The apache plugin is not working

daniluski · September 21, 2019, 9:05pm

Hi,
After my Centos 7 update and the httpd update to the last version 2.4.41 my Certbot is not working anymore.

It is showing…

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error in checking parameter list:
The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Apache is unable to check whether or not the module is loaded because Apache is misconfigured.’,)

The website old is working fine… but i can’t add new certificates and renew.

Could you help me please?

_az · September 21, 2019, 9:19pm

Where did you install httpd 2.4.41 from? I don’t think it’s packaged with CentOS 7.7.

Could you please also provide the output of:

certbot --version
httpd -V
httpd -t -D DUMP_MODULES

daniluski · September 21, 2019, 9:33pm

Hi, I’m using httpd from CodeIT REPO https://codeit.guru/en_US/
All was fine before the last update… =/

certbot --version
certbot 0.37.2

httpd -V
Server version: Apache/2.4.41 (codeit)
Server built: Sep 19 2019 17:35:40
Server’s Module Magic Number: 20120211:88
Server loaded: APR 1.5.2, APR-UTIL 1.5.2
Compiled using: APR 1.5.2, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with…
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG=“run/httpd.pid”
-D DEFAULT_SCOREBOARD=“logs/apache_runtime_status”
-D DEFAULT_ERRORLOG=“logs/error_log”
-D AP_TYPES_CONFIG_FILE=“conf/mime.types”
-D SERVER_CONFIG_FILE=“conf/httpd.conf”

httpd -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_anon_module (shared)
authn_core_module (shared)
authn_dbd_module (shared)
authn_dbm_module (shared)
authn_file_module (shared)
authn_socache_module (shared)
authz_core_module (shared)
authz_dbd_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)
autoindex_module (shared)
brotli_module (shared)
cache_module (shared)
cache_disk_module (shared)
cache_socache_module (shared)
data_module (shared)
dbd_module (shared)
deflate_module (shared)
dir_module (shared)
dumpio_module (shared)
echo_module (shared)
env_module (shared)
expires_module (shared)
ext_filter_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
info_module (shared)
log_config_module (shared)
logio_module (shared)
macro_module (shared)
mime_magic_module (shared)
mime_module (shared)
negotiation_module (shared)
remoteip_module (shared)
reqtimeout_module (shared)
request_module (shared)
rewrite_module (shared)
setenvif_module (shared)
slotmem_plain_module (shared)
slotmem_shm_module (shared)
socache_dbm_module (shared)
socache_memcache_module (shared)
socache_redis_module (shared)
socache_shmcb_module (shared)
status_module (shared)
substitute_module (shared)
suexec_module (shared)
unique_id_module (shared)
unixd_module (shared)
userdir_module (shared)
version_module (shared)
vhost_alias_module (shared)
watchdog_module (shared)
mpm_event_module (shared)
ssl_module (shared)
systemd_module (shared)
cgid_module (shared)
fcgid_module (shared)
http2_module (shared)
php7_module (shared)
ruid2_module (shared)

_az · September 21, 2019, 9:51pm

I can reproduce your issue when using httpd from that repository.

From some investigation, it looks like the build that CodeIT produces does not support the right combination of apachectl/httpd commands that Certbot is expecting.

For instance, on the normal CentOS 7 build of httpd, the below command works:

apachectl -t -D DUMP_RUN_CFG

But in the CodeIT build, it goes badly:

# apachectl -t -D DUMP_RUN_CFG
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
To pass extra arguments to httpd, see the httpd.service(8)
man page.

Now, usually, you can change the "ctl" command used by Certbot by passing --apache-ctl httpd, for example. But in this case, it produces yet another error, because Certbot tries to run:

httpd configtest

but the CodeIT build doesn't support that either - it expects the old command (apachectl configtest) to be used.

Here's a link to the CentOS platform overrides in the Certbot Apache plugin: https://github.com/certbot/certbot/blob/754c34c12043bbbe3ceb12fb5660f841d09e3690/certbot-apache/certbot_apache/override_centos.py#L26-L44

I'm not sure what you should do, other than not use the Apache plugin and switch to webroot. This bug seems like a bit of a nightmare to solve to me, since fixing it in Certbot would basically require special support for the CodeIT build, from what I can see right now.

Edit: Maybe it's possible to create some kind of "wrapper" --apache-ctl script that routes each subcommand to the right CodeIT httpd binary, but you're on your own for that.

