REDHAT 9, Apache Misconfigure

Hi, I encountered this issue, any idea? My other CentOS 7 and 8 servers work just fine.
But it does not work with this newly set up RHEL 9.

# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error in checking parameter list:
The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Apache is unable to check whether or not the module is loaded because Apache is misconfigured.')



RHEL 9,
HTTP - installed through dnf
Server version: Apache/2.4.51 (Red Hat Enterprise Linux)
Server built:   Mar 21 2022 00:00:00
 
apachectl configtest
Syntax OK


Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 brotli_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 cache_socache_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 macro_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 request_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_redis_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 watchdog_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 lua_module (shared)
 mpm_event_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_hcheck_module (shared)
 proxy_scgi_module (shared)
 proxy_uwsgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 cgid_module (shared)
 http2_module (shared)
 proxy_http2_module (shared)

Do these work?

apachectl -t -D DUMP_MODULES
apachectl -t -D DUMP_RUN_CFG
apachectl -t -D DUMP_INCLUDES
3 Likes

Unfortunately none of these work. What went wrong? But if I replace apachectl with httpd, it works.

apachectl -t -D DUMP_MODULES

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

apachectl -t -D DUMP_RUN_CFG

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

apachectl -t -D DUMP_INCLUDES

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

I see. That explains it. We will have to update Certbot to use different commands on RHEL9.

In the meantime, you won't be able to use the --apache plugin on RHEL9.

5 Likes
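
The behaviour diagnosed above, as an added example that is not part of the original thread and is not Certbot's code: a shell check that tells the RHEL 9 apachectl wrapper (which refuses arguments) apart from a binary that still answers `-t -D DUMP_MODULES`. The function names and the stub scripts are constructed for illustration; the refusal text is the one quoted in this thread.

```shell
#!/bin/sh
# Added example: find a control binary that still accepts "-t -D DUMP_*".

# Message printed by the RHEL 9 apachectl wrapper, as quoted in this thread.
REFUSAL='Passing arguments to httpd using apachectl is no longer supported.'

# accepts_dump_args CMD: succeed only if "CMD -t -D DUMP_MODULES" prints a
# module listing. The decision is made on the text, not on the exit status.
accepts_dump_args() {
    out=$("$1" -t -D DUMP_MODULES 2>&1) || true
    case $out in
        *"$REFUSAL"*) return 1 ;;
        *"Loaded Modules:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_apache_ctl CANDIDATE...: print the first candidate that works.
pick_apache_ctl() {
    for cand in "$@"; do
        if accepts_dump_args "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# loaded_modules CMD: print one module name per line. Warning lines such as
# "AH01574: module headers_module is already loaded" never match the pattern.
loaded_modules() {
    "$1" -t -D DUMP_MODULES 2>/dev/null |
        sed -n 's/^ *\([a-z0-9_]*_module\) ([a-z]*)$/\1/p'
}

# make_stubs DIR: constructed stand-ins for the two binaries so the example
# runs anywhere (the stub's exit status of 1 is an assumption).
make_stubs() {
    dir=$1
    printf '#!/bin/sh\necho "%s"\nexit 1\n' "$REFUSAL" > "$dir/apachectl"
    printf '#!/bin/sh\necho "Loaded Modules:"\necho " core_module (static)"\necho " ssl_module (shared)"\n' > "$dir/httpd"
    chmod +x "$dir/apachectl" "$dir/httpd"
}

# On a real host: pick_apache_ctl /usr/sbin/apachectl /usr/sbin/httpd
```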

What is your suggestion or solution for this?

I tried with standalone before, but ended up also encountering this error.

Thanks a lot.

You could do something like:

certbot certonly -d example.com \
--webroot -w /var/www/html \
--deploy-hook "systemctl reload httpd" 

Making sure to replace example.com with your real domain and /var/www/html with the document root of your domain.

You'll then have to manually configure the HTTPS virtualhost in your Apache configuration to use the certificate.

6 Likes

Can't the default be temporarily overridden by using --apache-ctl? (Until it has been fixed in Certbot.)

5 Likes

Whoops, good point. Yes, that will probably work.

3 Likes

Do you have any example of how to temporarily override it? Much appreciated.

1 Like

You'll just have to replace: apachectl with httpd

httpd -t -D DUMP_RUN_CFG
httpd -t -D DUMP_MODULES

[root@biblebreeze httpd]# apachectl -t -D DUMP_RUN_CFG
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.
[root@biblebreeze httpd]# httpd -t -D DUMP_RUN_CFG
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@biblebreeze httpd]# httpd -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_anon_module (shared)
authn_core_module (shared)
authn_dbd_module (shared)
authn_dbm_module (shared)
authn_file_module (shared)
authn_socache_module (shared)
authz_core_module (shared)
authz_dbd_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)
autoindex_module (shared)
brotli_module (shared)
cache_module (shared)
cache_disk_module (shared)
cache_socache_module (shared)
data_module (shared)
dbd_module (shared)
deflate_module (shared)
dir_module (shared)
dumpio_module (shared)
echo_module (shared)
env_module (shared)
expires_module (shared)
ext_filter_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
info_module (shared)
log_config_module (shared)
logio_module (shared)
macro_module (shared)
mime_magic_module (shared)
mime_module (shared)
negotiation_module (shared)
remoteip_module (shared)
reqtimeout_module (shared)
request_module (shared)
rewrite_module (shared)
setenvif_module (shared)
slotmem_plain_module (shared)
slotmem_shm_module (shared)
socache_dbm_module (shared)
socache_memcache_module (shared)
socache_redis_module (shared)
socache_shmcb_module (shared)
status_module (shared)
substitute_module (shared)
suexec_module (shared)
unique_id_module (shared)
unixd_module (shared)
userdir_module (shared)
version_module (shared)
vhost_alias_module (shared)
watchdog_module (shared)
dav_module (shared)
dav_fs_module (shared)
dav_lock_module (shared)
lua_module (shared)
mpm_event_module (shared)
proxy_module (shared)
lbmethod_bybusyness_module (shared)
lbmethod_byrequests_module (shared)
lbmethod_bytraffic_module (shared)
lbmethod_heartbeat_module (shared)
proxy_ajp_module (shared)
proxy_balancer_module (shared)
proxy_connect_module (shared)
proxy_express_module (shared)
proxy_fcgi_module (shared)
proxy_fdpass_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_hcheck_module (shared)
proxy_scgi_module (shared)
proxy_uwsgi_module (shared)
proxy_wstunnel_module (shared)
ssl_module (shared)
systemd_module (shared)
cgid_module (shared)
http2_module (shared)
proxy_http2_module (shared)
[root@biblebreeze httpd]#

I tried replacing /usr/sbin/apachectl with a symbolic link to httpd. That does not work. I am not sure what arguments 'certbot renew' is passing to httpd, but they are not correct. The output includes a 'Usage: apachectl...' error. Meanwhile, after the symbolic link mod, the commands
httpd -t -D DUMP_RUN_CFG
httpd -t -D DUMP_MODULE

do work, or at least they output information about httpd configuration.

Also, 'certbot --apache-ctl httpd renew' produces essentially the same error. Again, it appears that certbot is attempting to pass invalid command line options to httpd.

Any suggestions about how I can renew my certbot certs?

For example, the output of httpd -t -D DUMP_RUN_CFG is

[Mon Sep 05 07:10:52.969150 2022] [so:warn] [pid 20292:tid 20292] AH01574: module headers_module is already loaded, skipping
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/home/fulab/www/html"
Main ErrorLog: "/etc/httpd/logs/MYDOMAIN.com-error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-cache: using_defaults
Mutex cache-socache: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

The output of

httpd -t -D DUMP_MODULE is

[Mon Sep 05 07:12:42.666475 2022] [so:warn] [pid 20837:tid 20837] AH01574: module headers_module is already loaded, skipping
Syntax OK

Both seem like they would work around the certbot problem with RedHat9 and Apache.

What is the error you see? Is it stopping the renew or does that result in another problem? We normally like to see each person's problem in their own thread. Problems are rarely identical and it gets confusing quickly when multiple problems are worked in the same thread.

2 Likes

httpd -t -D DUMP_INCLUDES

produces the following output:

Included configuration files:
(*) /etc/httpd/conf/httpd.conf
(58) /etc/httpd/conf.modules.d/00-base.conf
(58) /etc/httpd/conf.modules.d/00-dav.conf
(58) /etc/httpd/conf.modules.d/00-lua.conf
(58) /etc/httpd/conf.modules.d/00-mpm.conf
(58) /etc/httpd/conf.modules.d/00-optional.conf
(58) /etc/httpd/conf.modules.d/00-proxy.conf
(58) /etc/httpd/conf.modules.d/00-ssl.conf
(58) /etc/httpd/conf.modules.d/00-systemd.conf
(58) /etc/httpd/conf.modules.d/01-cgi.conf
(58) /etc/httpd/conf.modules.d/10-fcgid.conf
(58) /etc/httpd/conf.modules.d/10-h2.conf
(58) /etc/httpd/conf.modules.d/10-proxy_h2.conf
(58) /etc/httpd/conf.modules.d/apreq.conf
[Mon Sep 05 07:57:44.549877 2022] [so:warn] [pid 33773:tid 33773] AH01574: module headers_module is already loaded, skipping
(189) /etc/httpd/conf.d/autoindex.conf
(189) /etc/httpd/conf.d/fcgid.conf
(189) /etc/httpd/conf.d/manual.conf
(189) /etc/httpd/conf.d/php.conf
(189) /etc/httpd/conf.d/ssl.conf
(189) /etc/httpd/conf.d/userdir.conf
(189) /etc/httpd/conf.d/welcome.conf
(1267) /etc/httpd/conf/httpd-le-ssl.conf
(20) /etc/letsencrypt/options-ssl-apache.conf
(43) /etc/letsencrypt/options-ssl-apache.conf
(92) /etc/letsencrypt/options-ssl-apache.conf
(174) /etc/letsencrypt/options-ssl-apache.conf
(207) /etc/letsencrypt/options-ssl-apache.conf
(228) /etc/letsencrypt/options-ssl-apache.conf
(252) /etc/letsencrypt/options-ssl-apache.conf
(270) /etc/letsencrypt/options-ssl-apache.conf

Is that your complaint? Because that's just an Apache warning message. You can find the answer on an Apache support forum.

If you want further help getting certs please start a new thread. Thanks

2 Likes
  1. Start your own topic
  2. Use --webroot authentication.
2 Likes

I started my own topic. To be clear - my issue is that I am unable to renew my certs using certbot on RHEL 9, although the same certs have been renewed multiple times on the same server prior to installing RHEL 9.