Problems generating certificates

My domain is: https://www.shitouttaluck.co.uk/

I ran this command: certbot --apache

It produced this output:

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.


Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.


Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

My web server is (include version): Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is: Fasthosts

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Problem
I am trying to generate a new certificate for the above site but I run into the errors shown above.
If I take a look at my virtual server's error logs I see the following:

Apache Error log for Virtual Server - tail -30 /var/log/apache2/shitouttaluck.error.log

[Thu Dec 22 23:18:38.285171 2022] [ssl:info] [pid 1378473] AH01914: Configuring server www.shitouttaluck.co.uk:443 for SSL protocol
[Thu Dec 22 23:18:38.285311 2022] [ssl:emerg] [pid 1378473] AH02572: Failed to configure at least one certificate and key for www.shitouttaluck.co.uk:443
[Thu Dec 22 23:18:38.285325 2022] [ssl:emerg] [pid 1378473] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Thu Dec 22 23:18:38.285334 2022] [ssl:emerg] [pid 1378473] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Thu Dec 22 23:18:38.285347 2022] [ssl:emerg] [pid 1378473] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

I have several other servers running on this box all running LetsEncrypt certificates, but this has just stopped working for me.

**Steps to recreate the problem**
As the root user

  1. Create config file in /etc/apache2/sites-available
  2. apache2 -configtest - This passes with an OK
  3. a2ensite - Enabling site shitouttaluck
  4. Activate new config by running systemctl reload apache2. This loads fine and returns to prompt
  5. run **certbot --apache**
 certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: <Site removed by issue logger>
2: <Site removed by issue logger>
3: <Site removed by issue logger>
4: www.shitouttaluck.co.uk
5: www.stupid-cunt.co.uk
6: <Site removed by issue logger>
7: <Site removed by issue logger>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4

This then generates the error from above.
I have left 5 showing as this is a working config (don't be displeased, they let me buy them. I didn't think profanity was allowed in DNS names).

I then have to disable the site that isn't working and restart apache as this error causes Apache to barf and crash out.

Any help gratefully received.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS
and certbot logs:
/var/log/letsencrypt/letsencrypt.log

1 Like
VirtualHost configuration:
77.68.94.253:80        is a NameVirtualHost
         default server www.arightoldrant.co.uk (/etc/apache2/sites-enabled/le-redirect-www.arightoldrant.co.uk.conf:1)
         port 80 namevhost www.arightoldrant.co.uk (/etc/apache2/sites-enabled/le-redirect-www.arightoldrant.co.uk.conf:1)
         port 80 namevhost www.arightoldrant.com (/etc/apache2/sites-enabled/le-redirect-www.arightoldrant.com.conf:1)
         port 80 namevhost www.influenceoperations.co.uk (/etc/apache2/sites-enabled/le-redirect-www.influenceoperations.com.conf:1)
         port 80 namevhost www.onyourdesktop.com (/etc/apache2/sites-enabled/le-redirect-www.onyourdesktop.com.conf:1)
77.68.94.253:443       is a NameVirtualHost
         default server www.arightoldrant.co.uk (/etc/apache2/sites-enabled/arightoldrant.co.uk.conf:1)
         port 443 namevhost www.arightoldrant.co.uk (/etc/apache2/sites-enabled/arightoldrant.co.uk.conf:1)
                 alias www.arightoldrant.co.uk
         port 443 namevhost www.arightoldrant.com (/etc/apache2/sites-enabled/arightoldrant.com.conf:1)
                 alias www.arightoldrant.com
         port 443 namevhost www.dirty-thongs.com (/etc/apache2/sites-enabled/dirty-thongs.conf:1)
                 alias www.dirty-thongs.com
         port 443 namevhost www.influenceoperations.co.uk (/etc/apache2/sites-enabled/influenceoperations.co.uk.conf:1)
                 alias www.influenceoperations.co.uk
         port 443 namevhost www.onyourdesktop.com (/etc/apache2/sites-enabled/onyourdesktop.com.conf:1)
                 alias www.onyourdesktop.com
         port 443 namevhost www.stupid-cunt.co.uk (/etc/apache2/sites-enabled/stupid-cunt.conf:1)
                 alias www.stupid-cunt.co.uk
*:80                   www.tiny-thongs.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  www.tiny-thongs.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

Please show the file you disabled.

Also, using IPs in vhost configs can be problematic:
77.68.94.253:80
77.68.94.253:443

2 Likes
<VirtualHost www.shitouttaluck.co.uk:443>
    ServerAdmin webmaster@localhost
    ServerName www.shitouttaluck.co.uk
    DocumentRoot /var/www/html/shitouttaluck/


    ErrorLog ${APACHE_LOG_DIR}/shitouttaluck.error.log
    CustomLog ${APACHE_LOG_DIR}/shitouttaluck.access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off



    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                   SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
                   SSLOptions +StdEnvVars
    </Directory>

    # For Wordpress
    <Directory /var/www/html/shitouttaluck/>
    Options +FollowSymlinks
    AllowOverride All
    Require all granted
    </Directory>

    ServerAlias www.shitouttaluck.co.uk

</VirtualHost>

That's even worse!
LOL

3 Likes

And the redirect

<VirtualHost www.shitouttaluck.co.uk:80>
ServerName www.shitouttaluck.co.uk

ServerSignature Off

RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ErrorLog /var/log/apache2/redirect.error.log
LogLevel warn
</VirtualHost>

Are those two separate files?

1 Like

Have I been doing vhost wrong all these years?

I don't know...
You never even answered the question.

They can be separate files.
Only you mentioned disabling "the site" and I thought one file.

1 Like

yes, two separate files
shitouttaluck.conf for SSL
le-redirect-shitouttaluck.conf for HTTP

and I just kept the french bit because I couldn't be bothered changing it

OK, well enough.
Take the name out of the virtualhost lines [throughout all files].
Put the names closer together, and use both names:

    ServerName www.shitouttaluck.co.uk
    ServerAlias shitouttaluck.co.uk

Put both names in both files.
The HTTP server block seems to lack the base domain.

1 Like

That's redundant - LOL

1 Like

Funny, I read that as LE [LetsEncrypt], while you read it in French [the].
LE redirect ...
the redirect ...

1 Like

Do you mean like this?
I was under the impression that NamedVirtualHosts were the way HTTP differentiated on a multi-tenanted IP.

<VirtualHost :443 >
    ServerAdmin webmaster@localhost
    ServerAlias shitouttaluck.co.uk
    ServerName www.shitouttaluck.co.uk
    DocumentRoot /var/www/html/shitouttaluck/


    ErrorLog ${APACHE_LOG_DIR}/shitouttaluck.error.log
    CustomLog ${APACHE_LOG_DIR}/shitouttaluck.access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off



    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                   SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
                   SSLOptions +StdEnvVars
    </Directory>

    # For Wordpress
    <Directory /var/www/html/shitouttaluck/>
    Options +FollowSymlinks
    AllowOverride All
    Require all granted
    </Directory>

</VirtualHost>

No, like:
<VirtualHost *:443 >

And they usually go in the other order [name first, then alias(es)]:

3 Likes

You don't have an SSLCertificateFile and SSLCertificateKeyFile configured in this virtual host.

This isn't valid from Apache's perspective.

You'll have to either comment out this virtual host or put in a snakeoil certificate, before you'll be able to start Apache and use certbot --apache.

3 Likes

Using a name [in virtualhost] as a separator does nothing, when all the names resolve to the same IP anyway.
The covered server names are the separation.

1 Like
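A check I would run before `certbot --apache`, as an added example that is not part of the thread: it flags both problems raised above, an "SSLEngine on" vhost with no SSLCertificateFile/SSLCertificateKeyFile (Apache refuses to start, so certbot cannot reload it) and a `<VirtualHost>` keyed on a hostname or IP rather than `*`. The sample files, the domain `www.example.test` and the Ubuntu snakeoil paths are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Scans a directory of Apache vhost files
# for the two problems discussed above: an "SSLEngine on" vhost with no
# SSLCertificateFile/SSLCertificateKeyFile (Apache fails to start, so certbot
# cannot reload it), and a <VirtualHost> line keyed on a hostname or IP
# instead of "*". Prints one line per finding; returns 1 if any were found.
check_vhosts() {
    dir=$1; rc=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
        /^[ \t]*<VirtualHost/ {
            addr = $0
            sub(/^[ \t]*<VirtualHost[ \t]*/, "", addr); sub(/[ \t]*>.*$/, "", addr)
            name = ""; ssl = 0; cert = 0; key = 0; inblock = 1
            if (addr !~ /^\*(:[0-9]+)?$/ && addr !~ /^_default_/) {
                printf "%s: <VirtualHost %s> uses a name/IP; prefer *:port\n", file, addr
            }
            next
        }
        inblock && /^[ \t]*ServerName[ \t]/            { name = $2 }
        inblock && /^[ \t]*SSLEngine[ \t]+[Oo]n/       { ssl = 1 }
        inblock && /^[ \t]*SSLCertificateFile[ \t]/    { cert = 1 }
        inblock && /^[ \t]*SSLCertificateKeyFile[ \t]/ { key = 1 }
        /^[ \t]*<\/VirtualHost>/ {
            if (ssl && !(cert && key)) {
                printf "%s: %s has SSLEngine on but no SSLCertificateFile/KeyFile\n", file, name
            }
            inblock = 0
        }' "$f" | grep . && rc=1
    done
    return $rc
}

# Constructed sample pair: the broken shape from the thread and a corrected one.
# The snakeoil paths are Ubuntu's ssl-cert package defaults (assumed here).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '<VirtualHost www.example.test:443>' '    ServerName www.example.test' \
        '    SSLEngine on' '</VirtualHost>' > "$d/broken.conf"
    printf '%s\n' '<VirtualHost *:443>' '    ServerName www.example.test' \
        '    ServerAlias example.test' '    SSLEngine on' \
        '    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem' \
        '    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key' \
        '</VirtualHost>' > "$d/fixed.conf"
    echo "$d"
}
```

Run it as `check_vhosts /etc/apache2/sites-enabled` on the real box; a clean run prints nothing and exits 0.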

@rg305 Thanks for your help here. All renamed. I have created another issue but it's a rogue domain I don't have appearing somewhere. A bit of prepping will hopefully find it.

Then I will get round to retrying certbot along with @_az's bit about the 'snakeoil' cert.

1 Like

Ok that has now all worked and I am getting certs as I need.

Final question to @_az
I have the following pair showing

7: shitouttaluck.co.uk
8: www.shitouttaluck.co.uk

and the same for all my other vhosts. Should I just get all my vhosts up and running and then just hit Enter? Will this generate the same cert for all 16 sites or individual ones per site?