Redirected ports break certbot apache


#1

Please fill out the fields below so we can help you better.

My domain is:
condarelli.it

I ran this command:
certbot --apache --tls-sni-01-port 47443

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: home.condarelli.it
2: redmine.condarelli.it
3: redmine2.condarelli.it:47443
4: zerotier.condarelli.it
5: www.yourhost.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1,2,4
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/zerotier.condarelli.it.conf)

It contains these names: zerotier.condarelli.it

You requested these names for the new certificate: home.condarelli.it,
redmine.condarelli.it, zerotier.condarelli.it.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for home.condarelli.it
tls-sni-01 challenge for redmine.condarelli.it
tls-sni-01 challenge for zerotier.condarelli.it
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Created an SSL vhost at /etc/apache2/sites-available/mediawiki-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/mediawiki-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/mediawiki-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/redmine.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/zerotier.conf

Please choose whether HTTPS access is required or optional.

1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-available/mediawiki.conf to ssl vhost in /etc/apache2/sites-available/mediawiki-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-available/backuppc.conf to ssl vhost in /etc/apache2/sites-available/redmine.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/opt/backuppc/BackupPC] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Rolling back to previous server configuration…
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/opt/backuppc/BackupPC] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Encountered exception during recovery
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/opt/backuppc/BackupPC] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/certbot/error_handler.py”, line 99, in _call_registered
self.funcs-1
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 495, in _rollback_and_restart
self.installer.restart()
File “/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py”, line 1658, in restart
self._reload()
File “/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py”, line 1669, in _reload
raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/opt/backuppc/BackupPC] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/opt/backuppc/BackupPC] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please submit a bug report to
    https://github.com/letsencrypt/letsencrypt
  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/zerotier.condarelli.it/fullchain.pem. Your
    cert will expire on 2017-08-02. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot again with
    the “certonly” option. To non-interactively renew all of your
    certificates, run “certbot renew”

My operating system is (include version):
debian jessie running in chroot under Synology DSM6.0

My web server is (include version):
apache 2.4.10-10+deb8

My hosting provider, if applicable, is:
not applicable

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

NOTE: disregard errors concerning missing [/opt/backuppc/BackupPC], they are due to my misconfig (fixed).

The command executed as expected, but certificate installation apparently modified sitexxx.conf files and ports.conf adding the default 443 port, which is wrong because (due to the specifics of this server, I can detail if required) this apache2 should be listening only to ports 47080, 47180 and 77443.

The option “–tls-sni-01-port 47443” correctly redirected challenge response to the right port, but it was not enough for successive apache config modification.

I corrected the error by hand and everything is ok, but I wonder where I goofed; any hint welcome.

I also would like to understand if I need to worry about renewals.

TiA
Mauro


#2

@bmw, do you think you could opine on this? It seems to relate to the Apache plugin’s willingness to obey the --tls-sni-01-port option.


#3

While I couldn’t find an open an issue for it, I know Certbot’s Apache plugin has had trouble here in the past and I’ve told people recently that using the Apache plugin using a port other than 443 for HTTPS isn’t currently supported. I opened an issue at https://github.com/certbot/certbot/issues/4617 to look into this problem. In the meantime, you can use certbot certonly either with the Apache plugin or another plugin like webroot to obtain/renew your certificate, but you’ll have to install the certificate yourself.

Sorry for the trouble and we’ll try to look into this soon.


#4

Thanks.
If I can be of any help just let me know.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.