Testing Certbot

I'm on a new AWS server. I have installed Certbot-Auto with

./certbot-auto --apache certonly --debug

The process finished with no errors. I ran
./certbot-auto certificates and received this:


Found the following certs:
Certificate Name: csstix.com
Domains: csstix.com
Expiry Date: 2018-02-06 01:24:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/csstix.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/csstix.com/privkey.pem

I issued /etc/init.d/httpd restart to restart the server

However, I went to https://csstix.com and was told the connection was not private. It seems like the server is not working.

Does anyone here know how to troubleshoot, test and fix the certificate?

Bruce

BTW: here is the /var/log/letsencrypt/letsencrypt.log
2017-11-08 02:52:24,211:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-08 02:52:24,211:DEBUG:certbot.main:Arguments:
2017-11-08 02:52:24,211:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-08 02:52:24,226:DEBUG:certbot.log:Root logging level set at 20
2017-11-08 02:52:24,226:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-08 02:52:24,248:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/csstix.com/cert.pem
2017-11-08 02:52:24,248:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/csstix.com/chain.pem -cert /etc/letsencrypt/live/csstix.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/csstix.com/chain.pem -verify_other /etc/letsencrypt/live/csstix.com/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
~

certbot certonly” creates a certificate but doesn’t configure anything to use it.

Running “certbot --apache” now should take care of everything. (It should offer to let you use the existing certificate without creating a second one. I think.)

Sounds simple. I’ll try it.

I tried it. I gave these commands:

[root@ip-172-31-26-6 bruce]# ./certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): csstix.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/csstix.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

We were unable to find a vhost with a ServerName or Address of csstix.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: httpd.conf | | | Enabled
2: zendserver_gui.conf | | | Enabled
3: ssl.conf | | HTTPS | Enabled

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/csstix.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/csstix.com/privkey.pem
    Your cert will expire on 2018-02-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew all
    of your certificates, run "certbot-auto renew"

Here's the letsencrypt log:
2017-11-08 03:05:51,345:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-08 03:05:51,345:DEBUG:certbot.main:Arguments: ['--apache']
2017-11-08 03:05:51,345:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-08 03:05:51,361:DEBUG:certbot.log:Root logging level set at 20
2017-11-08 03:05:51,361:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-08 03:05:51,362:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-11-08 03:05:51,450:DEBUG:certbot_apache.configurator:Apache version is 2.4.6
2017-11-08 03:05:51,608:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x1023890>
Prep: True
2017-11-08 03:05:51,609:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x1023890> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x1023890>
2017-11-08 03:05:51,609:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2017-11-08 03:05:51,613:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:bruce@centerstagesoftware.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x1d9f110>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/23933527', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 99fdbbdf40b07bb0c3194537d19ed68a, Meta(creation_host=u'ip-172-31-26-6.us-east-2.compute.internal', creation_dt=datetime.datetime(2017, 11, 8, 2, 19, 32, tzinfo=)))>
2017-11-08 03:05:51,614:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-11-08 03:05:51,617:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-11-08 03:05:51,888:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
2017-11-08 03:05:51,889:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: GSNfv6fhiMivbsoeJwWB4_O0xaV5amHuzejQnW6c82Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 08 Nov 2017 03:05:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Nov 2017 03:05:51 GMT
Connection: keep-alive

{
"AMzTwnKdmuM": "Adding random entries to the directory",
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
1,1 Top

Are you still around? Any idea what is wrong?

Are there any virtual hosts with a ServerName or ServerAlias for csstix.com?

Nope. This is a new server. Nothing has been installed.

I wanted to get the certificate installed first. In the last couple days, I have had frustrations that required new servers.

You either need to configure Apache with the vhosts and then run certbot-auto --apache again, or just put the certificate files in your Apache config manually. Certbot isn’t going to configure it for you - it simply doesn’t have the information to do so. All Certbot will do is set up the SSL for matching vhosts from the certificate.

