Unable to find an SSLCertificateFile directive

mike-uk · May 16, 2020, 7:00pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 8 domains + www. for each: cloverpatch.org.uk communitygroat.co.uk communitygroat.org.uk devotoo.org.uk dominame.net hereticus-economicus.info jeffgordon.me.uk mikegoodman.uk osspix.co.uk

I ran this command: certbot --apache

It produced this output: Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloverpatch.org.uk
http-01 challenge for dominame.net
http-01 challenge for hereticus-economicus.info
http-01 challenge for osspix.co.uk
http-01 challenge for www.cloverpatch.org.uk
http-01 challenge for www.dominame.net
http-01 challenge for www.hereticus-economicus.info
http-01 challenge for www.osspix.co.uk
http-01 challenge for communitygroat.co.uk
http-01 challenge for communitygroat.org.uk
http-01 challenge for devotoo.org.uk
http-01 challenge for jeffgordon.me.uk
http-01 challenge for mikegoodman.uk
http-01 challenge for www.communitygroat.co.uk
http-01 challenge for www.communitygroat.org.uk
http-01 challenge for www.devotoo.org.uk
http-01 challenge for www.jeffgordon.me.uk
http-01 challenge for www.mikegoodman.uk
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf
Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified
Unable to find an SSLCertificateFile directive

IMPORTANT NOTES:

Unable to install the certificate
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
Your cert will expire on 2020-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”

My web server is (include version): apache 2.4.43.1

The operating system my web server runs on is (include version): Arch 5.6.13-arch1-1

My hosting provider, if applicable, is: rented dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.4.0

“Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified” - I don’t know how to fix this and uncommenting the modules and include command in /etc/httpd/conf/httpd.conf as directed in the Arch Wiki Apache page means I cannot restart the httpd.service without switching it all back again.
It seems I’m caught in a circular trap because reading all the docs I could find and several web searches have not helped.

TIA

Mike

rg305 · May 17, 2020, 3:17am

Please show the file:
/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf

mike-uk · May 17, 2020, 12:14pm

~]$ cat /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf

Thanks for the question, rg305. I’d better explain things more clearly.

cat: /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf: No such file or directory

As it says in the certbot error message in my OP,

Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. *VirtualHost was not modified*

In fact none of the files were modified. How is a SSLCertificateFile directive inserted? Is that a Certbot or Apache function? My understanding from reading the docs was that the Apache plugin run with the --apache flag would add the https vhost working from the standard http version.

I have never seen vhosts built or modified directly by a script so really not sure what to expect. It’s also my first time using Arch as a web server, although I’ve been running Arch on desktop and laptop for years.

In case it helps, here are the contents of /etc/httpd/conf/vhosts/communitygroat.co.uk:

    <VirtualHost *:80>
    ServerAdmin webmaster@communitygroat.co.uk
    DocumentRoot "/srv/http/communitygroat.co.uk/public"
    ServerName communitygroat.co.uk
    ServerAlias www.communitygroat.co.uk
    ErrorLog "/var/log/httpd/communitygroat.co.uk-error_log"
    CustomLog "/var/log/httpd/communitygroat.co.uk-access_log" common

    <Directory "/srv/http/communitygroat.co.uk">
        AllowOverride All
        Require all granted
    </Directory>

</VirtualHost>

rg305 · May 17, 2020, 10:57am

Please show:
find /etc/httpd -name communitygroat*

To answer some of your questions…

Generally by certbot; as the TLS enabled vhost config doesn’t yet exist and is created by certbot.
[which may be where things went wrong - I believe it tried and failed somewhere in that process]

The problem may have arisen from a corrupt HTTP vhost config.
Apache is notorious for running at all cost and will generally overlook things that would stop a horse.
So, if you could, please post the entire file using three backticks before and after your text.
[presumably /etc/httpd/conf/vhosts/communitygroat.co.uk.conf]

Example:
```
Lots of text goes here
and here
and also here
```

mike-uk · May 17, 2020, 12:38pm

Hi Rudy, thanks for coming back to me, shows real patience! I too expected communitygroat.co.uk.conf as a vhost file but the Arch Wiki example has the .conf missing both in the /conf/vhosts/ directory and in the /conf/httpd.conf vhosts list. Could that be the problem? It would be a very simple matter to fix.
Here it is exactly as in /etc/httpd/conf/vhosts/ and, apart from the fqdn, repeated on each vhost in the vhosts directory:

<VirtualHost *:80>
ServerAdmin webmaster@communitygroat.co.uk
DocumentRoot “/srv/http/communitygroat.co.uk/public”
ServerName communitygroat.co.uk
ServerAlias www.communitygroat.co.uk
ErrorLog “/var/log/httpd/communitygroat.co.uk-error_log”
CustomLog “/var/log/httpd/communitygroat.co.uk-access_log” common

<Directory "/srv/http/communitygroat.co.uk">
    AllowOverride All
    Require all granted
</Directory>
</vhost>

Sorry, I missed the closing vhost tag in the example above but it was copied and pasted directly from the server, as was this example.

