Unable to find a virtual host listening on port 80 with two virtual hosts

Hi,
I have two virtual hosts running on the same machine on an Apache server behind NAT. Both have a Let's Encrypt certificate already and I'd like to renew as needed by running certbot renew.

As per the below output, www.thecampanileproject.org gets renewed without any issue, while www.toosla.me complains there is no virtual host on 8080.

output of apachectl -t -D DUMP_VHOSTS is:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server thecampanileproject.org (/.../sites-enabled/campanile-le-ssl.conf:2)
port 443 namevhost thecampanileproject.org (/.../sites-enabled/campanile-le-ssl.conf:2)
alias www.thecampanileproject.org
port 443 namevhost toosla.me (/.../sites-enabled/toosla-le-ssl.conf:2)
alias www.toosla.me
*:8080 is a NameVirtualHost
default server thecampanileproject.org (/.../sites-enabled/campanile.conf:4)
port 8080 namevhost thecampanileproject.org (/.../sites-enabled/campanile.conf:4)
alias www.thecampanileproject.org
port 8080 namevhost toosla.me (/.../sites-enabled/toosla.conf:4)
alias www.toosla.me

Both look identical to me, so what can the problem be? Note that if I move the toosla virtual host to port 80 I am able to renew.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.thecampanileproject.org
www.toosla.me

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.thecampanileproject.org.conf

Simulating renewal of an existing certificate for www.thecampanileproject.org

Processing /etc/letsencrypt/renewal/www.toosla.me.conf

Simulating renewal of an existing certificate for www.toosla.me
Failed to renew certificate www.toosla.me with error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

The following simulated renewals succeeded:
/etc/letsencrypt/live/www.thecampanileproject.org/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/www.toosla.me/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

8080 != 80.

Of course, but that's not the point. One works, the other does not. Of course both are NATted and the external port is 80.

Can you show the contents of /etc/letsencrypt/renewal/www.thecampanileproject.org.conf as well as /etc/letsencrypt/renewal/www.toosla.me.conf?

# renew_before_expiry = 30 days
version = 3.2.0
archive_dir = /etc/letsencrypt/archive/www.thecampanileproject.org
cert = /etc/letsencrypt/live/www.thecampanileproject.org/cert.pem
privkey = /etc/letsencrypt/live/www.thecampanileproject.org/privkey.pem
chain = /etc/letsencrypt/live/www.thecampanileproject.org/chain.pem
fullchain = /etc/letsencrypt/live/www.thecampanileproject.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 8bca605269b3fe4e71909d77bf5d9a86
http01_port = 8080
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

# renew_before_expiry = 30 days
version = 3.0.1
archive_dir = /etc/letsencrypt/archive/www.toosla.me
cert = /etc/letsencrypt/live/www.toosla.me/cert.pem
privkey = /etc/letsencrypt/live/www.toosla.me/privkey.pem
chain = /etc/letsencrypt/live/www.toosla.me/chain.pem
fullchain = /etc/letsencrypt/live/www.toosla.me/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 8bca605269b3fe4e71909d77bf5d9a86
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Apparently this option for the www.thecampanileproject.org cert makes it work. It's missing from the www.toosla.me cert.

You can add it using the --http-01-port option.
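An added check (not from the thread or from Certbot itself) that reproduces the diagnosis above: it reads each renewal file, takes http01_port from [renewalparams] (Certbot defaults to 80 when the key is absent), and compares it against the ports Apache reports in DUMP_VHOSTS. The two renewal configs and the vhost dump are constructed from the values quoted in the thread; the account id is a placeholder.

```python
import configparser
import re

# Constructed sample renewal configs mirroring the two files posted above.
# Certbot's renewal files put a few keys before the first section header,
# so a synthetic [main] header is prepended before handing them to configparser.
CAMPANILE_CONF = """\
version = 3.2.0
cert = /etc/letsencrypt/live/www.thecampanileproject.org/cert.pem

[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
http01_port = 8080
authenticator = apache
installer = apache
"""

TOOSLA_CONF = """\
version = 3.0.1
cert = /etc/letsencrypt/live/www.toosla.me/cert.pem

[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = apache
installer = apache
"""

# Constructed excerpt of the `apachectl -t -D DUMP_VHOSTS` output from the thread.
DUMP_VHOSTS = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
         port 443 namevhost thecampanileproject.org (/.../sites-enabled/campanile-le-ssl.conf:2)
*:8080 is a NameVirtualHost
         port 8080 namevhost thecampanileproject.org (/.../sites-enabled/campanile.conf:4)
         port 8080 namevhost toosla.me (/.../sites-enabled/toosla.conf:4)
"""

def http01_port(conf_text: str) -> int:
    """Port the apache authenticator will look for a vhost on (Certbot default: 80)."""
    parser = configparser.ConfigParser()
    parser.read_string("[main]\n" + conf_text)
    return parser.getint("renewalparams", "http01_port", fallback=80)

def listening_ports(dump: str) -> set:
    """Ports that appear as '*:PORT' or 'port PORT namevhost' in DUMP_VHOSTS output."""
    return {int(p) for p in re.findall(r"(?:^\*:|\bport )(\d+)\b", dump, re.M)}

def renewal_can_find_vhost(conf_text: str, dump: str) -> bool:
    """True when Apache has a vhost on the port Certbot will use for HTTP-01."""
    return http01_port(conf_text) in listening_ports(dump)
```

A renewal file that returns False here will fail with exactly the "Unable to find a virtual host listening on port 80" error until http01_port is set to a port Apache actually serves.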

That worked, thanks! Can I add it to the conf, or do I risk it being overwritten?

I think the option should be saved in the renewal configuration file when used to renew the cert.

You can check the file if it is present after renewal.

Yep, checked. It does not. I added it manually.