Using certbot for the very first time


#1

I set up a server from scratch to test out certbot for new installations.
Ubuntu 16.04
Standard install for LAMP

I kept getting error messages about

  • Unable to install the certificate <-- ERROR I AM REPORTING
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/[DOMAIN]/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/[DOMAIN]/privkey.pem
    Your cert will expire on [DATE]. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

Corrective steps:
a2enmod ssl
Edit the /etc/apache2/sites-enabled/ssl-[DOMAIN].conf file to point to the certificates.
EG: the
SSLCertificateFile
SSLCertificateKeyFile
directives to point to the correct path, and change the permissions of those files to 600

Steps to reproduce:
Fire up a new server
Add LAMP
Add certbot and install.
Create DNS entries to point to the new server
Run certbot --apache
Observe errors
Correct as above


#2

Hi @sean_e6,

Could you give us the output of certbot --version and the associated log file from /var/log/letsencrypt? Then we can figure out whether this is a known issue or not.

It’s possible that this has been fixed in a later release, since I believe Ubuntu 16.04 has a very old version of Certbot. However, I wouldn’t expect that the version they ship routinely fails this way in a default configuration, so maybe it’s also a bug that we or the Ubuntu packagers aren’t aware of.

Thanks!


#3

Hi, Seth,

Version is 0.21.1, and the log file is attached.
Thanks for taking a look! If you can’t verify it’s a known bug, I’ll
send a pull request for patches once I set up a new github.
Also, if you would like me to reconfirm the bug and steps to replicate,
just let me know. I have a few domains I can use that won’t cause me any
problem, and I’ll have a few hours over the weekend.

Sean Embry
Infrastructure Operations Engineer II


#4

Could you please try again? I think the attachment was discarded because your user account was too new.


#5

Seth,

To route around any possible issues, I’ve uploaded the log to
http://seanembry.com/letsencrypt-log.txt
Let me know if you still have issues getting it. Next step would be to
ask you to create an ssh key and I’ll get you an account to download it.
Remember to include a user name!

Sean


#6

Thanks!

It looks like the reason for the installer failure was

2018-03-06 15:20:46,501:WARNING:certbot_apache.parser:Error in checking parameter list: AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/s-discusspolitics.net.conf:
SSLCertificateFile: file '/etc/ssl/certs/discusspolitics.net' does not exist or is empty

Did you create this file (/etc/apache2/sites-enabled/s-discusspolitics.net.conf) yourself? Did you previously have some other certificate or previously try to manually enable HTTPS on the site?
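As an added example (not code from any post in this thread), the following shell script reproduces the condition behind the AH00526 error quoted above: it scans a directory of Apache vhost files for SSLCertificateFile / SSLCertificateKeyFile directives and reports any that point at a missing or empty file, so a dangling path is caught before `certbot --apache` tries to install into that vhost. The fixture directory, file names and the example.test domain are constructed for the demonstration.

```shell
# Added example, not code from the thread: reproduce the check that tripped
# certbot's Apache parser (AH00526 "does not exist or is empty"). Every
# SSLCertificateFile / SSLCertificateKeyFile directive must point at a real, non-empty file.

# check_ssl_paths DIR: print "file:line: path does not exist or is empty" for
# each dangling directive. Returns 1 if anything was reported, else 0.
# Assumes paths contain no ':' or whitespace (true for the thread's setup).
check_ssl_paths() {
    conf_dir=$1
    status=0
    # -H/-n prefix each hit with "file:line:"; commented-out directives are skipped
    hits=$(grep -HEn '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+' \
               "$conf_dir"/*.conf 2>/dev/null) || hits=""
    [ -n "$hits" ] || return 0
    while IFS=: read -r file line rest; do
        # second whitespace-separated word is the path; drop optional quotes
        path=$(printf '%s\n' "$rest" | awk '{ gsub(/"/, "", $2); print $2 }')
        if [ ! -s "$path" ]; then
            printf '%s:%s: %s does not exist or is empty\n' "$file" "$line" "$path"
            status=1
        fi
    done <<EOF
$hits
EOF
    return $status
}

# make_fixture: constructed vhost modelled on the thread. The certificate path
# is never created (like /etc/ssl/certs/discusspolitics.net in post #6), while
# the key file exists. Prints the temporary directory holding the fixture.
make_fixture() {
    d=$(mktemp -d)
    printf 'placeholder key material\n' > "$d/privkey.pem"
    cat > "$d/s-example.test.conf" <<EOF
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    # SSLCertificateFile /commented/out/so/ignored
    SSLCertificateFile $d/fullchain.pem
    SSLCertificateKeyFile "$d/privkey.pem"
</VirtualHost>
EOF
    printf '%s\n' "$d"
}
# Usage on a real host: sh thisscript.sh /etc/apache2/sites-enabled
if [ -n "${1:-}" ]; then
    check_ssl_paths "$1"
fi
```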


#7

Hello Seth,

I did create the directory manually; however, it still didn’t work
subsequently until I also manually linked the cert to the location in
the config.
I will schedule some time over the weekend and do it again, and keep notes.

Thanks,

Sean


#8

I didn’t understand whether you had working HTTPS before, or never did. But your configuration file was pointing to a nonexistent certificate, which is why it initially didn’t work until you created that link.


#9

Hello Seth,

It was a fresh kick, never before set up. Bare metal, standard install,
apt-get update, then apt-get apache and certbot,
certbot --apache I think. But if I can get some time this weekend, I’ll
rerun everything and get you the logs, configs, and bash history.
If I’m able, I’ll analyze it, then submit a pull request with the patch,
or if it was my mistake, why I made it.

Sean


#10

Hmmm, Certbot never uses the path /etc/ssl/certs, so that must have been some other HTTPS-related software of some sort.


#11

Hello Seth,

No - it was a clean install; nothing else was ever there first, from the
OS on down - I am sure of that. However, I will rekick and retry things, and
document it pretty well. I am more than capable of being stupid, so let
me make sure I’m not being stupid.

