Rate limited after trying multiple solutions to "Could not reverse map the HTTPS VirtualHost to the original" issue

My domain is:

ocalog.com

I ran this command:
sudo env PATH=$PATH ./certbot-auto --apache --debug -v --apache-server-root /usr/local/apache2 --apache-logs-root /usr/local/apache2/logs --apache-challenge-location /usr/local/apache2 -d ocalog.com

It produced this output:
Multiple times:
Could not reverse map the HTTPS VirtualHost to the original

and then

Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: ocalog.com

My web server is (include version):

Server version: Apache/2.4.26 (Unix)
Server built:   Jul  2 2017 02:33:34
Server's Module Magic Number: 20120211:68
Server loaded:  APR 1.6.2, APR-UTIL 1.6.0
Compiled using: APR 1.6.2, APR-UTIL 1.6.0
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The operating system my web server runs on is (include version):

NAME="Amazon Linux AMI"
VERSION="2017.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2017.03"
PRETTY_NAME="Amazon Linux AMI 2017.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2017.03:ga"
HOME_URL="AWS | Amazon Linux AMI"

My hosting provider, if applicable, is:

Amazon web services

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

I'm pretty frustrated by all this. I've tried several times to fix the VHosts mapping problem by splitting them into different files, so that my httpd.conf file now includes:

Include conf/vhosts/ocalog.conf

instead of the original vhosts. I couldn't see if this fixed the problem though, because all of a sudden I'm being rate limited. So I guess I can't fix this problem for a week or something?

Hi @MichaelJFlynn,

That particular rate limit only lasts for one hour. You can also avoid it by using --staging for your testing.

If you could post the Apache configuration files, or a link to them, we can try to see if there’s something about them that Certbot might have trouble parsing.

It seems that adding --apache-vhost-root /usr/local/apache2/conf/vhosts to the arguments fixed the "reverse mapping" issue, but now I'm getting:

No vhost exists with servername or alias of: ocalog.com (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.

In /usr/local/apache2/conf/vhosts, I have one file, ocalog.conf, which contains:

<VirtualHost *:80>
 ServerName ocalog.com
 ServerAlias www.ocalog.com

 WSGIScriptAlias / /home/ocalog/greennode/greennode/prod_wsgi.py
 <Directory /home/ocalog/greennode/greennode>
  <Files prod_wsgi.py>
  Require all granted
  </Files>
 </Directory>

</VirtualHost>

I’m pretty curious about this part of the printout as well:

Performing the following challenges:
tls-sni-01 challenge for ocalog.com
No vhost exists with servername or alias of: ocalog.com (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...
Adding Include /usr/local/apache2/conf/challenges/le_tls_sni_01_cert_challenge.conf to /files/usr/local/apache2/conf/httpd.conf
writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 0305c8c7412a9412813868f396dcd499.c25af619bfaf3fcfca4c401a95ec99a7.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/Ce2q6ngG84aTuXhAnm1mx1hfqYN8XMtbb2vhhAaeKmQ.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/Ce2q6ngG84aTuXhAnm1mx1hfqYN8XMtbb2vhhAaeKmQ.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

</IfModule>

Creating backup of /usr/local/apache2/conf/httpd.conf

This seems to be the root of it. Why is it “falling back to default vhost *:443”? Shouldn’t it be creating a new ssl vhost during the installation process? Why is there a /files/ prefix in Adding Include /usr/local/apache2/conf/challenges/le_tls_sni_01_cert_challenge.conf to /files/usr/local/apache2/conf/httpd.conf? That directory doesn’t exist on my system. The VirtualHost in the printout seems to be correct, why isn’t it being saved anywhere?

@bmw, could you please take a look at this?

@MichaelJFlynn, I'm sorry you're having trouble. You seem to have found a bug in our VirtualHost parsing on Amazon Linux. I created "Not finding vhosts on A{mazon,rch}Linux · Issue #4905 · certbot/certbot · GitHub" to track this issue.

To answer the questions in your most recent post:

Why is it "falling back to default vhost *:443"?

Certbot isn't finding your virtual host so it's falling back to the settings that are most likely to work. Determining why this is happening and how to fix it is the subject of the GitHub issue I created.

Shouldn't it be creating a new ssl vhost during the installation process?

Yes, but the installation process is failing. If Certbot isn't exiting with:

...
IMPORTANT NOTES:
 - Unable to install the certificate
...

please provide the full output from certbot-auto, redacting domains, email addresses, and IP addresses as you wish.

Why is there a /files/ prefix in Adding Include /usr/local/apache2/conf/challenges/le_tls_sni_01_cert_challenge.conf to /files/usr/local/apache2/conf/httpd.conf?

It's the internal representation of our parser. You're only seeing these messages because you included -v on the command line.

The VirtualHost in the printout seems to be correct, why isn't it being saved anywhere?

It is being saved temporarily so Certbot can complete the domain validation challenge required by Let's Encrypt to issue your cert. The file and these changes are reverted before Certbot exits.

To get your site working with HTTPS in the meantime, you can add certonly to the command line which will cause Certbot to obtain your certificate, but not install it. If you run this command, I suspect you'll see a prompt like:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ocalog.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

You can choose 1 at this prompt and Certbot will exit without renewing your cert.

After this, you can install your certificates manually using the files described here. Finally, you can set up your certificates to be automatically renewed using the steps found under "Automating Renewal" here.

I'm sorry we can't automate installation for you yet. Keep an eye on the GitHub issue I linked above which we'll try to resolve in the next couple months.
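A pre-flight check for the two conditions named in the "No vhost exists with servername or alias of" error above (one VirtualHost per file, and a ServerName or ServerAlias naming the requested domain), written as an added example for this thread rather than taken from Certbot or from either poster. The ocalog.conf shown earlier passes it, which agrees with bmw's diagnosis that the fault is in Certbot's parser and not in the config; run it before each real attempt, and use --staging for the attempts themselves, so a misconfigured file does not consume the per-domain issuance limit. The sample config files are constructed here in a temporary directory.

```shell
#!/bin/sh
# Added pre-flight check (not Certbot code): confirm a vhost file has exactly
# one <VirtualHost> block and a ServerName/ServerAlias naming the domain,
# the two conditions Certbot's Apache plugin reports in the error above.
# Exit status: 0 = looks fine, 1 = several vhosts in one file,
# 2 = domain not named in the file, 3 = file not readable.
check_vhost_file() {
    file=$1
    domain=$2
    if [ ! -r "$file" ]; then
        echo "$file: not readable" >&2
        return 3
    fi
    # Count opening <VirtualHost tags; "|| true" keeps a zero count from
    # aborting callers that run under set -e.
    nvhosts=$(grep -ci '^[[:space:]]*<VirtualHost' "$file" || true)
    if [ "$nvhosts" -ne 1 ]; then
        echo "$file: $nvhosts <VirtualHost> blocks; split into one file per vhost" >&2
        return 1
    fi
    # Escape dots so "ocalog.com" cannot match "ocalogXcom".
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # Matches "ServerName ocalog.com" and "ServerAlias www.ocalog.com ocalog.com".
    if grep -Eiq "^[[:space:]]*Server(Name|Alias)[[:space:]]+([^#]*[[:space:]])?$dom_re([[:space:]]|\$)" "$file"; then
        return 0
    fi
    echo "$file: no ServerName/ServerAlias for $domain" >&2
    return 2
}

# Constructed sample configs in a temporary directory, removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Single vhost, modelled on the ocalog.conf shown in the thread.
cat > "$WORK/ocalog.conf" <<'EOF'
<VirtualHost *:80>
 ServerName ocalog.com
 ServerAlias www.ocalog.com
 WSGIScriptAlias / /home/ocalog/greennode/greennode/prod_wsgi.py
</VirtualHost>
EOF
# Two vhosts in one file: the case Certbot says it cannot parse yet.
cat > "$WORK/combined.conf" <<'EOF'
<VirtualHost *:80>
 ServerName ocalog.com
</VirtualHost>
<VirtualHost *:80>
 ServerName other.example
</VirtualHost>
EOF
```

Run it as `check_vhost_file /usr/local/apache2/conf/vhosts/ocalog.conf ocalog.com` against the real file; a non-zero status tells you which of the two conditions to fix before invoking certbot-auto again.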
