I set up a server from scratch to test out certbot for new installations.
Ubuntu 16.04
Standard install for LAMP
I kept getting error messages about
Unable to install the certificate <-- ERROR I AM REPORTING
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[DOMAIN]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[DOMAIN]/privkey.pem
Your cert will expire on [DATE]. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”
Corrective steps:
a2enmod ssl
Edit the /etc/apache2/sites-enabled/ssl-[DOMAIN].conf file to point to the certificates.
E.g. change the
SSLCertificateFile
SSLCertificateKeyFile
directives to point to the correct path, and change the permissions of those files to 600.
Steps to reproduce:
Fire up a new server
Add LAMP
Add certbot and install.
Create DNS entries to point to the new server
Run certbot --apache
Observe errors
Correct as above
Could you give us the output of certbot --version and the associated log file from /var/log/letsencrypt? Then we can figure out whether this is a known issue or not.
It’s possible that this has been fixed in a later release, since I believe Ubuntu 16.04 has a very old version of Certbot. However, I wouldn’t expect that the version they ship routinely fails this way in a default configuration, so maybe it’s also a bug that we or the Ubuntu packagers aren’t aware of.
Version is 0.21.1, and the log file is attached.
Thanks for taking a look! If you can’t verify it’s a known bug, I’ll send a pull request for patches once I set up a new GitHub.
Also, if you would like me to reconfirm the bug and steps to replicate, just let me know. I have a few domains I can use that won’t cause me any problem, and I’ll have a few hours over the weekend.
To route around any possible issues, I’ve uploaded the log to http://seanembry.com/letsencrypt-log.txt
Let me know if you still have issues getting it. Next step would be to ask you to create an SSH key and I’ll get you an account to download it. Remember to include a user name!
It looks like the reason for the installer failure was
2018-03-06 15:20:46,501:WARNING:certbot_apache.parser:Error in checking parameter list: AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/s-discusspolitics.net.conf:
SSLCertificateFile: file '/etc/ssl/certs/discusspolitics.net' does not exist or is empty
Did you create this file (/etc/apache2/sites-enabled/s-discusspolitics.net.conf) yourself? Did you previously have some other certificate or previously try to manually enable HTTPS on the site?
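As an added example (not part of this thread and not certbot’s own code), here is a shell check for the condition the log line above shows: an SSL vhost whose SSLCertificateFile / SSLCertificateKeyFile directives point at files that do not exist or are empty, plus the 600 key-file permission from the corrective steps. All paths and the vhost contents are constructed.

```shell
#!/bin/sh
# Added example, not from this thread or from certbot: report Apache
# SSLCertificateFile / SSLCertificateKeyFile directives that point at a
# missing or empty file (the AH00526 condition above) and key files whose
# mode is looser than 600. Every path and vhost below is constructed.

# Print "DIRECTIVE PATH" for each cert/key directive in CONF; comment lines
# (first field starts with #) never match, directive case is ignored.
ssl_directives() {
    awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {
           gsub(/"/, "", $2)
           name = (tolower($1) ~ /key/) ? "SSLCertificateKeyFile" : "SSLCertificateFile"
           print name, $2
         }' "$1"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Print one line per problem in CONF; return 1 if any were found, else 0.
check_ssl_vhost() {
    problems=$(ssl_directives "$1" | while read -r directive path; do
        if [ ! -s "$path" ]; then
            printf '%s: %s does not exist or is empty\n' "$directive" "$path"
        elif [ "$directive" = SSLCertificateKeyFile ]; then
            case "$(file_mode "$path")" in
                600|400) ;;
                *) printf '%s: %s should be mode 600\n' "$directive" "$path" ;;
            esac
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed demo: a vhost that references certificate files nobody created,
# as in the thread, then the same vhost after the corrective steps.
DEMO=$(mktemp -d)
cat > "$DEMO/ssl-example.conf" <<EOF
<VirtualHost *:443>
    ServerName example.test
    # SSLCertificateFile /etc/ssl/certs/old.pem   (comment, must be ignored)
    SSLCertificateFile    $DEMO/fullchain.pem
    SSLCertificateKeyFile "$DEMO/privkey.pem"
</VirtualHost>
EOF
check_ssl_vhost "$DEMO/ssl-example.conf" || echo "-> installer would fail here"
echo "constructed cert" > "$DEMO/fullchain.pem"
echo "constructed key"  > "$DEMO/privkey.pem"
chmod 600 "$DEMO/privkey.pem"
check_ssl_vhost "$DEMO/ssl-example.conf" && echo "-> vhost is consistent"
```

Run it against /etc/apache2/sites-enabled/*.conf before certbot --apache to see the same missing-file condition Apache would reject at configtest time.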
I did create the directory manually, however, it still didn’t work subsequently until I also manually linked the cert to the location in the config.
I will schedule some time over the weekend and do it again, and keep notes.
I didn’t understand whether you had working HTTPS before, or never did. But your configuration file was pointing to a nonexistent certificate, which is why it initially didn’t work until you created that link.
It was a fresh kick never before set up. Bare metal, standard install, apt-get update, then apt-get apache and certbot, certbot --apache I think. But if I can get some time this weekend, I’ll rerun everything and get you the logs, configs, and bash history.
If I’m able, I’ll analyze it, then submit a pull request with the patch, or if it was my mistake, why I made it.
No - it was a clean install, nothing else ever was there first from the OS on down - I am sure of that. However, I will rekick and retry things, document it pretty well. I am more than capable of being stupid, so let me make sure I’m not being stupid.