Unable to set ssl

My domain is: oceanwars.fr

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: oceanwars.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/oceanwars.fr.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/001-oceanwars.fr.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for oceanwars.fr
Unable to set enhancement redirect for oceanwars.fr
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oceanwars.fr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oceanwars.fr/privkey.pem
   Your cert will expire on 2021-04-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

My web server is (include version): apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: CubixServ (VPS)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.28.0

My issue is that even after this, I get "Problem loading page" when I go to https://oceanwars.fr :frowning:

Even on the website: https://cheapsslsecurity.com/ssltools/ssl-checker.php#results it says that there is no SSL confirmation.

I have also tried to use acme.sh, which still didn't work, and tried a manual installation of the certificate with certbot, which didn't work either.

I have been trying to create this certificate since 7AM and haven't succeeded :frowning:

Here is my 001-oceanwars.fr.conf in /etc/apache2/sites-available:

<Virtualhost *:80>
	ServerName oceanwars.fr
	DocumentRoot /var/www/html

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/oceanwars.fr/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/oceanwars.fr/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</Virtualhost>

Can someone please help me :slight_smile:

2 Likes

You can't turn SSL on inside the vhost configuration for port 80.
That one is for HTTP.

You should have another vhost config for port 443.
That one is for HTTPS.

4 Likes

This indicates your Apache is not correctly configured. Please run apachectl -S to see your virtualhost configuration. It probably shows some weird results.

3 Likes

@Lockface77

Welcome to the Let's Encrypt Community :slightly_smiling_face:

@rg305

Oh, you can, but you certainly shouldn't. :grin:

That mistake should be named Lost in Translation.

2 Likes

Thank you all for your answers :slight_smile:

I have copied my 001-oceanwars.fr.conf to a 002-oceanwars.fr.conf
I changed the vhost port of 002-oceanwars.fr.conf to 443 and removed all lines of 001-oceanwars.fr.conf that are about SSL.

Now I can connect with https to my server, thank you :slight_smile:

But I have another question: how can I remove HTTP access to my server (I mean, force users to use HTTPS instead of HTTP)?

Because right now you can still access my server using HTTP :frowning:

2 Likes
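The port split that rg305 described, plus the HTTP-to-HTTPS redirect just asked about, written out as an added example (this is not configuration from the thread or from certbot). It assumes the certbot paths already shown in this thread, that the HTTPS part lives in a second file as the poster did, and that mod_ssl is enabled (`sudo a2enmod ssl` on Debian). It deliberately covers only oceanwars.fr, because the certificate at this point has no www name in it.

```apache
# /etc/apache2/sites-available/001-oceanwars.fr.conf
# Plain HTTP only: no SSL directives here. Its single job is to send every
# request to the HTTPS site. Let's Encrypt's http-01 validation follows
# redirects, so this does not break later renewals with the apache plugin.
<VirtualHost *:80>
    ServerName oceanwars.fr
    Redirect permanent / https://oceanwars.fr/
</VirtualHost>

# /etc/apache2/sites-available/002-oceanwars.fr.conf
# HTTPS: SSLEngine and the certificate directives belong in the :443 vhost.
<VirtualHost *:443>
    ServerName oceanwars.fr
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/oceanwars.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/oceanwars.fr/privkey.pem
    # certbot's TLS protocol/cipher baseline, same file the poster already includes
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Before reloading, check the result the way Osiris suggested: `sudo apachectl configtest` must say "Syntax OK", and `sudo apachectl -S` should list oceanwars.fr once under port 80 and once under port 443 (a site that only appears under *:80 is exactly the "Problem loading page" symptom, since nothing listens for TLS on 443). Enable the second file with `sudo a2ensite 002-oceanwars.fr.conf && sudo systemctl reload apache2`, then confirm from the outside with `openssl s_client -connect oceanwars.fr:443 -servername oceanwars.fr </dev/null`, which should print the Let's Encrypt chain rather than a connection error.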

I have also tried to have automatic renewal of my certificate, but running sudo certbot renew --dry-run produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/oceanwars.fr.conf


Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (oceanwars.fr) from /etc/letsencrypt/renewal/oceanwars.fr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

1 Like

Certbot already attempted to add a redirect for HTTP to HTTPS, but was unable to according to your first post in this thread. However, that could have been caused by the configuration issues you might have fixed now.

This suggests the current certificate was not issued with the apache plugin (as the command in your first post indicates), but with the manual plugin. The manual plugin cannot be used to automatically renew, as it requires, well, manual steps to authorize the hostnames again.

Please show the contents of /etc/letsencrypt/renewal/oceanwars.fr.conf

You might try to renew by running certbot renew --dry-run --apache --cert-name oceanwars.fr to force the use of the apache plugin for authentication. I'm not sure if it will also use the apache installer plugin though, so you might need to reload Apache afterwards. Note that running --dry-run does not actually update your renewal configuration file, so when the time comes, you might want to run the renewal command without --dry-run to set everything correctly. (While this can also be done manually in the renewal configuration file, this isn't advised for novice users.)

3 Likes

Thank you for your answer :slight_smile:

Is there any fix that I can do to force it? http://oceanwars.fr is still accessible.

Here it is:
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/oceanwars.fr
cert = /etc/letsencrypt/live/oceanwars.fr/cert.pem
privkey = /etc/letsencrypt/live/oceanwars.fr/privkey.pem
chain = /etc/letsencrypt/live/oceanwars.fr/chain.pem
fullchain = /etc/letsencrypt/live/oceanwars.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
pref_challs = dns-01,
manual_public_ip_logging_ok = True
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
account = (some hash that I don't know if I should show)

Trying to run certbot renew --dry-run --apache --cert-name oceanwars.fr produced the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/oceanwars.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (oceanwars.fr) from /etc/letsencrypt/renewal/oceanwars.fr.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
2 Likes

Possibly. You can try to re-run the certbot command which issued your certificate in the first place. It will recognise you already have a valid certificate and will ask you what to do. You want to answer "Install" there. However, I'm not convinced you got the certificate in a "correct" manner to begin with. See below:

Why is certbot using the dns-01 plugin? Did you request a wildcard certificate?

That's to be expected, as the apache plugin can't handle the dns-01 challenge type.

Could you please run certbot certificates?

2 Likes

I don't know what I did at this point xd

I generated a certificate with acme.sh in the first place, but didn't succeed.
Then I generated a certificate with certbot that I had to add manually.
Then I used the automatic command of certbot.
And now I manually changed the port of the second file to enable the certificate there.

I don't have any clue what dns-01 even is lol. I only know that I changed the "DNS zone" at LWS so that oceanwars.fr points to the IP of my VPS.

certbot certificates produce this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: oceanwars.fr
    Domains: oceanwars.fr
    Expiry Date: 2021-04-15 12:17:19+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/oceanwars.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/oceanwars.fr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Re-run the command

sudo certbot --apache

It worked, with automatic redirection, thanks :slight_smile:

Now http://oceanwars.fr redirects to https://oceanwars.fr :slight_smile:

Then I tried to run

sudo certbot renew --dry-run

But I still got the same output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/oceanwars.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (oceanwars.fr) from /etc/letsencrypt/renewal/oceanwars.fr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oceanwars.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I think automatic renewal is not working :frowning: and knowing myself I will forget to renew it or will again spend 2 days doing it :frowning:

1 Like

Try running this (only once):

sudo certbot run --cert-name oceanwars.fr --apache --preferred-challenges http -d "oceanwars.fr" --force-renewal

Then try running this:

sudo certbot renew --dry-run


2 Likes

Please read the Let's Encrypt documentation, in this case the Challenge Type page.

It probably said you already had a valid certificate and you used certbot to install it without renewing the certificate.

Probably because the renewal file hasn't been updated. It still tries to use the manual plugin.

However, luckily, as you managed to actually install the certificate with the apache plugin, this means the apache authenticator plugin probably also works out of the box! So if we simply edit your renewal configuration file, it should all work just fine. Please run:

cp /etc/letsencrypt/renewal/oceanwars.fr.conf /tmp/oceanwars.fr-backup.conf
sed -i 's/pref_challs = dns-01,/installer = apache/' /etc/letsencrypt/renewal/oceanwars.fr.conf
sed -i 's/authenticator = manual/authenticator = apache/' /etc/letsencrypt/renewal/oceanwars.fr.conf

This removes the preference for the dns-01 challenge (it's not necessary to have a preference for the http-01 challenge actually stated in the configuration file) and replaces it with the apache installer option. The second sed command changes the authenticator plugin to apache too. (It probably would have sufficed to do s/manual/apache, but to make sure it doesn't modify anything else by accident, I've done it like this :stuck_out_tongue:)

2 Likes
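A check worth running before trusting the renewal timer, whichever of the two fixes above is applied. The script below is an added example (it is not from the thread and not part of certbot): it reads the same [renewalparams] keys shown in this thread and flags the two states the poster hit, authenticator = manual with no manual_auth_hook, and a leftover pref_challs = dns-01 paired with a plugin that can only do http-01. It changes nothing; the file paths it is pointed at are whatever you pass on the command line.

```shell
#!/bin/sh
# Audit certbot renewal configuration files for settings that make an
# unattended "certbot renew" fail. Added example, not part of the thread.
#
# Exit status of check_renewal_conf: 0 = renewable non-interactively,
#                                    1 = "certbot renew" will fail.

# Print the value of the first "key = value" line for a key (empty if absent).
renewal_param() {
    # $1 = file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_renewal_conf() {
    conf="$1"
    auth=$(renewal_param "$conf" authenticator)
    hook=$(renewal_param "$conf" manual_auth_hook)
    challs=$(renewal_param "$conf" pref_challs)

    if [ -z "$auth" ]; then
        echo "$conf: no authenticator set; certbot cannot renew this certificate"
        return 1
    fi

    # First state from this thread: the certificate was obtained interactively
    # with the manual plugin, so a non-interactive renew has nothing to run
    # the challenge with (the PluginError the poster saw).
    if [ "$auth" = manual ] && [ -z "$hook" ]; then
        echo "$conf: authenticator=manual without manual_auth_hook; 'certbot renew' will fail non-interactively"
        return 1
    fi

    # Second state: a dns-01 preference left over from the manual run while
    # the selected plugin only speaks http-01 ("None of the preferred
    # challenges are supported by the selected plugin").
    case "$challs" in
        *dns-01*)
            case "$auth" in
                apache|nginx|webroot|standalone)
                    echo "$conf: pref_challs=$challs is not supported by authenticator=$auth"
                    return 1 ;;
            esac ;;
    esac

    echo "$conf: authenticator=$auth, pref_challs=${challs:-default}: OK"
    return 0
}

# Usage: sh audit_renewal_confs.sh /etc/letsencrypt/renewal/*.conf
status=0
for f in "$@"; do
    check_renewal_conf "$f" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

The script is read-only on purpose: after it reports OK, `sudo certbot renew --dry-run` is still the authoritative test, because only certbot can tell you whether the apache plugin can actually place the http-01 response in your live vhosts.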

@Osiris

Please don't have him edit his configuration. The command I gave him will update it correctly for him.

2 Likes

Using sed removes the issue of user error. Your command will unnecessarily issue a new certificate. How credibly can we complain about users running into rate limits, and with that unnecessarily wasting precious Let's Encrypt resources, if we advise unnecessarily re-issuing certificates ourselves?

Ideally certbot would have "change renewal configuration parameters" options to do the same without sed.. Perhaps @certbot-devs has an opinion about this matter?

2 Likes

Until the user makes a typo. :wink:

That's one of my big concerns with certbot. I wish there were a way to update the configuration from a successful --dry-run (and that --dry-run worked with... wait for it... run).

Agreed. :slightly_smiling_face:

2 Likes

Hello,

Thank you @griffin

I have tried to run the above command, it created the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I agree that we should not waste resources from Let's Encrypt, but I would like it to be fixed once and for all; that's why I tried to run the command you gave. But it still didn't work :frowning:

So then I tried the sed commands:

I just ran the commands above, what should I do next? Do I need to reload apache? Or re-run:

sudo certbot renew --dry-run

Or it is all set?

Here is how my /etc/letsencrypt/renewal/oceanwars.fr.conf looks:
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/oceanwars.fr
cert = /etc/letsencrypt/live/oceanwars.fr/cert.pem
privkey = /etc/letsencrypt/live/oceanwars.fr/privkey.pem
chain = /etc/letsencrypt/live/oceanwars.fr/chain.pem
fullchain = /etc/letsencrypt/live/oceanwars.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
installer = apache
manual_public_ip_logging_ok = True
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
account = the weird hash

And thank you for that, now I understand from where it comes:
When I was trying everything to make my SSL work, I followed a YouTube tutorial where he added a TXT record to his domain to prove that it belongs to him. I did the same thing; that's why it had set those options.

And sorry for this last question, but how do I make it work in www.oceanwars.fr also?

Yet http://www.oceanwars.fr is working but not forcing HTTPS, and when I go to https it says that the connection is not secure :frowning:

3 Likes

sudo certbot run --cert-name oceanwars.fr --apache -d "oceanwars.fr,www.oceanwars.fr" --keep

sudo certbot renew --dry-run

After those, show your renewal configuration file and the output of this:

sudo certbot certificates


Current apache redirects:

  http://oceanwars.fr -> 301 Moved Permanently -> https://oceanwars.fr/ -> 200 OK
  http://www.oceanwars.fr -> 200 OK
  https://www.oceanwars.fr -> 200 OK

You also seem to have a redirect from https://www.oceanwars.fr to https://oceanwars.fr at the application level.

2 Likes

It's all set for you to run sudo certbot renew --dry-run yes :wink:

--dry-run is just a test to see if everything is working OK.

True.

2 Likes

@Osiris

He needs to add www using the command I gave him first.

2 Likes

@Osiris

That

is a bad sign for the command that I gave him to run. That should not have happened. I feel like there's more going on here than we're seeing.

edit: :poop: We're dealing with certbot 0.28.0. That's a known issue with that version. No wonder we've seen such troubles. You can probably remove your call to the devs. I'm fairly certain we both know what they're going to say here.


@Lockface77

Your certbot version is ancient and buggy. Please try to update it if you can.

2 Likes