Trying to run certbot--having issues


#1

Please fill out the fields below so we can help you better.

Reference following thread for background on my system setup:
https://community.letsencrypt.org/t/questions-about-le-multiple-domain-capabilities/31092

My domain is:
Already have wildcard certs for *.toastmastersclubs.org and www.toastmastersclubs.org via non-LE approach

Trying to test out LE now for www.mindfulcommunicators.org

I ran this command:

/etc/certbot/certbot-auto --debug --apache certonly (had errors so I ran again w/ sudo it seemed to work for installation of certbot)

It produced this output (note that I am not given an option to get a new cert for a domain not listed below):

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: toastmastersclubs.org
2: www.toastmastersclubs.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

My operating system is (include version):
CentOS 6 (?)
https://aws.amazon.com/amazon-linux-ami/2016.09-release-notes/

My web server is (include version):
AWS EC2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes via PuTTY (I am not the sysadmin though… he is busy)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @SteveTheTechie,

Do you have an existing Apache virtualhost in sites-enabled for this particular name? If so, is it defined within the same Apache configuration file as some other virtualhost?

Could you post the entire Apache configuration file that defines the virtualhost for www.mindfulcommunicators.org?


#3

@schoen, thanks much for your reply.

I am bit new at this server admin stuff, so please bear with me. (the actual server admin is busy)

I am not familiar w/ sites-enabled or where to find it. The conf files that I am aware of are in /etc/httpd/conf & /etc/httpd/conf.d … the former contains httpd.conf and the latter contains the ssl.conf file.

I have been exchanging emails w/ the server admin, and he told me to create a new conf file for each domain that I want to set up ssl for. Does that need to be done before running certbot-auto …? He gave me the following for the conf file… In practice, this would be a template w/ the domain name filled in by my code.

<VirtualHost 50.19.253.65:443>
	DocumentRoot /var/www/html
	ServerName mindfulcommunicators.org
	ServerAlias www.mindfulcommunicators.org
	ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

	RewriteEngine on
	RewriteRule ^/([^/]+).html /index.cgi
	RewriteRule /calendar.html /index.cgi

	Options FollowSymLinks
	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/mindfulcommunicators.org.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mindfulcommunicators.org.key
	##SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_bundle-g2-g1.crt *** not sure if there are additional chain files required ***
	LogLevel warn
	SSLEngine on
	SSLProtocol all -SSLv2
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
	<Files ~ ".(cgi|shtml|phtml|php3?)$">
		 SSLOptions +StdEnvVars
	</Files>
	<Directory "/var/www/cgi-bin">
		 SSLOptions +StdEnvVars
	</Directory>
	SetEnvIf User-Agent ".*MSIE.*" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
</VirtualHost>

#4

I’m not sure this is the only concern, but where did the “.tld” part come from? Is that actually a part of your domain name?


#5

No the .tld is not part of the domain name but that is what the server admin had in the email he sent me.

Now that you mention it, it is probably an error. He had some other things that were obvious errors that I already caught.

So I will get rid of the tld part… thx! Note that I took them out above.

What other things come to mind?


#6

It’s somewhat unusual to use the specific IP address in the definition of the VirtualHost; we usually see * instead.


#7

Ok I have emailed the admin about the IP address question…


#8

His response regarding using the * instead of specific IP address:

You can try with the * but since we will have multiple certs from different sources each may need their own IP.

This makes sense to me. Our system is probably a bit different than what you are used to dealing with as I alluded to in the related thread I referenced above.

So, to my earlier question… Does the conf file need to be set up on the server before I run cerbot?

Thanks for all your assistance!


#9

If you’re using the Apache plugin (with --apache), certbot will analyse the configuration files to extract possible hostnames, so yes, the conf needs to be set up on the server.


#10

If you’re using certbot --apache then Certbot will try to configure your Apache to listen for specific HTTPS requests on port 443 (temporarily) as part of the validation process. This does require you to have an existing Apache configuration that works and that’s not too confusing to Certbot. It’s a little bit complicated to define what “too confusing to Certbot” means. The existing configuration does not necessarily need to be listening on port 443, and it definitely does not need to be set up for the eventual HTTPS configuration that you’ll use after getting your cert (indeed, it can’t be because Apache wouldn’t even be able to start without that cert in place).

