Running Certbot on Bitnami Apache Server - Extra Steps Needed

Please fill out the fields below so we can help you better.

My domain is: mitchellfarmct.com

I ran this command: sudo certbot --apache

It produced this output: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

My operating system is (include version): Debian 8 Jessie

My web server is (include version): Apache 2.4.23

My hosting provider, if applicable, is: Bitnami on Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

How did you install certbot - was it from apt / apt-get? I think Bitnami supplies its own version of Apache, that’s separate from the ordinary Debian one, right? However, the python-certbot-apache package in Debian declares a dependency on the normal Debian apache2 package. So you might have both installed now, and certbot might be trying to configure the wrong one.

If that’s the case, I’m not entirely sure how to solve it, but Certbot’s Apache plugin does provide some options to allow you to explicitly specify the paths to various Apache-related things, so these might help, I guess. Type certbot --help apache for a list.

Thanks for the reply, I found the solution and have installed on 2 domains so far. Here it is, hope this helps the next guy.

This came straight from Bitnami Docs: https://docs.bitnami.com/google/components/apache/

Install Git - SSH into Server: sudo apt-get install git
Change to temp directory: cd /tmp
Clone the Certbot client repository from GitHub: git clone https://github.com/certbot/certbot
Change to certbot directory: cd certbot
Use the certbot-auto script to download and install all the necessary dependencies: ./certbot-auto
The certbot-auto script will download all the necessary dependencies and also request root privileges to run the client.
Request a new certificate for your domain as below.
Remember to replace the DOMAIN placeholder with your actual domain name, and the APPNAME placeholder with the path to your application.
./certbot-auto certonly --webroot -w /opt/bitnami/apps/APPNAME/htdocs/ -d DOMAIN
Copy your SSL certificate and certificate key file to the correct locations.
Remember to replace the DOMAIN placeholder with your actual domain name.
sudo cp /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo cp /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
Restart the Apache server: sudo /opt/bitnami/ctlscript.sh restart apache
Done


The unfortunate thing about their approach is that it won’t handle renewals automatically. There is a certbot renew command to renew certificates that are near expiry (it’s OK to run it frequently because it only renews when necessary), but the updated certificates will still be found in /etc/letsencrypt/live/DOMAIN and so you’ll have to copy them over again.

It would be nice if Bitnami could be configured to directly use the version in /etc/letsencrypt/live so that it would be updated automatically when the certificates were renewed.

Hmm, I wonder if creating symlinks from /opt/bitnami/apache2/conf/server.crt to /etc/letsencrypt/live/DOMAIN/fullchain.pem and /opt/bitnami/apache2/conf/server.key to /etc/letsencrypt/live/DOMAIN/privkey.pem would work?

If not, of course you could just put those copy and restart commands in a small shell script and call it from Certbot’s --post-hook. You’ll have to use --post-hook to restart (or reload, if that works) Apache after the renewal anyway.
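
The copy-and-restart script suggested in the reply above could look like the following. It is an added example, not code from the thread or from Bitnami's docs; the script name, its install path and the file modes are assumptions, and DOMAIN is the same placeholder used in the steps above.

```sh
#!/bin/sh
# Added example, not from the thread. Intended use (script path is hypothetical):
#   certbot-auto renew --post-hook \
#     "/usr/local/sbin/bitnami-cert-sync.sh /etc/letsencrypt/live/DOMAIN"

# sync_cert LIVE_DIR CONF_DIR
# Returns 0 if a new certificate/key pair was installed, 1 if CONF_DIR already
# holds the current pair, 2 on error.
sync_cert() {
    live=$1
    conf=$2
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 2

    # Nothing to do when both files already match (no renewal happened).
    if cmp -s "$live/fullchain.pem" "$conf/server.crt" 2>/dev/null &&
       cmp -s "$live/privkey.pem" "$conf/server.key" 2>/dev/null; then
        return 1
    fi

    (
        # umask 077 so the key copy is never readable by group or other,
        # not even briefly before chmod runs.
        umask 077
        # cp follows the live/ symlinks. Copy to temporary names, then rename,
        # so Apache never reads a half-written file.
        cp "$live/fullchain.pem" "$conf/server.crt.new" &&
        cp "$live/privkey.pem" "$conf/server.key.new" &&
        chmod 644 "$conf/server.crt.new" &&
        chmod 600 "$conf/server.key.new" &&
        mv -f "$conf/server.crt.new" "$conf/server.crt" &&
        mv -f "$conf/server.key.new" "$conf/server.key"
    ) || return 2
    return 0
}

# Only act when called with a live directory, e.g. from the hook.
if [ "$#" -ge 1 ]; then
    rc=0
    sync_cert "$1" "${2:-/opt/bitnami/apache2/conf}" || rc=$?
    case $rc in
        0) /opt/bitnami/ctlscript.sh restart apache ;;
        1) echo "certificate unchanged; Apache not restarted" ;;
        *) echo "failed to install certificate from $1" >&2; exit 1 ;;
    esac
fi
```

Because the script compares before copying, it is safe to run after every renewal attempt: Apache is restarted only when the certificate or key actually changed.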
