Subdomain in subdirectory passes challenge but fails anyway?

Server
1

I installed letsencrypt with the latest github download OK on my Ubuntu 16.04 VPS with the following command:

./letsencrypt-auto certonly --email root@ingber.com --text --renew-by-default --agree-tos --webroot -w /var/www-ssl/creekhouse/ -d creekhouse.ingber.com -w /var/www-ssl/ -d www.ingber.com -w /var/www-ssl/ -d ingber.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for creekhouse.ingber.com
http-01 challenge for www.ingber.com
http-01 challenge for ingber.com
Using the webroot path /var/www-ssl for all unmatched domains.
Waiting for verificationā€¦
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/ingber.com/fullchain.pem. Your cert will
    expire on 2017-06-19. To obtain a new or tweaked version of this
    certificate in the future, simply run letsencrypt-auto again. To
    non-interactively renew all of your certificates, run
    "letsencrypt-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Letā€™s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Iā€™ve been using SSLstart certs for some time. When I switch my /etc/apache2/sites-enabled/ssl.conf script to use the LE paths, ingber.com and www.ingber.com pass OK, but creekhouse fails:

[Tue Mar 21 05:14:24.103468 2017] [ssl:emerg] [pid 24481] AH02572: Failed to configure at least one certificate and key for creekhouse.ingber.com:443
[Tue Mar 21 05:14:24.103562 2017] [ssl:emerg] [pid 24481] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Mar 21 05:14:24.103572 2017] [ssl:emerg] [pid 24481] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

The entry in the error.log just confirms this:
Failed to configure at least one certificate and key for creekhouse.ingber.com:443

Note that I do have proper DNS records set up for creekhouse.

Iā€™m using CloudFlare for our sites. I do not have any special http -> https rules set up. However, on ingber.com, I do have in my http file under sites-enabled/

<VirtualHost :80>
ServerName www.ingber.com
ServerAlias ingber.com www.ingber.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI}

    <IfModule mod_cloudflare.c>
            DenyAllButCloudFlare
    </IfModule>

<VirtualHost :80>
ServerName creekhouse.ingber.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI}

    <IfModule mod_cloudflare.c>
            DenyAllButCloudFlare
    </IfModule>
2

I deleted all letsencrypt, then did a fresh install using
apt-get install python-letsencrypt-apache
then did
letsencrypt certonly --email root@ingber.com --text --renew-by-default --agree-tos --webroot -w /var/www-ssl/ -d ingber.com -w /var/www-ssl/creekhouse/ -d creekhouse.ingber.com -w /var/www-ssl/ -d www.ingber.com

I got the same (negative) results in /var/log/apache2/error.log
AH02572: Failed to configure at least one certificate and key for creekhouse.ingber.com:443

3

Hi @ingber,

Iā€™m not positive of this, but I believe you have to configure the relevant certificate and key in the VirtualHost definition for creekhouse, not just in the general ssl.conf file. When Certbot itself does HTTPS configuration for Apache (which doesnā€™t happen with certonly and may not be preferred for every use case), it will put certificate, chain, and key configuration into each individual VirtualHost separately, even, I believe, when the certificate is shared among several separate virtual hosts.

4

Hi. I did that, which is the reason my current sslstart cert works well.

Thanks.

Lester

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

5

Sorry, I didnā€™t understand from your last message whether you mean itā€™s now fixed, or that you already did that and itā€™s still broken.

It would be good to double-check all of the ā€œSSLā€ lines from your Apache config and look at the associated files with openssl. You can do a

grep -r ^SSL /etc/apache2

and then for each associated private key file you can do

openssl rsa -in privkey.pem -check -noout

(the -noout is useful to avoid displaying your secret key parameters), while for each certificate file you can do

openssl x509 -in cert.pem -text -noout

or

openssl x509 -in fullchain.pem -text -noout

I would be happy to see the output of these (with the -noout on openssl rsa, there shouldnā€™t be any secrets there).

6

Seth:

Hi. Yes, it has been working for a couple of years or so. I have a
StartSSL yearly subscription, which covers all *.ingber.com domains; LE
does not (yet?) permit wildcards.

