<Solved> Don't have access to old server, need to move cert from old server to new server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.anticipatereality.com

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): www.anticpatereality.com
Requesting a certificate for www.anticpatereality.com
Performing the following challenges:
http-01 challenge for www.anticpatereality.com
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using www.anticipatereality.com. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using www.anticipatereality.com. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using www.anticipatereality.com. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using www.anticipatereality.com. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

My web server is (include version): Apache 2.4.55

The operating system my web server runs on is (include version): Unix Debian 5.10.162-1

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): I can login to the new server but not the old server

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hi @Jacobw,

Certbot expects that, before you run it the first time, you'll already have set up your site with HTTP in Apache, including using the typical pattern for configuring Apache using VirtualHosts.

https://httpd.apache.org/docs/2.4/vhosts/examples.html

This was probably done on your old server but probably has not been done yet on your new server.

This includes not just using the default Apache configuration but explicitly adding a VirtualHost there for your site, including its domain name(s), most often by creating the configuration as a file in /etc/apache2/sites-available and then enabling it with a2ensite.

After that's working properly, Certbot should be able to detect that configuration and then use it to obtain and install a certificate for you.

With those Apache errors, I think you should also double-check that you don't have some other web server application running on this same new server at the same time (and using port 80 so that Apache can't).

4 Likes
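
One way to carry out the port 80 check suggested in the reply above, as an added example that is not part of any post in this thread: the function parses `ss -H -ltnp` output and names the processes already bound to the port that Apache reported as "Address already in use". The sample lines, process names and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the processes that own listening sockets on a TCP port,
# parsed from `ss -H -ltnp` output read on stdin.

# Prints one "name pid" line per distinct process listening on port $1.
listeners_on_port() {
    awk -v port="$1" '
    {
        n = split($4, addr, ":")      # field 4 is Local Address:Port
        if (addr[n] != port) next     # the port follows the last colon
        rest = $0
        # The process column looks like users:(("name",pid=N,fd=N),...)
        while (match(rest, /\("[^"]+",pid=[0-9]+/)) {
            entry = substr(rest, RSTART + 2, RLENGTH - 2)
            split(entry, part, /",pid=/)
            key = part[1] " " part[2]
            if (!(key in seen)) { seen[key] = 1; print key }
            rest = substr(rest, RSTART + RLENGTH)
        }
    }'
}

# Constructed sample of `ss -H -ltnp` output (not taken from the thread).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=812,fd=4),("httpd",pid=811,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=500,fd=3))
LISTEN 0 511 [::]:80 [::]:* users:(("httpd",pid=812,fd=6))
LISTEN 0 511 *:8080 *:* users:(("java",pid=900,fd=8))
EOF
}

# On the live server (root is needed to see other users' processes):
#   sudo ss -H -ltnp | listeners_on_port 80
sample_ss_output | listeners_on_port 80
```

If the process listed for port 80 is not the `apache2` service that `apache2ctl graceful` tries to start, a second web server already holds the port, which matches the `AH00072` bind errors in the output above.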

Hello, thank you for replying so quickly. I should have mentioned this in the original comment: my server is running on a Bitnami-built Apache. I have configured my http and https vhosts within the but since I am running through Bitnami I did not use the normal sites-available file path.

Is there a way to point certbot to my Bitnami files? When looking at the user guides, I'm assuming I could use the webroot method and give it the Bitnami file path, but I don't want to mess things up even more.

Thanks

1 Like

Often people with Lightsail and Bitnami use the bncert tool as described here:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-enabling-https-on-wordpress

Does that help?

And, as to your title "Cant access old server ... need to move cert from old server" ... You can't move the old cert if you don't have access to the old server. Besides, it's usually easier to just get a new cert on your new server.

6 Likes

Yes, it's a very good idea to follow Bitnami-specific documentation here rather than Certbot documentation, since things in Bitnami are not really set up the way Certbot expects (or vice versa).

You could also consult

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

6 Likes

When using the bitnami documents and the bncert-tool, I kept getting an error,

Warning: The domain 'www.anticipatereality.com' resolves to a different IP
address than the one detected for this machine, which is '<MY External IP>'. Please
fix its DNS entries or remove it. For more info see:

But thank you for sending me down the correct path, when attempting to solve for that error I found this post and it resolved all my remaining issues!

And a note for anyone who finds this later: you don't need access to old certs to get a new one. Thank you to MikeMcQ for educating me on that, and to schoen.

3 Likes
