Restarting apache after changing conf - please help!

transmodus · June 6, 2022, 8:47pm

I need something very basic explained to me. Please forgive my ignorance. My server is httpd on linux.

To point the web server to the temporary location that contains the challenge file certbot modifies the httpd.conf file.

writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

AFAIU this modification can only be enabled after the httpd.conf file is re-read by httpd, which can be done in three ways: stop/start, restart, or reload. For whatever reason certbot fails to perform this action. There are no mentions of any failures even with verbosity on -vvv, and I cannot find the mechanism that performs the restart/reload. All I get is:

Certbot failed to authenticate some domains 
Invalid response : 404

which is not surprising, since the httpd does not know anything about the configuration change without restart/reload.

I can confirm that the challenge file is created successfully, and the httpd.conf changes are also made successfully, because if I add debug-challenge option to the command line, I can wait for the prompt, then open another terminal window and manually perform the httpd restart, then press Enter in the certbot window, and the process completes successfully. But this defies the certbot's usefulness as an automation tool.

What is missing in this picture?
Please help.

Osiris · June 6, 2022, 9:00pm

A complete Certbot log file.

rg305 · June 6, 2022, 9:16pm

Please include the complete certbot command being run.

schoen · June 6, 2022, 9:47pm

@transmodus, Certbot tries to detect your OS and then tries to issue an appropriate command to restart your Apache server. There are some builtin ways that it will do this, but it could get it wrong, especially if your Apache is in a nonstandard location for your OS or was installed in an unusual way. I agree with the other commenters that seeing the command you ran and the log file would be helpful.

The detected OSes are listed in

github.com

certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/entrypoint.py

""" Entry point for Apache Plugin """
from typing import Dict
from typing import Type

from certbot_apache._internal import configurator
from certbot_apache._internal import override_arch
from certbot_apache._internal import override_centos
from certbot_apache._internal import override_darwin
from certbot_apache._internal import override_debian
from certbot_apache._internal import override_fedora
from certbot_apache._internal import override_gentoo
from certbot_apache._internal import override_suse
from certbot_apache._internal import override_void

from certbot import util

OVERRIDE_CLASSES: Dict[str, Type[configurator.ApacheConfigurator]] = {
    "arch": override_arch.ArchConfigurator,
    "cloudlinux": override_centos.CentOSConfigurator,
    "darwin": override_darwin.DarwinConfigurator,

This file has been truncated. show original

If you don't see yours there, or you know that your httpd isn't where it typically is on that OS, then you may have to do something extra here.

transmodus · June 6, 2022, 10:02pm

Here is the command:

/bin/certbot -vvv --apache --apache-server-root /opt/rh/jbcs-httpd24/root/etc/httpd-wtl --apache-logs-root /opt/rh/jbcs-httpd24/root/var/log/httpd-wtl --apache-challenge-location /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/conf.d --apache-ctl /opt/rh/jbcs-httpd24/root/usr/sbin/apachectl --apache-bin /opt/rh/jbcs-httpd24/root/usr/sbin/httpd --force-renewal -d xxx.pmt-tiny.io

And the log is attached.
xxx.pmt-tiny.io.failure.log.txt (22.8 KB)

Osiris · June 6, 2022, 10:15pm

Please don't use that option.

The log indeed does not mentioning anything about reloading Apache. I'm wondering if that is logged even if everything goes correctly though.

schoen · June 6, 2022, 10:25pm

I just took a look really quickly and it (surprisingly) looks like it might not be logged if Certbot thinks it succeeded, only if it thinks it failed. I would think it would be helpful to have it log the reload command it tried to use.

transmodus · June 7, 2022, 12:13am

Yeah from what I see it seems that certbot is convinced that everything worked...
So there IS a reload command somewhere that is supposed to reload httpd? Where is it? Can it be changed to "restart" instead?

rg305 · June 7, 2022, 2:10am

      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "144.24.42.68: Invalid response from https://xxx.pmt-tiny.io/.well-known/acme-challenge/1rYb492yHJpjDusoyh--F5BEHQnkqhW5-6Rn6BBq220: 404",
        "status": 403

That seems to imply that the HTTP request did NOT match and was redirected to HTTPS.

You should review your Apache configuration.
OR
Switch to --webroot authentication.

transmodus · June 7, 2022, 4:26am

As mentioned above the EXACT same configuration works fine when I stop and reload the conf files before proceeding. Doesn't seem to me that the http/https has anything to do with that. And the response is 404, file not found, so the connection is made successfully over https.

Osiris · June 7, 2022, 6:12am

Looking at the code for the reloading part:

github.com

certbot/certbot/blob/295fc5e33a68c945d2f62e84ed8e6aaecfe93102/certbot-apache/certbot_apache/_internal/configurator.py#L2455-L2478

      
        
            def _reload(self) -> None:
                """Reloads the Apache server.
            
            
    :raises .errors.MisconfigurationError: If reload fails
            
            
    """
                try:
                    util.run_script(self.options.restart_cmd)
                except errors.SubprocessError as err:
                    logger.warning("Unable to restart apache using %s",
                                self.options.restart_cmd)
                    if self.options.restart_cmd_alt:
                        logger.debug("Trying alternative restart command: %s",
                                     self.options.restart_cmd_alt)
                        # There is an alternative restart command available
                        # This usually is "restart" verb while original is "graceful"
                        try:
                            util.run_script(self.options.restart_cmd_alt)
                            return
                        except errors.SubprocessError as secerr:

This file has been truncated. show original

It indeed looks like the plugin is only logging stuff when reloading does not succeed.

