"sudo certbot --apache" fails in Intel Clear Linux

My domain is: physworx.com

I ran this command: sudo certbot --apache

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Could not find configuration root')

In addition, initially “apache2ctl” could not be found. I had to make a symlink in /usr/local/bin as per below:
apache2ctl -> /usr/bin/apachectl

My web server is (include version): Apache/2.4.41 (Unix) OpenSSL/1.1.1d

The operating system my web server runs on is (include version): Intel Clear Linux version 32380

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Full output from /var/log/letsencrypt/letsencrypt.log:
2020-02-22 09:40:23,150:DEBUG:certbot._internal.main:certbot version: 1.0.0
2020-02-22 09:40:23,151:DEBUG:certbot._internal.main:Arguments: ['--apache']
2020-02-22 09:40:23,151:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-cloudxns,PluginEntryPoint#dns-digitalocean,PluginEntryPoint#dns-dnsimple,PluginEntryPoint#dns-dnsmadeeasy,PluginEntryPoint#dns-gehirn,PluginEntryPoint#dns-google,PluginEntryPoint#dns-linode,PluginEntryPoint#dns-luadns,PluginEntryPoint#dns-nsone,PluginEntryPoint#dns-ovh,PluginEntryPoint#dns-rfc2136,PluginEntryPoint#dns-route53,PluginEntryPoint#dns-sakuracloud,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-02-22 09:40:23,166:DEBUG:certbot._internal.log:Root logging level set at 20
2020-02-22 09:40:23,166:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-02-22 09:40:23,167:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2020-02-22 09:40:23,241:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.41
2020-02-22 09:40:23,335:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Could not find configuration root
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/usr/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 251, in prepare
    self.parser = self.get_parser()
  File "/usr/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 344, in get_parser
    return parser.ApacheParser(
  File "/usr/lib/python3.8/site-packages/certbot_apache/_internal/parser.py", line 61, in __init__
    self.loc = {"root": self._find_config_root()}
  File "/usr/lib/python3.8/site-packages/certbot_apache/_internal/parser.py", line 984, in _find_config_root
    raise errors.NoInstallationError("Could not find configuration root")
certbot.errors.NoInstallationError: Could not find configuration root
2020-02-22 09:40:23,336:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2020-02-22 09:40:23,336:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None

Hi @jvo203

first try

apachectl -S

not apache2ctl.

Then: If the --apache doesn’t work, switch to webroot. Then the config files are ignored.

Hi, I tried apachectl -S, here is the output:
[Sat Feb 22 10:03:44.147841 2020] [so:warn] [pid 9227:tid 140172451716032] AH01574: module auth_basic_module is already loaded, skipping
[Sat Feb 22 10:03:44.148977 2020] [so:warn] [pid 9227:tid 140172451716032] AH01574: module http2_module is already loaded, skipping
[Sat Feb 22 10:03:44.149088 2020] [so:warn] [pid 9227:tid 140172451716032] AH01574: module proxy_module is already loaded, skipping
VirtualHost configuration:
*:80 physworx.com (/etc/httpd/conf.d/httpd.conf:9)
ServerRoot: "/usr"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/httpd/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/usr/logs/" mechanism=default
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="httpd" id=80 not_used
Group: name="httpd" id=80 not_used

Unfortunately sudo certbot --apache still gives an error.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Could not find configuration root')

Since I have an existing nginx secured with certbot (but nginx does not work well with my web application…), I tried to set up Apache to use the existing certbot certificates from nginx but it did not work.

Here is a partial apache config file but somehow it does not seem to work. Hence the need to use certbot --apache in order to get a proper working apache2 config… Would you happen to have an example of a proper apache2 config?

ServerName physworx.com

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/physworx.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/physworx.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/physworx.com/chain.pem

(…)

Read your output.

You use a non-standard configuration root.

So use the --apache-server-root parameter:

Is it really a good idea to use /usr as ServerRoot?

There is one warning in Apache when trying to use the existing nginx-obtained certbot certificates:

[Sat Feb 22 10:12:50.909629 2020] [ssl:warn] [pid 9276:tid 140336360037312] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]

Would you happen to know how to set it up in Apache with certbot? Perhaps this is the reason why my manual Apache2 config does not work???

This is a default setting provided by the out-of-the-box Apache2 installation in Intel Clear Linux.

If you use an out-of-the-box installation, the standard apache plugin can’t work.

OK. As per your advice the following command seems to do the trick, certbot proceeds with the usual process:

sudo certbot --apache --apache-server-root /usr/share/defaults/httpd

Saving debug log to /var/log/letsencrypt/letsencrypt.log
/etc/letsencrypt/options-ssl-apache.conf has been manually modified; updated file saved to /usr/lib/python3.8/site-packages/certbot_apache/_internal/options-ssl-apache.conf. We recommend updating /etc/letsencrypt/options-ssl-apache.conf for security purposes.
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel):

Thank you!

The installation finished OK, SSL-protected website is working OK. Thank you, it was such a simple fix, just an extra --apache-server-root parameter to certbot…

For “posterity”, here is a full solution without a need to symlink apache2ctl -> /usr/bin/apachectl, plus it handles www/non-www multi-domains (getting around the error FileNotFoundError: [Errno 2] No such file or directory: ‘/etc/apache2/le_http_01_challenge_pre.conf’):

sudo certbot --apache --apache-server-root /usr/share/defaults/httpd --apache-ctl /usr/bin/apachectl --apache-challenge-location /etc/letsencrypt -d www.physworx.com -d physworx.com

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
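
An added example, not part of the original thread or of certbot's own code: the thread's fix depends on knowing which directory holds Apache's main config file, and the compile-time defines printed by `apachectl -V` give it. The function names and the three `apachectl -V` samples are constructed for illustration; the first sample assumes the main config lives in the directory that worked in the thread.

```shell
#!/bin/sh
# Constructed samples of `apachectl -V` output (not captured from the thread's host).
SAMPLE_CLEAR='Server version: Apache/2.4.41 (Unix)
 -D HTTPD_ROOT="/usr"
 -D SERVER_CONFIG_FILE="/usr/share/defaults/httpd/httpd.conf"'
SAMPLE_RELATIVE='Server version: Apache/2.4.41 (Unix)
 -D HTTPD_ROOT="/etc/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'
SAMPLE_ODD='Server version: Apache/2.4.41 (Unix)
 -D HTTPD_ROOT="/opt/web"
 -D SERVER_CONFIG_FILE="conf/main.conf"'

# Print the value of a compile-time define (-D NAME="value") read from stdin.
define_value() {
    sed -n "s/^ *-D $1=\"\\(.*\\)\"\$/\\1/p" | head -n 1
}

# Resolve the main config file; SERVER_CONFIG_FILE may be relative to HTTPD_ROOT.
main_config_file() {
    root=$(printf '%s\n' "$1" | define_value HTTPD_ROOT)
    conf=$(printf '%s\n' "$1" | define_value SERVER_CONFIG_FILE)
    [ -n "$conf" ] || return 1
    case $conf in
        /*) printf '%s\n' "$conf" ;;
        *)  printf '%s/%s\n' "${root%/}" "$conf" ;;
    esac
}

# Print the directory to pass as --apache-server-root. The apache plugin looks
# for apache2.conf, httpd.conf or conf/httpd.conf under that directory, so any
# other file name is reported as a failure instead of guessed at.
certbot_server_root() {
    file=$(main_config_file "$1") || return 1
    case ${file##*/} in
        httpd.conf|apache2.conf) dirname "$file" ;;
        *) return 1 ;;
    esac
}

# Only prints the command; replace the sample with "$(apachectl -V)" on a real host.
echo "sudo certbot --apache --apache-server-root $(certbot_server_root "$SAMPLE_CLEAR")"
```
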