I am no longer able to access my website remotely and/or internally after a cert renewal request. I host the server at home and seem to have screwed up access by choosing to renew the SSL cert.
I issued the command “certbot-auto -d lab.addmoreroutes.com” and it screwed up my access. I was given the option to choose between two options (Redirect/No Redirect) after inputting that command.
I selected “Redirect” and the website was down shortly afterwards. I am now brought to a default Ubuntu page after choosing that option. Let me know what are the quickest steps to rebuild from scratch or restore from a previous date/time. I am not that great using Linux so please forgive me for any stupid questions.
Overview
URL: lab.addmoreroutes.com
What did I do just before it crashed: certbot-auto -d lab.addmoreroutes.com
OS Version: Ubuntu 16.04.6 LTS
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.39.0
Can I log into Root Shell? Yes
*Error Output*
root@eve-ng:~# certbot-auto -d lab.addmoreroutes.com
Upgrading certbot-auto 0.36.0 to 0.39.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lab.addmoreroutes.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/unetlab-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/unetlab-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/unetlab-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/apache2/sites-enabled/unetlab.conf to ssl vhost in /etc/apache2/sites-available/unetlab-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://lab.addmoreroutes.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=lab.addmoreroutes.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
Your cert will expire on 2020-02-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- Some rewrite rules copied from
/etc/apache2/sites-enabled/unetlab.conf were disabled in the vhost
for your HTTPS site located at
/etc/apache2/sites-available/unetlab-le-ssl.conf because they have
the potential to create redirection loops.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@*****~# sudo /usr/bin/letsencrypt renew
sudo: /usr/bin/letsencrypt: command not found
/etc/apache2/sites-available/unetlab-le-ssl.conf
root@eve-ng:/etc/apache2/sites-available# sudo vi unetlab-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ServerName lab.addmoreroutes.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
RewriteEngine On
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfModule>
root@XXXXXXX:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server eve-ng.example.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)
port 443 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)
port 443 namevhost lab.addmoreroutes.com (/etc/apache2/sites-enabled/unetlab-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server eve-ng.example.com (/etc/apache2/sites-enabled/unetlab-le-ssl.conf:16)
port 80 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/unetlab-le-ssl.conf:16)
port 80 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/unetlab.conf:24)
It seems like your configuration is lacking the DocumentRoot for the domain? So it’s defaulting to the default Ubuntu Apache one.
You can find backups of your Apache configuration, before Certbot modified it, in /var/lib/letsencrypt/backups/. The directory names are the timestamps of when the backup was generated.
I would be curious to see whether the backups have versions of the config that contain DocumentRoot …
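The check suggested in the reply above, as an added example that is not part of the original thread: a small Python audit that lists every `<VirtualHost>` block lacking a `DocumentRoot` or `ServerName`. The sample text is constructed from the configs posted on this page, the function names `parse_vhosts` and `audit` are hypothetical, and the script does not follow `Include` directives.

```python
import re

# Constructed sample: trimmed copies of the vhost blocks posted in this thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
RewriteEngine On
# RewriteCond %{HTTPS} !=on
ServerName lab.addmoreroutes.com
</VirtualHost>
<VirtualHost *:80>
RewriteEngine On
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot /opt/unetlab/html/
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|DocumentRoot)\s+(\S+)", re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block with its ServerName and DocumentRoot."""
    vhosts, cur = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        opened = VHOST_OPEN.match(line)
        if opened:
            cur = {"line": lineno, "addr": opened.group(1).strip(),
                   "servername": None, "documentroot": None}
        elif cur is not None and VHOST_CLOSE.match(line):
            vhosts.append(cur)
            cur = None
        elif cur is not None:
            found = DIRECTIVE.match(line)  # lines starting with '#' never match
            if found:
                cur[found.group(1).lower()] = found.group(2).strip('"')
    return vhosts

def audit(text):
    """List (line, address, missing directives) for every incomplete vhost block."""
    report = []
    for v in parse_vhosts(text):
        missing = [d for d in ("ServerName", "DocumentRoot") if v[d.lower()] is None]
        if missing:
            report.append((v["line"], v["addr"], missing))
    return report

if __name__ == "__main__":
    for line, addr, missing in audit(SAMPLE_CONF):
        print(f"line {line}: <VirtualHost {addr}> has no {', '.join(missing)}")
```

To use it on a real file or on one of the backups under /var/lib/letsencrypt/backups/, read the file's text and pass it to `audit()`.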
I am having some issues restarting Apache. What is the exact command?
root@eve-ng:~# sudo /etc/init.d/apache2 reload
Reloading apache2 configuration (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.
failed!
root@eve-ng:~# apachectl -t
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/unetlab-le-ssl.conf:
Invalid command 'a2dissite', perhaps misspelled or defined by a module not included in the server configuration
Action '-t' failed.
The Apache error log may have more information.
I see. Those a2dissite things were commands I wanted you to run, not lines to add to the configuration file. I can see that the way I posted it, it was really unclear.
Open up /etc/apache2/sites-enabled/unetlab-le-ssl.conf and remove the a2dissite lines.
Then, in your terminal (not in a text editor), run:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /opt/unetlab/html/
ErrorLog /opt/unetlab/data/Logs/ssl-error.log
CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
Alias /Exports /opt/unetlab/data/Exports
Alias /Logs /opt/unetlab/data/Logs
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite ********LEFT OUT***************************
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<Location /html5/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/guacamole/
</Location>
<Location /html5/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>
ProxyPass /janus-ws ws://127.0.0.1:8188/
ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
ProxyPass /chat-ws ws://127.0.0.1:9090/
ProxyPassReverse /chat-ws ws://127.0.0.1:9090/
</VirtualHost>
</IfModule>