Thanks,

Mike

I tried adding the .conf to the end of each file but it made no difference - same error message at the end of the same process.

rg305 · May 17, 2020, 12:41pm

Is that like that or like this:
</virtualhost>

It is important that the tag be there and spelled correctly.

mike-uk · May 17, 2020, 12:56pm

</VirtualHost>

Sorry, I typed that bit because I missed it with the copy. This is a proper copy.

rg305 · May 17, 2020, 1:12pm

OK that all seems normal.
then…
Let’s begin at the beginning:
certbot certificates
apachectl -S

mike-uk · May 17, 2020, 1:09pm

~]# apachectl -S
[Sun May 17 15:05:52.391184 2020] [so:warn] [pid 16961] AH01574: module mpm_prefork_module is already loaded, skipping
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server cloverpatch.org.uk (/etc/httpd/conf/vhosts/cloverpatch.org.uk.conf:1)
         port 80 namevhost cloverpatch.org.uk (/etc/httpd/conf/vhosts/cloverpatch.org.uk.conf:1)
                 alias www.cloverpatch.org.uk
         port 80 namevhost communitygroat.co.uk (/etc/httpd/conf/vhosts/communitygroat.co.uk.conf:1)
                 alias www.communitygroat.co.uk
         port 80 namevhost communitygroat.org.uk (/etc/httpd/conf/vhosts/communitygroat.org.uk.conf:1)
                 alias www.communitygroat.org.uk
         port 80 namevhost devotoo.org.uk (/etc/httpd/conf/vhosts/devotoo.org.uk.conf:1)
                 alias www.devotoo.org.uk
         port 80 namevhost dominame.net (/etc/httpd/conf/vhosts/dominame.net.conf:1)
                 alias www.dominame.net
         port 80 namevhost jeffgordon.me.uk (/etc/httpd/conf/vhosts/jeffgordon.me.uk.conf:1)
                 alias www.jeffgordon.me.uk
         port 80 namevhost hereticus-economicus.info (/etc/httpd/conf/vhosts/hereticus-economicus.info.conf:1)
                 alias www.hereticus-economicus.info
         port 80 namevhost mikegoodman.uk (/etc/httpd/conf/vhosts/mikegoodman.uk.conf:1)
                 alias www.mikegoodman.uk
         port 80 namevhost osspix.co.uk (/etc/httpd/conf/vhosts/osspix.co.uk.conf:1)
                 alias www.osspix.co.uk
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/srv/http"
Main ErrorLog: "/var/log/httpd/error_log"
Mutex rewrite-map: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="http" id=33
Group: name="http" id=33

I left the .conf on the end of each after trying it out.

rg305 · May 17, 2020, 1:12pm

Noted:

Now please:
certbot certificates

mike-uk · May 17, 2020, 1:15pm

~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: communitygroat.co.uk
    Serial Number: 372eca1d5095b78a40decd807b2154c7636
    Domains: communitygroat.co.uk cloverpatch.org.uk communitygroat.org.uk devotoo.org.uk dominame.net hereticus-economicus.info jeffgordon.me.uk mikegoodman.uk osspix.co.uk www.cloverpatch.org.uk www.communitygroat.co.uk www.communitygroat.org.uk www.devotoo.org.uk www.dominame.net www.hereticus-economicus.info www.jeffgordon.me.uk www.mikegoodman.uk www.osspix.co.uk
    Expiry Date: 2020-08-14 17:14:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

rg305 · May 17, 2020, 1:19pm

Wow!
So there is ONE certificate with all those names on it.
OK.
Noted.

Now let’s have a look at the renewal file for communitygroat
We can find it in the folder /etc/letsencrypt/renewal/
[if there are two, let’s see the .co not the .org]

mike-uk · May 17, 2020, 1:19pm

~]# tail /var/log/letsencrypt/letsencrypt.log
2020-05-17 15:13:20,851:DEBUG:certbot._internal.main:certbot version: 1.4.0
2020-05-17 15:13:20,852:DEBUG:certbot._internal.main:Arguments: []
2020-05-17 15:13:20,852:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-17 15:13:20,860:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-17 15:13:20,860:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-05-17 15:13:20,864:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-05-17 15:13:21,015:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
2020-05-17 15:13:21,016:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/communitygroat.co.uk/cert.pem is signed by the certificate's issuer.
2020-05-17 15:13:21,018:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/communitygroat.co.uk/cert.pem is: OCSPCertStatus.GOOD

Thought it may be helpful. I can’t see anything in there though.

rg305 · May 17, 2020, 1:21pm

that’s all fine.
I need:
ls -l /etc/letsencrypt/renewal/
cat the file for communitygroat.co.uk

mike-uk · May 17, 2020, 1:25pm

~]# ls -l /etc/letsencrypt/renewal/
total 4
-rw-r--r-- 1 root root 558 May 16 20:14 communitygroat.co.uk.conf

Do you mean the file in vhosts?

rg305 · May 17, 2020, 1:29pm

I don’t understand how that can fix this problem.

The problem (so far) seems to be that you are trying to have certbot create a single vhost config file for all those domains - but it should be nine different vhost config files.

rg305 · May 17, 2020, 1:28pm

No; we have seen that vhost config file already.
Please show:
cat /etc/letsencrypt/renewal/communitygroat.co.uk.conf

mike-uk · May 17, 2020, 1:30pm

It would be simple, if long winded, to create separate files. Instead I simply read the docs and ran certbot --apache after installing certbot-apache as a plugin. I have used certbot with one cert on multiple domains on mail servers before but that was mostly on Debian, Stretch and Buster (9 and 10).

rg305 · May 17, 2020, 1:32pm

Do you want me to continue helping or are you going to follow other sources?
[a simple YES or NO will do]

mike-uk · May 17, 2020, 1:33pm

~]# cat /etc/letsencrypt/renewal/communitygroat.co.uk.conf
# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/communitygroat.co.uk
cert = /etc/letsencrypt/live/communitygroat.co.uk/cert.pem
privkey = /etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
chain = /etc/letsencrypt/live/communitygroat.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 2fb3803ccd9939047524cc37d8be8e40
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

Please continue. I just thought of what the Arch Wiki was saying to show how I got to this place and add clarification if possible, not to confuse or to offend.