Unable to find a virtual host listening on port 80


#1

Hello
I am trying to change to the new http based domain validation. I have installed the certbot-auto client which supports it but it is not able to validate the domain, because it does not find a virtual host listening on port 80.

We have a Vhost listening on port 80 redirected to its https version on port 443. The port is accessible via telnet or web navigator. We use a single Vhost per .conf file, as I have seen that this could be a problem.

Thank you for your help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:aholab.ehu.es

I ran this command:certbot-auto --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): aholab.ehu.es
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aholab.ehu.es
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version):Debian GNU/Linux 8.6 (jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):0.30.0


#2

Hi @aholab

then share this vHost configuration.

PS: Your main configuration ( https://check-your-website.server-daten.de/?q=aholab.ehu.es )

is good, http -> https works, the 404 - not found is ok. So if you use your correct webroot, it should work.

But you have some mixed content warnings:

img | http://aholab.ehu.eus/aholab/wp-content/uploads/2018/12/cruces1-160x300.png | 1 | yes
link | stylesheet | http://aholab.ehu.eus/aholab/tts/css/tinybox.css | 1 | yes
link | stylesheet | http://aholab.ehu.eus/aholab/tts/css/tts.css | 1 | yes
link | stylesheet | http://aholab.ehu.eus/aholab/wp-content/uploads/smile_fonts/Defaults/Defaults.css?ver=4.3.1 | 1 | yes

#3

Thank you for your help. Here you have my Vhost configuration;
aholab.conf

<VirtualHost *:80>
_ ServerName aholab.ehu.es_
_ ServerAlias www.aholab.ehu.es www.bips.bi.ehu.es bips.bi.ehu.es u002887.bi.ehu.es_
_ DocumentRoot /var/www/_
_ Redirect permanent / https://aholab.ehu.es/_
_ RedirectMatch ^/$ http://aholab.ehu.es/aholab/_
_ RedirectMatch permanent /phpmyadmin https://aholab.ehu.es/phpmyadmin_
_ RedirectMatch permanent /ahoweb http://aholab.ehu.es/_
_ ErrorLog /var/log/apache2/error.log_
_ CustomLog /var/log/apache2/access.log combined_

<Directory /var/www/phpmyadmin>
SSLRequireSSL

<Directory /var/www>
_ AllowOverride All_

The aholab-ssl.conf file

#NameVirtualHost *:443
<VirtualHost *:443>
_ ServerName aholab.ehu.es_
_ ServerAlias www.aholab.ehu.es www.bips.bi.ehu.es bips.bi.ehu.es aholab.ehu.eus www.aholab.ehu.eus_
_ DocumentRoot /var/www/_
_ RedirectMatch ^/$ /aholab/_
_ ErrorLog /var/log/apache2/error.log_
_ CustomLog /var/log/apache2/access.log combined_
_ SSLEngine on_
_ SSLCertificateFile /etc/letsencrypt/live/aholab.ehu.es/fullchain.pem_
SSLCertificateKeyFile /etc/letsencrypt/live/aholab.ehu.es/privkey.pem
_ SSLCertificateChainFile /etc/letsencrypt/live/aholab.ehu.es/fullchain.pem_

We have other sites enabled, but I don’t think they are relevant for the problem.

Once again thank you for your help.


#4

This is a config with aholab.ehu.es_ as ServerName, there is one _ too much.

Your config with all these _ looks curious. Or completely wrong.


#6

Sorry, the _ lines were added by the web editor when I tried to put those lines in italics… they are not in the original files. The http-like syntax of the .conf files is misunderstood by the web editor, so I have uploaded the text files. I hope you will receive them without problems.
Thanks

aholab.conf.txt (699 Bytes)
aholab-ssl.conf.txt (635 Bytes)


#7

Your config looks ok.

What’s the content of

/etc/apache2/sites-available
/etc/apache2/sites-enabled

Your file should be in the first directory, in the second, there should be a symlink.

What says

apachectl -t -D DUMP_VHOSTS

#8

It is like you say: the .conf files are in sites-available and symlinks in sites-enabled
The output of apachectl follows (as I told you there are other vhosts)

VirtualHost configuration:
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)
alias www.aholab.ehu.es
alias www.bips.bi.ehu.es
alias bips.bi.ehu.es
alias u002887.bi.ehu.es
port 80 namevhost fundacion.sharerip.com (/etc/apache2/sites-enabled/fundacion.conf:3)
alias www.fundacion.sharerip.com
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
port 80 namevhost tool.jth2008.aholab.ehu.es (/etc/apache2/sites-enabled/jth2008.conftool.conf:3)
alias tool.jth2008.aholab.ehu.es


#9

Upps - that may be your problem.

You have two servers with the same name. Remove the default.


#10

I think the problem may be in your redirection statements:
Redirect permanent / https://aholab.ehu.es/
redirects (correctly) to https.
So, http://aholab.ehu.es/.well-known/acme-challenge/1234
forwards to: https://aholab.ehu.es/.well-known/acme-challenge/1234
But the TLS server block also has a redirection statement:
RedirectMatch ^/$ /aholab/
So, now the (new) request to: https://aholab.ehu.es/.well-known/acme-challenge/1234
is “mangled” to?: https://aholab.ehu.es/aholab/.well-known/acme-challenge/1234
Which should get the content from /var/www/aholab/.well-known/acme-challenge/1234
But the --webroot specifies /var/www
So the challenge files end up at: /var/www/.well-known/acme-challenge/1234
Not where they are actually being served from (/var/www/aholab/.well-known/acme-challenge/1234).

You can try updating the command with -w /var/www/aholab
[to force them to match]
If this fails, then we need to exclude the /.well-known/acme-challenge from
RedirectMatch ^/$ /aholab/
Or ensure the redirection doesn’t cause other problems (like truncating the full URL)

[edit - corrected my dyslexia and added this thought]
Since it seems that 100% of the connections will go to the redirected path…
Why not remove the redirection and just update the document root?
from:

        DocumentRoot /var/www/
        RedirectMatch ^/$ /aholab/

to:

        DocumentRoot /var/www/aholab/
        #RedirectMatch ^/$ /aholab/

#11

The current problem: Certbot doesn’t want to start, because Certbot doesn’t find a vHost.

So no challenge file is created.


#12

Maybe I didn’t read back far enough…
But I thought the use of --webroot overrides that kind of checking.


#13

Thank you both for your help. Actually, I don’t see any way to remove the default server. As far as I know, the first vhost of the config files is automatically assumed by apache as the default server. I suppose I could change the .conf file name so as apache reads first another vhost file, and thus takes another vhost as the default one, but I don’t think I can remove it.


#14

I think he meant for you to remove (or change) the repeated name in that file.


#15

Can you show this file?:
/etc/apache2/sites-enabled/000-aholab.conf


#16

But there is not a duplicated name anywhere. That was the output of apachectl -t -D DUMP_VHOSTS. The actual .conf files only define each vhost once.


#17

I think you may be right.
[I’m not too familiar with that output]


#18

I uploaded it

it is the first one, aholab.conf.txt
I had problems pasting the contents in your web editor and that’s why I had to upload it


#19

OK I agree with you; the output can be misread too easily it seems.
Did you read through post #10?: Unable to find a virtual host listening on port 80


#20

Sorry, wrong words. Change your default server.

Both servers use the same file, both servers have aholab.ehu.es as name.

So Certbot doesn’t know which is used. And I don’t know the same.

So create a new file (perhaps empty), use this as file with your default server. And change the name of your default server (another name, not relevant).

So this

port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-aholab.conf:2)

is unique.

PS: Perhaps the error message is wrong. Not “unable to find a vHost”, instead “opps, there are two vHosts - which is the correct?”


#21

I have created a 000-default.conf file

<VirtualHost _default_:80>
<Location />
Deny from all
Options None
ErrorDocument 403 Forbidden.
</Location>
</VirtualHost>

*The indentation is lost due to your web editor…

and now apachectl -t -S gives:

VirtualHost configuration:
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab.conf:2)
alias www.aholab.ehu.es
alias www.bips.bi.ehu.es
alias bips.bi.ehu.es
alias u002887.bi.ehu.es
port 80 namevhost fundacion.sharerip.com (/etc/apache2/sites-enabled/fundacion.conf:3)
alias www.fundacion.sharerip.com
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
port 80 namevhost tool.jth2008.aholab.ehu.es (/etc/apache2/sites-enabled/jth2008.conftool.conf:3)
alias tool.jth2008.aholab.ehu.es
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
Define: ENABLE_USR_LIB_CGI_BIN
User: name=“www-data” id=33
Group: name=“www-data” id=33

certbot-auto gives the same error
Unable to find a virtual host listening on port 80
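
Added example, not part of any post in this thread and not Certbot's own code: a parser for the `apachectl -S` output shown in #8 and #21 that reports hostnames claimed by more than one port-80 vhost definition, which is the condition post #20 asks to eliminate. The function names and the shortened `SAMPLE` excerpt are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Lines from the output posted in #21 (shortened). Indentation was lost in the
# post, so the parser strips whitespace instead of relying on it.
SAMPLE = """\
*:443 aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab-ssl.conf:4)
*:80 is a NameVirtualHost
default server aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost aholab.ehu.es (/etc/apache2/sites-enabled/010-aholab.conf:2)
alias www.aholab.ehu.es
port 80 namevhost jth2008.ehu.es (/etc/apache2/sites-enabled/jth2008.conf:3)
alias jth2008.ehu.es
"""

NAMEVHOST = re.compile(r"^port (\d+) namevhost (\S+) \((.+):(\d+)\)$")
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+) \((.+):(\d+)\)$")  # e.g. "*:443 name (file:4)"
ALIAS = re.compile(r"^alias (\S+)$")

def parse_vhosts(text):
    """Map (port, hostname) -> set of (file, line) vhost definitions claiming it."""
    table = defaultdict(set)
    current = None  # vhost that following "alias" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEVHOST.match(line) or SINGLE.match(line)
        if m:  # the "default server" line matches neither and is not counted
            current = (int(m.group(1)), m.group(3), int(m.group(4)))
            table[(current[0], m.group(2).lower())].add(current[1:])
        elif (m := ALIAS.match(line)) and current:
            table[(current[0], m.group(1).lower())].add(current[1:])
    return table

def duplicates(text, port=80):
    """Hostnames on `port` claimed by more than one vhost definition."""
    return {name: sorted(defs)
            for (p, name), defs in parse_vhosts(text).items()
            if p == port and len(defs) > 1}

if __name__ == "__main__":
    # Pipe `apachectl -S` into this script; with no pipe it checks SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, defs in duplicates(text).items():
        print(f"{name}: " + ", ".join(f"{f}:{n}" for f, n in defs))
```

On the #21 output it reports aholab.ehu.es under both 000-default.conf:1 and 010-aholab.conf:2; on the #8 output it reports nothing, because the "default server" line only repeats the first vhost.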