Ubuntu with Apache2 on AWS - can't get cert

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mylifetalks.org

I ran this command:
sudo certbot --apache

It produced this output:

Requesting a certificate for `app-api-1022.mylifetalks.org`
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: `app-api-1022.mylifetalks.org`
Type: unauthorized
Detail: 13.235.121.134: Invalid response from `http://app-api-1022.mylifetalks.org/.well-known/acme-challenge/(redacted)` 404
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Some challenges have failed.

My web server is (include version):
Apache2 2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.29.0

I've already implemented the suggestion shown here: server - Why am I getting "Permission denied: make_sock: could not bind to address" when starting Apache2? - Ask Ubuntu as far as changing port numbers in ports.conf, but no luck.

2

Hi @Nola, and welcome to the LE community forum :slight_smile:

Let's have a look at:
[sudo] netstat -pant | grep -i listen

3 Likes
3

Hi @rg305 thanks for your reply! Here is the output for the netstat command:

tcp     0   0 0.0.0.0:443        0.0.0.0:*       LISTEN    1037/nginx: master  
tcp     0   0 0.0.0.0:3306       0.0.0.0:*       LISTEN    1051/mysqld         
tcp     0   0 0.0.0.0:80         0.0.0.0:*       LISTEN    1037/nginx: master  
tcp     0   0 127.0.0.53:53      0.0.0.0:*       LISTEN    811/systemd-resolve 
tcp     0   0 0.0.0.0:22         0.0.0.0:*       LISTEN    1008/sshd           
tcp6    0   0 :::22              :::*            LISTEN    1008/sshd
4

You are trying to use Apache [which appears to be installed]
But nginx is already running.

Which of the two are you planning to use?

3 Likes
5

Ah I see - apologies, as I'm definitely new to this. I was planning on using Apache per instructions I've been reading, and in fact I didn't realize AWS images came with nginx already installed. Is there a preference/recommendation between the two? Since nginx is already running, I'm certainly happy to use that. Thanks for your help!

1 Like
6

Since you asked...
My personal preference would be for you to keep nginx [and uninstall Apache].

3 Likes
7

Thanks @rg305 I'm very happy to listen to the experts, and can definitely uninstall Apache and use nginx. So in the last half hour I've been doing some digging and it seems there is an existing .conf file at etc/nginx/sites-enabled which was setup before I took this over (I was under the impression no SSL work had been done at all yet). In this existing file, I do see references to letsencrypt certificates. So some work has already been done using nginx, but not related to the subdomain I've cited, app-api-1022...

however..

when I then run what I assume is the correct command I should be running, sudo certbot --nginx, I get prompted with a question of which names would I like to activate https for? And it gives me one option, just the one from the aforementioned pre-existing .conf file. Whereas when I did sudo certbot --apache it actually asked me to type in the domain name I need the cert for. So my question is, how do I explicitly pass the app-api-1022.mylifetalks.org domain to the certbot nginx command?

1 Like
8

You just need to setup a "starter" server block with the name you want. You would have had to do this with Apache too you just didn't get that far.

For example

    server {
        listen       80;
        listen       [::]:80;     # if you have IPv6 available
        server_name  app-api-1022.mylifetalks.org;
        root         /your/server/root/folder;
    }

Place this in sites-available and enable it so it has a symlink in sites-enabled just like you did for your original server block.

Then run

sudo certbot --nginx -d app-api-1022.mylifetalks.org

Certbot will create a server block for listen 443 (https) based on this starter block. You then customize this https block as needed. The starter http block will be modified to just become a redirect to the https server.

4 Likes
9

Thank you so kindly @MikeMcQ I will try this shortly!

1 Like
10

Why? It looks like you have a working Apache setup. That's what you wanted originally.

3 Likes
11

I don't have a working Apache setup, as it was determined through this thread that nginx is already running and using the ports that Apache would have been using. Further, my original intent to use Apache was before 1) I realized someone had already done some work on this box using nginx 2) user rg305 suggested he prefers nginx over Apache anyway.

So I'm a bit confused by your last post asking "why?". I was going to do exactly what you've suggested but you're asking me why I'm going to implement your suggestion? Just want to make sure I'm not missing something here... :slight_smile:

12

Because when I try a curl to your domain Apache responds:

[TEST ~]> curl -I https://app-api-1022.mylifetalks.org
HTTP/1.1 200 OK
Date: Fri, 15 Jul 2022 15:20:44 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 23 Nov 2021 23:46:36 GMT
ETag: "6c3-5d17d5a2033ae"
Accept-Ranges: bytes
Content-Length: 1731

And, with a valid cert which you can see on this SSL Decoder website

I prefer nginx too but many people prefer Apache. You originally tried to use Apache while nginx was running and you asked how best to proceed. But, now Apache is running so the situation has changed.

3 Likes
13

This back and forth may continue as long as both (Apache and nginx) are installed.
Please choose one and uninstall the other.

3 Likes
14

@MikeMcQ @rg305 thank you both very much for your help on this.

2 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.