SSL on Ubuntu 16.04 with apache and varnish

My domain is:

I ran this command: sudo certbot --apache -d -d

It produced this output: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am running a Magento 2 eshop on that domain that has varnish-cache listening at :80, and apache2 is listening at :8080. Maybe that’s the reason I am getting the above return message. Also, would I be having problems running SSL with varnish-cache?

--apache probably isn’t going to work out if you’ve got Varnish sitting in front.

You’re going to need something to terminate SSL.

Varnish isn’t capable of terminating SSL on its own, as far as I know.

So you’re going to either need to configure Apache to listen on port 443 and proxy requests back to port 80 (Varnish) … which will then proxy them back to port 8080.

Or you can run something like haproxy in front of Varnish.

That is going to take some manual configuration. For Certbot, you’re probably going to want to use the webroot authenticator, rather than --apache. And you’re probably going to end up using certonly as well.


If I configure Apache to listen on port 443 (and proxy requests back to port 80), wouldn’t Certbot work with --apache ? Could you elaborate some more on webroot and certonly?

I’ve not investigated this in Certbot in any depth, but I believe it relies on port 80 and 443 as fixed ports for its config manipulation. Maybe someone can correct me, but looking at its source code, I think that’s the case.

Essentially, what I would do is:

certbot certonly -d -d \
--authenticator webroot -w /path/to/your/webroot

Which will issue certificates and install them to /etc/letsencrypt/live/

And then you would just hardcode the port 443 VirtualHost (which is proxying back to Varnish) to use that certificate.


He’s not listening on 80, so that would require --preferred-challenges tls-sni to use port 443.
But I don’t think you can get a new cert via TLS any longer.

So he will have to put something to listen on 80.


His Varnish is on port 80 passing requests through to Apache on 8080, so the webroot authentication should succeed as long as Varnish doesn’t intercept the /.well-known/acme-challenge path.


had a typo in the name… I do see 80 listening

maybe he can just add a “fake” listener on fake IP:80
in the same block that serves real IP:8080 and certbot will then know where to work from…

LE requests go to varnish:80 which connects to real IP:8080
Which is in the same block as fake IP:80.

something like anyone of these:
Whichever it will hold…

So if I do as @_az said and:

certbot certonly -d -d \
--authenticator webroot -w /path/to/your/webroot

And then change the Apache2 port to 443 (right?), I should probably be ok?

PS, I just checked /etc/apache2/ports.conf and :

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 8080

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Meaning, shouldn’t LE work, since Apache2 theoretically should be listening on 443?

You need a new virtualhost for 443 to terminate SSL. Not replacing your port 8080 one.

The network has to flow like this:

[Apache 443 HTTPS] --> [Varnish 80 HTTP] --> [Apache 8080 HTTP] is the new flow when you include SSL.


[Varnish 80 HTTP] --> [Apache 8080 HTTP] remains as it is.

so requests can flow either way. Don’t change anything in the latter case, you’re adding a new thing in front.

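The flow described in the last two replies (Apache terminating TLS on 443, proxying to Varnish on 80, which keeps proxying to the untouched Apache vhost on 8080), written out as an Apache configuration. This is an added example and not something posted in the thread; `example.com` stands in for the poster's domain, and the certificate paths assume `certbot certonly --webroot` has already produced a live directory with that name. The `Listen 443` directive is deliberately absent because the poster's `ports.conf` already carries it inside `<IfModule ssl_module>`, so enabling `mod_ssl` turns it on; a second `Listen 443` would make Apache fail to start with an "Address already in use" bind error.

```apache
# Added example (not from the thread): TLS-terminating vhost in front of Varnish.
# Save as /etc/apache2/sites-available/example.com-ssl.conf, then:
#   a2enmod ssl proxy proxy_http headers && a2ensite example.com-ssl && apache2ctl configtest
# The existing *:8080 vhost and Varnish on :80 stay exactly as they are.

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias www.example.com

    SSLEngine on
    # fullchain.pem holds leaf + intermediate. Apache >= 2.4.8 reads the chain
    # from SSLCertificateFile, so no separate SSLCertificateChainFile is needed.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Nothing special is needed here for ACME: the HTTP-01 challenge is
    # fetched over plain HTTP on :80, through Varnish, to the 8080 webroot.

    # Hand every request to Varnish over loopback. Preserve the Host header
    # so Varnish's cache key and Magento's base-URL logic see the real name.
    ProxyRequests    Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/

    # Tell the backend that the client actually used HTTPS. Magento reads these
    # to build secure URLs and to avoid http<->https redirect loops. Varnish
    # forwards client request headers unchanged, so they reach the 8080 vhost.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    ErrorLog  ${APACHE_LOG_DIR}/example.com-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-ssl-access.log combined
</VirtualHost>
```

One caveat a practitioner should check: once the 8080 vhost trusts `X-Forwarded-Proto`, anyone who reaches Varnish on port 80 directly can send that header themselves and have the application believe the request was HTTPS. If that matters for the shop, strip the header in Varnish for any connection that does not come from the loopback proxy, and test the whole chain with `curl -I https://example.com/` before switching Magento's base URLs to `https://`.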

See which ports you are already listening on and using in Apache:
netstat -pant | grep -i LISTEN
grep -Ri listen /etc/apache2


I am listening to :

tcp        0      0    *               LISTEN      -
tcp        0      0    *               LISTEN      -
tcp        0      0*               LISTEN      -
tcp        0      0*               LISTEN      -
tcp        0      0   *               LISTEN      -
tcp        0      0    *               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::143                  :::*                    LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

And apache2:

/etc/apache2/apache2.conf:#   supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# Include list of ports to listen on
/etc/apache2/ports.conf:Listen 8080
/etc/apache2/ports.conf:        Listen 443
/etc/apache2/ports.conf:        Listen 443

EDIT: So I am not listening to 443 ?

That is correct, there is nothing listening on port 443.
Which, after you get a cert, you should be.

Something is already on (presumably Varnish)
I would try adding
right below
Listen 8080

But I'm still a bit confused how your server block is defined...
Please show the block that covers: &


So, if I somehow get the certificate now, I could revert to my previous setup and everything would be ok?

Could you please elaborate on what you mean by show the block ?

I'm not sure you've made any changes yet...

The section that contains

or something like that.
try finding the file with:
grep -Eri 'servername|serveralias' /etc/apache2


Yeah, no definition entries exist. Should there be though?

Not if your site is already accessible from the Internet.

what do you have configured in varnish?
(like a proxy to backend on port 8080 statement)

I'm starting to think this is a lot less complicated than I originally thought.


Guys I think you are going down a dark path. No modifications should be required to Apache nor Varnish in order to get a certificate. Roll back whatever changes you’ve made during this thread and just try the certonly.

One step at a time.


I'm trying to work on this one thing only.

Fix that (permanently) and it all works - now and forever*

No, it’s the wrong approach. Varnish is correctly bound to 80. Certbot is not made to address this use case with --apache.