Unable to renew cert

Yes, you can also use:
sudo systemctl restart apache2

1 Like

When I run "apachectl -S", one of the lines in the output was

but it is
"DocumentRoot /var/www/wordpress" in (/etc/apache2/sites-enabled/sankofakids.org.conf)

Does that make any difference? In other words, is it ok to have the ff below in the "apachectl -S" output?

1 Like

Please show all the output.
And that might just be the default setting - which is usually overridden in the vhost file.

1 Like

The output for ‘apachectl -S’?

yes.

VirtualHost configuration:
*:80                   sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:1)
*:443                  sankofakids.org (/etc/apache2/sites-enabled/sankofakids.org.conf:39)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

Except for the lack of the “www” alias, that all seems correct.

Can we have a look at the current file?:
cat /etc/apache2/sites-enabled/sankofakids.org.conf

1 Like

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        # ServerName www.example.com

        ServerAdmin webmaster@localhost
        ServerAlias www.sankofakids.org
        DocumentRoot /var/www/wordpress

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        # LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        # Include conf-available/serve-cgi-bin.conf

ServerName sankofakids.org
SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Redirect / https://sankofakids.org/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem
    SSLProtocol -all +TLSv1.2
   # SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt  #If using a self-signed certificate, omit this line

    ServerAdmin webmaster@localhost
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
     DocumentRoot /var/www/wordpress
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Please remove the first occurrence of:
SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem

And add after first ServerName:
ServerAlias www.sankofakids.org

1 Like

Wait, the alias is there - the order is just upside down.

1 Like

Just use this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
    DocumentRoot /var/www/wordpress
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Redirect / https://sankofakids.org/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
    DocumentRoot /var/www/wordpress
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem
    SSLProtocol -all +TLSv1.2
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

1 Like

ok, just remove the 2 lines in :80?

Unfortunately order (for some things) matters.
Use the reordered file provided above.

1 Like
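
A small linter for the two things changed by hand in this thread, added here as an example and not code from the original posts: it flags `SSL*` directives or the `options-ssl-apache.conf` Include inside a port-80 block, and a port-443 block without `SSLEngine on`. The function names, the finding strings and the trimmed sample are constructed for illustration.

```python
import re

# Constructed input: the vhost file first posted in the thread, trimmed to the
# directives that matter here (comments, logs and DocumentRoot removed).
POSTED = """\
<VirtualHost *:80>
    ServerAlias www.sankofakids.org
    ServerName sankofakids.org
    SSLCertificateFile /etc/letsencrypt/live/sankofakids.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sankofakids.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    Redirect / https://sankofakids.org/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    ServerName sankofakids.org
    ServerAlias www.sankofakids.org
</VirtualHost>
"""

def parse_vhosts(text):
    """Return [(port, [(directive_lowercased, args), ...])], one per block."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opened:
            current = (int(opened.group(1)), [])
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            current[1].append((name.lower(), args.strip()))
    return vhosts

def lint(text):
    """Hypothetical checks mirroring the thread's manual fixes: [(port, finding)]."""
    findings = []
    for port, directives in parse_vhosts(text):
        if not any(d == "servername" for d, _ in directives):
            findings.append((port, "no ServerName"))
        tls = [d for d, a in directives
               if d.startswith("ssl") or (d == "include" and "options-ssl" in a)]
        if port == 80 and tls:
            findings.append((port, "TLS directives in HTTP vhost: " + ", ".join(tls)))
        if port == 443 and not any(d == "sslengine" and a.lower() == "on"
                                   for d, a in directives):
            findings.append((port, "SSLEngine on missing"))
    return findings
```

Run `lint()` on the contents of /etc/apache2/sites-enabled/sankofakids.org.conf before reloading Apache; an empty list means none of these checks fired.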

ok, I will use the reordered copy

2 Likes

Having both HTTP and HTTPS blocks in the same file may throw certbot off - not sure.
I would go ahead and use the --webroot option to ensure it knows where to go and doesn’t have to try to modify your code to obtain a cert.
Try:

sudo certbot --apache --webroot -w /var/www/wordpress -d sankofakids.org -d www.sankofakids.org --dry-run

If the dry run is successful, then remove “--dry-run” parameter and get a real cert.

Note: Certbot may tell you that you already have a cert with one of those domains and ask you what you want to do - if so, choose EXPAND the current cert with the other name.
[because you only need one cert (with both names on it)]

1 Like

I ran the dry run. This is the output
cebroot does not exist or is not a directory

1 Like

I had a TYPO - missing one dash
Try:

sudo certbot --apache --webroot -w /var/www/wordpress -d sankofakids.org -d www.sankofakids.org --dry-run

1 Like

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

OK, let's add RENEW:

sudo certbot renew --apache --webroot -w /var/www/wordpress -d sankofakids.org -d www.sankofakids.org --dry-run

[you’d think it would be implied - lol]

Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

1 Like