On Sun, 2023-04-23 at 00:26 +0930, Tim via users wrote:
> On Sat, 2023-04-22 at 13:11 +0100, Patrick O'Callaghan wrote:
> > I'm trying to set up a simple web server for personal use, using
> > Apache, and want to enable HTTPS access. This involves getting an SSL
> > certificate and I'll be using LetsEncrypt (www.letsencrypt.org).
> >
> > The recommended way to do this is with Certbot, but I can't get past
> > this error:
> >
> > # certbot --apache -d bree.org.uk
> > Saving debug log to /var/log/letsencrypt/letsencrypt.log
> > Requesting a certificate for bree.org.uk
> > Unable to find a virtual host listening on port 80 which is currently
> > needed for Certbot to prove to the CA that you control your domain.
> > Please add a virtual host for port 80.
> > Ask for help or search for solutions at https://community.letsencrypt.org.
> > See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot
> > with -v for more details.
> >
> > Note that the httpd server is online and reachable from outside my
> > local net, i.e. this doesn't appear to be a firewall issue.
> >
> > I've reported the problem upstream and followed a number of
> > suggestions, but nothing seems to make any difference:
> >
> > https://community.letsencrypt.org/t/certbot-fails-with-cant-find-virtual-...
>
> I wonder does Certbot read the Apache config files directly, or is it
> doing HTTP/HTTPS access of the webserver?
>
> Looking at some of your results it is probing port 80, though it might
> be doing more than one thing.
>
> Assuming that Certbot runs inside your LAN, does the domain name
> resolve internally to an IP that can be reached internally?

Yes.

> e.g. Can you browse to that address staying entirely within your LAN?

Yes.

> If it reads the config files, might SELinux be denying it?

No. I disabled SELinux and it made no difference.

> Looking at my Apache configuration, the virtual hosts ServerName and
> ServerAlias entries just have the host names without any port numbers.
>
> <VirtualHost *:80>
>     ServerName www.example.com
>     ServerAlias example.com
> </VirtualHost>

The port number is optional. I've since removed it. It makes no
difference.

> Interesting that it wants a port 80 virtual host, for something (HTTPS)
> that's going to be running through port 443. I would have thought
> you'd need something along the lines of:
>
> <VirtualHost *:443>
>     ServerName www.example.com
>     ServerAlias example.com
> </VirtualHost>
>
> as well.

My understanding is that it needs port 80 for the initial token
negotiation to get the certificate to set up HTTPS. Requiring port 443
would be a circular dependency.
poc
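The following pre-flight check is an added example and is not part of the thread, of Certbot or of Apache. It addresses the point the exchange circles around: Certbot's Apache plugin works from Apache's parsed configuration, not by probing the site, so the question to settle before re-running `certbot --apache` is whether Apache itself reports a virtual host for the domain on port 80. The script asks that question of `apachectl -S` output (the "dump parsed vhost settings" listing of httpd 2.4) and, if the answer is no, prints the minimal port-80 vhost that lets the HTTP-01 challenge be served. The three dumps embedded in the script are constructed to mimic that output for `bree.org.uk`; the document root `/var/www/html` and the file names in the dumps are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot/Apache: a pre-flight
# check for the "Unable to find a virtual host listening on port 80" error.
# `certbot --apache` reads Apache's parsed configuration, so the thing to
# verify is what Apache itself reports via `apachectl -S` (or `httpd -S`):
# is there a virtual host for the domain on port 80?  The samples below
# are constructed to mimic that output; on a real server feed it the live
# dump as shown at the bottom.

DOMAIN="bree.org.uk"   # from the thread; change to your own host name

# Constructed sample: only a port-443 vhost exists for the domain.
# This is the shape of configuration that triggers Certbot's complaint.
SAMPLE_NO_80='VirtualHost configuration:
*:443                  bree.org.uk (/etc/httpd/conf.d/ssl.conf:2)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"'

# Constructed sample: a single port-80 vhost has been added.
SAMPLE_WITH_80='VirtualHost configuration:
*:80                   bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
*:443                  bree.org.uk (/etc/httpd/conf.d/ssl.conf:2)
ServerRoot: "/etc/httpd"'

# Constructed sample: several name-based vhosts on port 80, with the
# domain appearing only as a ServerAlias of the www host.
SAMPLE_NAMEBASED='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
         port 80 namevhost www.bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
                 alias bree.org.uk
         port 80 namevhost other.example (/etc/httpd/conf.d/other.conf:1)
*:443                  bree.org.uk (/etc/httpd/conf.d/ssl.conf:2)'

# has_port80_vhost DOMAIN DUMP
# Returns 0 if DUMP (apachectl -S output) lists DOMAIN as the ServerName
# or a ServerAlias of a vhost bound to port 80, 1 otherwise.
has_port80_vhost() {
    printf '%s\n' "$2" | awk -v d="$1" '
        # Lone vhost on a port:  "*:80    host (file:line)"
        $1 ~ /:80$/ && $2 == d            { found = 1 }
        # Name-based block: remember the port of the current namevhost
        $1 == "port" && $3 == "namevhost" { curport = $2 }
        $1 == "port" && $2 == "80" && $3 == "namevhost" && $4 == d { found = 1 }
        # "alias X" lines belong to the namevhost just above them
        $1 == "alias" && $2 == d && curport == "80" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# port80_vhost_conf DOMAIN DOCROOT
# Prints the minimal port-80 vhost Certbot needs.  The HTTP-01 challenge
# is served from DOCROOT/.well-known/acme-challenge/, so that path must
# not be redirected or blocked before the certificate is issued.
port80_vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
</VirtualHost>
EOF
}

# Run the check over the constructed samples.
for sample in "$SAMPLE_NO_80" "$SAMPLE_WITH_80" "$SAMPLE_NAMEBASED"; do
    if has_port80_vhost "$DOMAIN" "$sample"; then
        echo "port-80 vhost for $DOMAIN: present"
    else
        echo "port-80 vhost for $DOMAIN: missing; add something like:"
        port80_vhost_conf "$DOMAIN" /var/www/html
    fi
done

# On a live Fedora/RHEL host the dump comes from Apache itself:
#   has_port80_vhost "$DOMAIN" "$(apachectl -S 2>&1)" && echo ok
```

Once the dump shows the port-80 vhost, run `apachectl configtest`, reload httpd and re-run Certbot. The vhost also has to answer on port 80 from the Internet, since the CA fetches the challenge token over plain HTTP; a dump that lists the vhost but a firewall that drops port 80 will fail at the next step instead.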