Unanel to find a virtual host listening on port 80

Help
1

Hello
I am trying to change to the new http based domain validation. I have installed the certbot-auto client which supports it but it is not able to validate the domain, because it does not find a virtual host listening on port 80.

We have a Vhost listening in port 80 redirected to its https version in port 443. The port is accesible via telnet or web navigator. We use a single Vhost per .conf file, as I have seen that this could be a problem.

Thank you for your help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:aholab.ehu.es

I ran this command:certbot-auto --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ā€˜cā€™ to cancel): aholab.ehu.es
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aholab.ehu.es
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version):Debian GNU/Linux 8.6 (jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I donā€™t know):yes

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if youā€™re using Certbot):0.30.0

2

Hi @aholab

then share this vHost configuration.

PS: Your main configuration ( https://check-your-website.server-daten.de/?q=aholab.ehu.es )

Domainname Http-Status redirect Sec. G
ā€¢ http://aholab.ehu.es/
158.227.67.128 301 https://aholab.ehu.es/ 0.123 A
ā€¢ https://aholab.ehu.es/
158.227.67.128 302 aholab 1.786 B
ā€¢ aholab 301 aholab 1.706 B
ā€¢ aholab 200 2.180 B
ā€¢ http://aholab.ehu.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
158.227.67.128 301 https://aholab.ehu.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.123 A
ā€¢ https://aholab.ehu.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 1.584 A
Not Found

is good, http -> https works, the 404 - not found is ok. So if you use your correct webroot, it should work.

But you have some mixed content warnings:

img

http://aholab.ehu.eus/aholab/wp-content/uploads/2018/12/cruces1-160x300.png
1
yes

link
stylesheet
http://aholab.ehu.eus/aholab/tts/css/tinybox.css
1
yes

link
stylesheet
http://aholab.ehu.eus/aholab/tts/css/tts.css
1
yes

link
stylesheet
http://aholab.ehu.eus/aholab/wp-content/uploads/smile_fonts/Defaults/Defaults.css?ver=4.3.1
1
yes
3

Thank you for your help. Here you have my Vhost configuration;
aholab.conf

<VirtualHost *:80>
_ ServerName aholab.ehu.es_
_ ServerAlias www.aholab.ehu.es www.bips.bi.ehu.es bips.bi.ehu.es u002887.bi.ehu.es_
_ DocumentRoot /var/www/_
_ Redirect permanent / https://aholab.ehu.es/_
_ RedirectMatch ^/$ http://aholab.ehu.es/aholab/_
_ RedirectMatch permanent /phpmyadmin https://aholab.ehu.es/phpmyadmin_
_ RedirectMatch permanent /ahoweb http://aholab.ehu.es/_
_ ErrorLog /var/log/apache2/error.log_
_ CustomLog /var/log/apache2/access.log combined_

<Directory /var/www/phpmyadmin>
SSLRequireSSL

<Directory /var/www>
_ AllowOverride All_

The aholab-ssl.conf file

#NameVirtualHost *:443
<VirtualHost *:443>
_ ServerName aholab.ehu.es_
_ ServerAlias www.aholab.ehu.es www.bips.bi.ehu.es bips.bi.ehu.es aholab.ehu.eus www.aholab.ehu.eus_
_ DocumentRoot /var/www/_
_ RedirectMatch ^/$ /aholab/_
_ ErrorLog /var/log/apache2/error.log_
_ CustomLog /var/log/apache2/access.log combined_
_ SSLEngine on_
_ SSLCertificateFile /etc/letsencrypt/live/aholab.ehu.es/fullchain.pem_
SSLCertificateKeyFile /etc/letsencrypt/live/aholab.ehu.es/privkey.pem
_ SSLCertificateChainFile /etc/letsencrypt/live/aholab.ehu.es/fullchain.pem_

We have other sites enabled, but I donā€™t think they are relevant for the problem.

Once again thank you for your help.

4

This is a config with aholab.ehu.es_ as ServerName, there is one _ too much.

Your config with all these _ looks curious. Or completely wrong.

1 Like
6

Sorry, the _ lines were added by the web editor when I tried to put that lines in italicsā€¦ they are not in the original files. The http-like syntax of the .conf files is misunderstood by the web editor, so I have uploaded the text files.I hope you will recive them without problems.
Thanks

aholab.conf.txt (699 Bytes)
aholab-ssl.conf.txt (635 Bytes)

7

Your config looks ok.

Whatā€™t the content of

/etc/apache2/sites-available
/etc/apache2/sites-enabled

Your file should be in the first directory, in the second, there should be a symlink.

