Unable to install certificate


#1

Hi,
A month ago I successfully installed a cert for a vhost.
certbot-auto added a VirtualHost listening to port 443 at bottom of httpd.conf
Today I could install a second cert for another vhost but this time a new file was created and
Include /etc/httpd/conf/httpd-le-ssl.conf
included at bottom of httpd.conf
This file contains the section of the second vhost listening to port 443.
My problem is with the third vhost. Cert and chain have been saved, but it could not be installed.
No vhost listening to port 443 was created.
These are the existing vhost directives:

<VirtualHost *:80>
SuexecUserGroup #629 #539
ServerName mail.mydomain.com
ServerAlias www.mail.mydomain.com
DocumentRoot /home/mail.mydomain.com/public_html
ErrorLog /var/log/virtualmin/mail.mydomain.com_error_log
CustomLog /var/log/virtualmin/mail.mydomain.com_access_log combined
ScriptAlias /cgi-bin/ /home/mail.mydomain.com/cgi-bin/
ScriptAlias /awstats/ /home/mail.mydomain.com/cgi-bin/
#DirectoryIndex index.html index.htm index.php index.php4 index.php5
DirectoryIndex index.php index.html index.html.var index.htm index.php4 index.php5
<Directory /home/mail.mydomain.com/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.6
AddHandler fcgid-script .php7.0
FCGIWrapper /home/mail.mydomain.com/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/mail.mydomain.com/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/mail.mydomain.com/fcgi-bin/php5.6.fcgi .php5.6
FCGIWrapper /home/mail.mydomain.com/fcgi-bin/php7.0.fcgi .php7.0
AddType application/x-httpd-php .php
</Directory>

<Directory /home/mail.mydomain.com/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

RewriteEngine on
# Recommended by seositecheckup.com
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*

RewriteRule .* - [F,L]

RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
RemoveHandler .php7.0
php_admin_value engine Off
#IPCCommTimeout 31
IPCCommTimeout 61

AuthName "mail.mydomain.com statistics"
AuthType Basic
AuthUserFile /home/mail.mydomain.com/.awstats-htpasswd
require valid-user

php_value memory_limit 32M
FcgidMaxRequestLen 1073741824
</VirtualHost>

CentOS 6.9


#2

Hi,

Here is one tutorial from the web:

You could also use the below link to find more about how to install a certificate on apache.
https://www.google.com/search?q=apache+install+ssl+certificate+centos+6.9

Thank you


#3

Hi,

My question is more about why certbot-auto worked the first two times and not the third.
Cert and chain have been saved.

Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
 - Unable to install the certificate

So I don’t realize why this time I have to manually install the certificate.
Thanks.


#4

I hope that logic will prevail and a solution will be found.


#5

Could you post your Apache configuration?


#6

Hi!
Do you mean global configuration?
I manually installed that certificate.
What I did was to

  • Copied the VirtualHost settings
  • pasted them in an included conf inside
  • Changed port to 443
  • Commented some Rewrite directives “because they have the potential to create redirection loops” in VS *:80
  • Deleted the same directives from VS *:80
  • Added to VS *:443
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
  • Added to VS *:80 something like
    RewriteCond %{SERVER_NAME} =domain.com [OR]
    RewriteCond %{SERVER_NAME} =www.domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
    to redirect http to https
  • Added to VS *:443 (if no subdomains)
    Header always set Strict-Transport-Security "max-age=31536000"
  • Restart httpd

Evaluation from www.ssllabs.com was grade A+


#7

Hi,

Are you using a control panel to manage your site? Specifically, virtualmin?

Thank you


#8

I mean all of the Apache configuration files before you manually installed the certificate (in order to understand why Certbot said it couldn’t reverse map the virtual host).


#9

Yes, Webmin-Virtualmin.
After I installed certbot I realized Webmin has a Let's Encrypt module.
Trying to manage certs from there was not possible because of the previous manual installation.


#10

The part of the VS is in my first post.

/ETC/HTTPD/CONF/HTTPD.CONF NON SPECIFIC VS SETTINGS

ServerTokens Prod
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 60
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 15

StartServers 16
MinSpareServers 5
MaxSpareServers 20
ServerLimit 350
MaxClients 350
MaxRequestsPerChild 500


StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0

Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
Include conf.d/*.conf
ExtendedStatus On
User apache
Group apache
ServerAdmin …
ServerName …com:80
UseCanonicalName Off
DocumentRoot "/var/www/html"

Options FollowSymLinks
AllowOverride None

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

DirectoryIndex index.php index.html index.html.var index.htm
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

TypesConfig /etc/mime.types
DefaultType text/plain

MIMEMagicFile conf/magic

HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %{mod_php_memory_usage}n" combineddebug
LogFormat "%h %l %u %t \"%r\" %>s %b %T %{mod_php_memory_usage}n" commondebug
CustomLog logs/access_log combined
ServerSignature Off
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>


DAVLockDB /var/lib/dav/lockdb

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddLanguage ca .ca


AddLanguage cs .cz .cs
LanguagePriority es en ca cs da de el eo et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
ForceLanguagePriority Prefer Fallback
AddEncoding gzip .svgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType image/svg+xml .svg .svgz
AddType x-font/otf .otf
AddType x-font/ttf .ttf
AddType x-font/eot .eot
AddType x-font/woff .woff
AddType image/x-icon .ico
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php .php3
AddType application/x-httpd-php-source .phps
Alias /error/ "/var/www/error/"

AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
TraceEnable Off

NameVirtualHost ip#:80
NameVirtualHost ip#:443
FcgidMaxRequestsPerProcess 500

Some virtual hosts like

#described in first post

AND SOME OTHER ON PORT 443


Include /etc/httpd/conf/httpd-le-ssl.conf


/ETC/HTTPD/CONF/HTTPD-LE-SSL.CONF

#some VS added by certbot-auto ...

/ETC/HTTPD/CONF.D/SSL.CONF

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


#11

I was hoping to see all of the configuration files that define virtual hosts of any kind.

I don’t believe there’s any logic in Certbot to do this. Instead it should always create -le-ssl.conf files in every situation.


#12

Hi,
I use Webmin/Virtualmin as a control panel.
I don’t know where those files are.
From the Apache module conf (sets defaults when creating virtual servers) I took a couple of screenshots:


That’s true. My first certificate auto installation was successful. As I said the new VS was created at the end of httpd.conf
I’m completerly sure of that because I keep a httpd.conf backup I saved before starting using certbot.
I was surprised when the second cert installation (also successful) was using an included -le-ssl.conf file.
The problem I faced up was with the third cert as I describe in my first post.


#13

Maybe you could try grep -r VirtualHost /etc/httpd to find relevant files.


#14
  • httpd.conf.BACK is an obvious file

  • httpd.conf:
    httpd.conf:</VirtualHost> several of them

  • /etc/httpd/conf/httpd.conf:<VirtualHost xxx.xxx.xxx.xxx:443>
    /etc/httpd/conf/httpd.conf: this is the one I told you, the first certbot…

Same as

  • /etc/httpd/conf/httpd-le-ssl.conf:<VirtualHost xxx.xxx.xxx.xxx:443>
    /etc/httpd/conf/httpd-le-ssl.conf:</VirtualHost>

  • /etc/httpd/conf.d/ssl.conf.rpmnew:<VirtualHost _default_:443>
    /etc/httpd/conf.d/ssl.conf.rpmnew:</VirtualHost>

  • /etc/httpd/conf/httpd-le-ssl.conf:<VirtualHost xxx.xxx.xxx.xxx:443>
    /etc/httpd/conf/httpd-le-ssl.conf:</VirtualHost> some of them

  • Some commented text like
    /etc/httpd/conf/httpd.conf:# <VirtualHost> definition. These values also provide defaults for…

  • /etc/httpd/conf/httpd.conf:NameVirtualHost xxx.xxx.xxx.xxx:80
    /etc/httpd/conf/httpd.conf:NameVirtualHost xxx.xxx.xxx.xxx:443

That’s it.


#15

When you use Certbot with certbot --apache, it normally assumes that you have separate existing virtual hosts that listen on port 80 and are configured with the names of your individual sites. It doesn't look like that's the case for your Apache configuration.

Possibly the way that Webmin is handling things is not particularly compatible with the way that you’re using Certbot.

I would suggest any of

  • Maintaining your Apache configuration entirely manually
  • Maintaining your Apache configuration using only Webmin’s Let’s Encrypt module
  • Not using Webmin at all
  • After configuring your services using Webmin, modifying them to ensure that every virtual host for which you plan to use Certbot to enable HTTPS is a separate virtual host in an entirely separate file
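
As an added example (not code from the thread, from certbot or from Virtualmin), the following Python script does by hand what posts #13 and #15 describe and what post #6 did manually: it reads every <VirtualHost> block from a set of config texts, pairs each ServerName/ServerAlias on :443 with a :80 vhost of the same name (the "reverse map" certbot could not find in post #3), lists names that are still HTTP-only, and checks a hand-built HTTPS vhost against the recipe in post #6 (cert, key and chain files, the options-ssl-apache.conf include, the HSTS header, and the http-to-https RewriteRule in the :80 vhost). The hostnames under .example.test, the certificate paths and the two config texts are constructed for the demo; on a real server you would read the files that grep -r VirtualHost /etc/httpd turns up.

```python
"""Audit an Apache vhost layout the way certbot --apache expects it.
Added example for this thread: pairs :443 names with :80 names and checks
a manually built HTTPS vhost. All hostnames and texts below are constructed."""
import re
from collections import defaultdict

# One VirtualHost block: address spec and body, spanning lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text, source="<inline>"):
    """Return one dict per VirtualHost: port, names, (key, value) directives."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        addr, body = m.group(1).strip(), m.group(2)
        pm = re.search(r":(\d+)\s*$", addr)     # "*:443", "1.2.3.4:80", "[::1]:443"
        port = pm.group(1) if pm else "80"       # "<VirtualHost *>" is treated as :80
        directives = []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
        names = set()
        for key, value in directives:
            if key.lower() == "servername":
                names.add(value.split("://")[-1].split(":")[0].lower())
            elif key.lower() == "serveralias":
                names.update(n.lower() for n in value.split())
        vhosts.append({"port": port, "names": names,
                       "directives": directives, "source": source})
    return vhosts


def pairing_report(vhosts):
    """Group vhosts by name. Returns (https_without_http, http_without_https, by_name).
    The first list is the condition behind certbot's message
    'Could not reverse map the HTTPS VirtualHost to the original'."""
    by_name = defaultdict(lambda: {"80": [], "443": []})
    for vh in vhosts:
        if vh["port"] in ("80", "443"):          # other ports play no part in the pairing
            for n in vh["names"]:
                by_name[n][vh["port"]].append(vh)
    unmapped = sorted(n for n, p in by_name.items() if p["443"] and not p["80"])
    http_only = sorted(n for n, p in by_name.items() if p["80"] and not p["443"])
    return unmapped, http_only, by_name


REQUIRED_443 = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def check_manual_install(vh80, vh443):
    """List what is missing from a hand-built :80/:443 pair (the post #6 recipe)."""
    problems = []
    keys443 = {k.lower() for k, _ in vh443["directives"]}
    for req in REQUIRED_443:
        if req.lower() not in keys443:
            problems.append(f"443 vhost missing {req}")
    includes = [v for k, v in vh443["directives"] if k.lower() == "include"]
    if not any(v.endswith("options-ssl-apache.conf") for v in includes):
        problems.append("443 vhost does not Include options-ssl-apache.conf (SSLEngine on)")
    if not any(k.lower() == "header" and "strict-transport-security" in v.lower()
               for k, v in vh443["directives"]):
        problems.append("443 vhost sends no Strict-Transport-Security header")
    rules = [v for k, v in vh80["directives"] if k.lower() == "rewriterule"]
    if not any("https://" in v for v in rules):
        problems.append("80 vhost has no RewriteRule redirecting to https://")
    return problems


def audit(conf_texts):
    """conf_texts: {filename: text}. Returns (unmapped, http_only, problems_by_name)."""
    vhosts = [vh for name, text in conf_texts.items() for vh in parse_vhosts(text, name)]
    unmapped, http_only, by_name = pairing_report(vhosts)
    problems = {n: check_manual_install(p["80"][0], p["443"][0])
                for n, p in by_name.items() if p["80"] and p["443"]}
    return unmapped, http_only, problems


# Constructed sample: httpd.conf with two :80 vhosts, one of them redirecting
# to https as in post #6, and an -le-ssl.conf with a matching :443 vhost plus
# an orphan :443 vhost that no :80 vhost names.
SAMPLE_HTTPD_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName mail.example.test
    ServerAlias www.mail.example.test
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.example.test [OR]
    RewriteCond %{SERVER_NAME} =www.mail.example.test
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.test
</VirtualHost>
"""
SAMPLE_LE_SSL_CONF = """\
<VirtualHost *:443>
    ServerName mail.example.test
    ServerAlias www.mail.example.test
    SSLCertificateFile /etc/letsencrypt/live/mail.example.test/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.test/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/mail.example.test/chain.pem
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
<VirtualHost *:443>
    ServerName old.example.test
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    u, h, p = audit({"httpd.conf": SAMPLE_HTTPD_CONF, "httpd-le-ssl.conf": SAMPLE_LE_SSL_CONF})
    print("HTTPS vhosts certbot cannot reverse map:", u)
    print("HTTP-only names certbot --apache could still enable:", h)
    for name, probs in p.items():
        print(name, "OK" if not probs else probs)
```

Run against the samples it reports old.example.test as an HTTPS vhost with no :80 counterpart, shop.example.test as still HTTP-only, and the mail.example.test pair as complete; a :443 vhost pasted by hand without, say, the chain file or the HSTS header shows up in the problem list for its name.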

#16

Why do you say that?
All virtual servers have their own section <VirtualHost xxx.xxx.xxx.xxx:80> and their directives

Do you mean having one Include file at httpd.conf for each VS whose directives are in a separate .conf file?
Would that be the cause of the unsuccessful cert installation?

Anyway, the main part of the procedure is always okay: certificates are created, and in case they cannot be auto-installed, the manual way is not a big issue.
I am curious (and maybe it helps you to improve auto-cert) about what could be happening.
Thank you (I already made a donation because letsencrypt is very helpful despite this issue)