Problems with getting Certbot setup to work

Hello,

I am having trouble setting up my SSL certificate properly. My specs are listed down below. I ran certbot with the following commands:

```
sudo apt-get install python-certbot-apache
sudo certbot --apache
[Run the whole process, provide e-mail address, activate redirect with option 2]
sudo systemctl restart apache2
```

After running this I only get messages that the process has been successful.

Ports 80 and 433 are open on my home router. I am not sure if the problem may lie with my registrar; I set it up to route the domain "eekhof.org" to the public IP of my Raspi (A: 92.19....). Every time I run certbot this way (I also tried some other commands, but this is the gist), my webpage becomes unreachable, while SSH continues to work.

I fixed this each time by completely purging both apache and certbot, and then reinstalling apache. I have not yet retried the whole process after reinstalling, which is why my website should be online as http at the moment.

I would like my webpage to work after running all this, with https protocol activated.

I hope I understood everything properly and didn't ask too obvious a question. I would be very thankful for your help. All the best,
Lucas


My domain is: eekhof.org

My web server is (include version): Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: united-domains.de

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @LucasTrever, and welcome to the LE community forum :)

I would start here:

[make sure that both ports are allowed and forward to the same internal IP]

Then, make sure that Apache is configured correctly:
```
apachectl -t -D DUMP_VHOSTS
netstat -pant | grep -i listen | grep -Ei 'apache|http'
```

4 Likes

Hi, thanks ^.^

From this I get

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
```

And from

```
netstat -pant | grep -i listen | grep -Ei 'apache|http'
```

I get

```
sudo netstat -pant | grep -i listen | grep -Ei 'apache|http'
tcp6       0      0 :::80                   :::*                    LISTEN      9563/apache2 
```

I am not really sure what this tells me, sorry... As I said, however, at the current state I have not rerun certbot yet. From what I can gather, certbot will manage the configuration of the Apache server to the correct port?

1 Like

That shows us what Apache is doing:

  • It is configured to listen on all IPs for HTTP connections.
    But is configured to serve content only on IP 127.0.1.1 (for HTTP connections) [NOT GOOD].

That seems a bit off.
There should be an FQDN being serviced [your domain name(s)] via HTTP.
From that, certbot could use it to obtain a cert and build the matching HTTPS vhost.

So...
Step #1 is for you to get a properly working HTTP site.
Step #2 is for you to get a cert for that site
Step #3 [which can be combined with step #2] is for you to use that cert in a secured version of your site.

4 Likes
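As an added example (not from this thread, and not Certbot's or Apache's own code), here is a small POSIX shell audit of `apachectl -t -D DUMP_VHOSTS` output that checks the three steps above mechanically: it flags a VirtualHost that answers only for the 127.0.1.1 placeholder name, and it reports whether the domain has a VirtualHost on :80 (step 1) and on :443 (step 3). The function name `check_vhosts` and both sample dumps are constructed for the example; the first sample reproduces the dump posted earlier in the thread, the second is what a finished HTTP + HTTPS setup prints.

```shell
#!/bin/sh
# Added example, not part of the thread: audit "apachectl -t -D DUMP_VHOSTS" output.
# Usage: apachectl -t -D DUMP_VHOSTS 2>/dev/null | check_vhosts example.org
# Returns 0 when the domain has a VirtualHost on both :80 and :443,
# otherwise prints one line per finding and returns 1.
check_vhosts() {
    domain="$1"
    have80=0; have443=0; rc=0

    # Reduce the dump to "port name" pairs. Apache prints either
    #   *:80   name (file:line)            one host on the port
    # or, with several name-based hosts on one port,
    #   *:80   is a NameVirtualHost
    #          default server name (file:line)
    #          port 80 namevhost name (file:line)
    #                  alias othername
    pairs=$(awk '
        /^[^[:space:]]+:[0-9]+/ {
            n = split($1, a, ":"); port = a[n]
            if ($2 != "is") print port, $2
            next
        }
        /^[[:space:]]+port [0-9]+ namevhost / { port = $2; print port, $4; next }
        /^[[:space:]]+alias / { print port, $2 }
    ')

    while read -r port name; do
        [ -n "$port" ] || continue
        case "$name" in
            127.0.1.1|127.0.0.1|localhost|localhost.localdomain)
                echo "port $port: VirtualHost answers only for placeholder name $name; set ServerName $domain"
                rc=1 ;;
        esac
        if [ "$name" = "$domain" ]; then
            case "$port" in 80) have80=1 ;; 443) have443=1 ;; esac
        fi
    done <<EOF
$pairs
EOF

    [ "$have80" -eq 1 ] || { echo "no :80 VirtualHost for $domain (step 1; certbot --apache uses it as its template)"; rc=1; }
    [ "$have443" -eq 1 ] || { echo "no :443 VirtualHost for $domain (step 3; no HTTPS site yet)"; rc=1; }
    return "$rc"
}

# Constructed sample 1: the dump posted earlier in this thread.
SAMPLE_BROKEN='VirtualHost configuration:
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)'

# Constructed sample 2: what a finished HTTP + HTTPS setup prints.
SAMPLE_OK='VirtualHost configuration:
*:443                  eekhof.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)'

for sample in "$SAMPLE_BROKEN" "$SAMPLE_OK"; do
    if printf '%s\n' "$sample" | check_vhosts eekhof.org; then
        echo "OK: eekhof.org is served on :80 and :443"
    fi
done
```

Run on a live box, the function reads the real dump from the pipe; the `2>/dev/null` in the usage line only hides the AH00558 warning, which the placeholder-name finding reports in a more useful form.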

Alright, I tried to fix this, as said in step #1: I don't know if this was the right thing to do, but I modified /etc/hosts. I commented out the line 127.0.1.1 raspberrypi and I added the lines:

```
127.0.0.1       localhost.localdomain   localhost
127.0.1.1       raspberrypi.eekhof.org  raspberrypi
92.[... My IP]  raspberrypi.eekhof.org  raspberrypi
```

Now when I use apachectl -t -D DUMP_VHOSTS I get the result:

```
VirtualHost configuration:
*:80                   raspberrypi.eekhof.org (/etc/apache2/sites-enabled/000-default.conf:1)
```

Did I successfully complete step #1, and should now just rerun certbot --apache to complete steps #2 and #3?

EDIT:
I tried to run certbot --apache, but I got the following error:

```
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 87 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

Rolling back to previous server configuration...
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 87 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
```

That's odd. Certbot creates the -le-ssl.conf file from your HTTP VirtualHost. Yet, your apachectl -t just before re-running certbot did not complain about the RewriteEngine.

We should look at this file. Please show its contents.

/etc/apache2/sites-enabled/000-default.conf

Add 3 backticks before and after the output like this:
```
contents of file
```

5 Likes

Ok, here it is:

```
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
#	ServerName eekhof.org
#	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

You should un-comment those two lines. The idea is to have that VirtualHost be explicitly for those two domain names.

Then re-run certbot with the --apache plug-in. It should create a ...le-ssl.conf file again (since it failed last time). This time it will use this VirtualHost as the template for the new VirtualHost.

I'm not sure what options were used to make the conf file before. Maybe Certbot found some other settings in your base Apache config. Your Certbot version 0.31 is more than 3.5 years old so many improvements have been made. See certbot.eff.org for upgrade options.

5 Likes

The lines are uncommented, and I updated to Certbot version 1.30.0. The error remains:

```
Deploying certificate
Successfully deployed certificate for eekhof.org to /etc/apache2/sites-available/000-default-le-ssl.conf
Successfully deployed certificate for www.eekhof.org to /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 87 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

We were unable to install your certificate, however, we successfully restored your server to its prior configuration.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name eekhof.org

Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 87 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Odd. What does this do now?

```
sudo apache2ctl configtest
```
5 Likes

This yields

```
Syntax OK
```

Let's try making sure the rewrite engine is enabled.

I am not certain this is the right way for your system, but you could try

```
a2enmod rewrite
```
5 Likes

I did

Certbot now says that enabling HTTPS was successful:

```
Successfully deployed certificate for eekhof.org to /etc/apache2/sites-available/000-default-le-ssl.conf
Successfully deployed certificate for www.eekhof.org to /etc/apache2/sites-available/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://eekhof.org and https://www.eekhof.org
```

I then ran sudo systemctl restart apache2 and even sudo reboot.
But neither https://eekhof.org nor https://www.eekhof.org are reachable.

It now looks like your firewall may not have port 443 open. Is that possible? I am just about to sign off, but you might try this website to test.

5 Likes

Yes, it seems then that there is a problem:
443 port seems to be filtered, check your firewall/server configuration.

When I try nmap -p 433 eekhof.org I get:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-16 13:02 CEST
Nmap scan report for eekhof.org (92.194.255.158)
Host is up (0.062s latency).
rDNS record for 92.194.255.158: port-92-194-255-158.dynamic.as20676.net

PORT    STATE  SERVICE
433/tcp closed nnsp

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```

I am not sure, I really thought I had forwarded 433 on the router. Is there something else I can do, maybe check if there is some kind of firewall running on the raspi that blocks 433?

It will be about a week until I will be able to access the router configuration again.

try 443, not 433

5 Likes

Oh God, my bad. Here are the results for nmap -p 443 eekhof.org:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-16 15:26 CEST
Nmap scan report for eekhof.org (92.194.255.158)
Host is up (0.081s latency).
rDNS record for 92.194.255.158: port-92-194-255-158.dynamic.as20676.net

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 0.93 seconds
```

Yes, that's what I saw earlier too. Check your router to ensure it has port 443 open (and routed if needed). Check any other firewall.

I'd also like to see the contents of this file (to finish the redirect engine error):

```
/etc/apache2/sites-available/000-default-le-ssl.conf
```
4 Likes

Ok, here follows /etc/apache2/sites-available/000-default-le-ssl.conf:

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	#ADDED BY LUCAS EEKHOF HIMSELF:
	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



ServerName eekhof.org
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.eekhof.org
SSLCertificateFile /etc/letsencrypt/live/eekhof.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/eekhof.org/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



RewriteEngine on
RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
RewriteCond %{SERVER_NAME} =eekhof.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName eekhof.org
	ServerAlias www.eekhof.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<Directory "/var/www/html/privateusers/lucas">
		AuthType Basic
		AuthName "lucas"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Directory>



</VirtualHost>
</IfModule>
```

I will double check the router as soon as possible.

OK. Once you get port 443 resolved there is some work needed in your port 80 VirtualHosts.

Let's start with seeing this again:

```
apachectl -t -D DUMP_VHOSTS
```

NOTE: I still don't understand why you could get a cert but not have it installed due to the rewrite issue. But I am not going to bother with that now that it's resolved.

5 Likes
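As an added example (not from this thread, and not Certbot's or Apache's own code), the following POSIX shell function audits a certbot-written `000-default-le-ssl.conf` for the defects visible in the file posted above and behind the remark about the port 80 VirtualHosts: `Rewrite*` directives while `rewrite_module` is absent from `apachectl -M` output (the "Invalid command 'RewriteEngine'" configtest failure that `a2enmod rewrite` cleared), port-80 VirtualHosts that ended up in the -le-ssl file instead of 000-default.conf (each failed `certbot --apache` run can leave one behind), and a :443 VirtualHost missing its ServerName, certificate or key. The function name `audit_le_ssl`, the condensed copy of the posted file and the two `apachectl -M` outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: read-only audit of a certbot-generated
# 000-default-le-ssl.conf.
# Usage: audit_le_ssl /etc/apache2/sites-available/000-default-le-ssl.conf modules.txt
#        where modules.txt holds the output of "apachectl -M".
# Prints one line per finding and returns the number of findings (0 = clean).
audit_le_ssl() {
    conf="$1"; modules="$2"; findings=0

    # 1. Rewrite* directives need mod_rewrite; without it configtest fails with
    #    "Invalid command 'RewriteEngine'" and certbot rolls the install back.
    if grep -qE '^[[:space:]]*Rewrite(Engine|Cond|Rule)' "$conf" &&
       ! grep -q 'rewrite_module' "$modules"; then
        echo "Rewrite* directives present but rewrite_module not loaded (sudo a2enmod rewrite)"
        findings=$((findings + 1))
    fi

    # 2. The -le-ssl.conf file should hold only the :443 VirtualHost(s); the
    #    :80 host and its HTTPS redirect belong in 000-default.conf.
    n80=$(grep -cE '^[[:space:]]*<VirtualHost[^>]*:80>' "$conf" || true)
    if [ "$n80" -gt 0 ]; then
        echo "$n80 port-80 VirtualHost(s) found in $conf; port 80 belongs in 000-default.conf"
        findings=$((findings + 1))
    fi

    # 3. Exactly one :443 VirtualHost, carrying the name, certificate and key.
    n443=$(grep -cE '^[[:space:]]*<VirtualHost[^>]*:443>' "$conf" || true)
    if [ "$n443" -ne 1 ]; then
        echo "expected one port-443 VirtualHost, found $n443"
        findings=$((findings + 1))
    fi
    for d in ServerName SSLCertificateFile SSLCertificateKeyFile; do
        grep -qE "^[[:space:]]*$d[[:space:]]" "$conf" ||
            { echo "missing $d directive"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Constructed sample: a condensed copy of the file posted above (comments dropped).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName eekhof.org
    ServerAlias www.eekhof.org
    DocumentRoot /var/www/html
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/eekhof.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/eekhof.org/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    DocumentRoot /var/www/html
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.eekhof.org [OR]
    RewriteCond %{SERVER_NAME} =eekhof.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName eekhof.org
    DocumentRoot /var/www/html
</VirtualHost>
</IfModule>
EOF
# Constructed clean variant: only the first (:443) block survives.
head -n 10 "$TMP/le-ssl.conf" >"$TMP/le-ssl-clean.conf"

# Constructed "apachectl -M" output before and after "a2enmod rewrite".
printf '%s\n' 'Loaded Modules:' ' core_module (static)' ' ssl_module (shared)' >"$TMP/modules-before.txt"
cp "$TMP/modules-before.txt" "$TMP/modules-after.txt"
echo ' rewrite_module (shared)' >>"$TMP/modules-after.txt"

for m in before after; do
    echo "== le-ssl.conf with modules-$m.txt =="
    audit_le_ssl "$TMP/le-ssl.conf" "$TMP/modules-$m.txt" || echo "findings: $?"
done
echo "== le-ssl-clean.conf =="
audit_le_ssl "$TMP/le-ssl-clean.conf" "$TMP/modules-after.txt" && echo "findings: 0"
```

The function only reads; it does not edit Apache configuration. On the posted file it reports two findings before `a2enmod rewrite` and one (the stray port-80 hosts) after, which matches the sequence in the thread: configtest passed once the module was loaded, but the duplicate port-80 VirtualHosts are still there to clean up.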