Unsure about why this is happening when I try a renewal --dry-run


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tracker.linkpc.net

I ran this command: sudo certbot renew --dry-run

It produced this output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tracker.linkpc.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tracker.linkpc.net
Cleaning up challenges
Attempting to renew cert (tracker.linkpc.net) from /etc/letsencrypt/renewal/tracker.linkpc.net.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tracker.linkpc.net/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tracker.linkpc.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: redirect from dns servers at dnsexit.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot - 0.28.0

I have ports open for both 80 and 443, I thought it may have been because on port 80 I just has a redirect up to https: but having put the original Apache2/Ubuntu index.html back it is not that.

I Apache I have also restricted access to just /var/www/ I was just prompted to try seeing an email on other posts and now wonder what I have done wroing.

I have tried stopping programs like fail2ban on theprts etc all with seemingly no effect.

The original set up would have been a proxy redirect from localhost:8082 and in

            ServerName tracker.linkpc.net
            ServerAdmin webmaster@localhost

            DocumentRoot /var/www/html

            ProxyPass /api/socket ws://localhost:8082/api/socket
            ProxyPassReverse /api/socket ws://localhost:8082/api/socket

            ProxyPass / http://localhost:8082/
            ProxyPassReverse / http://localhost:8082/

            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    </VirtualHost>
And then run the certbot from yourselves to change as required.

Thanks

Adrian


#2

Hi @Adrian_H

Certbot can’t find a VirtualHost with your domain name.

You may have

  • only a default host or
  • more then one VirtualHost with the same name.

If you have no vHost, create one. Perhaps copy your existing vHost and add the ServerName:

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

#3

Sorry i was adding more to the initial post, you may have to forgive me a bit here, but I am sure it worked last month as it was, so I now have to add another proxy?


#4

You’ve only pasted a part of the VirtualHost section. Is that the :443 section? Do you also have a :80 VirtualHost section? I.e., a section with <VirtualHost *:80> with ServerName tracker.linkpc.net inside it.

It doesn’t need to have the reverse proxy part, most port 80 virtualhosts are used for redirecting to HTTPS.


#5

Sorry Osiris I may need a bit of hand holding here, I will paste the current section from my server
in /etc/apache2/sites-available
there are two conf files,
one called traccar.conf which is this one:

<VirtualHost _default_:443>

                ServerName tracker.linkpc.net
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassreverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on

                SSLCertificateFile /etc/letsencrypt/live/tracker.linkpc.net/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/tracker.linkpc.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>

and one called
le-redirect-tracker.linkpc.net.conf
which has

<VirtualHost _default_:80>
ServerName tracker.linkpc.net 
 
ServerSignature Off

RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ErrorLog /var/log/apache2/redirect.error.log
LogLevel warn
</VirtualHost>

Now I also had a simple redirect page if someone went in to port 80 by by using http:/linkpc.net then
they got this

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="refresh" content="0; url=https://tracker.linkpc.net/" />
  </head>
</html>

to send over to port 443:

Please let me know what I have got wrong, at the moment I have the default Apache header page active?

Adrian


#6

Apologies as I keep forgetting the code tags


#7

Test it: Copy this VirtualHost, but not as default.

Use as ServerName of the default another name (doesn’t need to exist - intern.linkpc.net).

So that you have two VirtualHosts - default with another (new) name and one with tracker.linkpc.net


#8

Looks like you are sending everything to port 8082:

How does that handle the /.well-known/acme-challenge/ requests?
[or maybe you should handle then in the port 80 vhost config]


#9

Sorry , one has to appreciate I am trying to understand all this, probably a bit late in the day, but trying.

I have an application java based that would normally output on port 8082, so the traccar.conf, should I believe pick up from port 8082 and redirect to 443 with the lets encrypt section in there to serve as an encrypted site.

Now the virtual host on port 80 is not active for some reason and the le-redirect etc.conf is only in /etc/apache2/sites-available and not in /etc/apache2/sites-enabled

So I am just reading up and trying to decide why, but I think I may have missed some config at some time to apply the redirect, hence why I had my own redirect page.

This may take me a few hours :slight_smile:
Adrian


#10

OK all sorted, I hope my mistakes help some other people.
I now get


Processing /etc/letsencrypt/renewal/tracker.linkpc.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tracker.linkpc.net
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/tracker.linkpc.net/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/tracker.linkpc.net/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


What I did not realise was that lets encrypt generated the redirect for me as a virtual site, but that I still needed to enable the site by running the command

sudo a2ensite le-redirect-tracker.linkpc.net

From within the /etc/apache2/sites-available directory, then a simple matter or reloading apache and I had two virtual sites covering port 80 and 443.
My mistake and sometimes I need a prompt to find these things, thank you for all your assistance.

I have one last general question then, I assume from trying to renew that port 80 also has to stay open to the outside world inable for the renewal to happen, it does not occour on port 443?

Closing off port 80 would shut another port to the hackers.

Thanks all

Adrian


#11

An open port 80 should not really being a security problem.

You can add a redirect http -> https, so port 80 sends only redirects.

If http + /.well-known/acme-challenge/1234 redirected to https + /.well-known/acme-challenge/1234, all is ok.

Letsencrypt follows these redirects.


#12

OK thank you , my home server is a proving ground as I learn.

Thank you all.

Adrian


closed #13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.