/etc/certbot/certbot-auto --debug --apache certonly (had errors, so I ran it again w/ sudo; it seemed to work for the installation of certbot)
It produced this output (note that I am not given an option to get a new cert for a domain not listed below):
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: toastmastersclubs.org
2: www.toastmastersclubs.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Do you have an existing Apache virtualhost in sites-enabled for this particular name? If so, is it defined within the same Apache configuration file as some other virtualhost?
Could you post the entire Apache configuration file that defines the virtualhost for www.mindfulcommunicators.org?
I am a bit new at this server admin stuff, so please bear with me. (The actual server admin is busy.)
I am not familiar w/ sites-enabled or where to find it. The conf files that I am aware of are in /etc/httpd/conf & /etc/httpd/conf.d … the former contains httpd.conf and the latter contains the ssl.conf file.
I have been exchanging emails w/ the server admin, and he told me to create a new conf file for each domain that I want to set up ssl for. Does that need to be done before running certbot-auto …? He gave me the following for the conf file… In practice, this would be a template w/ the domain name filled in by my code.
<VirtualHost 50.19.253.65:443>
DocumentRoot /var/www/html
ServerName mindfulcommunicators.org
ServerAlias www.mindfulcommunicators.org
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
RewriteEngine on
RewriteRule ^/([^/]+).html /index.cgi
RewriteRule /calendar.html /index.cgi
Options FollowSymLinks
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mindfulcommunicators.org.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mindfulcommunicators.org.key
##SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_bundle-g2-g1.crt *** not sure if there are additional chain files required ***
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<Files ~ ".(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
His response regarding using the * instead of specific IP address:
You can try with the * but since we will have multiple certs from different sources each may need their own IP.
This makes sense to me. Our system is probably a bit different than what you are used to dealing with as I alluded to in the related thread I referenced above.
So, to my earlier question... Does the conf file need to be set up on the server before I run certbot?
If you're using the Apache plugin (with --apache), certbot will analyse the configuration files to extract possible hostnames, so yes, the conf needs to be set up on the server.
If you're using certbot --apache then Certbot will try to configure your Apache to listen for specific HTTPS requests on port 443 (temporarily) as part of the validation process. This does require you to have an existing Apache configuration that works and that's not too confusing to Certbot. It's a little bit complicated to define what "too confusing to Certbot" means. The existing configuration does not necessarily need to be listening on port 443, and it definitely does not need to be set up for the eventual HTTPS configuration that you'll use after getting your cert (indeed, it can't be because Apache wouldn't even be able to start without that cert in place).
If the configuration is, in fact, "too confusing to Certbot", an alternative is --webroot, which works by placing a file in a specified place within the web site's content, instead of by attempting to reconfigure the server.
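An added example (not from this thread, and not Certbot's own tooling) that ties the per-domain template above to the point that the config must already exist, and Apache must still start, before the certificate is issued: it renders a port-80 vhost so the names are discoverable, and adds the 443 vhost only once the certificate files are present. Assumed: Apache includes /etc/httpd/conf.d/*.conf, Certbot's default /etc/letsencrypt/live/<domain>/ layout, and a simplified vhost body.

```shell
#!/bin/sh
# Added example, not from the thread: render a per-domain vhost from a template.
# Assumptions: Apache includes /etc/httpd/conf.d/*.conf; Certbot keeps issued
# certs under /etc/letsencrypt/live/<domain>/ (its default); LE_LIVE may be
# overridden for testing.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# render_vhost DOMAIN [LISTEN_ADDR]: print the vhost config on stdout.
# The :80 block is always emitted so certbot --apache can find the names.
# The :443 block is emitted only when the certificate files exist; a vhost
# pointing at a missing SSLCertificateFile stops Apache from starting at all.
render_vhost() {
    domain="$1"; addr="${2:-*}"
    cat <<EOF
<VirtualHost ${addr}:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /var/www/html
    RewriteEngine on
    # Let HTTP-01 challenge requests through untouched
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    RewriteRule ^/([^/]+)\.html /index.cgi
</VirtualHost>
EOF
    [ -r "${LE_LIVE}/${domain}/fullchain.pem" ] || return 0
    [ -r "${LE_LIVE}/${domain}/privkey.pem" ] || return 0
    cat <<EOF
<VirtualHost ${addr}:443>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /var/www/html
    SSLEngine on
    # fullchain.pem already includes the intermediate: no ChainFile needed
    SSLCertificateFile ${LE_LIVE}/${domain}/fullchain.pem
    SSLCertificateKeyFile ${LE_LIVE}/${domain}/privkey.pem
    # No SSLv2/SSLv3, no RC4/LOW/EXPORT ciphers (the template above allows them)
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
EOF
}

# install_vhost DOMAIN [LISTEN_ADDR]: write the file, then refuse to keep a
# config Apache cannot parse (run as root; apachectl must be on PATH).
install_vhost() {
    conf="/etc/httpd/conf.d/$1.conf"
    render_vhost "$1" "$2" > "$conf"
    apachectl configtest || { rm -f "$conf"; return 1; }
}
```

Run install_vhost once before certbot (port-80 block only), and again after issuance to add the 443 block; with the `*` default, SNI lets several vhosts share one address.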
Ok, a few things… The ssl.conf file I gave above may throw you off. A new observation is that we are using mod_include.c and the main http.conf file is doing wildcard includes for subfolders (under its folder), one of which has the ssl.conf config file in it. There are a lot of config files, but most do not have anything to do with the “websites” as our users would use them.
Also, I think a thing that may be confusing is that we do not set up any config files for custom domain names used for “websites” in the system. Essentially, we do not need to for http access. (We do have config files for the stock/standard/default toastmastersclubs.org domain.) The reason is that the way that the custom domain DNS records are set up by Toastmasters clubs for their particular “website” (keep in mind that websites are essentially virtual, created on the fly via templates and content in the db) is that the custom domain names work similar to a redirect, but in such a way that the server code can fetch the original url that was used (for lookup in the db). (They are mapped to our server IP address.) We never access their DNS records, and until now the only place that mention of those domain names exists on the server is the club table in our database that we use for looking up the domain names.
This is why I am asking about the config files… they do not already exist for the domains of interest.
I will go ahead and create my config file for my “test” domain and see if certbot is able to handle this, given all the includes going on.
Given the need to automate the certificate renewals, you have convinced me that we will need to save additional information on the server for the custom domains… (some progress)
Ok, I set up the .conf file for my test domain, copied it into place and ran certbot-auto again. Got the following (see virtualenv not found at bottom):
[ec2-user@toastmastersclubs ~]$ cd /etc/httpd/conf.d
[ec2-user@toastmastersclubs conf.d]$ ls /var/www/html/templates
mindfulcommunicators.org.conf
[ec2-user@toastmastersclubs conf.d]$ sudo cp /var/www/html/templates/mindfulcommunicators.org.conf
cp: missing destination file operand after ‘/var/www/html/templates/mindfulcommunicators.org.conf’
Try 'cp --help' for more information.
[ec2-user@toastmastersclubs conf.d]$ sudo cp /var/www/html/templates/mindfulcommunicators.org.conf ./
[ec2-user@toastmastersclubs conf.d]$ ls
autoindex.conf notrace.conf ssl.conf.rpmnew
awstats.conf perl.conf svradmin.conf
fcgid.conf README svradmin.conf.hold
geoip.conf ssl.conf userdir.conf
mindfulcommunicators.org.conf ssl.conf.hold welcome.conf
[ec2-user@toastmastersclubs conf.d]$ sudo /etc/certbot/certbot-auto --debug --apache certonly
Upgrading certbot-auto 0.12.0 to 0.13.0...
Replacing certbot-auto...
Creating virtual environment...
/etc/certbot/certbot-auto: line 666: virtualenv: command not found
[ec2-user@toastmastersclubs conf.d]$ cd ..
[ec2-user@toastmastersclubs httpd]$ sudo /etc/certbot/certbot-auto --debug --apache certonly
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, priorities, update-motd, upgrade-helper
Loading mirror speeds from cached hostfile
* amzn-main: packages.us-east-1.amazonaws.com
* amzn-updates: packages.us-east-1.amazonaws.com
* rpmforge: mirror.us.leaseweb.net
amzn-main/latest | 2.1 kB 00:00
amzn-updates/latest | 2.3 kB 00:00
572 packages excluded due to repository priority protections
Package gcc-4.8.3-3.20.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.1k-15.99.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2015.2.6-65.0.1.16.amzn1.noarch already installed and latest version
Package python27-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-devel-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-12.0.7-1.13.amzn1.noarch already installed and latest version
Package python27-tools-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package python27-pip-6.1.1-1.23.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
/etc/certbot/certbot-auto: line 666: virtualenv: command not found
[ec2-user@toastmastersclubs httpd]$