Trouble getting started after following certbot instructions

Help
1

I followed the instructions at certbot at https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo certbot --apache

I did not see any error messages.
I now have a key in my /etc/letsencrypt/keys directory and a certificate in my /etc/letsencrypt/csr directory

Attempting to see my site at https://ophed.net results in a ā€œYour connection is not privateā€ error.
Following to the site anyway leads me to the Apache2 Ubuntu Default Page.
I can still reach my site at http://ophed.net
BTW itā€™s a Drupal based site

Help!
Whatā€™d I do wrong?

My domain is: ophed.net

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I donā€™t know): yes

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Jake Waxman

2

Hi @jwaxman,

Was there any output at all from this command, or did it just return immediately?

These aren't useful; the item in the /etc/letsencrypt/csr is a certificate signing request rather than a certificate. Do you have an /etc/letsencrypt/live directory?

3

Have you restarted Apache?
service apache2 restart

4

Thanks for asking.
Yes.
A few times.
Jake

5

There was quite a bit of output.
It seemed to indicate success.
Thereā€™s no live directory though.
Should I just run certbot again?

6

Yes please and can you capture the output this time and post it here? It probably contains clues as to what's gone wrong.

7

There seems to also be a self-signed cert somewhere in the system:
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.net&ignoreMismatch=on

8

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ophed.com
http-01 challenge for ophed.net
http-01 challenge for www.ophed.com
http-01 challenge for www.ophed.net
http-01 challenge for pittlions.org
http-01 challenge for www.pittlions.org
Waiting for verificationā€¦
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/ophed.net-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/pittlions.org-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/pittlions.org-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if youā€™re confident your site works on HTTPS. You can undo this
change by editing your web serverā€™s configuration.

Select the appropriate number [1-2] then [enter] (press ā€˜cā€™ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/ophed.net.conf to ssl vhost in /etc/apache2/sites-available/ophed.net-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/pittlions.org.conf to ssl vhost in /etc/apache2/sites-available/pittlions.org-le-ssl.conf

Congratulations! You have successfully enabled https://ophed.com,
https://ophed.net, https://www.ophed.com, https://www.ophed.net,
https://pittlions.org, and https://www.pittlions.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.com
https://www.ssllabs.com/ssltest/analyze.html?d=ophed.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.ophed.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.ophed.net
https://www.ssllabs.com/ssltest/analyze.html?d=pittlions.org
https://www.ssllabs.com/ssltest/analyze.html?d=www.pittlions.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ophed.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ophed.com/privkey.pem
    Your cert will expire on 2018-08-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the ā€œcertonlyā€ option. To non-interactively renew all of
    your certificates, run ā€œcertbot renewā€

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Letā€™s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

9

I donā€™t remember creating one. How do I track it down and kill it?

10

Does this file now exist?

11

Yes. The fullchain.pem exists in that directory.
Iā€™ve restarted apache.
New symptom.
Now I canā€™t get to the site via http.

12

The other names on your certificate (www.ophed.net, pittlions.org etc) all seem to be working; only ophed.net is still returning the wrong certificate.

Maybe you have a second VirtualHost for that server name?

Check the output of
apachectl -S

You canā€™t access the site via HTTP because itā€™s redirecting to HTTPS (since you selected 2); of course fixing the HTTPS version will fix that, but if you want to access HTTP before then, you can remove the redirect - itā€™s a few lines certbot added at the end of your HTTP virtual host config.

13

VirtualHost configuration:
*:443 is a NameVirtualHost
default server ophed.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ophed.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ophed.net (/etc/apache2/sites-enabled/ophed.net-le-ssl.conf:2)
alias www.ophed.net
alias ophed.com
alias www.ophed.com
port 443 namevhost pittlions.org (/etc/apache2/sites-enabled/pittlions.org-le-ssl.conf:2)
alias www.pittlions.org
*:80 is a NameVirtualHost
default server aupomse.org (/etc/apache2/sites-enabled/aupomse.org.conf:1)
port 80 namevhost aupomse.org (/etc/apache2/sites-enabled/aupomse.org.conf:1)
alias www.aupomse.org
port 80 namevhost ophed.net (/etc/apache2/sites-enabled/ophed.net.conf:1)
alias www.ophed.net
alias ophed.com
alias www.ophed.com
port 80 namevhost ophed.us (/etc/apache2/sites-enabled/ophed.us.conf:1)
alias www.ophed.us
port 80 namevhost pittlions.org (/etc/apache2/sites-enabled/pittlions.org.conf:1)
alias www.pittlions.org

14

This is probably what's overriding the config for ophed.net and referencing the self-signed certificate.

If you're not using that for anything you can probably just disable it:
sudo a2dissite default-ssl

1 Like
15

Woo hoo! Thanks to both of you!

3 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.