[SOLVED] F29 certbot and apache - renew problem
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    F29 certbot and apache - renew problem

    Hi,

    Renewing my certificate with certbot, I run into trouble with apachectl:

    [root@xxx letsencrypt]# more letsencrypt.log
    2019-04-13 12:56:23,866:DEBUG:certbot.main:certbot version: 0.31.0
    2019-04-13 12:56:23,866:DEBUG:certbot.main:Arguments: ['--dry-run']
    2019-04-13 12:56:23,867:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-04-13 12:56:23,893:DEBUG:certbot.log:Root logging level set at 20
    2019-04-13 12:56:23,894:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-04-13 12:56:23,945:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0xb5feafec> and installer <certbot.cli._Default object at 0xb5feafec>
    2019-04-13 12:56:23,945:DEBUG:certbot.cli:Var dry_run=True (set by user).
    2019-04-13 12:56:23,945:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
    2019-04-13 12:56:23,945:DEBUG:certbot.cli:Var dry_run=True (set by user).
    2019-04-13 12:56:23,946:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
    2019-04-13 12:56:23,946:DEBUG:certbot.cli:Var account={'server'} (set by user).
    2019-04-13 12:56:23,996:INFO:certbot.renewal:Cert not due for renewal, but simulating renewal for dry run
    2019-04-13 12:56:23,996:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer None
    2019-04-13 12:56:24,149:ERROR:certbot.util:Error while running apachectl -v.

    apachectl: The "-v" option is not supported.

    Thanks for Your help!

    Frank
    Last edited by fbuschbeck; 13th April 2019 at 12:07 PM. Reason: wrong smilies

  2. #2

    Re: F29 certbot and apache - renew problem

    OK, found something here:
    https://github.com/certbot/certbot/issues/6940
    Will there be an update in F29 soon?

  3. #3

    Re: F29 certbot and apache - renew problem

    As nobody here can help me, I found help at letsencrypt community:
    https://community.letsencrypt.org/t/...-problem/91569
    My problem is solved but F29 certbot --apache still doesn't work. The bug should be fixed ... ?

  4. #4

    Re: F29 certbot and apache - renew problem

    Quote Originally Posted by fbuschbeck
    As nobody here can help me, I found help at letsencrypt community:
    https://community.letsencrypt.org/t/...-problem/91569
    My problem is solved but F29 certbot --apache still doesn't work. The bug should be fixed ... ?
    Thanks for sharing the link to the letsencrypt thread. You can report it at https://bugzilla.redhat.com

    Please remember this forum is a user community and not an official support channel, so if nobody has encountered the same problem (or even uses the same resources without any issues) then they cannot give you any help solving it.

  5. #5

    Re: F29 certbot and apache - renew problem

    You are correct in that the certbot and certbot-apache combo installed from the fedora repositories just don't work. And for the reason posted, apachectl does not support the -v option.
    Obviously the certbot-apache plugin is incompatible with fedora, it should not rely on "apachectl -v" when that is simply not an available option on fedora.
    It does mean fedora users have no easy way of using LetsEncrypt to obtain certificates in an automated way which is an issue for fedora users.
    It is theoretically possible to obtain the certificate with "certbot certonly --webroot -w /var/www/html -d yourdomain.somewhere.org"; you could try that and, if it works for you, put it in a cron job that also moves the certificate into place on your webserver.
    As nobody seems concerned by the issue I guess there are no fedora users that use the LetsEncrypt service.

  6. #6

    Re: F29 certbot and apache - renew problem

    Quote Originally Posted by markdk
    As nobody seems concerned by the issue I guess there are no fedora users that use the LetsEncrypt service.
    I use LetsEncrypt with Fedora 30 and nginx. Works fine now. I did have a problem renewing about 9 months ago. I searched around and found this command:

    certbot renew --preferred-challenges http

    This has worked like a champ for the last 3 renewals with nginx. I don't know if this will work with Apache.
    I never responded to this thread before as previous posts said it was a Fedora / Apache problem. I hope by chance this helps.

  7. #7

    Re: F29 certbot and apache - renew problem

    Just an update on my earlier reply, the --webroot option does work as I have just used it myself to replace the self signed certificates I use.
    Output as below, after globally replacing the hostname in the output of course

    -------------------------------
    [root@vosprey2 httpd]# certbot certonly --webroot -w /home/httpd/newsite/html -d replaces.my.hostname
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for replaces.my.hostname
    Using the webroot path /home/httpd/newsite/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/replaces.my.hostname/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/replaces.my.hostname/privkey.pem
    Your cert will expire on 2019-08-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
    -----------------------
    I altered my /etc/httpd/conf.d/ssl.conf to use the files in the location certbot placed them and restarted httpd, and it worked, I now don't have to use self-signed certs.

    So I guess remove the python3-certbot-apache package/plugin and use the --webroot method to get the first pem files, then stuff a "certbot renew" into cron to run every three months. As long as apache is configured to look for them where certbot puts them you are back to a completely hands off update method.

    Completely off track but thank you for your question, I had always avoided letsencrypt as my personal web url is from dynamic dns and xxxx.dyndns.org I assumed I could not get a cert for as I do not have any ownership of dyndns.org. It was a wrong assumption as with the --webroot method as long as the letsencrypt servers can resolve the name and contact the server on port 80 they will issue a cert.
    Because of my curiosity in your question I have learnt something new which is useful to me.
    These forums are a great learning tool.
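
Added example, not part of any post in this thread: a watchdog for the cron-driven webroot renewal described in post #7, which catches the case where renewals fail silently (as the apachectl error in post #1 would cause). It assumes bash, GNU date and openssl; the function names, the 20-day threshold and the suggested schedule are illustrative choices, and certbot by default renews only certificates within 30 days of expiry, so a certificate below the threshold means scheduled runs have not been succeeding.

```shell
#!/usr/bin/env bash
# Renewal watchdog for a certificate kept under /etc/letsencrypt/live/<name>/.
# Suggested (assumed) schedule: run "certbot renew --quiet" from cron daily,
# and run this check afterwards so a broken renewal is noticed before expiry.

# Whole days between now_epoch and a notAfter string in the format printed by
# `openssl x509 -enddate` (e.g. "Aug 13 00:00:00 2019 GMT"); -1 if already past.
days_left() {
    local not_after="$1" now_epoch="$2" end_epoch
    end_epoch=$(date -u -d "$not_after" +%s) || return 2
    if [ "$end_epoch" -lt "$now_epoch" ]; then
        echo -1
    else
        echo $(( (end_epoch - now_epoch) / 86400 ))
    fi
}

# Map days remaining to a status. Below the warning threshold, certbot should
# already have replaced the certificate, so renewals must be failing.
renewal_status() {
    local days="$1" warn="${2:-20}"
    if [ "$days" -lt 0 ]; then
        echo EXPIRED
    elif [ "$days" -lt "$warn" ]; then
        echo RENEWAL_FAILING
    else
        echo OK
    fi
}

# Read notAfter from a PEM file and classify it against the current time.
check_cert() {
    local pem="$1" not_after days
    not_after=$(openssl x509 -enddate -noout -in "$pem" | cut -d= -f2)
    [ -n "$not_after" ] || return 2
    days=$(days_left "$not_after" "$(date +%s)") || return 2
    renewal_status "$days"
}

# Runs only when a certificate name is given, e.g.: ./check.sh replaces.my.hostname
if [ "$#" -ge 1 ]; then
    status=$(check_cert "/etc/letsencrypt/live/$1/fullchain.pem") \
        || { echo "$1: cannot read certificate" >&2; exit 2; }
    echo "$1: $status"
    [ "$status" = OK ] || exit 1
fi
```

A non-zero exit makes cron mail the output to the job owner when MAILTO is set, which is enough to surface a renewal that has stopped working.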

  8. #8

    Re: F29 certbot and apache - renew problem

    You can also temporarily downgrade httpd and then upgrade it after the letsencrypt update is done. Once every 3 months isn't awful, but it still should be fixed so apache renewal works. If you add a --nodeps and --oldpackage to the rpm command you can do the downgrade/letsencrypt/upgrade sequence pretty fast.
