Unable to find an SSLCertificateFile directive

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 8 domains + www. for each: cloverpatch.org.uk communitygroat.co.uk communitygroat.org.uk devotoo.org.uk dominame.net hereticus-economicus.info jeffgordon.me.uk mikegoodman.uk osspix.co.uk

I ran this command: certbot --apache

It produced this output: Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloverpatch.org.uk
http-01 challenge for dominame.net
http-01 challenge for hereticus-economicus.info
http-01 challenge for osspix.co.uk
http-01 challenge for www.cloverpatch.org.uk
http-01 challenge for www.dominame.net
http-01 challenge for www.hereticus-economicus.info
http-01 challenge for www.osspix.co.uk
http-01 challenge for communitygroat.co.uk
http-01 challenge for communitygroat.org.uk
http-01 challenge for devotoo.org.uk
http-01 challenge for jeffgordon.me.uk
http-01 challenge for mikegoodman.uk
http-01 challenge for www.communitygroat.co.uk
http-01 challenge for www.communitygroat.org.uk
http-01 challenge for www.devotoo.org.uk
http-01 challenge for www.jeffgordon.me.uk
http-01 challenge for www.mikegoodman.uk
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf
Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified
Unable to find an SSLCertificateFile directive

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
    Your cert will expire on 2020-08-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

My web server is (include version): apache 2.4.43.1

The operating system my web server runs on is (include version): Arch 5.6.13-arch1-1

My hosting provider, if applicable, is: rented dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.4.0

“Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified” - I don’t know how to fix this and uncommenting the modules and include command in /etc/httpd/conf/httpd.conf as directed in the Arch Wiki Apache page means I cannot restart the httpd.service without switching it all back again.
It seems I’m caught in a circular trap because reading all the docs I could find and several web searches have not helped.

TIA

Mike

Please show the file:
/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf

~]$ cat /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf

Thanks for the question, rg305. I’d better explain things more clearly. :slight_smile:

cat: /etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf: No such file or directory

As it says in the certbot error message in my OP,

Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/vhosts/communitygroat.co.uk-le-ssl.conf/IfModule/VirtualHost. *VirtualHost was not modified*

In fact none of the files were modified. How is a SSLCertificateFile directive inserted? Is that a Certbot or Apache function? My understanding from reading the docs was that the Apache plugin run with the --apache flag would add the https vhost working from the standard http version.

I have never seen vhosts built or modified directly by a script so really not sure what to expect. It’s also my first time using Arch as a web server, although I’ve been running Arch on desktop and laptop for years.

In case it helps, here are the contents of /etc/httpd/conf/vhosts/communitygroat.co.uk:

    <VirtualHost *:80>
    ServerAdmin webmaster@communitygroat.co.uk
    DocumentRoot "/srv/http/communitygroat.co.uk/public"
    ServerName communitygroat.co.uk
    ServerAlias www.communitygroat.co.uk
    ErrorLog "/var/log/httpd/communitygroat.co.uk-error_log"
    CustomLog "/var/log/httpd/communitygroat.co.uk-access_log" common

    <Directory "/srv/http/communitygroat.co.uk">
        AllowOverride All
        Require all granted
    </Directory>

</VirtualHost>

Please show:
find /etc/httpd -name communitygroat*

To answer some of your questions…

Generally by certbot; as the TLS enabled vhost config doesn’t yet exist and is created by certbot.
[which may be where things went wrong - I believe it tried and failed somewhere in that process]

The problem may have arisen from a corrupt HTTP vhost config.
Apache is notorious for running at all cost and will generally overlook things that would stop a horse.
So, if you could, please post the entire file using three backticks before and after your text.
[presumably /etc/httpd/conf/vhosts/communitygroat.co.uk.conf]

Example:
```
Lots of text goes here
and here
and also here
```

Hi Rudy, thanks for coming back to me, shows real patience! :slight_smile: I too expected communitygroat.co.uk.conf as a vhost file but the Arch Wiki example has the .conf missing both in the /conf/vhosts/ directory and in the /conf/httpd.conf vhosts list. Could that be the problem? It would be a very simple matter to fix.
Here it is exactly as in /etc/httpd/conf/vhosts/ and, apart from the fqdn, repeated on each vhost in the vhosts directory:

<VirtualHost *:80>
ServerAdmin webmaster@communitygroat.co.uk
DocumentRoot “/srv/http/communitygroat.co.uk/public”
ServerName communitygroat.co.uk
ServerAlias www.communitygroat.co.uk
ErrorLog “/var/log/httpd/communitygroat.co.uk-error_log”
CustomLog “/var/log/httpd/communitygroat.co.uk-access_log” common

<Directory "/srv/http/communitygroat.co.uk">
    AllowOverride All
    Require all granted
</Directory>
</vhost>

Sorry, I missed the closing vhost tag in the example above but it was copied and pasted directly from the server, as was this example.

Thanks,

Mike

I tried adding the .conf to the end of each file but it made no difference - same error message at the end of the same process.

Is that like that or like this:
</virtualhost>

It is important that the tag be there and spelled correctly.

</VirtualHost>

Sorry, I typed that bit because I missed it with the copy. This is a proper copy.

