be correct, but when I try to connect I get ERR_SSL_PROTOCOL_ERROR.

Thanks for the help

@bensz

As @JuergenAuer mentioned earlier a couple of times...

you don't have VirtualHosts in your configuration.

Start by reading here:

https://httpd.apache.org/docs/current/vhosts/examples.html


Sorry, I created the vhost, but with port 443.
I modified that, to have dolidelice.zelec.homelinux.conf:

```text
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
```

Then certbot again:

```text
root@dolidelices:/etc/apache2/sites-available# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: dolidelice.zelec.homelinux.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/dolidelice.zelec.homelinux.net.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for dolidelice.zelec.homelinux.net
Created an SSL vhost at /etc/apache2/conf-available/dolibarr-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/conf-available/dolibarr-le-ssl.conf
Enabling available site: /etc/apache2/conf-available/dolibarr-le-ssl.conf
Enhancement redirect was already set.

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://dolidelice.zelec.homelinux.net

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/privkey.pem
    Your certificate will expire on 2021-04-17. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"
  • Some rewrite rules copied from
    /etc/apache2/conf-enabled/dolibarr.conf were disabled in the vhost
    for your HTTPS site located at
    /etc/apache2/conf-available/dolibarr-le-ssl.conf because they have
    the potential to create redirection loops.
```

But I can't connect: SSL protocol error.

I see no VirtualHost block or ServerName directive. Did you take a look at the documentation via the link that I provided? You seem to be missing many things.


I read the documentation, but I made a mistake when copying/pasting.
Here is the complete file:

```text
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerName dolidelice.zelec.homelinux.net
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
```

Where are the <VirtualHost> and </VirtualHost> lines?


```text
    ServerName dolidelice.zelec.homelinux.net
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
```

My friend, I'm meaning where are the two lines themselves that actually have VirtualHost literally written in them?

For example:

```text
<VirtualHost *:80>
DocumentRoot "/www/example1"
ServerName www.example.com

# Other directives here
</VirtualHost>
```
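As an added example (not from this thread, and not code from the Apache or certbot projects), here is a complete HTTP plus HTTPS VirtualHost pair for the hostname and /etc/letsencrypt/live/ paths that certbot printed above, together with a small lint that reports the two mistakes this thread keeps running into: a config with no <VirtualHost> block at all, and SSLEngine on in a vhost that is not on port 443, so an https:// request can be answered in plaintext and the browser reports ERR_SSL_PROTOCOL_ERROR. The function names, the temporary file and the APACHE_LOG_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example: write a correct sites-available file and lint it for the
# mistakes discussed in the thread. Sample config below is constructed.

# write_vhost_pair FILE: a port-80 vhost (serves the http-01 challenge from
# DocumentRoot/.well-known/acme-challenge) and a port-443 vhost for TLS.
write_vhost_pair() {
  cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName dolidelice.zelec.homelinux.net
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName dolidelice.zelec.homelinux.net
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dolidelice.zelec.homelinux.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# lint_vhosts FILE: prints one line per finding and exits non-zero when the
# file has no <VirtualHost> block, enables TLS outside a port-443 vhost, or
# has no port-443 vhost with SSLEngine on. Prints nothing when clean.
lint_vhosts() {
  awk '
    /^[ \t]*<VirtualHost/ {
        nblocks++; inblock = 1
        port = ($0 ~ /:[0-9]+>/) ? $0 : "(none)"
        if (port != "(none)") { sub(/.*:/, "", port); sub(/>.*/, "", port) }
        next
    }
    /^[ \t]*<\/VirtualHost>/ { inblock = 0; next }
    /^[ \t]*SSLEngine[ \t]+[Oo]n/ {
        if (!inblock)           { print "SSLEngine on outside any <VirtualHost> block"; bad++ }
        else if (port != "443") { print "SSLEngine on inside a port " port " vhost"; bad++ }
        else                    { tls443++ }
    }
    END {
        if (nblocks == 0)     { print "no <VirtualHost> block found"; bad++ }
        else if (tls443 == 0) { print "no port-443 vhost with SSLEngine on"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Stand-alone demo: lint the constructed sample (prints OK when clean).
# On a real Debian host, "apache2ctl -S" then shows which vhosts Apache loaded.
demo_file=$(mktemp)
write_vhost_pair "$demo_file"
lint_vhosts "$demo_file" && echo "OK: $demo_file passes the vhost lint"
rm -f "$demo_file"
```

Run the lint against the file certbot deployed to (the path it printed in "Deploying Certificate to VirtualHost ...") before reloading Apache.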

They appear when I type my text between <> but disappear when I publish it.

Ah...

Edit your outputs and add this line above:

```text

and this line below:

```

Those will format your outputs correctly. They must be on separate lines from your output.


Thanks for the information. I made a screenshot of the file:

```text
<VirtualHost dolidelice.zelec.homelinux.net:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com
        ServerName dolidelice.zelec.homelinux.net
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
```

Thanks for that. Please try what I mentioned though, just so that I can be sure our formatter is working correctly.


That's better like that