Cloudflare requires such an active public cert to enforce their ā€œSSL: Full
(strict)ā€ setting, so it would have flagged a problem by now.

Thanks.

Lester

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

7

OK, maybe you can let us know the output of running the commands that I suggested.

8

Here they are:

14:23:43 ingber@linode# ~: grep -r ^SSL /etc/apache2
14:26:29 ingber@linode# ~: openssl rsa -in privkey.pem -check -noout
Error opening Private Key privkey.pem
139622993933976:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen(ā€˜privkey.pemā€™,ā€˜rā€™)
139622993933976:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load Private Key
14:26:45 ingber@linode# ~: openssl x509 -in cert.pem -text -noout
Error opening Certificate cert.pem
140367270237848:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen(ā€˜cert.pemā€™,ā€˜rā€™)
140367270237848:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load certificate
14:26:57 ingber@linode# ~: openssl x509 -in fullchain.pem -text -noout
Error opening Certificate fullchain.pem
139777141802648:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen(ā€˜fullchain.pemā€™,ā€˜rā€™)
139777141802648:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load certificate

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

9

Hi @ingber,

I didnā€™t mean to run those commands as they were, but to run them once each supplying the path of each individual PEM file. In this case youā€™re asking to analyze files in rootā€™s home directory, which donā€™t exist.

Iā€™m puzzled that there are apparently no Apache configuration lines beginning with ā€œSSLā€. Could you try the grep command again without the ^ character?

10

15:16:03 ingber@linode# /etc/apache2: grep SSL * > ~/tp
15:16:29 ingber@linode# /etc/apache2: grep SSL / >> ~/tp
15:16:39 ingber@linode# /etc/apache2: grep SSL //* >> ~/tp

tp is attached.

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

11

E-mail attachments arenā€™t supported by this forum software, so the attachment didnā€™t come through. But the other useful thing would be to still have -r in the grep to make it recursive (applying to subdirectories). I believe only /etc/apache2 is a relevant place to look.