OK that all seems normal.
then…
Let’s begin at the beginning:
certbot certificates
apachectl -S

~]# apachectl -S
[Sun May 17 15:05:52.391184 2020] [so:warn] [pid 16961] AH01574: module mpm_prefork_module is already loaded, skipping
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server cloverpatch.org.uk (/etc/httpd/conf/vhosts/cloverpatch.org.uk.conf:1)
         port 80 namevhost cloverpatch.org.uk (/etc/httpd/conf/vhosts/cloverpatch.org.uk.conf:1)
                 alias www.cloverpatch.org.uk
         port 80 namevhost communitygroat.co.uk (/etc/httpd/conf/vhosts/communitygroat.co.uk.conf:1)
                 alias www.communitygroat.co.uk
         port 80 namevhost communitygroat.org.uk (/etc/httpd/conf/vhosts/communitygroat.org.uk.conf:1)
                 alias www.communitygroat.org.uk
         port 80 namevhost devotoo.org.uk (/etc/httpd/conf/vhosts/devotoo.org.uk.conf:1)
                 alias www.devotoo.org.uk
         port 80 namevhost dominame.net (/etc/httpd/conf/vhosts/dominame.net.conf:1)
                 alias www.dominame.net
         port 80 namevhost jeffgordon.me.uk (/etc/httpd/conf/vhosts/jeffgordon.me.uk.conf:1)
                 alias www.jeffgordon.me.uk
         port 80 namevhost hereticus-economicus.info (/etc/httpd/conf/vhosts/hereticus-economicus.info.conf:1)
                 alias www.hereticus-economicus.info
         port 80 namevhost mikegoodman.uk (/etc/httpd/conf/vhosts/mikegoodman.uk.conf:1)
                 alias www.mikegoodman.uk
         port 80 namevhost osspix.co.uk (/etc/httpd/conf/vhosts/osspix.co.uk.conf:1)
                 alias www.osspix.co.uk
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/srv/http"
Main ErrorLog: "/var/log/httpd/error_log"
Mutex rewrite-map: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="http" id=33
Group: name="http" id=33

I left the .conf on the end of each after trying it out.

Noted:

Now please:
certbot certificates

~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: communitygroat.co.uk
    Serial Number: 372eca1d5095b78a40decd807b2154c7636
    Domains: communitygroat.co.uk cloverpatch.org.uk communitygroat.org.uk devotoo.org.uk dominame.net hereticus-economicus.info jeffgordon.me.uk mikegoodman.uk osspix.co.uk www.cloverpatch.org.uk www.communitygroat.co.uk www.communitygroat.org.uk www.devotoo.org.uk www.dominame.net www.hereticus-economicus.info www.jeffgordon.me.uk www.mikegoodman.uk www.osspix.co.uk
    Expiry Date: 2020-08-14 17:14:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Wow!
So there is ONE certificate with all those names on it.
OK.
Noted.

Now let’s have a look at the renewal file for communitygroat
We can find it in the folder /etc/letsencrypt/renewal/
[if there are two, let’s see the .co not the .org]

~]# tail /var/log/letsencrypt/letsencrypt.log
2020-05-17 15:13:20,851:DEBUG:certbot._internal.main:certbot version: 1.4.0
2020-05-17 15:13:20,852:DEBUG:certbot._internal.main:Arguments: []
2020-05-17 15:13:20,852:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-17 15:13:20,860:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-17 15:13:20,860:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-05-17 15:13:20,864:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-05-17 15:13:21,015:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
2020-05-17 15:13:21,016:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/communitygroat.co.uk/cert.pem is signed by the certificate's issuer.
2020-05-17 15:13:21,018:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/communitygroat.co.uk/cert.pem is: OCSPCertStatus.GOOD

Thought it may be helpful. I can’t see anything in there though.

that’s all fine.
I need:
ls -l /etc/letsencrypt/renewal/
cat the file for communitygroat.co.uk

~]# ls -l /etc/letsencrypt/renewal/
total 4
-rw-r--r-- 1 root root 558 May 16 20:14 communitygroat.co.uk.conf

Do you mean the file in vhosts?

I don’t understand how that can fix this problem.

The problem (so far) seems to be that you are trying to have certbot create a single vhost config file for all those domains - but it should be nine different vhost config files.

No; we have seen that vhost config file already.
Please show:
cat /etc/letsencrypt/renewal/communitygroat.co.uk.conf

It would be simple, if long winded, to create separate files. Instead I simply read the docs and ran certbot --apache after installing certbot-apache as a plugin. I have used certbot with one cert on multiple domains on mail servers before but that was mostly on Debian, Stretch and Buster (9 and 10).

Do you want me to continue helping or are you going to follow other sources?
[a simple YES or NO will do]

~]# cat /etc/letsencrypt/renewal/communitygroat.co.uk.conf
# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/communitygroat.co.uk
cert = /etc/letsencrypt/live/communitygroat.co.uk/cert.pem
privkey = /etc/letsencrypt/live/communitygroat.co.uk/privkey.pem
chain = /etc/letsencrypt/live/communitygroat.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/communitygroat.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 2fb3803ccd9939047524cc37d8be8e40
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

Please continue. I just thought of what the Arch Wiki was saying to show how I got to this place and add clarification if possible, not to confuse or to offend.