Apache error with certbot

Hi there.

My first attempt at installing Nextcloud on a Raspberry Pi 3
Sort of went O.K…

Then I attempted to get a certificate using certbot, but I failed.
Can anyone put me right here?
When it produced the certificate, everything seemed to go well, and four files went into:
/etc/letsencrypt/live/alistairscloud.org/
cert.pem
chain.pem
fullchain.pem
privkey.pem
That’s all there is in there.

I got confused (probably the drink) and I reckon I’m not using the right key file or I’ve forgotten another config file or something.
Should I be looking for a .key file?
Should I just slit my wrists now or just take some more wood alcohol?

Nextcloud version 12.0.3
Operating system and version:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch
Apache version 2.4.25 (Raspbian)
PHP version 5.6.22-2+b3

apachectl -V says:

Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/alistairscloud.org/fullchain.pem’ does not exist or is empty

fullchain.pem exists there, and is definitely not empty.

GNU nano 2.7.4 File: config.php

<?php
$CONFIG = array (
'instanceid' => 'ocrtxgh6xns3',
'passwordsalt' => '(lots of characters)',
'secret' => '(lots more characters)',
'trusted_domains' => 
 array (
 0 => '192.168.1.80',
 1 => 'www.alistairscloud.org',
 2 => 'alistairscloud.org',
'memcache.local' => '\OC\Memcache\APCu',
),
'datadirectory' => '/var/nextcloud/data',
'overwrite.cli.url' => 'https://192.168.1.80/nextcloud',
'dbtype' => 'sqlite3',
'version' => '12.0.3.3',
'installed' => true,
'mail_smtpmode' => 'smtp',
'mail_smtpauthtype' => 'LOGIN',

The log and 000-default-le-ssl.conf are a bit big, so they can be found here:


I would greatly appreciate help.
Sorry if you get this question all the time…
Fitch.

About apachectl -V syntax error:

  • On my Raspberry Pi 2 I also faced errors like this with apachectl. Some permissions were missing for just this command or something. Can’t reproduce it anymore now, but still remember this.
  • As it doesn’t necessarily have anything to do with the real apache2 service status, please check if it is running with: service apache2 status
  • Otherwise I have no idea what is wrong, as the locations of the certificates are totally right and, as you say, they are there and not empty. The files themselves (names and endings) are totally fine.

If Apache is actually running fine, then you have to reorder your config.php a bit. Also your log.txt shows errors related to this:

  • Close the array bracket before the memcache setting, so that it looks like this:
array (
 0 => '192.168.1.80',
 1 => 'www.alistairscloud.org',
 2 => 'alistairscloud.org',
),
'memcache.local' => '\OC\Memcache\APCu',
  • At the end of the config file close the parent $CONFIG = array ( again, so that it looks like this:
...
'mail_smtpmode' => 'smtp',
'mail_smtpauthtype' => 'LOGIN',
);

For further help if necessary, please tell us where the first things actually didn’t go as expected. You said that certbot failed, but it looks like it went perfectly well. Did it give some error message? Are you able to ping the server, or open some default page inside the web root? As said, Nextcloud might not have been able to open due to the syntax error in config.php.
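
The permissions point in the first bullet above, as an added example that is not part of the original thread: certbot's live/ entries are symlinks into ../../archive/, and this sketch assumes (not confirmed for this system) that some directory on that chain is searchable by root only, so a check run as pi can report "does not exist or is empty" for a file root can read. The names check_cert_path and make_sample_tree and the example.test tree are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Reports the first obstacle between the
# current user and a certificate path, following certbot-style symlinks.

check_cert_path() {
    target=$1; depth=${2:-0}
    case $target in /*) ;; *) echo "need-absolute-path: $target"; return 2 ;; esac
    if [ "$depth" -gt 8 ]; then echo "symlink-loop: $target"; return 1; fi

    # Split the parent directory on "/" and test each component in turn:
    # it must exist and be searchable (x bit) for the user running the check.
    old_ifs=$IFS; IFS=/
    set -f; set -- $(dirname "$target"); set +f
    IFS=$old_ifs
    probe=
    for part in "$@"; do
        [ -n "$part" ] || continue
        probe=$probe/$part
        [ -e "$probe" ] || { echo "missing: $probe"; return 1; }
        [ -x "$probe" ] || { echo "no-search-permission: $probe"; return 1; }
    done

    # live/<name>/*.pem are symlinks into ../../archive/<name>/; check the
    # link target the same way, since its directories have their own modes.
    if [ -L "$target" ]; then
        link=$(readlink "$target")
        case $link in /*) ;; *) link=$(dirname "$target")/$link ;; esac
        check_cert_path "$link" $((depth + 1))
        return $?
    fi
    [ -e "$target" ] || { echo "missing: $target"; return 1; }
    [ -r "$target" ] || { echo "unreadable: $target"; return 1; }
    [ -s "$target" ] || { echo "empty: $target"; return 1; }
    echo "ok: $target"
}

# Constructed sample: a throwaway tree shaped like certbot's live/ + archive/.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/live/example.test" "$root/archive/example.test"
    echo "constructed placeholder, not a real certificate" \
        > "$root/archive/example.test/fullchain1.pem"
    ln -s ../../archive/example.test/fullchain1.pem \
        "$root/live/example.test/fullchain.pem"
    echo "$root"
}

# Usage: sh check_cert_path.sh /etc/letsencrypt/live/<name>/fullchain.pem
if [ $# -gt 0 ]; then check_cert_path "$1"; fi
```

Running it once as pi and once with sudo against the same path shows whether the two users see different results.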

Thanks.
Now then…
Below is the original output before correcting my mistake in config.php (found out that I’d just forgotten to copy the end ); to dropbox - my mistook).

The status after the correction is that the

“raspberrypi apachectl[472]: AH00557: apache2: apr_sockaddr_info_get() failed for raspberrypi”

at the bottom has miraculously disappeared, so that’s good!

I will keep you informed…

pi@raspberrypi:~ $ service apache2 status
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-02 00:32:58 UTC; 13h ago
Process: 472 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 599 (apache2)
CGroup: /system.slice/apache2.service
├─ 599 /usr/sbin/apache2 -k start
├─ 634 /usr/sbin/apache2 -k start
├─ 636 /usr/sbin/apache2 -k start
├─ 638 /usr/sbin/apache2 -k start
├─ 639 /usr/sbin/apache2 -k start
├─ 641 /usr/sbin/apache2 -k start
├─1022 /usr/sbin/apache2 -k start
├─1053 /usr/sbin/apache2 -k start
├─1054 /usr/sbin/apache2 -k start
└─1055 /usr/sbin/apache2 -k start

Nov 02 00:32:56 raspberrypi systemd[1]: Starting The Apache HTTP Server…
Nov 02 00:32:58 raspberrypi apachectl[472]: AH00557: apache2: apr_sockaddr_info_get() failed for raspberrypi
Nov 02 00:32:58 raspberrypi apachectl[472]: AH00558: apache2: Could not reliably determine the server’s fully qualified
Nov 02 00:32:58 raspberrypi systemd[1]: Started The Apache HTTP Server.

Would I be right in saying that the "Could not reliably determine the server’s fully qualified" whatever, is not a lot to worry about?

Fitch.

ADDENDUM:

[Thu Nov 02 14:17:38.468787 2017] [mpm_prefork:notice] [pid 1182] AH00169: caught SIGTERM, shutting down
[Thu Nov 02 14:17:46.177269 2017] [ssl:warn] [pid 466] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 02 14:17:48.112935 2017] [ssl:warn] [pid 575] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 02 14:17:48.142212 2017] [mpm_prefork:notice] [pid 575] AH00163: Apache/2.4.25 (Raspbian) OpenSSL/1.0.2l configured – resuming normal operations
[Thu Nov 02 14:17:48.142428 2017] [core:notice] [pid 575] AH00094: Command line: ‘/usr/sbin/apache2’

This looks much better, except…
That bit about the server certificate not including blah, blah.

Oh, and:

Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/alistairscloud.org/fullchain.pem’ does not exist or is empty

still exists.

I tested your URL and it works ! Good job.

About this error : Could not reliably determine the server’s fully qualified

Do you have this in your Apache vhost files, both the normal one and the le-ssl.conf one?
(/etc/apache2/sites-available/yourfile.conf)
ServerName alistairscloud.org

Normally you have it in the first lines.

Close, save and restart apache2

Thanks.

It’s certainly in the le-ssl.conf file. (at the bottom as it happens…)

But which vhost file do I alter?
/etc/apache2/conf-enabled/other-vhosts-access-log.conf
/etc/apache2/mods-available/vhost_alias.load
/etc/apache2/conf-available/other-vhosts-access-log.conf
/var/lib/apache2/conf/enabled_by_maint/other-vhosts-access-log
/var/log/apache2/other_vhosts_access.log
/usr/include/linux/vhost.h
/usr/lib/apache2/modules/mod_vhost_alias.so

and huge amounts of vhost files in the /opt directories

pi@raspberrypi:/etc/apache2/sites-enabled $ ls
000-default.conf 000-default-le-ssl.conf default-ssl.conf

The one that runs Nextcloud in /etc/apache2/sites-available

You can do this to find out which conf file is your Nextcloud:
a2dissite 000-default.conf

Do that for the 4 conf files
Restart apache
Then
a2ensite (one of the four files)
Restart apache and see if it works.

Imagine it’s 000-default.conf that works, then a2ensite 000-default-le-ssl.conf

sites-available as opposed to sites-enabled?
There are only three files in each. Am I missing one?
000-default.conf
000-default-le-ssl.conf
default-ssl.conf

When you start apache2 it puts conf files that are enabled by a2ensite from available to enabled. Then when you modify a file you have to restart apache for the changes to take effect

From what I see your Nextcloud is in the 000-default files

Aaah good point. Must remember that…

I disabled and enabled the files one by one. No difference.

I put ServerName alistairscloud.org
in the 2 files that didn’t have it (le-ssl did)
Still get
[Thu Nov 02 22:25:40.630696 2017] [mpm_prefork:notice] [pid 1166] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
[Thu Nov 02 22:25:41.018283 2017] [mpm_prefork:notice] [pid 1166] AH00163: Apache/2.4.25 (Raspbian) OpenSSL/1.0.2l configured – resuming normal operations
[Thu Nov 02 22:25:41.018386 2017] [core:notice] [pid 1166] AH00094: Command line: ‘/usr/sbin/apache2’

Oh well…

You should get an answer

By default your system contains 000-default.conf as port 80 vhost and default-ssl.conf as port 443 vhost, which is not enabled (not linked to sites-enabled) by default. If you install certbot with apache extension and run it with auto webserver configuration, it creates 000-default-le-ssl.conf as new port 443 vhost, I guess to prevent overwrite/user input on apache upgrade. Thus just 000-default and 000-default-le-ssl should be enabled, while default-ssl should remain unused, not linked to sites-enabled.

It is advised to use another conf file, just for nextcloud, which contains some fixes, use of .htaccess files etc, that is active on ssl and non-ssl. See https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#apache-web-server-configuration example apache configuration for this. You could of course just use default-ssl for this, but to prevent confusion with wording and keep things well separated, create an additional nextcloud.conf.

Thanks.
I’ve done all the stuff in the link and now there is no server name error.
Brilliant!

Just the original .pem problem left now…

SSLCertificateFile: file ‘/etc/letsencrypt/live/alistairscloud.org/fullchain.pem’ does not exist or is empty