Virtual host listening on port 80 needed to prove that you control your domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gibhenry.com

I ran this command: sudo certbot renew

It produced this output:

virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gibhenry.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/gibhenry.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.gibhenry.com/fullchain.pem (failure)

My web server is (include version): apache

The operating system my web server runs on is (include version): MacOS 10.15.7 Catalina

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.3.0

Haven't really changed anything since the last renewal; how do I add such a virtual host? (Also wondering about gibhenry.com-0001…is that normal?) Thank you in advance for any insight you can offer.

2 Likes

That seems understated.
Where did the virtual host listening on port 80 go?

Those are active certs:

Please show the output of:
certbot certificates

[I'm betting one cert has the base name, one cert has the www name, and one cert has both names]

2 Likes

Thanks for jumping in there! The website works at port 80, but all of a sudden, for reasons that I don't understand, it's no longer working on https…anyway, here's the output:

```
Found the following certs:
  Certificate Name: gibhenry.com-0001
    Domains: gibhenry.com
    Expiry Date: 2021-07-03 22:33:56+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/gibhenry.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gibhenry.com-0001/privkey.pem
  Certificate Name: gibhenry.com
    Domains: gibhenry.com www.gibhenry.com
    Expiry Date: 2021-07-03 22:34:05+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/gibhenry.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gibhenry.com/privkey.pem
  Certificate Name: www.gibhenry.com
    Domains: www.gibhenry.com
    Expiry Date: 2021-07-03 22:37:38+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/www.gibhenry.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.gibhenry.com/privkey.pem
```

2 Likes

Winner, winner, chicken dinner! :chicken:

I'm seeing ports 80 (http) and 443 (https) closed for both gibhenry.com and www.gibhenry.com.

https://www.yougetsignal.com/tools/open-ports/


It's unusual to have wildcard DNS records:

*.gibhenry.com. 1799 IN A 24.158.238.42

especially when there are CNAME records:

www.gibhenry.com. 10799 IN CNAME gibhenry.com

1 Like

Yeah!
The certs are just as I suspected:

2 Likes

Okay…but where's the problem with renewal?

2 Likes

Yeah…sorry, Synology router is constantly issuing notices that it blocked stuff. What IP address are you coming from, and I'll make sure it's unblocked.

2 Likes

You simply can't operate by blocking random IP addresses and expect an http-01 challenge to succeed.

3 Likes

I'm not blocking anything; the router uses several services (Google Safe Browsing and Threat Intelligence databases among others) to block known or suspected malicious sites. But oddly, I can connect to http from the server machine itself, but NOT https. I have no idea why; last time I tried it a month or so ago, it worked fine. It doesn't make sense to me. Any insight?

2 Likes

I suspect some issues in the webserver configuration.

What are the outputs of these commands?

```
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
```

Please put 3 backticks above and below each output, like this:

```
output
```

2 Likes
> VirtualHost configuration:
> ServerRoot: "/usr"
> Main DocumentRoot: "/Library/WebServer/Documents"
> Main ErrorLog: "/private/var/log/apache2/error_log"
> Mutex default: dir="/private/var/run/" mechanism=default 
> Mutex mpm-accept: using_defaults
> PidFile: "/private/var/run/httpd.pid"
> Define: DUMP_VHOSTS
> Define: DUMP_RUN_CFG
> User: name="_www" id=70
> Group: name="_www" id=70
2 Likes

Yep. You have no VirtualHosts. Please post the outputs of the other commands.

2 Likes

Oops, you edited that, and I missed this:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using iGib.local. Set the 'ServerName' directive globally to suppress this message

2 Likes

Interestingly, the apache.conf file has not been edited since June 2020…at least 3 successful renewals ago.

2 Likes

Did you lose your configuration files out of sites-available?

With your current configuration I don't see how your website could even function, let alone have a certificate renewal succeed.

2 Likes

A locate search reveals no hits on "sites-available"…?!

ls: /etc/apache2/sites-available: No such file or directory

2 Likes

This is a Mac thing.

What are the contents of this file? (Please wrap with 3 backticks as before.)

/etc/apache2/httpd.conf

2 Likes
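As an added example that is not part of the thread, here is a minimal port-80 VirtualHost for the two names on the certificate, which on macOS belongs in /etc/apache2/httpd.conf since there is no sites-available directory. The DocumentRoot and log directory are the ones shown in the apachectl -S output earlier in the thread; the log file names are assumptions.

```apache
# A global ServerName silences the AH00558 warning reported by apachectl -S
ServerName gibhenry.com

# Certbot's Apache plugin looks for a port-80 VirtualHost whose ServerName or
# ServerAlias matches the certificate's domains; it places the HTTP-01 challenge
# response under /.well-known/acme-challenge/ in this host's DocumentRoot.
<VirtualHost *:80>
    ServerName gibhenry.com
    ServerAlias www.gibhenry.com
    DocumentRoot "/Library/WebServer/Documents"

    # The CA must be able to fetch the challenge file over plain HTTP, so this
    # path must not be redirected, password-protected or denied, even if the
    # rest of the site is later redirected to HTTPS.
    <Directory "/Library/WebServer/Documents/.well-known/acme-challenge">
        Require all granted
    </Directory>

    # Assumed log file names, kept under the existing Apache log directory
    ErrorLog "/private/var/log/apache2/gibhenry-error_log"
    CustomLog "/private/var/log/apache2/gibhenry-access_log" combined
</VirtualHost>
```

After adding it, `sudo apachectl configtest` followed by `sudo apachectl -S` should now list a `port 80 namevhost gibhenry.com` entry with `alias www.gibhenry.com`; then reload Apache with `sudo apachectl graceful` and confirm the fix without consuming rate limits via `sudo certbot renew --dry-run`.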
