Reputation: 10163
Trying to use certbox to get SSL Certificate, however command sudo certbot --apache failed on ec2 instance
Here are the instructions I was following, and here is the error I'm receiving when I attempt to run sudo certbot --apache
I am ssh'd into my EC2 instance and successfully ran all of the commands in section 2 and 3 of the instructions, but now this command in 4 is failing. Here is the output:
bitnami@ip-172-31-82-209:~/apps/InterSportsGraphs$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): bigleaguegraphs.com www.bigleaguegraphs.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bigleaguegraphs.com
http-01 challenge for www.bigleaguegraphs.com
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2287, in perform
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2312, in cleanup
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
The meat of the error message, which appears throughout this error, I think is the following:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Any direction as to how I can debug this in order to get the SSL Certificate for my website would be great, thanks! I am not a networking person but need to get this done to secure my website. Please let me know if I can share any addt'l info that will help with this, or how I should go about resolving this in general. Thanks!
Edit: I used https://www.ssllabs.com/ssltest/ to test my domain bigleaguegraphs.com but don't quite understand the output here either.
Edit2: Here are two links to other posts:
- https://unix.stackexchange.com/questions/381646/aws-ec2-instance-says-apache2-isnt-running-but-the-server-is-still-up-and-httpd
- https://community.bitnami.com/t/i-unable-to-restart-apache/47636
...that seem like they could be related to my post?
Upvotes: 3
Views: 841
Answers (1)
Reputation: 1766
From your posted log output and comments we know that your website is served by node.js and not Apache. This means you are left with three choices:
Get Apache to work just to get the Let's Encrypt certificate. I wouldn't recommend this approach because it will be troublesome. Apache would conflict with node.js regarding used ports and when you solved that you would still need to integrate the retrieved certificate in node.js.
Instead of retrieving the certificate with Apache and the
--apacheflag you can directly retrieve it through certbot and any other server like for example node.js. Typically this will involve using certbot with thecertonly --webrootoption and you will need to modify your node.js server (just a little bit) to actually use the retrieved certificate and listen on an additional port for SSL/TLS connections. A good starting point for this approach may be this article which is for node.js and express.js (and express.js is the package which is by far the most popular HTTP server package for node.js so it is very likely your website uses it as well or at least a very similar package): https://www.sitepoint.com/how-to-use-ssltls-with-node-js/
This is the approach I would recommend if you have one site or a small number of sites for which you would like to get certificates.Instead of letting Let's Encrypt verify your website via HTTP, which always involves serving the challenge responses via an existing server (like Apache and with with the
--apacheflag) or any other server (with thecertonly --webrootoption) you also can serve these responses via DNS. This also works with thecertonlyoption (and you also will need to modify node.js to actually use the certificate like in previous approaches) but it is a little bit more complicated with additional required options wich may vary depending on your DNS provider. You can find an overview of documentations for popular DNS providers at https://certbot.eff.org/docs/using.html#dns-plugins.
This is the approach I'd absolutely recommend if you have somewhat more websites and if you want wildcard certificates (pro tip: there are ready to use docker images for each DNS provider: https://hub.docker.com/r/certbot/certbot/).
Upvotes: 1
Related Questions
- Error Connection Time Out after Certbot certificate installation
- Certbot unable to locate environment variable credentials
- Certbot not found
- AWS EC2( Apache) cannot be configured for SSL with Cerbot
- AWS: Your system is not supported by certbot-auto anymore
- Error when securing Apache server with SSL (certbot error)
- Certbot Amazon Linux error can't generate ssl cert
- Why on ECS I got certbot: error: unrecognized arguments?
- Apache HTTPS Certbot LetsEncrypt issue
- letsencrypt certbot timeout error