Ssl not taking effect after installation

Help
1

My domain is: ugochukwu.org

After following the instruction on https://certbot.eff.org/lets-encrypt/debianstretch-apache, I ran the bellow command to get wildcard sll certificate:

certbot certonly
--dns-cloudflare
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini
-d ugochukwu.org
-d *.ugochukwu.org -i apache

Bur it produced the bellow output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): support@myemail.com

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ugochukwu.org
dns-01 challenge for ugochukwu.org
Unsafe permissions on credentials configuration file: ~/.secrets/certbot/clo udflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ugochukwu.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ugochukwu.org/privkey.pem
    Your cert will expire on 2019-10-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

But my problem now is that, during the installation process, it did not ask me if I want to redirect http connections to https, now the installation was done successful but I cannot have my sites redirect to https, which makes it show not secure warning on the browser.
How should I run the final setup or configuration to have my sites and its sub domain to redirect to https?

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):Debian 9

My hosting provider, if applicable, is: google cloud compute engine

I can login to a root shell on my machine (yes or no, or I don't know): Yes
certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

2

That's because you chose the "certonly" option. It does exactly what it says: it will only get you a certificate. It will not install it for you, it will not add redirects.

You can see in the output:

Plugins selected: Authenticator dns-cloudflare, Installer None

As you can see, your -i apache did not have any effect on certbot. Because of the certonly option.

Solution: remove the certonly option and run certbot again. It should find your certificate and ask you if you want to use that one for installation. Afterwards, it should ask you if you want to add a redirect.

3

Following your instruction here

I modified my code to become

certbot
--dns-cloudflare
--dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini
-d ugochukwu.org
-d *.ugochukwu.org -i apache

but bellow is the response...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ugochukwu.org.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/ugochukwu.org-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ugochukwu.org-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/ugochukwu.org-le-ssl.conf
No vhost exists with servername or alias for domain *.ugochukwu.org. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ugochukwu.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ugochukwu.org/privkey.pem
    Your cert will expire on 2019-10-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

But still can't get it to work. I took a look at the .../sites-available/ without any trace /etc/apache2/sites-available/ugochukwu.org-le-ssl.conf and still can't get the site secured with ssl letsencrypt cert.

What am I not doing right this time again?

4

Hi @agbams

there

is your answer.

What says

apachectl -S

There you must see the correct vHost. If not, add one. The standard Apache documentation has examples.

5

Bellow are the result of the above code.

VirtualHost configuration:
*:80 is a NameVirtualHost
default server agbams-vm.us-central1-f.c.constant-gecko-246107.inter nal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost agbams-vm.us-central1-f.c.constant-gecko-246107.in ternal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost glascas.com (/etc/apache2/sites-enabled/glascas.com.c onf:1)
wild alias *.glascas.com
port 80 namevhost ugochukwu.org (/etc/apache2/sites-enabled/ugochukwu.o rg.conf:1)
wild alias *.ugochukwu
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I believe that I have vhost as you can see, because I have earlier on created some.

What is my next option now?

6

@JuergenAuer, the above vhost is still missing, which suppose to be created automatically by certbot.

What other thing can I do to get it created automatically by certbot?

7

Your command

has two domain names.

Your port 80

has only one and it's wrong written, must be *.ugochukwu.org. Result: No port 80 vHost with the same two domain names is defined. That's the error message.

So add

ServerName ugochukwu.org

and correct the ServerAlias.

2 Likes
8

Thank you very much @JuergenAuer
You just saved my ass.

1 Like
9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.