Unable to get certificate - Filemaker Server on Ubuntu 18.04

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fm.ecjgroup.com

I ran this command: sudo certbot certonly --apache

It produced this output:
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find apache executable apache2ctl')

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.28.0

After further research it appears that apache is not load on my server, and I need to do that before running the certificate request, but can I get a certificate for filemaker server, that is my end goal?

Elliot

Hi @ejolesch, and welcome to the LE community forum :slight_smile:

cerbot is unable to determine where apache lives.

You can either:

  • "teach" certbot where all the apache stuff is
    See:
    image

  • use --webroot authentication with certonly and then manually create the HTTPS server block.

Both methods would equally allow for automated certificate renewals.

9 Likes

You don't require Apache specifically. But Certbot does work the easiest when using an existing webserver, such as Apache or for example nginx. But this isn't required. Certbot can also function as a webserver itself by using the --standalone plugin. So no Apache or nginx required.

So could you perhaps explain a little bit more about your situation? Do you have a webserver such as Apache installed already?

Edit:
It seems your host fm.ecjgroup.com is indeed running an Apache webserver when surfing to it. It responds with some kind of placeholder with the text "FileMaker Database Server Website". So probably the piece of software "FileMaker" runs on Apache?

I don't have experience with "FileMaker", perhaps you can tell us more about it?

4 Likes

I see it there:

curl -Ii fm.ecjgroup.com
HTTP/1.1 200 OK
Date: Mon, 27 Jun 2022 22:39:37 GMT
Server: Apache
10 Likes

Osiris -

Thank you for your reply.

Filemaker is database software developed originally by Apple and then was separated as its own company known as Claris. The server software runs on several different O/Ss.

It currently supports Ubuntu 18.04 and they just announced support for 20.04.

I am running it on Ubuntu 18.04 and it comes with its own self-signed certificate but I want to update it to a CA certificate.

I am not clear about what command options I need to be running just to create the certificate? Once I have the certificate, I can load it using Filemaker Server.

Any information or suggestions for the command options would be helpful.

Thank you
Elliot

3 Likes

I'm not clear also. As I said, it seems there is an Apache running on your host, but the --apache plugin doesn't understand it. You might be able to use the --webroot method as mentioned earlier by Rudy, but without a clear understanding of your webserver setup we can't provide detailled advice.

2 Likes

rg305 -

Thank you for your information. will you explain the webroot authentication method? What or where is my webroot? If I understand it, it's a directory that Certbot must have access to. Are there requirements for that directory, can it be anywhere in my directory, or am I confused?

Thanks
Elliot

2 Likes

@ejolesch, the webroot idea is simple.
Use any existing web server to serve the challenge request.
All you have to do is point certbot to the correct directory.

In order to find that directory, and since you are using apache, I would start with the output of:
apachectl -t -D DUMP_VHOSTS
[but you might need to find it first; if so, do: find / -name apachectl]
[also, you may, or may not, have to run it using sudo (or su)]

From that output, we can find the file that is responsible for servicing the HTTP requests on fm.ecjgroup.com.

And within that file, we should be able to find the DocumentRoot used.

9 Likes

rg305 -

Thank you, I appreciate your guidance with this problem. It's unknown territory for me.

I ran the apachectl -t -D DUMP_VHOSTS and received the following response:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using fm.ecjgroup.com. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 fm.ecjgroup.com (/etc/apache2/sites-enabled/000-default.conf:1)

I also ran find / -name apachectl and the response was: /usr/bin/apachectl

1st, How do I set the 'ServerName' directive globally as it suggests?
2nd. Does this provide the information for the webroot or are there "next" steps.

Thank you
Elliot

1 Like

Can you show us the contents of this file?

Don't worry about the AH00558 warning message. It is common and won't affect what we are doing here.

8 Likes

Mike -
thank you.

Here is the contents of: /etc/apache2/sites-enabled/000-default.conf

root@fm:/home/ubuntu# more /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Elliot

Mike -

Also here is the ownership and security configuration of the file

lrwxrwxrwx 1 root root 35 Jun 28 14:56 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf

Does the security need to be changed?

Elliot

No.

There is no actual ServerName used in that file; It merely defers to the globally assigned name [bad practice].
You should clean that file up [like: removing all the comment lines] and ensure to correctly use the lines needed. Like: ServerName, DocumentRoot

7 Likes

rg305

Thank you.

I have edited the file and here is what the file looks like now:

<VirtualHost *:80>
        ServerName fm.ecjgroup.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

I assume I should change the ServerAdmin info too? Is that an email address?

Elliot

Yes - but it is not required [it's just being nice]

1 Like

What is the command you use to restart Apache? Based on your first post it looks different than normal. If you don't know, what instructions did you use to install Apache?

Or, try these commands and let us know which one works

sudo systemctl status apache2
sudo systemctl status httpd

The webroot authentication is probably best as Rudy suggested but we still need to know how to reload Apache after getting the certs.

8 Likes

MikeMcQ -

I tried both commands regarding starting apache and the httpd.service could not be found

for - apache2 I received the following error message

root@fm:/# sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Tue 2022-06-28 14:56:09 UTC; 1 day 14h ago

Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: AH00558: apache2: Could not reliably determine the server's fully qualifi
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: (98)Address already in use: AH00072: make_sock: could not bind to address
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: (98)Address already in use: AH00072: make_sock: could not bind to address
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: no listening sockets available, shutting down
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: AH00015: Unable to open logs
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: Action 'start' failed.
Jun 28 14:56:09 fm.ecjgroup.com apachectl[6545]: The Apache error log may have more information.
Jun 28 14:56:09 fm.ecjgroup.com systemd[1]: apache2.service: Control process exited, code=exited status=1
Jun 28 14:56:09 fm.ecjgroup.com systemd[1]: apache2.service: Failed with result 'exit-code'.
Jun 28 14:56:09 fm.ecjgroup.com systemd[1]: Failed to start The Apache HTTP Server.

However, if you go to the website fm.ecjgroup.com it does show the webserver is running.
Also, I am not sure how it gets started as it's part of the installation of filemaker server.

Filemaker Server is a database product by Claris (owned by Apple)

It comes with a self-signed certificate but I would like to update that to a letsencrypt certificate so I don't get any warnings when I connect to the website. Also, this server is only being used in a development setup now.

Elliot

1 Like

Please show the output of:
ps -ef | grep -i apache

7 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.