12

grep -v ā€œ#ā€ tp > tp.txt

mods-available/ssl.conf: SSLRandomSeed startup builtin
mods-available/ssl.conf: SSLRandomSeed startup file:/dev/urandom 512
mods-available/ssl.conf: SSLRandomSeed connect builtin
mods-available/ssl.conf: SSLRandomSeed connect file:/dev/urandom 512
mods-available/ssl.conf: SSLPassPhraseDialog
exec:/usr/share/apache2/ask-for-passphrase
mods-available/ssl.conf: SSLSessionCache
shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
mods-available/ssl.conf: SSLSessionCacheTimeout 300
mods-available/ssl.conf: SSLCipherSuite HIGH:!aNULL
mods-available/ssl.conf: SSLProtocol all -SSLv3
mods-available/ssl.conf.dpkg-old: SSLRandomSeed startup builtin
mods-available/ssl.conf.dpkg-old: SSLRandomSeed startup
file:/dev/urandom 512
mods-available/ssl.conf.dpkg-old: SSLRandomSeed connect builtin
mods-available/ssl.conf.dpkg-old: SSLRandomSeed connect
file:/dev/urandom 512
mods-available/ssl.conf.dpkg-old: SSLPassPhraseDialog
exec:/usr/share/apache2/ask-for-passphrase
mods-available/ssl.conf.dpkg-old: SSLSessionCache
shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
mods-available/ssl.conf.dpkg-old: SSLSessionCacheTimeout 300
mods-available/ssl.conf.dpkg-old: SSLCipherSuite
HIGH:MEDIUM:!aNULL:!MD5
mods-available/ssl.conf.dpkg-old: SSLProtocol All -SSLv2 -SSLv3
mods-enabled/ssl.conf: SSLRandomSeed startup builtin
mods-enabled/ssl.conf: SSLRandomSeed startup file:/dev/urandom 512
mods-enabled/ssl.conf: SSLRandomSeed connect builtin
mods-enabled/ssl.conf: SSLRandomSeed connect file:/dev/urandom 512
mods-enabled/ssl.conf: SSLPassPhraseDialog
exec:/usr/share/apache2/ask-for-passphrase
mods-enabled/ssl.conf: SSLSessionCache
shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
mods-enabled/ssl.conf: SSLSessionCacheTimeout 300
mods-enabled/ssl.conf: SSLCipherSuite HIGH:!aNULL
mods-enabled/ssl.conf: SSLProtocol all -SSLv3
sites-available/default-ssl.conf: SSLEngine on
sites-available/default-ssl.conf: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.conf: SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.conf-dist: SSLEngine on
sites-available/default-ssl.conf-dist: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.conf-dist: SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.conf-dist: SSLOptions +StdEnvVars
sites-available/default-ssl.conf-dist: SSLOptions +StdEnvVars
sites-available/default-ssl.conf.dpkg-dist: SSLEngine on
sites-available/default-ssl.conf.dpkg-dist: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.conf.dpkg-dist:
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.conf.dpkg-dist:
SSLOptions +StdEnvVars
sites-available/default-ssl.conf.dpkg-dist:
SSLOptions +StdEnvVars
sites-available/default-ssl.dpkg-dist: SSLEngine on
sites-available/default-ssl.dpkg-dist: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.dpkg-dist: SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.dpkg-dist: SSLOptions +StdEnvVars
sites-available/default-ssl.dpkg-dist: SSLOptions +StdEnvVars
sites-available/default-ssl.ipv4: SSLEngine on
sites-available/default-ssl.ipv4: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.ipv4: SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.ipv4: SSLOptions +StdEnvVars
sites-available/default-ssl.ipv4: SSLOptions +StdEnvVars
sites-available/default-ssl.ipv46: SSLEngine on
sites-available/default-ssl.ipv46: SSLCertificateFile
/etc/ssl/certs/ssl-cert-snakeoil.pem
sites-available/default-ssl.ipv46: SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-snakeoil.key
sites-available/default-ssl.ipv46: SSLOptions +StdEnvVars
sites-available/default-ssl.ipv46: SSLOptions +StdEnvVars
sites-enabled/default-ssl.conf: SSLEngine on
sites-enabled/default-ssl.conf: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf: SSLCertificateFile /etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem
sites-enabled/default-ssl.conf: SSLEngine on
sites-enabled/default-ssl.conf: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf: SSLCertificateFile /etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem
sites-enabled/default-ssl.conf: SSLEngine on
sites-enabled/default-ssl.conf: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf: SSLCertificateFile /etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem
sites-enabled/default-ssl.conf.letsenc: SSLEngine on
sites-enabled/default-ssl.conf.letsenc: SSLProtocol all -SSLv2
-SSLv3
sites-enabled/default-ssl.conf.letsenc: SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
sites-enabled/default-ssl.conf.letsenc: SSLHonorCipherOrder on
sites-enabled/default-ssl.conf.letsenc: SSLCompression off
sites-enabled/default-ssl.conf.letsenc: SSLOptions +StrictRequire
sites-enabled/default-ssl.conf.letsenc: SSLCertificateKeyFile
/etc/letsencrypt/live/ingber.com/privkey.pem
sites-enabled/default-ssl.conf.letsenc: SSLCertificateChainFile
/etc/letsencrypt/live/ingber.com/fullchain.pem
sites-enabled/default-ssl.conf.letsenc: SSLEngine on
sites-enabled/default-ssl.conf.letsenc: SSLProtocol all -SSLv2
-SSLv3
sites-enabled/default-ssl.conf.letsenc: SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
sites-enabled/default-ssl.conf.letsenc: SSLHonorCipherOrder on
sites-enabled/default-ssl.conf.letsenc: SSLCompression off
sites-enabled/default-ssl.conf.letsenc: SSLOptions +StrictRequire
sites-enabled/default-ssl.conf.letsenc: SSLCertificateKeyFile
/etc/letsencrypt/live/ingber.com/privkey.pem
sites-enabled/default-ssl.conf.letsenc: SSLCertificateChainFile
/etc/letsencrypt/live/ingber.com/fullchain.pem
sites-enabled/default-ssl.conf.letsenc: SSLEngine on
sites-enabled/default-ssl.conf.letsenc: SSLProtocol all -SSLv2
-SSLv3
sites-enabled/default-ssl.conf.letsenc: SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
sites-enabled/default-ssl.conf.letsenc: SSLHonorCipherOrder on
sites-enabled/default-ssl.conf.letsenc: SSLCompression off
sites-enabled/default-ssl.conf.letsenc: SSLOptions +StrictRequire
sites-enabled/default-ssl.conf.letsenc: SSLCertificateKeyFile
/etc/letsencrypt/live/ingber.com/privkey.pem
sites-enabled/default-ssl.conf.letsenc: SSLCertificateChainFile
/etc/letsencrypt/live/ingber.com/fullchain.pem
sites-enabled/default-ssl.conf.startssl: SSLEngine on
sites-enabled/default-ssl.conf.startssl: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf.startssl: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf.startssl: SSLCertificateFile
/etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf.startssl: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf.startssl: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem
sites-enabled/default-ssl.conf.startssl: SSLEngine on
sites-enabled/default-ssl.conf.startssl: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf.startssl: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf.startssl: SSLCertificateFile
/etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf.startssl: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf.startssl: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem
sites-enabled/default-ssl.conf.startssl: SSLEngine on
sites-enabled/default-ssl.conf.startssl: SSLProtocol all -SSLv2
sites-enabled/default-ssl.conf.startssl: SSLCipherSuite
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
sites-enabled/default-ssl.conf.startssl: SSLCertificateFile
/etc/ssl/startssl/ssl.crt
sites-enabled/default-ssl.conf.startssl: SSLCertificateKeyFile
/etc/ssl/startssl/ssl.key
sites-enabled/default-ssl.conf.startssl: SSLCertificateChainFile
/etc/ssl/startssl/sub.class2.server.ca.pem