It defaults to apache2ctl graceful (certbot/configurator.py at 295fc5e33a68c945d2f62e84ed8e6aaecfe93102 · certbot/certbot · GitHub), but as @schoen said it can be overridden by specific distro configurations.

I'm interested to see the log if you'd add some logging to configurator.py at line 2462.

transmodus · June 7, 2022, 6:40am

Yes, I'm game. Tell me what and where to add.
BTW, maybe this is the problem?

[root@cmp-l2p-web-qa-04 wtl.d]# which apache2ctl
/usr/bin/which: no apache2ctl in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/var/lib/snapd/snap/bin:/root/bin)
[root@cmp-l2p-web-qa-04 wtl.d]# which apachectl
/sbin/apachectl

I'll make a symlink for apache2ctl and try the renewal again.

transmodus · June 7, 2022, 6:41am

[root@cmp-l2p-web-qa-04 wtl.d]# ls -l /sbin/apachectl
lrwxrwxrwx 1 root root 44 Mar  8 08:32 /sbin/apachectl -> /opt/rh/jbcs-httpd24/root/usr/sbin/apachectl
[root@cmp-l2p-web-qa-04 wtl.d]# ln -s /opt/rh/jbcs-httpd24/root/usr/sbin/apachectl /sbin/apache2ctl
[root@cmp-l2p-web-qa-04 wtl.d]# ls -l /sbin/apache*
lrwxrwxrwx 1 root root 44 Jun  6 23:41 /sbin/apache2ctl -> /opt/rh/jbcs-httpd24/root/usr/sbin/apachectl
lrwxrwxrwx 1 root root 44 Mar  8 08:32 /sbin/apachectl -> /opt/rh/jbcs-httpd24/root/usr/sbin/apachectl

transmodus · June 7, 2022, 6:42am

Still interested in replacing "reload" with "restart" - there are other issues at play.

Osiris · June 7, 2022, 7:22am

I'm not sure that would fix it, as it would log an error if the command couldn't be found.

I'm also interested to see what the Apache log would show. Usually I'd use tail -f to open the log and show the lines being added in realtime and then run e.g. Certbot to see what Apache does.

transmodus · June 7, 2022, 7:34am

I'll try that tomorrow with the apache2ctl link in place. But I agree about the error.

transmodus · June 7, 2022, 5:30pm

creating apache2ctl link did not help.

Here is where I think information about reloading apache should appear:

With ' --debug-challenges' :

2022-06-07 10:24:16,542:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd/conf.d/mod_cluster.conf
2022-06-07 10:24:16,543:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/wtl.d/r3test.paycosmos.com-le-ssl.conf
2022-06-07 10:24:16,543:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/conf.d/mod_cluster.conf
2022-06-07 10:24:16,544:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/wtl.d/r3test.paycosmos.com.conf
2022-06-07 10:24:19,828:DEBUG:certbot._internal.display.obj:Notifying user: Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://r3test.paycosmos.com/.well-known/acme-challenge/suUWNtCPWRb3BfbAwX78v8FE6jwYr2HkmSMV6HPfjGw
Expected value:
suUWNtCPWRb3BfbAwX78v8FE6jwYr2HkmSMV6HPfjGw.tnPLcddM602NajLZJBpYWVPVn3E93ubwf0htgR_QWRQ
<I PRESS ENTER, POSSIBLY RESTARTING HTTPD IN A SEPARATE TERMINAL>:
2022-06-07 10:24:20,700:DEBUG:acme.client:JWS payload:
b'{}'

The same operation without ' --debug-challenges' :

2022-06-07 10:12:24,189:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/wtl.d/r3test.paycosmos.com-le-ssl.conf
2022-06-07 10:12:24,190:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/conf.d/mod_cluster.conf
2022-06-07 10:12:24,190:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd-wtl/wtl.d/r3test.paycosmos.com.conf
2022-06-07 10:12:24,190:DEBUG:certbot.reverter:Creating backup of /opt/rh/jbcs-httpd24/root/etc/httpd/conf.d/mod_cluster.conf
<THE HTTPD SHOULD GET RELOADED/RESTARTED AT THIS POINT>
2022-06-07 10:12:27,489:DEBUG:acme.client:JWS payload:
b'{}'
2022-06-07 10:12:27,492:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/117136456736/VecRZw:

Osiris · June 7, 2022, 5:50pm

Yes, probably. But I'm more interested in the Apache logs around that time. Not sure how to continue debugging this further without modifying the code to the certbot-apache plugin, but that would have to be done on your computer.

transmodus · June 7, 2022, 6:23pm

Will it require recompilation?
I am ready to do whatever you suggest, it is a test environment and I have full control there.

Osiris · June 7, 2022, 6:39pm

Python is an interpreted language, so: no.

It's kinda hard to tell someone through a forum to do this, do that. Something that one would test out in a few minutes, could take hours unfortunately.

Best way is probably to know how you installed your Apache including its configuration and to try to reproduce it locally.

Also, looking at your own Apache logs doesn't require anything but you looking.

Topic		Replies	Views
Httpd reload fails after loading challenges Help	9	681	May 28, 2022
Renew with apache plugin, challenges fail Server	9	1374	January 26, 2019
How to allow certbot on an access controlled domain 443? Apache Help	21	3292	November 10, 2018
Certbot kills apache. Need help to restart httpd Help	16	1028	June 2, 2019
Will renewal rewrite apache vhost conf files again? Server	4	1933	March 19, 2017

Restarting apache after changing conf - please help!

Related topics