1 Like

There's nothing to install.

Your certificate is already issued and available at /etc/letsencrypt/live/csstix.com/fullchain.pem.

You need a VirtualHost configured in Apache to be able to install a certificate.

This isn't some sort of chicken and egg problem here. You HAVE the certificate. You just need to continu configuring your webserver.

I don't see the issue here to be honest. :slight_smile:

Osiris,

We are talking about the same subject. But our viewpoints are very different. I’m a poor soul wandering through the wilderness. I know where I want to go but I have no way of knowing how an installation works. Some better comments would help.

Configuring the webserver is fine. I’m very willing to do the work. But, I know nothing about Apache and certificates (I’m a programmer). I need to know what the installation looks like. These are simple questions like,

  1. What files are affected?
  2. Where to the files go?
  3. What do they look like?
  4. What does a configured Apache server look like?
  5. What common problems can come up and how do you fix them?

This does not mean a lot of typing. We just need a couple examples. A few diagnostic procedures would also be useful.

Another note: The tech support I experienced here was pretty good. It is certainly the equal of any of the commercial companies. Why not offer some paid help. This could be done via phone. I would say, $100 per hour would be fair. I would be very willing to pay.

That’s my 2 cents.

Okay. Here’s one of my Apache virtual host configuration files. I’ve removed some irrelevant details and added some comments.

# Sometimes you may see an IP address or an asterisk instead of _default_.
<VirtualHost _default_:80>

        # Set the primary domain name and any aliases that should be handled
        # by this configuration file.
        ServerName example.com
        ServerAlias www.example.com

        # Tell Apache where to find the files to serve.
        DocumentRoot /var/www/example.com
        <Directory /var/www/example.com>
                Order allow,deny
                allow from all
        </Directory>

        # Some typical logging configuration. The ServerAdmin address is
        # displayed to the user in some error messages.
        ServerAdmin webmaster@example.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

# Close the tag that was opened at the top of the file.
</VirtualHost>

That’s for HTTP. If you have something like that set up, Certbot should detect it and try to add the corresponding HTTPS configuration automatically.

If you want to do the HTTPS configuration yourself, mine looks something like this:

# This line prevents the SSL directives from breaking your whole Apache
# configuration if mod_ssl is disabled.
<IfModule mod_ssl.c>

# Use 443 instead of 80 for HTTPS.
<VirtualHost _default_:443>

        # These bits are the same...
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/example.com
        <Directory /var/www/example.com>
                Order allow,deny    
                allow from all    
        </Directory>
        ServerAdmin webmaster@example.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        # Enable HTTPS.
        SSLEngine on

        # Tell Apache where to find your certificate and private key.
        SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

        # Configure some parameters to make HTTPS work better. Rather than
        # copying this exactly, go here to generate your own:
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        SSLProtocol all -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

# Close the tags that were opened at the top of the file.
</VirtualHost>
</IfModule>

One thing that can go wrong is that if you have an older version of Apache you may need to specify the certificate location in a different way:

# Tell Apache where to find your certificate and private key.
SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

As for where the files go, it varies between operating systems. On Debian-like systems they’re usually put in /etc/apache2/sites-available and activated using the a2ensite command, which places a symbolic link in /etc/apache2/sites-enabled. On Fedora and the like, I believe they’re generally somewhere under /etc/httpd.

Again, Certbot should usually be able to figure all this out automatically, and maybe some other bits I’ve forgotten, so definitely try that first! :slight_smile:

Thank you for your advice, encouragement and best of all, your example.

That goes a long way.

But how is that TLS/certificate/Let's Encrypt related? :slight_smile:

There are probably thousands and thousands of webpages on the internet about the configuration of Apache. TLS/certificates are a (although important, very small) part of that.

You have to keep that in mind. TLS is a part of the configuration of a webserver (or other service using TLS, such as SMTP or IMAP). You can't install/configure TLS without the rest.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.