What says

apachectl -t -D DUMP_VHOSTS
1 Like
8

It is like you say: the .conf files are in sites-available and symlinks in sites-enabled
The output of apachectl follows (as I told you there are other vhosts)

VirtualHost configuration:
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
alias www.aholab.ehu.es
alias www.bips.bi.ehu.es
alias bips.bi.ehu.es
alias u002887.bi.ehu.es
port 80 namevhost fundacion.sharerip.com (/etc/apache2/sites-enabled/fundacion.conf:3)
alias www.fundacion.sharerip.com
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
port 80 namevhost tool.jth2008.aholab.ehu.es (/etc/apache2/sites-enabled/jth2008.conftool.conf:3)
alias tool.jth2008.aholab.ehu.es

9

Upps - that may be your problem.

You have two server with the same name. Remove the default.

10

I think the problem may be in your redirection statements:
Redirect permanent / https://aholab.ehu.es/
redirects (correctly) to https.
So, http://aholab.ehu.es/.well-known/acme-challenge/1234
forwards to: https://aholab.ehu.es/.well-known/acme-challenge/1234
But the TLS server block also has a redirection statement:
RedirectMatch ^/$ /aholab/
So, now the (new) request to: https://aholab.ehu.es/.well-known/acme-challenge/1234
is ā€œmangledā€ to?: https://aholab.ehu.es/aholab/.well-known/acme-challenge/1234
Which should get the content from /var/ww/aholab/.well-known/acme-challenge/1234
But the --webroot specifies /var/www
So the challenge files end up at: /var/www/.well-known/acme-challenge/1234
Not where that are actually being server from (/var/www/aholab/.well-known/acme-challenge/1234).

You can try updating the command with -w /var/www/aholab
[to force them to match]
If this fails, the we need to exclude the /.well-known/acme-challenge from
RedirectMatch ^/$ /aholab/
Or ensure the redirection doesnā€™t cause other problems (like truncating the full URL)

[edit - corrected my dyslexia and added this thought]
Since it seems that 100% of the connections will go to the redirected pathā€¦
Why not remove the redirection and just update the document root?
from:

        DocumentRoot /var/www/
        RedirectMatch ^/$ /aholab/

to:

        DocumentRoot /var/www/aholab/
        #RedirectMatch ^/$ /aholab/
11

The current problem: Certbot doesn't want to start, because Certbot doesn't find a vHost.

So no challenge file is created.

12

Maybe I didnā€™t read back far enoughā€¦
But I thought the use of --webroot overrides that kind of checking.

13

Thank you both for your help. Actually, I donā€™t see any way to remove the default server. As far as I know, the first vhost of the config files is automatically assumed by apache as the default server. I suppose I could change the .conf file name so as apache reads first another vhost file, and thus takes another vhost as the default one, but I donā€™t think I can remove it.

1 Like
14

I think he meant for you to remove (or change) the repeated name in that file.

15

Can you show this file?:
/etc/apache2/sites-enabled/000-aholab.conf

16

But there is not a duplicated name anywhere. That was the output of apachectl -t -D DUMP_VHOST. The actual .conf files only define each vhost once

17

I think you may be right.
[Iā€™m not too familiar with that output]

18

I uploaded it

Blockquote
it is the first one, aholab.conf.txt
I had problems pasting the contents in your web editor and that's why I had to upload it

19

OK I agree with you; the output can be misread too easily it seems.
Did you read through post #10?: Unanel to find a virtual host listening on port 80

20

Sorry, wrong words. Change your default server.

Both servers use the same file, both servers have aholab.ehu.es as name.

So Certbot doesn't know which is used. And I don't know the same.

So create a new file (perhaps empty), use this as file with your default server. And change the name of your default server (another name, not relevant).

So this

port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)

is unique.

PS: Perhaps the error message is wrong. Not "unable to find a vHost", instead "opps, there are two vHosts - which is the correct?"

21

I have created a 000-default.conf file

<VirtualHost _default_:80>
<Location />
Deny from all
Options None
ErrorDocument 403 Forbidden.
</Location>
</VirtualHost>

*The indentation is lost due to your web editorā€¦

and now apachectl -t -S gives:

VirtualHost configuration:
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab.conf:2)
alias www.aholab.ehu.es
alias www.bips.bi.ehu.es
alias bips.bi.ehu.es
alias u002887.bi.ehu.es
port 80 namevhost fundacion.sharerip.com (/etc/apache2/sites-enabled/fundacion.conf:3)
alias www.fundacion.sharerip.com
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
port 80 namevhost tool.jth2008.aholab.ehu.es (/etc/apache2/sites-enabled/jth2008.conftool.conf:3)
alias tool.jth2008.aholab.ehu.es
ServerRoot: ā€œ/etc/apache2ā€
Main DocumentRoot: ā€œ/var/wwwā€
Main ErrorLog: ā€œ/var/log/apache2/error.logā€
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: ā€œ/var/run/apache2/apache2.pidā€
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
Define: ENABLE_USR_LIB_CGI_BIN
User: name=ā€œwww-dataā€ id=33
Group: name=ā€œwww-dataā€ id=33

certbot-auto gives the same error
Unable to find a virtual host listening on port 80