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

13

Hi @ingber,

Iā€™ll try to find someone with more Apache knowledge who might be able to help, but from the output of that command, it seems to me that your Apache configuration is rather non-standard. For one thing, you seem to have kept around old, no longer used versions of your configuration in sites-enabled, where expect that Apache would still try to use them. Do you think you could move the disused configurations somewhere else to be sure that theyā€™re no longer used, and then restart Apache? And could we see the default-ssl.conf.letsenc fileā€™s contents?

14

One thing, besides the obvious problem of course, is certain: youā€™ve got enough certificates at the moment! Be careful not to hit the rate limits!

--renew-by-default will get you new certificates every time you run the command. But the issuing of the certificates isnā€™t actually the problem, so it will give you new certs every time. With the (almost certain) possibility of hitting the rate limits.

1 Like
15

Seth:

Thatā€™s enough on this.

Thanks for your time.

Lester

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

16

Hi. I doubt that is a problem. The only active conf files are those that
end in .conf, per my settings. There is only one (1) active cert from
startssl. If I switch files to .conf.lestenc -> .conf, then there still is
only one (1) cert from LE.

Lester

Prof. Lester Ingber lester@ingber.com ingber@alumni.caltech.edu
https://www.ingber.com https://alumni.caltech.edu/~ingber
https://linkedin.com/in/ingber https://google.com/+LesterIngber
https://facebook.com/lester.ingber https://twitter.com/ingber

17

Sorry, I wasn't trying to directly help you with your current problem. But you are using the certbot client (the name letsencrypt for the client was renamed to certbot in 2016) to get real Let's Encrypt certificates issued. If you look at the rate limits page I linked to, you can see you can't do that indefinitely within the time frame of 7 days.

So I was trying to warn you about the existence of these rate limits, so you won't get an error when you try to use letsencrypt-auto again.

The reason you're having so much certificates issued already is the --renew-by-default switch. If you leave that one out, the client should ask you what to do: really issue a new cert? (You already have many, many issued on March 22nd) Or just install an already issued certificate.

18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.