Trouble setting up Apache2 with CertBot


#1

Hello, Newbie here :slight_smile: OK first the boiler plate stuff -

 the full domain name of your site (this will be made public upon issuance anyhow)

www.marcchamberlin.com

the command line you ran

./certbot-auto --apache -v

the output of that command

http://pastebin.com/gbe7gMTB

name and version of your operating system and your web server

openSuSE Leap 42.1, Apache 2.4

what type of hosting provider you are using, if applicable

self hosting

This is my first time attempt at incorporating SSL into my Apache webserver, so please bear with me if I am asking dumb questions or doing something stupid…
I am hosting a few virtual domains on my server (as opposed to what I think are virtual hosts) so I want to make it clear that all my domain names that I host are actually mapped to the same IP address.
I wish to add SSL encryption to each of these domains, but for simplicity sakes, I am starting out with just attempting to do so with my own 2 domains, www.marcchamberlin.com and marcchamberlin.com. I have generated a test certificate and installed it, which appears to have worked fine, i.e. I can reach https://www.marcchamberlin.com if I allow an exception for the test certificate.

At this point my first question is, should I remove this test certificate before I attempt to use certbot to generate and set up the rest of my certificates? I tried that but no joy… In what state should Apache be in before I use certbot? Do I go ahead and enable SSL in the config files first, or does certbot expect to do that for me? Do I do anything special for setting up the virtual hosts and configuring them for SSL? It seems like this is a chicken or egg problem… (I have opened port 443 on my firewall already) Since this works with the test certificate, it seems like certbot should at least be able to connect to my Apache webserver as well, but I am getting these error messages, so this is confusing…

  • The following errors were reported by the server:

    Domain: www.marcchamberlin.com
    Type: connection
    Detail: Failed to connect to 23.236.36.11:443 for TLS-SNI-01
    challenge

    Domain: marcchamberlin.com
    Type: connection
    Detail: Failed to connect to 23.236.36.11:443 for TLS-SNI-01
    challenge

I found these related postings, but again no joy in groking what is going wrong -




In my hunting for a solution I did discover what appears to be one issue - certbot creates a vhost file called le_tls_sni_01_cert_challenge.conf that it uses to create temporary virtual hosts to use during the challenge process. I discovered that these in turn expect a document root at /var/lib/letsencrypt/tls_sni_01_page The Apache log files show complaints about this being missing and indeed I never see it being created while running the certbot script. So I tried to create this directory manually but still no joy getting certbot to work.

So I dunno what to try next, I am sure I am doing something wrong being as this is all new to me… Any ideas? Thanks in advance for any and all offers of help… Marc.


#2

Do you firstly have an A record in your domain’s DNS firstly pointing to your IP address?

Secondly run the command actually specifying the domain name you wan to generate a certificate for

./certbot-auto --apache -d marcchamberlin.com -d www.marcchamberlin.com -v --dry-run

PLEASE NOTE: I have added the --dry-run flag … this allows you test and see the output and errors before generate a certificate. If you see favourable output running the above then remove --dry-run and it will then generate the certificate for you.


#3

Yes

In order to get the --dry-run flag to work I had to add the certonly subcommand as well, i.e. -

./certbot-auto certonly --apache -d marcchamberlin.com -d www.marcchamberlin.com -v --dry-run

That worked, so on that happy note I removed the --dry-run and reran this command to generate the certificate but not have it automagically installed on the apache server for me… I guess I will now try and figure out how to do that manually…

Thanks MitchellK for getting me a bit further down the path, hopefully I will now be able to figure out the next steps on how to create and install certificates for all my virtual domains…

Marc…


#4

No problem Marc, glad I could get you a step closer. To get the automation of using the --apache command you are going to need to keep running command line’s using --webroot and --dry-run so that you can then monitor your apache logs to see where it is actually failing. It is normally just incorrect permissions and incorrect Allow/Deny statements in your apache.conf file. Installing the certs manually is rather easy, shout if you need further help.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.