Switching from DNS to Webroot results in Apache unable to start

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 66tr.ee

I ran this command: apache2 -S

It produced this output: [Tue Dec 28 09:28:37.699108 2021] [alias:warn] [pid 666042:tid 140680892185664] AH00671: The Alias directive in /etc/apache2/sites-enabled/100-letsencrypt.conf at line 1 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 77 of /etc/apache2/sites-enabled/66tr.ee.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/66tr.ee/fullchain.pem' does not exist or is empty

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Hello, I have been using certbot manually using DNS for over a year and really would like to automate my renewal process. I have a simple website running Apache and an XMPP service for my family running from my home.
Last night I tried to convert my setup to use my local Apache server for renewal instead of manually adding DNS records through my DNS provider.
I started by adding subdomains to Apache, then listing them in letsencrypt's renewal .conf files. I issued a

sudo certbot renew --dry-run -a webroot -i apache -w /var/www/66tr.ee

thinking this would convert my setup from the dns method to the webroot method as long as I had the webroots for each certificate created and configured in each renewal.conf file.

Well, I thought I had to restart Apache to get Apache to recognize the folders I had created for each subdomain (each subdomain has its own certificate). So I restarted Apache and haven't been able to bring it back up since.

I removed the subdomain configuration I had added to Apache to see if that would help it start. Didn't do anything.

apache2 -S yields:

[Tue Dec 28 09:02:33.556049 2021] [alias:warn] [pid 665905:tid 140068711533632] AH00671: The Alias directive in /etc/apache2/sites-enabled/100-letsencrypt.conf at line 1 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 77 of /etc/apache2/sites-enabled/66tr.ee.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/66tr.ee/fullchain.pem' does not exist or is empty

I commented out the two lines it was complaining about. Now apache2 -S shows a larger error:

[Tue Dec 28 10:51:16.558666 2021] [alias:warn] [pid 666394:tid 140108533443648] AH00671: The Alias directive in /etc/apache2/sites-enabled/100-letsencrypt.conf at line 1 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80                   66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:1)
*:443                  is a NameVirtualHost
         default server 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
         port 443 namevhost 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
                 alias www.66tr.ee
         port 443 namevhost fungi.66tr.ee (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

This message worries me because I haven't touched default-ssl.conf at all during this or previous renewal attempts. Can someone offer some insight?

Hi @66tree and welcome to the LE community forum

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

sudo apachectl -t -D DUMP_VHOSTS:

[Tue Dec 28 11:37:49.422786 2021] [alias:warn] [pid 666578:tid 139825365556288] AH00671: The Alias directive in /etc/apache2/sites-enabled/100-letsencrypt.conf at line 1 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80                   66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:1)
*:443                  is a NameVirtualHost
         default server 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
         port 443 namevhost 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
                 alias www.66tr.ee
         port 443 namevhost fungi.66tr.ee (/etc/apache2/sites-enabled/default-ssl.conf:2)

Use three backticks above and below the post.

```
post
```

Thank you for the warm welcome! I appreciate the help.
Here's the output of sudo apachectl -t -D DUMP_VHOSTS

[Tue Dec 28 11:37:49.422786 2021] [alias:warn] [pid 666578:tid 139825365556288] AH00671: The Alias directive in /etc/apache2/sites-enabled/100-letsencrypt.conf at line 1 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80                   66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:1)
*:443                  is a NameVirtualHost
         default server 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
         port 443 namevhost 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
                 alias www.66tr.ee
         port 443 namevhost fungi.66tr.ee (/etc/apache2/sites-enabled/default-ssl.conf:2)

Please show this file:
/etc/apache2/sites-enabled/100-letsencrypt.conf

/etc/apache2/sites-enabled/100-letsencrypt.conf:

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

# Bypass Auth
<IfModule mod_access_compat.c>
  <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
    Satisfy any
  </Directory>
</IfModule>

# Redirect before other rewrite rules
RewriteCond %{REQUEST_URI} /\.well\-known/acme\-challenge/
RewriteRule (.*) /.well-known/acme-challenge/$1 [L,QSA]

And this file is missing the "www" alias in the HTTP section:

There must be another (similar) alias in the main apache file.
You should remove it from this file.
/etc/apache2/sites-enabled/100-letsencrypt.conf

Actually, you should remove the entire file.

Include whatever you need from it within the main config file.

I should delete /etc/apache2/sites-enabled/100-letsencrypt.conf entirely?

I believe the rewrite rules from it are already in my 66tr.ee.conf, just commented out

I would.
Place any of that content needed within the main config file (apache2.conf).

It clearly says "sites-enabled", that is NOT a site.

Alright, I copied the contents of /etc/apache2/sites-enabled/100-letsencrypt.conf into apache2.conf, and deleted 100-letsencrypt.conf

Please reshow:
sudo apachectl -t -D DUMP_VHOSTS

Now I'm getting the same warning from 100-letsencrypt.conf in /etc/apache2/apache2.conf.
sudo apachectl -t -D DUMP_VHOSTS shows:

[Tue Dec 28 11:54:47.386589 2021] [alias:warn] [pid 666653:tid 140462970305600] AH00671: The Alias directive in /etc/apache2/apache2.conf at line 231 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80                   66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:1)
*:443                  is a NameVirtualHost
         default server 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
         port 443 namevhost 66tr.ee (/etc/apache2/sites-enabled/66tr.ee.conf:58)
                 alias www.66tr.ee
         port 443 namevhost fungi.66tr.ee (/etc/apache2/sites-enabled/default-ssl.conf:2)

There must exist multiple overlapping alias statements within the main config file.

And the HTTP section still omits the "www" alias.

Forgive my ignorance here, but in /etc/apache2/sites-enabled/66tr.ee.conf the <VirtualHost *:80> has ServerName 66tr.ee and the next line is ServerAlias www.66tr.ee then under the <VirtualHost *:443> section it also has ServerName 66tr.ee and the next line is ServerAlias www.66tr.ee

66tr.ee.conf also has several sections that are all commented out. They all look like:

#<VirtualHost *:80>
        #ServerName xmpp.66tr.ee
        #ServerAdmin myemail@email.com
        #DocumentRoot /var/www/66tr.ee/xmpp
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

Since they are all commented out I didn't think they'd be the issue.

hmm...
That's not shown in the output.

Please show that file.

Yes, anything # commented is ignored.

sudo cat /etc/apache2/sites-enabled/66tr.ee.conf:

<VirtualHost *:80>
	ServerName 66tr.ee
	ServerAlias www.66tr.ee
	#ServerAdmin 
	#DocumentRoot /var/www/66tr.ee
	#AddType text/css .css
	#AddType text/javascript .js

	#RewriteEngine on
	#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

	#Redirect permanent / https://66tr.ee/
	
	#ErrorLog ${APACHE_LOG_DIR}/error.log
	#CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

#<VirtualHost *:80>
        #ServerName proxy.66tr.ee
        #ServerAdmin 
        #DocumentRoot /var/www/66tr.ee/proxy
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

#<VirtualHost *:80>
        #ServerName rooms.66tr.ee
        #ServerAdmin 
        #DocumentRoot /var/www/66tr.ee/rooms
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

#<VirtualHost *:80>
        #ServerName turn.66tr.ee
        #ServerAdmin 
        #DocumentRoot /var/www/66tr.ee/turn
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

#<VirtualHost *:80>
        #ServerName upload.66tr.ee
        #ServerAdmin 
        #DocumentRoot /var/www/66tr.ee/upload
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

#<VirtualHost *:80>
        #ServerName xmpp.66tr.ee
        #ServerAdmin 
        #DocumentRoot /var/www/66tr.ee/xmpp
        #AddType text/css .css
        #AddType text/javascript .js
#</VirtualHost>

<VirtualHost *:443>
	ServerName 66tr.ee
        ServerAlias www.66tr.ee
        #ServerAdmin 
        AddType text/css .css
        AddType text/javascript .js

	Protocols h2 http/1.1

	#<If "%{HTTP_HOST} == 'www.66tr.ee'">
	#	Redirect permanent / https://66tr.ee/
	#</If>

	DocumentRoot /var/www/66tr.ee
	ErrorLog ${APACHE_LOG_DIR}/66tr.ee-error.log
	CustomLog ${APACHE_LOG_DIR}/66tr.ee-access.log combined

	#SSLEngine On
	#Include /etc/letsencrypt/options-ssl-apache.conf
	#SSLCertificateFile /etc/letsencrypt/live/66tr.ee/fullchain.pem
	#SSLCertificateKeyFile /etc/letsencrypt/live/66tr.ee/privkey.pem

	#ErrorDocument 404 /404.html 
        #ErrorDocument 403 /path/of/custom/error/file
        #ErrorDocument 500 /path/of/custom/error/file
        #ErrorDocument 503 /path/of/custom/error/file
        #ErrorDocument 504 /path/of/custom/error/file

</VirtualHost>

<Location /http-bind>
	Order allow,deny
	Allow from all
</Location>
RewriteEngine On
RewriteRule ^/http-bind$ localhost:5280/http-bind [P,L]

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
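
An added example, not part of the thread and not Apache or Certbot code: a small scanner for the AH00671 warning the replies above are chasing. It lists every active `Alias`/`ScriptAlias` whose URL path is shadowed by one defined earlier, with file and line. The function names are hypothetical, the `apache2.conf` contents in `demo()` are constructed, and `Include` lines are not followed, so pass the files in the order Apache reads them.

```python
import re
import tempfile
from pathlib import Path

# Alias and ScriptAlias share one table in mod_alias; the regex forms
# (AliasMatch, ScriptAliasMatch) never match this pattern and are skipped.
DIRECTIVE = re.compile(r"^\s*(Alias|ScriptAlias)\s+(\S+)\s+\S+", re.IGNORECASE)

def normalize(url_path):
    """Strip quotes and collapse repeated slashes before comparing."""
    return re.sub(r"/+", "/", url_path.strip('"'))

def shadows(earlier, later):
    """True if `earlier` is a whole-segment prefix of `later`."""
    if not later.startswith(earlier):
        return False
    rest = later[len(earlier):]
    return earlier.endswith("/") or rest == "" or rest.startswith("/")

def find_overlaps(files):
    """Return (later, earlier) pairs of (file, line, url) entries.

    `files` must be in the order Apache reads them. Simplification: scope
    (<VirtualHost> vs. global) is ignored, so review each hit by hand.
    """
    seen, hits = [], []
    for path in files:
        for lineno, line in enumerate(Path(path).read_text().splitlines(), 1):
            m = DIRECTIVE.match(line)  # commented-out lines do not match
            if not m:
                continue
            entry = (str(path), lineno, normalize(m.group(2)))
            hits += [(entry, old) for old in seen if shadows(old[2], entry[2])]
            seen.append(entry)
    return hits

def demo():
    """Constructed sample; only the second Alias line is from the thread."""
    with tempfile.TemporaryDirectory() as d:
        first, second = Path(d, "apache2.conf"), Path(d, "100-letsencrypt.conf")
        first.write_text("#Alias /old/ /x/\nAlias /.well-known/ /var/www/wk/\n")
        second.write_text("Alias /.well-known/acme-challenge/ "
                          "/var/www/letsencrypt/.well-known/acme-challenge/\n")
        return find_overlaps([first, second])

if __name__ == "__main__":
    for later, earlier in demo():
        print("%s:%d %s is shadowed by %s:%d %s" % (later + earlier))
```

On a real host, call `find_overlaps()` with `apache2.conf` followed by the enabled `conf-enabled` and `sites-enabled` files in sorted order.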