LetsEncrypt / Certbot – Virtualhost vs VirtualHost

Certbot, formerly letsencrypt, is a great tool for setting up SSL certificates on websites. I love being able to quickly, easily and for free set up an HTTPS SSL (TLS) certificate.

I use Apache to host lots of WordPress sites, custom sites (e.g. Symfony) and the like, and Certbot helps keep them secure. Except when it doesn’t understand the <VirtualHost> config.

Here is a virtual host entry that works. Running /opt/certbot-auto sees it and lets you create an SSL cert for it.

<VirtualHost *:80>
    ServerAdmin kublermdk@gmail.com
    ServerName www.kublermdk.com
    ServerSignature On

    DocumentRoot /var/www/kublermdk/www/
    CustomLog /var/log/apache2/www.kublermdk.com.log vhost_combined
    ErrorLog /var/log/apache2/www.kublermdk.com.error.log
    <Directory /var/www/kublermdk/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

 

Here’s a similar virtualhost entry. Apache happily uses it and it looks fine but Certbot can’t see it. See the difference? I’ve bolded the two characters that have changed.

<Virtualhost *:80>
    ServerAdmin kublermdk@gmail.com
    ServerName www.kublermdk.com
    ServerSignature On

    DocumentRoot /var/www/kublermdk/www/
    CustomLog /var/log/apache2/www.kublermdk.com.log vhost_combined
    ErrorLog /var/log/apache2/www.kublermdk.com.error.log
    <Directory /var/www/kublermdk/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</Virtualhost>

That’s right, the Certbot Apache plugin doesn’t understand <Virtualhost> with a lowercase h, only <VirtualHost> with an uppercase H, but Apache accepts both versions.
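A check for this mismatch, as an added example that is not from the original post or the Certbot project: it scans Apache config text for VirtualHost tags written in any other case and can rewrite them to the exact spelling the plugin expects. The function names, the sample config and the example.com hosts are constructed for illustration.

```python
import re
import sys
from pathlib import Path

CANONICAL = "VirtualHost"

# Apache treats section names case-insensitively, so match any spelling of the
# opening or closing tag at the start of a line (commented-out lines do not match).
VHOST_TAG = re.compile(r"^([ \t]*</?)(virtualhost)(?=[\s>])",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample: the first block uses the lowercase-h spelling.
SAMPLE = """\
<Virtualhost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example/
</Virtualhost>
<VirtualHost *:80>
    ServerName other.example.com
</VirtualHost>
# <virtualhost> in a comment is ignored
"""


def find_miscased_vhost_tags(text):
    """Return (line_number, tag_as_written) for every non-canonical tag."""
    hits = []
    for m in VHOST_TAG.finditer(text):
        if m.group(2) != CANONICAL:
            lineno = text.count("\n", 0, m.start()) + 1
            hits.append((lineno, m.group(1).lstrip() + m.group(2)))
    return hits


def normalize_vhost_tags(text):
    """Rewrite each VirtualHost tag to canonical case; nothing else changes."""
    return VHOST_TAG.sub(lambda m: m.group(1) + CANONICAL, text)


if __name__ == "__main__":
    # Usage: pass site config files as arguments; exits 1 if any tag is miscased.
    found = False
    for name in sys.argv[1:]:
        for lineno, tag in find_miscased_vhost_tags(Path(name).read_text()):
            print(f"{name}:{lineno}: {tag} should be written with {CANONICAL}")
            found = True
    sys.exit(1 if found else 0)
```

Run it over the files in sites-available before invoking Certbot; a non-zero exit status means at least one vhost would be skipped for this reason.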

It took me 2 hours and lots of struggling to realise this. Hopefully this post saves you some time and maybe Certbot will be updated to work with either.

Also, if you are trying to get it to work with multiple ServerAlias entries, that won’t work. So if you have www.kublermdk.com, kublermdk.com and resume.kublermdk.com, they all need their own site config file and have to be configured individually, which is a bit of a pain.

 

More info:

I’m using Certbot v0.11.1

https://certbot.eff.org/

https://github.com/certbot/certbot/issues/3545 - I got a touch of help reading this and understanding that the Apache plugin reads the sites-available folder for the HTTP version of the site, not HTTPS. After reading through some of the actual Certbot Apache plugin code, I found out it uses a specific parsing engine, and there was a reference to how they parse VirtualHosts needing more work.

https://github.com/certbot/certbot/issues/4183 - I posted a bug report about the issue.
