Virtual host listening on port 80 needed to prove that you control your domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gibhenry.com

I ran this command: sudo certbot renew

It produced this output:

virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gibhenry.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/gibhenry.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.gibhenry.com/fullchain.pem (failure)

My web server is (include version): apache

The operating system my web server runs on is (include version): MacOS 10.15.7 Catalina

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.3.0

Haven't really changed anything since the last renewal; how do I add such a virtual host? (Also wondering about gibhenry.com-0001…is that normal?) Thank you in advance for any insight you can offer.

That seems understated.
Where did the virtual host listening on port 80 go?

Those are active certs:

Please show the output of:
certbot certificates

[I'm betting one cert has the base name, one cert has the www name, and one cert has both names]

Thanks for jumping in there! The website works at port 80, but all of a sudden, for reasons that I don't understand, it's no longer working on https…anyway, here's the output:

Found the following certs:
  Certificate Name: gibhenry.com-0001
    Domains: gibhenry.com
    Expiry Date: 2021-07-03 22:33:56+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/gibhenry.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gibhenry.com-0001/privkey.pem
  Certificate Name: gibhenry.com
    Domains: gibhenry.com www.gibhenry.com
    Expiry Date: 2021-07-03 22:34:05+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/gibhenry.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gibhenry.com/privkey.pem
  Certificate Name: www.gibhenry.com
    Domains: www.gibhenry.com
    Expiry Date: 2021-07-03 22:37:38+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/www.gibhenry.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.gibhenry.com/privkey.pem

Winner, winner, chicken dinner!

I'm seeing ports 80 (http) and 443 (https) closed for both gibhenry.com and www.gibhenry.com.

It's unusual to have wildcard DNS records:

*.gibhenry.com. 1799 IN A 24.158.238.42

especially when there are CNAME records:

www.gibhenry.com. 10799 IN CNAME gibhenry.com

Yeah!
The certs are just as I suspected:

Okay…but where's the problem with renewal?

Yeah…sorry, Synology router is constantly issuing notices that it blocked stuff. What IP address are you coming from, and I'll make sure it's unblocked.

You simply can't operate by blocking random IP addresses and expect an http-01 challenge to succeed.

I'm not blocking anything, the router uses several services (Google Safe Browsing and Threat Intelligence databases among others) to block known or suspected malicious sites. But oddly, I can connect to http from the server machine itself, but NOT https. I have no idea why; last time I tried it a month or so ago, it worked fine. It doesn't make sense to me. Any insight?

I suspect some issues in the webserver configuration.

What are the outputs of these commands?

sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put 3 backticks above and below each output, like this:

```
output
```

> VirtualHost configuration:
> ServerRoot: "/usr"
> Main DocumentRoot: "/Library/WebServer/Documents"
> Main ErrorLog: "/private/var/log/apache2/error_log"
> Mutex default: dir="/private/var/run/" mechanism=default 
> Mutex mpm-accept: using_defaults
> PidFile: "/private/var/run/httpd.pid"
> Define: DUMP_VHOSTS
> Define: DUMP_RUN_CFG
> User: name="_www" id=70
> Group: name="_www" id=70

Yep. You have no VirtualHosts. Please post the outputs of the other commands.

Oops, you edited that, and I missed this:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using iGib.local. Set the 'ServerName' directive globally to suppress this message

Interestingly, the apache.conf file has not been edited since June 2020…at least 3 successful renewals ago.

Did you lose your configuration files out of sites-available?

With your current configuration I don't see how your website could even function, nonetheless have a certificate renewal succeed.

A locate search reveals no hits on "sites-available"…?!

ls: /etc/apache2/sites-available: No such file or directory

This is a Mac thing.

What are the contents of this file? (Please wrap with 3 backticks as before.)

/etc/apache2/httpd.conf

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.