Switching Comodo SSL to Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jumar.lowell.edu

I ran this command: certbot-auto certonly --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 1029: Syntax error',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 1029: Syntax error',)

My web server is (include version): Apache 2.2.15-39

The operating system my web server runs on is (include version): CentOS 6.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.1.0

jumar.lowell.edu/confluence and jumar.lowell.edu/jira use Comodo SSL and I want to switch them over to Let's Encrypt.

I suspect when I ran the command, the error is pointing to /etc/httpd/conf/httpd.conf, however, I think it might need to be looking in /etc/httpd/conf.d/ssl.conf? I could be wrong.

Any help is greatly appreciated.

Thanks,
Scott -

Hi @scott_do

what's the content of that line?

A working port 80 is required, not port 443.

Content of that line:
1024 AddHandler php5-script .php .html .htm
1025 AddType text/html .php .html .htm
1026 AddType video/ogg .ogv
1027 AddType video/mp4 .mp4
1028 AddType video/webm .webm

There’s nothing on line 1029.

A working port 80 is required, not port 443.
Port 80 is allowed. jumar.lowell.edu/BinaryStars - that is not running SSL

Not really? May be too old, that's EOL.

Fix that parse error. Or try webroot, so the error may be ignored.

https://certbot.eff.org/docs/using.html

How should I approach using the webroot route?

certbot-auto certonly --webroot …is that correct? Do I need to add anything else?

I've figured out the solution; I ran the following command:

certbot-auto certonly --standalone -d server.whatever.com --pre-hook "service httpd stop" --post-hook "service httpd start"

Afterward, just point the SSL cert in my ssl.conf file and restart httpd daemon.

Thanks for your assistance!

@scott_do, if you’re willing to share your /etc/httpd/conf/httpd.conf file in its entirety, it’s possible that you found a bug in Certbot’s parsing of Apache configuration files (which is certainly something that’s happened a number of times in the past). Your current workaround is perfectly practical, but if you’re interested in helping debug this problem, we might be able to improve Certbot for other Apache users in the future.


@schoen - Sure, below are the httpd.conf file contents. I had to cut it in half due to a limitation I hit: "Body is limited to 32000 characters; you entered 35630."

```apache
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do not begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/etc/httpd" will be interpreted by the
# server as "/etc/httpd/logs/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/httpd"

#
# PidFile: The file in which the server should record its process
# identification number when it starts. Note the PIDFILE variable in
# /etc/sysconfig/httpd must be set appropriately if this location is
# changed.
#
PidFile run/httpd.pid

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available before they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so

#
# The following modules are not loaded by default:
#
#LoadModule asis_module modules/mod_asis.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule filter_module modules/mod_filter.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule unique_id_module modules/mod_unique_id.so

#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User apache
Group apache

### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work.  See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named explicitly --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disabled

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    #
    #UserDir public_html

</IfModule>

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents.  The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.html.var

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems.  On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
#
#EnableMMAP off

#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile
#
#EnableSendfile off

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you do define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error_log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this
# requires the mod_logio module to be loaded.
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you do
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and not in this file.
#
#CustomLog logs/access_log common

#
# If you would like to have separate agent and referer logfiles, uncomment
# the following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent

#
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature On

#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/".  If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings.  If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

#
# WebDAV module configuration section.
#
<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Example:
# Redirect permanent /foo http://www.example.com/bar
Redirect permanent /confluence https://jumar.lowell.edu/confluence
Redirect permanent /jira https://jumar.lowell.edu/jira
#Redirect permanent /fisheye https://jumar.lowell.edu/fisheye
#Redirect permanent /BinaryStars http://jumar.lowell.edu/BinaryStars

#
# Directives controlling the display of server-generated directory listings.
#
```

Maybe you could paste the file on a pastebin site such as https://pastebin.com/ and then just post the link here?

I don’t think the whole file should be needed unless it might possibly be a conflict. But as it’s just a syntax error, I’m thinking just getting the output of that line:

sed -n '1029 p' /etc/httpd/conf/httpd.conf

Or the section for context:

sed -n '1020,1040 p' /etc/httpd/conf/httpd.conf

I would rather see the whole thing, just because occasionally parsing problems can manifest at some distance away from what caused them, like in the case of open quotes, open parentheses, etc., that don’t close.

Very true, but in most of those cases Apache would also throw a syntax error as well with httpd -t and won’t start/restart or die on reload. Didn’t seem like there were any issues with Apache running. Then again, it won’t register changes until you reload/restart. But I do see the merit in looking at the whole file.

So then, scott, do you get an error when running httpd -t ?

That apparent discrepancy is why I suspect that this could be a Certbot bug. There have been several prior cases in which Apache parsed a configuration successfully and Certbot didn't.

This is what I get for skimming. I missed the part where he put the line as being blank. But hopefully you can get the full httpd.conf config from @scott_do.

I am inclined to believe the parse error is due to a syntax change in newer versions of apache 2.2.34, or simply something overlooked as being deprecated since 2.2 is EOL as mentioned by Juergen. I mean, sure, there are a whole lot of people still on CentOS6/Apache2.2.x who need to be able to use LE, but I also believe that if you’re running a web server, you should be keeping your system updated and keeping up with current security standards.

Of course there’s a happy medium. I’m SOL on wildcard Certs until the cloudflare DNS plugin is released for CentOS8, and I don’t know when I can slot a time to learn how to setup acme.sh to run ACMEv2 to Cloudflare.

But anyway I digress. Full httpd.conf file contents via pastebin is what you need to debug.

Z

@schoen

Uploaded - https://pastebin.com/kq9PHWUe

Line 948 of the paste has <IfModule mod_proxy.c> but the corresponding </IfModule> on line 984 is commented out.


Thanks @scott_do, and good catch, @mnordhoff!

I imagine there’s some reason that Apache is sometimes lenient about these, but officially I believe the matching </IfModule> is always expected to be present, so that doesn’t strike me as something important for Certbot to accept.
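As an added example (not Certbot's code and not anything posted in this thread), the following Python script does mechanically what @mnordhoff did by eye: it walks an httpd.conf and reports container directives (`<IfModule>`, `<Directory>`, `<VirtualHost>` and so on) whose closing tag never arrives, treating a commented-out closer the way Apache does, as a comment, and pointing at it as the likely cause. The `check_containers` function, the sample config fragment and its line numbers are constructed for this example; it generalizes beyond the thread's single case to any container type, stray closers and mismatched nesting, and it does not follow `Include` files or backslash line continuations.

```python
"""Added example (not Certbot code): report unbalanced Apache container
directives such as <IfModule ...> / </IfModule>.

Apache is lenient about a missing closer, but Certbot's Apache parser
rejected the config in this thread, where </IfModule> had been commented
out. This walks the file line by line and, like Apache, ignores comment
lines entirely; a closer hidden behind '#' therefore leaves its opener
unclosed and is reported with a hint pointing at the commented line.
Assumed limitations: Include files and backslash line continuations
are not followed.
"""
import re
import sys

# <Name ...> on its own line, e.g. <Directory "/var/www/html"> or <IfModule mod_proxy.c>
OPEN_RE = re.compile(r'^<([A-Za-z]+)(?:\s[^>]*)?>$')
# </Name> on its own line
CLOSE_RE = re.compile(r'^</([A-Za-z]+)\s*>$')

# Constructed sample modelled on the thread: the </IfModule> on line 8 is commented out.
SAMPLE_CONFIG = """\
# constructed sample httpd.conf fragment
<IfModule mod_proxy.c>
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
#</IfModule>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""


def check_containers(config_text):
    """Return a list of (line_no, message) for every container problem found.

    An empty list means every opener has a matching closer in the right order.
    Container names are compared case-insensitively, as Apache does.
    """
    problems = []
    stack = []              # open containers: (name, line_no)
    commented_closers = []  # closers Apache will never see: (line_no, name)

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            # Comment lines are skipped by Apache; remember a commented-out
            # closer so the report can point at it.
            m = CLOSE_RE.match(line.lstrip('#').strip())
            if m:
                commented_closers.append((line_no, m.group(1)))
            continue
        m = CLOSE_RE.match(line)
        if m:
            name = m.group(1)
            if not stack:
                problems.append((line_no, f"</{name}> without a matching opener"))
            elif stack[-1][0].lower() != name.lower():
                open_name, open_line = stack.pop()
                problems.append((line_no, f"</{name}> closes <{open_name}> opened on line {open_line}"))
            else:
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), line_no))

    # Whatever is still open at end of file was never closed.
    for name, open_line in stack:
        hint = ''
        for c_line, c_name in commented_closers:
            if c_line > open_line and c_name.lower() == name.lower():
                hint = f" (a commented-out </{c_name}> is on line {c_line})"
                break
        problems.append((open_line, f"<{name}> opened here is never closed{hint}"))
    return problems


if __name__ == '__main__':
    # Usage: python check_containers.py /etc/httpd/conf/httpd.conf
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    found = check_containers(text)
    if not found:
        print('all container directives are balanced')
    for line_no, message in found:
        print(f'line {line_no}: {message}')
```

Run it against the real file before retrying `certbot --apache`; `httpd -t`, as discussed above, passes a config like this, so a clean `httpd -t` does not rule out the kind of error Certbot's parser reports. On the constructed sample the script reports line 2 as an `<IfModule>` that is never closed and points at the commented-out `</IfModule>` on line 8.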
