Hello
I am trying to change to the new http based domain validation. I have installed the certbot-auto client which supports it but it is not able to validate the domain, because it does not find a virtual host listening on port 80.
We have a Vhost listening on port 80 redirected to its https version on port 443. The port is accessible via telnet or web navigator. We use a single Vhost per .conf file, as I have seen that this could be a problem.
Thank you for your help
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: aholab.ehu.es
I ran this command: certbot-auto --apache
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): aholab.ehu.es
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aholab.ehu.es
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
My web server is (include version): Apache/2.4.10 (Debian)
The operating system my web server runs on is (include version): Debian GNU/Linux 8.6 (jessie)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.30.0
Sorry, the _ lines were added by the web editor when I tried to put those lines in italics… they are not in the original files. The http-like syntax of the .conf files is misunderstood by the web editor, so I have uploaded the text files. I hope you will receive them without problems.
Thanks
It is like you say: the .conf files are in sites-available and symlinks in sites-enabled
The output of apachectl follows (as I told you there are other vhosts)
VirtualHost configuration:
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
alias www.aholab.ehu.es
alias www.bips.bi.ehu.es
alias bips.bi.ehu.es
alias u002887.bi.ehu.es
port 80 namevhost fundacion.sharerip.com (/etc/apache2/sites-enabled/fundacion.conf:3)
alias www.fundacion.sharerip.com
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
port 80 namevhost tool.jth2008.aholab.ehu.es (/etc/apache2/sites-enabled/jth2008.conftool.conf:3)
alias tool.jth2008.aholab.ehu.es
I think the problem may be in your redirection statements: Redirect permanent / https://aholab.ehu.es/
redirects (correctly) to https.
So, http://aholab.ehu.es/.well-known/acme-challenge/1234
forwards to: https://aholab.ehu.es/.well-known/acme-challenge/1234
But the TLS server block also has a redirection statement: RedirectMatch ^/$ /aholab/
So, now the (new) request to: https://aholab.ehu.es/.well-known/acme-challenge/1234
is "mangled" to?: https://aholab.ehu.es/aholab/.well-known/acme-challenge/1234
Which should get the content from /var/www/aholab/.well-known/acme-challenge/1234
But the --webroot specifies /var/www
So the challenge files end up at: /var/www/.well-known/acme-challenge/1234
Not where they are actually being served from (/var/www/aholab/.well-known/acme-challenge/1234).
You can try updating the command with -w /var/www/aholab
[to force them to match]
If this fails, then we need to exclude the /.well-known/acme-challenge from RedirectMatch ^/$ /aholab/
Or ensure the redirection doesn't cause other problems (like truncating the full URL)
[edit - corrected my dyslexia and added this thought]
Since it seems that 100% of the connections will go to the redirected path…
Why not remove the redirection and just update the document root?
from:
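To make the exclusion suggested above concrete, here is an added example of a port-80 vhost (constructed for this thread, not one of the poster's actual .conf files) that serves the ACME challenge path itself and redirects everything else to HTTPS, so the http-01 request never enters the TLS vhost and its RedirectMatch. The challenge directory /var/www/acme is an assumption; the same path must be passed to certbot with -w.

```apache
# Constructed example, not the poster's config.
# Requires mod_alias and mod_rewrite (a2enmod rewrite on Debian).
<VirtualHost *:80>
    ServerName aholab.ehu.es
    DocumentRoot /var/www

    # Serve challenge tokens directly over plain HTTP from a fixed directory.
    # Point certbot at the same directory: certbot-auto --webroot -w /var/www/acme -d aholab.ehu.es
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect every other request to HTTPS, keeping the full original path.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://aholab.ehu.es%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Check the behaviour before running certbot: a plain-HTTP request for /.well-known/acme-challenge/test should return the file's contents directly (HTTP 200), while any other path should answer with a 301 to the https:// URL.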
Thank you both for your help. Actually, I don't see any way to remove the default server. As far as I know, the first vhost of the config files is automatically assumed by apache as the default server. I suppose I could change the .conf file name so that apache reads another vhost file first, and thus takes another vhost as the default one, but I don't think I can remove it.
Both servers use the same file, both servers have aholab.ehu.es as name.
So Certbot doesn't know which is used. And I don't know the same.
So create a new file (perhaps empty), use this as file with your default server. And change the name of your default server (another name, not relevant).
So this
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
is unique.
PS: Perhaps the error message is wrong. Not "unable to find a vHost", instead "oops, there are two vHosts - which is the correct one?"