Re: Certbot error

On Sat, Apr 22, 2023 at 8:13 AM Patrick O'Callaghan
<pocallaghan@xxxxxxxxx> wrote:
>
> I'm trying to set up a simple web server for personal use, using
> Apache, and want to enable HTTPS access. This involves getting an SSL
> certificate and I'll be using LetsEncrypt (www.letsencrypt.org).
>
> The recommended way to do this is with Certbot, but I can't get past
> this error:
>
> # certbot --apache -d bree.org.uk
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Requesting a certificate for bree.org.uk
> Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
> Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
>
> Note that the httpd server is online and reachable from outside my
> local net, i.e. this doesn't appear to be a firewall issue.
>
> I've reported the problem upstream and followed a number of
> suggestions, but nothing seems to make any difference:
>
> https://community.letsencrypt.org/t/certbot-fails-with-cant-find-virtual-host-error/196800/29
>
> Any thoughts on this would be welcome, but please review the above link
> before replying.

No. If there's information needed, it needs to be provided here. I'm
not going to grind through some off-site Q&A.

We run an Apache server on Ubuntu 22.04, and we use Certbot for
cryptopp.com. (Our VPS host does not provide Fedora Server, so we use
Ubuntu Server).

Our server config files are as follows. The first two are most important:

~# find /etc/ -name 'cryptopp*'
/etc/apache2/sites-enabled/cryptopp.conf
/etc/apache2/sites-available/cryptopp.conf
/etc/ssl/private/cryptopp-com.chain.pem
/etc/ssl/private/cryptopp-com.pem.rsa
/etc/ssl/private/cryptopp-com.key.pem.ec
/etc/ssl/private/cryptopp-com.cert.pem
/etc/ssl/private/cryptopp-com.chain.pem.rsa
/etc/ssl/private/cryptopp-com.key.pem
/etc/ssl/private/cryptopp-com.key.pem.rsa

So the question is, do you have a *.conf file in sites-available? And
is there a link to it in sites-enabled?

(You enable a site with a2ensite. Once enabled, there is a symlink
from sites-available to sites-enabled).

Jeff

========================================

Here is sites-enabled. It is a symlink:

# ls -Al /etc/apache2/sites-enabled/cryptopp.conf
lrwxrwxrwx 1 root root 32 Apr  6  2021 /etc/apache2/sites-enabled/cryptopp.conf -> ../sites-available/cryptopp.conf

Here is sites-available/cryptopp.conf:

# cat /etc/apache2/sites-available/cryptopp.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerName cryptopp.com
        ServerAlias www.cryptopp.com *.cryptopp.com

        # https://linuxize.com/post/redirect-http-to-https-in-apache/
        Redirect permanent / https://cryptopp.com/

        ServerAdmin webmaster@xxxxxxxxxxxx
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:443>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        ServerName cryptopp.com
        ServerAlias www.cryptopp.com *.cryptopp.com

        ServerAdmin webmaster@xxxxxxxxxxxx
        DocumentRoot /var/www/html

        # Use separate log files for the SSL virtual host; note that LogLevel
        # is not inherited from httpd.conf.
        ErrorLog ${APACHE_LOG_DIR}/error.log
        TransferLog ${APACHE_LOG_DIR}/access.log
        LogLevel warn

        #   SSL Protocol support:
        # List the enable protocol levels with which clients will be able to
        # connect.  Disable SSLv2 access by default:
        # SSLProtocol all -SSLv2
        SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        #   See the mod_ssl documentation for a complete list.
        # SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCipherSuite HIGH:!aNULL:!kRSA:!MD5:!RC4

        # We are always going to be better configured than most user agents.
        #   In this case, we want to take the server's preferences. However,
        #   let the clients decide since its not worth arguing over.
        # SSLHonorCipherOrder on

        #   Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate.  If
        # the certificate is encrypted, then you will be prompted for a
        # pass phrase.  Note that a kill -HUP will prompt again.  A new
        # certificate can be generated using the genkey(1) command.
        SSLCertificateFile /etc/ssl/private/cryptopp-com.cert.pem

        #   Server Private Key:
        #   If the key is not combined with the certificate, use this
        #   directive to point at the key file.  Keep in mind that if
        #   you've both a RSA and a DSA private key you can configure
        #   both in parallel (to also allow the use of DSA ciphers, etc.)
        SSLCertificateKeyFile /etc/ssl/private/cryptopp-com.key.pem

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        SSLCertificateChainFile /etc/ssl/private/cryptopp-com.chain.pem

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #SSLCACertificateFile /etc/ssl/...

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        SSLVerifyClient none

        # Add HSTS header. 7776000=3 Months; 15552000=6 Months; etc.
        # Header set Strict-Transport-Security "max-age=15552001; includeSubdomains;"
</VirtualHost>
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
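The two questions Jeff asks (is there a *.conf in sites-available, and is it linked from sites-enabled as a2ensite would do) plus the one certbot itself is failing on (a port-80 virtual host whose ServerName or ServerAlias covers the domain) can be scripted. The script below is an added example, not code from the thread, from Certbot or from the cryptopp.com server; it assumes the Debian/Ubuntu apache2 layout under APACHE_ROOT, and the three site configs it creates are constructed sample data in a temporary directory:

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce the checks Jeff asks for
# (a *.conf in sites-available, a symlink to it in sites-enabled as created
# by a2ensite) plus the one certbot's --apache plugin performs (a
# <VirtualHost *:80> block whose ServerName/ServerAlias covers the domain).
# ASSUMPTION: Debian/Ubuntu apache2 layout under $APACHE_ROOT; the demo
# tree built by make_demo_tree is constructed data, not a real server.

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"

# 0 if sites-enabled/<site>.conf is a symlink resolving to sites-available/<site>.conf
site_enabled() {
    site="$1"
    available="$APACHE_ROOT/sites-available/$site.conf"
    enabled="$APACHE_ROOT/sites-enabled/$site.conf"
    [ -f "$available" ] || return 1
    [ -L "$enabled" ]   || return 1
    # readlink -f canonicalises relative targets such as ../sites-available/x.conf
    [ "$(readlink -f "$enabled")" = "$(readlink -f "$available")" ]
}

# 0 if FILE has a <VirtualHost ...:80> block whose ServerName or ServerAlias
# matches DOMAIN; wildcard aliases such as *.example.org are honoured.
vhost80_covers() {
    file="$1"; domain="$2"
    awk -v domain="$domain" '
        function covers(name,    suffix) {
            if (tolower(name) == tolower(domain)) return 1
            if (substr(name, 1, 2) == "*.") {
                suffix = tolower(substr(name, 2))              # ".example.org"
                return length(domain) > length(suffix) &&
                       tolower(substr(domain, length(domain) - length(suffix) + 1)) == suffix
            }
            return 0
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }    # drop comments, trim
        /^<VirtualHost[ \t]/ { in80 = ($0 ~ /:80>$/); next }
        /^<\/VirtualHost>/   { in80 = 0; next }
        in80 && tolower($1) == "servername"  { if (covers($2)) found = 1 }
        in80 && tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) if (covers($i)) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Run both checks for SITE/DOMAIN and name the first missing piece.
certbot_apache_ready() {
    site="$1"; domain="$2"
    if ! site_enabled "$site"; then
        echo "$site: no sites-available/$site.conf linked from sites-enabled (a2ensite $site)" >&2
        return 1
    fi
    if ! vhost80_covers "$APACHE_ROOT/sites-available/$site.conf" "$domain"; then
        echo "$site: no <VirtualHost *:80> whose ServerName/ServerAlias covers $domain" >&2
        return 2
    fi
    echo "$site: port-80 virtual host for $domain found"
}

# Constructed demo tree (sample data): one correctly enabled site, one
# HTTPS-only site, and one site that was written but never enabled.
make_demo_tree() {
    APACHE_ROOT="$(mktemp -d)"
    mkdir -p "$APACHE_ROOT/sites-available" "$APACHE_ROOT/sites-enabled"
    cat > "$APACHE_ROOT/sites-available/good.conf" <<'EOF'
<VirtualHost *:80>
        ServerName example.test
        ServerAlias www.example.test *.example.test
        Redirect permanent / https://example.test/
</VirtualHost>
<VirtualHost *:443>
        ServerName example.test
        SSLEngine on
</VirtualHost>
EOF
    ln -s ../sites-available/good.conf "$APACHE_ROOT/sites-enabled/good.conf"
    cat > "$APACHE_ROOT/sites-available/tlsonly.conf" <<'EOF'
<VirtualHost *:443>
        ServerName tlsonly.test
        SSLEngine on
</VirtualHost>
EOF
    ln -s ../sites-available/tlsonly.conf "$APACHE_ROOT/sites-enabled/tlsonly.conf"
    cp "$APACHE_ROOT/sites-available/good.conf" "$APACHE_ROOT/sites-available/forgotten.conf"
}

# Demo: walk the three constructed sites and report each verdict.
make_demo_tree
for pair in good:www.example.test tlsonly:tlsonly.test forgotten:example.test; do
    certbot_apache_ready "${pair%%:*}" "${pair#*:}" || echo "  -> exit status $?" >&2
done
rm -rf "$APACHE_ROOT"
```

On a real host, leave APACHE_ROOT at its default and call `certbot_apache_ready <site> <domain>` with the name of your conf file and the domain you pass to `certbot -d`; exit status 1 means the a2ensite step is missing, 2 means the file is enabled but has no port-80 block naming that domain, which is exactly the situation certbot's "Unable to find a virtual host listening on port 80" message describes. The check only looks at the port-80 side because that is what the HTTP-01 challenge needs; a redirect to HTTPS in that block, as in Jeff's config, is fine. Separately, the posted 443 block still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, so `SSLProtocol -all +TLSv1.2 +TLSv1.3` is the setting to aim for once the certificate is issued.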