Trouble getting started after following certbot instructions


#1

I followed the instructions at certbot at https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo certbot --apache

I did not see any error messages.
I now have a key in my /etc/letsencrypt/keys directory and a certificate in my /etc/letsencrypt/csr directory

Attempting to see my site at https://ophed.net results in a “Your connection is not private” error.
Following to the site anyway leads me to the Apache2 Ubuntu Default Page.
I can still reach my site at http://ophed.net
BTW it’s a Drupal based site

Help!
What’d I do wrong?

My domain is: ophed.net

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Jake Waxman


Apachectl -S says fullchain.pem does not exist or is empty but certbot says it has been saved
#2

Hi @jwaxman,

Was there any output at all from this command, or did it just return immediately?

These aren’t useful; the item in the /etc/letsencrypt/csr is a certificate signing request rather than a certificate. Do you have an /etc/letsencrypt/live directory?


#3

Have you restarted Apache?
service apache2 restart


#4

Thanks for asking.
Yes.
A few times.
Jake


#5

There was quite a bit of output.
It seemed to indicate success.
There’s no live directory though.
Should I just run certbot again?


#6

Yes please and can you capture the output this time and post it here? It probably contains clues as to what’s gone wrong.


#7

There seems to also be a self-signed cert somewhere in the system:
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.net&ignoreMismatch=on


#8

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ophed.com
http-01 challenge for ophed.net
http-01 challenge for www.ophed.com
http-01 challenge for www.ophed.net
http-01 challenge for pittlions.org
http-01 challenge for www.pittlions.org
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/pittlions.org-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/ophed.net.conf to ssl vhost in /etc/apache2/sites-available/ophed.net-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/pittlions.org.conf to ssl vhost in /etc/apache2/sites-available/pittlions.org-le-ssl.conf


Congratulations! You have successfully enabled https://ophed.com,
https://ophed.net, https://www.ophed.com, https://www.ophed.net,
https://pittlions.org, and https://www.pittlions.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.com
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.ophed.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.ophed.net
https://www.ssllabs.com/ssltest/analyze.html?d=pittlions.org
https://www.ssllabs.com/ssltest/analyze.html?d=www.pittlions.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ophed.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ophed.com/privkey.pem
    Your cert will expire on 2018-08-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#9

I don’t remember creating one. How do I track it down and kill it?


#10

Does this file now exist?


#11

Yes. The fullchain.pem exists in that directory.
I’ve restarted apache.
New symptom.
Now I can’t get to the site via http.


#12

The other names on your certificate (www.ophed.net, pittlions.org etc) all seem to be working; only ophed.net is still returning the wrong certificate.

Maybe you have a second VirtualHost for that server name?

Check the output of
apachectl -S

You can’t access the site via HTTP because it’s redirecting to HTTPS (since you selected 2); of course fixing the HTTPS version will fix that, but if you want to access HTTP before then, you can remove the redirect - it’s a few lines certbot added at the end of your HTTP virtual host config.


#13

VirtualHost configuration:
*:443 is a NameVirtualHost
default server ophed.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ophed.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ophed.net (/etc/apache2/sites-enabled/ophed.net-le-ssl.conf:2)
alias www.ophed.net
alias ophed.com
alias www.ophed.com
port 443 namevhost pittlions.org (/etc/apache2/sites-enabled/pittlions.org-le-ssl.conf:2)
alias www.pittlions.org
*:80 is a NameVirtualHost
default server aupomse.org (/etc/apache2/sites-enabled/aupomse.org.conf:1)
port 80 namevhost aupomse.org (/etc/apache2/sites-enabled/aupomse.org.conf:1)
alias www.aupomse.org
port 80 namevhost ophed.net (/etc/apache2/sites-enabled/ophed.net.conf:1)
alias www.ophed.net
alias ophed.com
alias www.ophed.com
port 80 namevhost ophed.us (/etc/apache2/sites-enabled/ophed.us.conf:1)
alias www.ophed.us
port 80 namevhost pittlions.org (/etc/apache2/sites-enabled/pittlions.org.conf:1)
alias www.pittlions.org


#14

This is probably what’s overriding the config for ophed.net and referencing the self-signed certificate.

If you’re not using that for anything you can probably just disable it:
sudo a2dissite default-ssl


#15

Woo hoo! Thanks to both of you!


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.