Unable to find a virtual host listening on port 80 on Mac Catalina 10.15.7 running apache 2.4.48

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ocetacea.net

I ran this command: sudo certbot --apache -v

It produced this output:

Saving debug log to /usr/local/etc/certbot/logs/letsencrypt.log
Could not find OpenSSL version; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): ocetacea.net www.ocetacea.net
Requesting a certificate for ocetacea.net and www.ocetacea.net
Performing the following challenges:
http-01 challenge for ocetacea.net
http-01 challenge for www.ocetacea.net
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /usr/local/etc/certbot/logs/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.48 (Unix)

The operating system my web server runs on is (include version): Mac Catalina 10.15.7

My hosting provider, if applicable, is: self-serving on a Mac mini (Late 2012)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

My router does not allow for NAT reflection; I run under the VPN Global Protect, so my http-vhosts.conf looks like:

# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#

Listen 80

<VirtualHost 192.168.0.15 63.228.176.120>
    ServerAdmin pjamesnorris25@gmail.com
    DocumentRoot "/Library/WebServer/Documents/"
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
    ErrorLog "/private/var/log/apache2/ocetacea.net-error_log"
    CustomLog "/private/var/log/apache2/ocetacea.netaccess_log" common
</VirtualHost>

My /usr/local/etc/certbot/logs/letsencrypt.log looks like:

2021-10-10 06:47:59,777:DEBUG:certbot._internal.main:certbot version: 1.20.0
2021-10-10 06:47:59,778:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2021-10-10 06:47:59,778:DEBUG:certbot._internal.main:Arguments: ['--apache', '-v']
2021-10-10 06:47:59,779:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-10 06:47:59,860:DEBUG:certbot._internal.log:Root logging level set at 20
2021-10-10 06:47:59,862:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-10-10 06:48:00,140:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.48
2021-10-10 06:48:00,675:WARNING:certbot_apache._internal.configurator:Could not find OpenSSL version; not disabling session tickets.
2021-10-10 06:48:00,697:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x111a6a130>
Prep: True
2021-10-10 06:48:00,699:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x111a6a130> and installer <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x111a6a130>
2021-10-10 06:48:00,699:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-10-10 06:48:00,730:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/233054570', new_authzr_uri=None, terms_of_service=None), b28e3310e 505c4b25b05ce4bfb135edb, Meta(creation_dt=datetime.datetime(2021, 10, 9, 23, 8, 12, tzinfo=<UTC>), creation_host='jnorrisMM.local', register_to_eff='pjamesnorris25@gmail.com'))>
2021-10-10 06:48:00,749:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-10 06:48:03,350:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-10-10 06:48:03,746:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-10-10 06:48:03,747:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 10 Oct 2021 12:48:03 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "74Stx5tPUE8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-10-10 06:48:20,126:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for www.ocetacea.net and ocetacea.net
2021-10-10 06:48:20,517:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /usr/local/etc/certbot/certs/keys/0016_key-certbot.pem
2021-10-10 06:48:20,572:DEBUG:certbot.crypto_util:Creating CSR: /usr/local/etc/certbot/certs/csr/0016_csr-certbot.pem
2021-10-10 06:48:20,586:DEBUG:acme.client:Requesting fresh nonce
2021-10-10 06:48:20,586:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-10-10 06:48:20,683:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-10-10 06:48:20,684:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 10 Oct 2021 12:48:20 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001Fv0oEiQIMN6qXv0gDQo9G2CVzbIGgb_yVLPGN4S2Rkg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-10-10 06:48:20,685:DEBUG:acme.client:Storing nonce: 0001Fv0oEiQIMN6qXv0gDQo9G2CVzbIGgb_yVLPGN4S2Rkg
2021-10-10 06:48:20,703:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "www.ocetacea.net"\n    },\n    {\n      "type": "dns",\n      "value": "ocetacea.net"\n    }\n  ]\n}'
2021-10-10 06:48:20,708:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2021-10-10 06:48:20,844:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 473
2021-10-10 06:48:20,845:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 10 Oct 2021 12:48:20 GMT
Content-Type: application/json
Content-Length: 473
Connection: keep-alive
Boulder-Requester: 233054570
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/233054570/30855990870
Replay-Nonce: 0001FfAkKVAr0qBGUK17OluC_LzevUMmIcvv_lW7s05Upls
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-10-16T23:08:46Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ocetacea.net"
    },
    {
      "type": "dns",
      "value": "www.ocetacea.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/38547876510",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/38549211240"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/233054570/30855990870"
}
2021-10-10 06:48:20,845:DEBUG:acme.client:Storing nonce: 0001FfAkKVAr0qBGUK17OluC_LzevUMmIcvv_lW7s05Upls
2021-10-10 06:48:20,845:DEBUG:acme.client:JWS payload:
b''
2021-10-10 06:48:20,848:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/38547876510:
2021-10-10 06:48:20,953:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/38547876510 HTTP/1.1" 200 793
2021-10-10 06:48:20,954:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 10 Oct 2021 12:48:20 GMT
Content-Type: application/json
Content-Length: 793
Connection: keep-alive
Boulder-Requester: 233054570
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00015-Ig8NWCUo_vKfZAj7PMOHcI_BKdi-DxjTi-5oO8myo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "ocetacea.net"
  },
  "status": "pending",
  "expires": "2021-10-16T23:08:46Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38547876510/VC8Seg",
      "token": "DtiNdr-elZIj8K7E9MTEQeFyaO5Kz38RAq8ucxzpXb8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38547876510/J2FNCA",
      "token": "DtiNdr-elZIj8K7E9MTEQeFyaO5Kz38RAq8ucxzpXb8"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38547876510/s2yQNA",
      "token": "DtiNdr-elZIj8K7E9MTEQeFyaO5Kz38RAq8ucxzpXb8"
    }
  ]
}

2021-10-10 06:48:20,954:DEBUG:acme.client:Storing nonce: 00015-Ig8NWCUo_vKfZAj7PMOHcI_BKdi-DxjTi-5oO8myo
2021-10-10 06:48:20,955:DEBUG:acme.client:JWS payload:
b''
2021-10-10 06:48:20,958:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/38549211240:
2021-10-10 06:48:21,066:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/38549211240 HTTP/1.1" 200 797
2021-10-10 06:48:21,067:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 10 Oct 2021 12:48:21 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 233054570
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001T1aFASXg3j9SkB4eqKEMegsgAk3ZExjUE9S06ig6S9Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.ocetacea.net"
  },
  "status": "pending",
  "expires": "2021-10-16T23:14:54Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38549211240/B17PhQ",
      "token": "dO6JzfiZ5J3JuJw1qDJRiGDLVzpdj4N7JoTI9Z9NAIs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38549211240/0yao8w",
      "token": "dO6JzfiZ5J3JuJw1qDJRiGDLVzpdj4N7JoTI9Z9NAIs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/38549211240/BjXIxA",
      "token": "dO6JzfiZ5J3JuJw1qDJRiGDLVzpdj4N7JoTI9Z9NAIs"
    }
  ]
}
2021-10-10 06:48:21,067:DEBUG:acme.client:Storing nonce: 0001T1aFASXg3j9SkB4eqKEMegsgAk3ZExjUE9S06ig6S9Y
2021-10-10 06:48:21,068:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-10-10 06:48:21,068:INFO:certbot._internal.auth_handler:http-01 challenge for ocetacea.net
2021-10-10 06:48:21,069:INFO:certbot._internal.auth_handler:http-01 challenge for www.ocetacea.net
2021-10-10 06:48:21,270:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py", line 2532, in perform
    http_response = http_doer.perform()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 76, in perform
    self._mod_config()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 116, in _mod_config
    selected_vhosts += self._relevant_vhosts()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 166, in _relevant_vhosts
    raise errors.PluginError(
certbot.errors.PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

2021-10-10 06:48:21,271:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-10-10 06:48:21,271:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-10-10 06:48:21,882:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.20.0', 'console_scripts', 'certbot')())
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 1287, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 454, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 384, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 434, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py", line 2532, in perform
    http_response = http_doer.perform()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 76, in perform
    self._mod_config()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 116, in _mod_config
    selected_vhosts += self._relevant_vhosts()
  File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/http_01.py", line 166, in _relevant_vhosts
    raise errors.PluginError(
certbot.errors.PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
2021-10-10 06:48:22,184:ERROR:certbot._internal.log:Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
2021-10-10 06:48:22,184:ERROR:certbot._internal.log:Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

I'm quite comfortable with the command-line so don't be shy with command-line suggestions.

Thank you,
P James Norris

That VirtualHost section misses a port option. As certbot will use an HTTP virtualhost to generate an HTTPS virtualhost for port 443, it requires the "source" virtualhost to be defined with a port 80 definition. Otherwise both virtualhosts would not be distinct from each other.

You'd probably need to change the above VirtualHost to:

<VirtualHost 192.168.0.15:80 63.228.176.120:80>

Although one might argue if those IP addresses are really necessary? Doesn't <VirtualHost *:80> work or do you actually need IP based virtualhosts? (Compared to name based virtualhosts..) I also don't know if certbot handles VirtualHosts sections with two IP address:port combinations well.

See core - Apache HTTP Server Version 2.4 for more info.

Osiris,

Thanks for the quick reply, but I'm afraid your suggestion didn't fix my problem.

I set up my vhost as per https://httpd.apache.org/docs/2.4/vhosts/examples.html#intraextra because, as I said in my posting, my router doesn't allow for NAT reflection so I run under a VPN (Global Protect) so that I can access my website from my computers from my internal network.

Thanks,
P James Norris

In this case, then, I would switch from using
--apache
to using
certonly --webroot -w /Library/WebServer/Documents/

For several reasons:

  • Mac Catalina
  • Missing :80

rg305,

Thanks. I executed

sudo certbot certonly --webroot -w /Library/WebServer/Documents/

and the output was

Saving debug log to /usr/local/etc/certbot/logs/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.ocetacea.net         
Requesting a certificate for www.ocetacea.net

Successfully received certificate.
Certificate is saved at: /usr/local/etc/certbot/certs/live/www.ocetacea.net/fullchain.pem
Key is saved at:         /usr/local/etc/certbot/certs/live/www.ocetacea.net/privkey.pem
This certificate expires on 2022-01-08.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To install my certificate, I did a google search for certbot install certificate Mac catalina and found https://certbot.eff.org/lets-encrypt/osx-other.html, but it's a little vague on how to actually install the certificate, saying only

5. Install your certificate
You'll need to install your new certificate in the configuration file for your webserver.

Can you offer a few words of guidance on how to install my certificate now that it's been created? Again, so you don't have to scroll-up to find this information:

My web server is (include version): Apache/2.4.48 (Unix)

The operating system my web server runs on is (include version): Mac Catalina 10.15.7

My hosting provider, if applicable, is: self-serving on a Mac mini (Late 2012)

Thank you!
P James Norris

Before you go on to the next step.
Please go back and issue a cert to cover both names used in the vhost config file:

sudo certbot certonly --webroot -w /Library/WebServer/Documents/ -d www.ocetacea.net -d ocetacea.net

[if it prompts you, "replace" the current cert]


Based on this vhost section:

I would try something like this:

<VirtualHost *:443>
    ServerAdmin pjamesnorris25@gmail.com
    DocumentRoot "/Library/WebServer/Documents/"
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
    ErrorLog "/private/var/log/apache2/ocetacea.net-error_log"
    CustomLog "/private/var/log/apache2/ocetacea.netaccess_log" common
    SSLEngine On
    SSLCertificateFile    /usr/local/etc/certbot/certs/live/www.ocetacea.net/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/certbot/certs/live/www.ocetacea.net/privkey.pem
</VirtualHost>

rg305,

Thanks for all your help...thus far, but things still appear not to be working after executing:

sudo certbot certonly --webroot -w /Library/WebServer/Documents/ -d www.ocetacea.net -d ocetacea.net

which returned:

Saving debug log to /usr/local/etc/certbot/logs/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /usr/local/etc/certbot/certs/renewal/www.ocetacea.net.conf)

It contains these names: www.ocetacea.net

You requested these names for the new certificate: www.ocetacea.net,
ocetacea.net.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for www.ocetacea.net and ocetacea.net

Successfully received certificate.
Certificate is saved at: /usr/local/etc/certbot/certs/live/www.ocetacea.net/fullchain.pem
Key is saved at:         /usr/local/etc/certbot/certs/live/www.ocetacea.net/privkey.pem
This certificate expires on 2022-01-10.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

which indicates everything worked on certbot's end.

But after adding the vhost stanza you suggested (as opposed to modifying my existing stanza), i.e. my httpd-vhosts.conf now looks like:

# Virtual Hosts
#                                                                                                             
# Required modules: mod_log_config                                                                            

# If you want to maintain multiple domains/hostnames on your                                                  
# machine you can setup VirtualHost containers for them. Most configurations                                  
# use only name-based virtual hosts so the server doesn't need to worry about                                 
# IP addresses. This is indicated by the asterisks in the directives below.                                   
#                                                                                                             
# Please see the documentation at                                                                             
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>                                                              
# for further details before you try to setup virtual hosts.                                                  
#                                                                                                             
# You may use the command line option '-S' to verify your virtual host                                        
# configuration.                                                                                              

#                                                                                                             
# VirtualHost example:                                                                                        
# Almost any Apache directive may go into a VirtualHost container.                                            
# The first VirtualHost section is used for all requests that do not                                          
# match a ServerName or ServerAlias in any <VirtualHost> block.                                               

Listen 80

<VirtualHost 192.168.0.15:80 63.228.176.120:80>
    ServerAdmin pjamesnorris25@gmail.com
    DocumentRoot "/Library/WebServer/Documents/"
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
    ErrorLog "/private/var/log/apache2/ocetacea.net-error_log"
    CustomLog "/private/var/log/apache2/ocetacea.netaccess_log" common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin pjamesnorris25@gmail.com
    DocumentRoot "/Library/WebServer/Documents/"
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
    ErrorLog "/private/var/log/apache2/ocetacea.net-error_log"
    CustomLog "/private/var/log/apache2/ocetacea.netaccess_log" common
    SSLEngine On
    SSLCertificateFile    /usr/local/etc/certbot/certs/live/www.ocetacea.net/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/certbot/certs/live/www.ocetacea.net/privkey.pem
</VirtualHost>

(I tried commenting out the Listen 80 and the first stanza to no avail.)

I continue to receive an error in Safari (and all the others I have installed on my machine: Firefox, Chrome, Opera, and MS Edge) to the effect of:

This site can’t be reached
www.ocetacea.net refused to connect.

Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
Check your internet connection.
Check any cables and reboot any routers, modems, or other network devices you may be using.

I have confirmed that I am port forwarding on my modem correctly (just as I always have in the past when "things" worked as they should):

Can you give me some words of wisdom?

Have a care,
P James Norris

Let's check and see if the web service is running on both ports (80 and 443), with:
netstat -pant | grep -i listen

rg305,

Is it possible that you fat-fingered the "-" and the "p" and meant to type simply

netstat -ant | grep -i listen

because what you typed results in:

netstat: ant: unknown or uninstrumented protocol

On the other hand,

netstat -ant | grep -i listen

results in:

tcp46      0      0  *.8080                 *.*                    LISTEN     
tcp4       0      0  192.168.0.15.80        *.*                    LISTEN     
tcp4       0      0  127.0.0.1.4767         *.*                    LISTEN     
tcp4       0      0  *.88                   *.*                    LISTEN     
tcp6       0      0  *.88                   *.*                    LISTEN     
tcp4       0      0  *.548                  *.*                    LISTEN     
tcp6       0      0  *.548                  *.*                    LISTEN     
tcp4       0      0  *.445                  *.*                    LISTEN     
tcp6       0      0  *.445                  *.*                    LISTEN     
tcp4       0      0  *.22                   *.*                    LISTEN     
tcp6       0      0  *.22                   *.*                    LISTEN     
22557b7a5a642a87 stream      0      0 22557b7a5ab1e6f7                0                0                0 /private/tmp/com.apple.launchd.aysCC5WCqN/Listeners

which seems to indicate that my machine 192.168.0.15 is not listening to port 443 (but is listening to port 80).

I also tried:

nc -vz 192.168.0.15 443

and the result was:

nc: connectx to 192.168.0.15 port 443 (tcp) failed: Connection refused

Just for fun, I turned off my firewall, but I still cannot securely connect to my homepage https://www.ocetacea.net/pjamesnorris/

Any more words of wisdom?

Thank you,
P James Norris

No, I use that just fine:

netstat -pant | grep -i listen
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      21442/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      17115/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      993/nginx: master p
tcp6       0      0 :::81                   :::*                    LISTEN      78265/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      17115/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      993/nginx: master p

Are you able to manage the Apache server?
If so, try maybe including "Listen 443" in the server block I provided.
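
An added example, not part of the thread and not certbot's own vhost-matching logic: a small Python check for the two configuration problems diagnosed above, a `<VirtualHost>` address with no explicit port and a vhost port that has no matching `Listen` directive. The sample configuration is constructed from the stanzas quoted in the thread; the function names and finding codes are hypothetical, and `Listen` is matched by port only.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
LISTEN = re.compile(r"^\s*Listen\s+(\S+)", re.I)
NAMES = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.I)
ADDR = re.compile(r"^(\[[^\]]+\]|[^:\[\]]+)(?::(\d+))?$")

# Constructed sample: the shape of the config discussed in the thread
# (a vhost without a port, and a *:443 vhost with only "Listen 80").
SAMPLE_CONF = """\
Listen 80

<VirtualHost 192.168.0.15 63.228.176.120>
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
</VirtualHost>

<VirtualHost *:443>
    ServerName ocetacea.net
    ServerAlias www.ocetacea.net
    SSLEngine On
</VirtualHost>
"""

# The same config with both problems corrected.
FIXED_CONF = (SAMPLE_CONF
              .replace("Listen 80", "Listen 80\nListen 443")
              .replace("192.168.0.15 63.228.176.120",
                       "192.168.0.15:80 63.228.176.120:80"))


def split_port(addr):
    """Split 'host:port', '[v6]:port', 'host' or a bare port into (host, port)."""
    if addr.isdigit():                       # e.g. "Listen 80"
        return "*", int(addr)
    m = ADDR.match(addr)
    if not m:                                # e.g. "*:*" (wildcard port)
        return addr, None
    host, port = m.groups()
    return host, int(port) if port else None


def parse_conf(text):
    """Return (set of Listen ports, list of vhost dicts) from config text."""
    listen_ports, vhosts, current = set(), [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):     # Apache comments are whole lines
            continue
        # Listen is only valid at server level, outside <VirtualHost>.
        if (m := LISTEN.match(raw)) and current is None:
            port = split_port(m.group(1))[1]
            if port is not None:
                listen_ports.add(port)
        elif m := VHOST_OPEN.match(raw):
            addrs = [split_port(a) for a in m.group(1).split()]
            current = {"line": lineno, "addrs": addrs, "names": set()}
        elif VHOST_CLOSE.match(raw) and current:
            vhosts.append(current)
            current = None
        elif current is not None and (m := NAMES.match(raw)):
            # Drop an optional ":port" suffix on ServerName.
            current["names"].update(n.split(":")[0].lower()
                                    for n in m.group(1).split())
    return listen_ports, vhosts


def audit(text, domains):
    """Return findings as tuples; an empty list means nothing was flagged."""
    listen_ports, vhosts = parse_conf(text)
    findings = []
    for vh in vhosts:
        for host, port in vh["addrs"]:
            if port is None:
                findings.append(("NO_PORT", vh["line"], host))
            elif port not in listen_ports:
                findings.append(("NO_LISTEN", vh["line"], port))
    for domain in domains:
        served_on_80 = any(
            domain.lower() in vh["names"]
            and any(port == 80 for _, port in vh["addrs"])
            for vh in vhosts)
        if not served_on_80:
            findings.append(("NO_HTTP_VHOST", domain))
    return findings


if __name__ == "__main__":
    names = ["ocetacea.net", "www.ocetacea.net"]
    for label, conf in (("before", SAMPLE_CONF), ("after", FIXED_CONF)):
        print(label, audit(conf, names) or "no findings")
```

Feed it the concatenation of every file Apache actually loads, since `Listen` often lives in `httpd.conf` rather than in the vhosts file; wildcard `ServerAlias` patterns are not expanded.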