If the configuration is, in fact, “too confusing to Certbot”, an alternative is --webroot, which works by placing a file in a specified place within the web site’s content, instead of by attempting to reconfigure the server.


#11

@schoen / @Osiris

Ok, a few things… The ssl.conf file I gave above may throw you off. A new observation is that we are using mod_include.c and the main http.conf file is doing wildcard includes for subfolders (under its folder), one of which has the ssl.conf config file in it. There are a lot of config files, but most do not have anything to do with the “websites” as our users would use them.

Also, I think a thing that may be confusing is that we do not set up any config files for custom domain names used for “websites” in the system. Essentially, we do not need to for http access. (We do have config files for the stock/standard/default toastmastersclubs.org domain.) The reason is that the way that the custom domain DNS records are set up by Toastmasters clubs for their particular “website” (keep in mind that websites are essentially virtual, created on fly via templates and content in the db) is that the custom domain names work similar to a redirect, but in such a way that the server code can fetch the original url that was used (for lookup in the db). (They are mapped to our server IP address.) We never access their DNS records, and until now the only place that mention of those domain names exists on the server is the club table in our database that use for looking up the domain names.

This is why I am asking about the config files… they do not already exist for the domains of interest.

I will go ahead and create my config file for my “test” domain and see if certbot is able handle this, given all the includes going on.

Given the need to automate the certificate renewals, you have convinced me that we will need to save additional information on the server for the custom domains… (some progress)


#12

Ok, I set up the .conf file for my test domain, copied it into place and ran certbot-auto again. Got the following (see virtualenv not found at bottom):

[ec2-user@toastmastersclubs ~]$ cd /etc/httpd/conf.d
[ec2-user@toastmastersclubs conf.d]$ ls /var/www/html/templates
   mindfulcommunicators.org.conf
[ec2-user@toastmastersclubs conf.d]$ sudo cp /var/www/html/templates/mindfulcommunicators.org.conf
cp: missing destination file operand after ‘/var/www/html/templates/mindfulcommunicators.org.conf’
Try 'cp --help' for more information.
[ec2-user@toastmastersclubs conf.d]$ sudo cp /var/www/html/templates/mindfulcommunicators.org.conf ./
[ec2-user@toastmastersclubs conf.d]$ ls
autoindex.conf                 notrace.conf   ssl.conf.rpmnew
awstats.conf                   perl.conf      svradmin.conf
fcgid.conf                     README         svradmin.conf.hold
geoip.conf                     ssl.conf       userdir.conf
mindfulcommunicators.org.conf  ssl.conf.hold  welcome.conf
[ec2-user@toastmastersclubs conf.d]$ sudo /etc/certbot/certbot-auto --debug --apache certonly
Upgrading certbot-auto 0.12.0 to 0.13.0...
Replacing certbot-auto...
Creating virtual environment...
/etc/certbot/certbot-auto: line 666: virtualenv: command not found
[ec2-user@toastmastersclubs conf.d]$ cd ..
[ec2-user@toastmastersclubs httpd]$ sudo /etc/certbot/certbot-auto --debug --apache certonly
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, priorities, update-motd, upgrade-helper
Loading mirror speeds from cached hostfile
 * amzn-main: packages.us-east-1.amazonaws.com
 * amzn-updates: packages.us-east-1.amazonaws.com
 * rpmforge: mirror.us.leaseweb.net
amzn-main/latest                                         | 2.1 kB     00:00
amzn-updates/latest                                      | 2.3 kB     00:00
572 packages excluded due to repository priority protections
Package gcc-4.8.3-3.20.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.1k-15.99.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2015.2.6-65.0.1.16.amzn1.noarch already installed and latest version
Package python27-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-devel-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-12.0.7-1.13.amzn1.noarch already installed and latest version
Package python27-tools-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-pip-6.1.1-1.23.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
/etc/certbot/certbot-auto: line 666: virtualenv: command not found
[ec2-user@toastmastersclubs httpd]$

#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.