_az · September 21, 2019, 10:01pm

Maybe something like this (executable script in /root/codeit-apachectl.sh):

#!/usr/bin/env bash

if [[ "$1" =~ ^(configtest|graceful|restart)$ ]]; then
  /usr/sbin/apachectl "$@"
else
  /usr/sbin/httpd "$@"
fi

and then:

certbot renew --apache-ctl=/root/codeit-apachectl.sh --dry-run

daniluski · September 21, 2019, 10:02pm

Oh Thank you for help me.
I don’t know what to do now… My VPS update and it is not working…
Maybe i could try to reverse to another old httpd and run it until it be fixed…

Thank You

daniluski · September 21, 2019, 10:03pm

I wil try this solution

daniluski · September 21, 2019, 10:21pm

No... It doesn't work. =/

_az · September 21, 2019, 10:37pm

It worked fine for me.

Apache Version:

[root@prime-chance ~]# httpd -V
Server version: Apache/2.4.41 (codeit)
Server built:   Sep 19 2019 17:35:40
Server's Module Magic Number: 20120211:88
Server loaded:  APR 1.5.2, APR-UTIL 1.5.2
Compiled using: APR 1.5.2, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Apache plugin with /root/codeit-apachectl.sh script:

[root@prime-chance ~]# certbot --apache --apache-ctl=/root/codeit-apachectl.sh --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Registering without email!
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: prime-chance.bnr.la
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for prime-chance.bnr.la
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/prime-chance.bnr.la-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/prime-chance.bnr.la-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/prime-chance.bnr.la.conf to ssl vhost in /etc/httpd/conf.d/prime-chance.bnr.la-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://prime-chance.bnr.la

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=prime-chance.bnr.la
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/prime-chance.bnr.la/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/prime-chance.bnr.la/privkey.pem
  Your cert will expire on 2019-12-20. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew *all* of
  your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

daniluski · September 21, 2019, 10:42pm

maybe could I be anything wrong here...

certbot --apache --apache-ctl=/root/codeit-apachectl.sh --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable /root/codeit-apachectl.sh',)

_az · September 21, 2019, 10:42pm

Did you create that file and make it executable?

daniluski · September 21, 2019, 10:49pm

Yeah, I’ll try do it again.

daniluski · September 21, 2019, 11:03pm

I got it

certbot --apache --apache-ctl=/root/codeit-apachectl.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to run the command: /root/codeit-apachectl.sh configtest
The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Unable to run the command: /root/codeit-apachectl.sh configtest',)

_az · September 21, 2019, 11:05pm

And what happens when you just try run that command?

/root/codeit-apachectl.sh configtest

maybe also to check you created it correctly:

ls -lah /root/codeit-apachectl.sh
cat /root/codeit-apachectl.sh

daniluski · September 21, 2019, 11:08pm

Not yet …

[root@server ~]# /root/codeit-apachectl.sh configtest
-bash: /root/codeit-apachectl.sh: /usr/bin/env: bad interpreter: Text file busy
[root@server ~]# ls -lah /root/codeit-apachectl.sh
-rwxrwxrwx 1 root root 141 Sep 21 19:58 /root/codeit-apachectl.sh
[root@server ~]# cat /root/codeit-apachectl.sh
#!/usr/bin/env bash

if [[ "1" =~ ^(configtest|graceful|restart) ]]; then
/usr/sbin/apachectl “@" else /usr/sbin/httpd "@”
fi
[root@server ~]#

_az · September 21, 2019, 11:13pm

If you have that file open in a text editor, close it.

If you're using Windows to edit it, maybe you snuck in some invisible control characters. Try also:

dos2unix /root/codeit-apachectl.sh

and try run the configtest command again.

daniluski · September 21, 2019, 11:54pm

Perfect! It is working so nice now.
Thank You so much for your help.

When you want to have a coffee in Brazil you are very welcome! Hehehe

I’m thankfull.

The last problem was my editor (Sublime Text) in windows 10… So i resolved it using the Editor VI in the VPS and it is ok now.

Pascal666 · September 22, 2019, 7:49pm

Is this an issue with CodeIT’s rpm or with Apache/2.4.41?

_az · September 22, 2019, 9:00pm

Well, I think it’s an issue with Certbot’s platform overrides more than anything else. I didn’t mean to assign blame to CodeIT.

But I don’t think it’s just a 2.4.41 thing.

I tried installing Apache httpd 2.4.41 from buster-backports, and apachectl -t -D DUMP_RUN_CFG still works just fine.

So it’s either the combination of 2.4.41 + EL, or the CodeIT build specifically.

CentOS 8 is coming out in a couple of days I think? That might give a better clue.

AlexanderGerasimov · September 23, 2019, 11:42am

Thanks for pointing out. I see that newest Fedora RPMs have apachectl.sh scripts that do not allow passing httpd arguments anymore.
We removed apachectl.sh from builds and left original redhat patched version.
Can you test upgrading from testing repository (fixed in 2.4.41-4)?
Please provide feedback and we will push updates to regular repo if it works fine for you.