Tags: amazon-ec2, virtualhost, certbot

Unable to find a virtual host listening on port 80.... Please add a virtual host for port 80


My web server is set up like this:

  • Linux
  • Apache 2.4

Certbot is giving me an error like this when I try to run it:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.


Solution

  • This all assumes that you have Apache installed and are trying to use Certbot. First, make sure an A record is set to your IP address in DNS. Also, as a basic introduction here, in CentOS, Apache is called "httpd", while in Ubuntu, Apache is called "apache2".

    Short Answer for CentOS

    cd /etc/httpd/conf.d
    sudo nano yourDomainName.conf
    

    Paste, edit, and save the following:

    <VirtualHost *:80>
        ServerName yourDomainName.com
        DocumentRoot /var/www/html
        ServerAlias www.yourDomainName.com
        ErrorLog /var/www/error.log
        CustomLog /var/www/requests.log combined
    </VirtualHost>
    

    Then:

    sudo service httpd restart
    

    And with this you should see the virtual host:

    httpd -D DUMP_VHOSTS
    

    Short Answer for Ubuntu

    sudo su                              # so that you can cd to the apache directory
    cd /etc/apache2/sites-available
    vim yourDomainName.com.conf          # this file needs to end with ".conf"
    

    Paste, edit, and save the following:

    <VirtualHost *:80>
        ServerName yourDomainName.com
        DocumentRoot /var/www/html
        ServerAlias www.yourDomainName.com
        ErrorLog /var/www/error.log
        CustomLog /var/www/requests.log combined
    </VirtualHost>
    

    Then:

    a2ensite yourDomainName.com          # site name is the file name without ".conf"
    service apache2 restart
    # press ctrl-d to exit root
    

    To install certbot (updated, since certbot-auto is no longer available):

    It used to be that you would download certbot-auto and just run that script to get your SSL certs. Let's Encrypt no longer supports this. There are now two different supported methods. One method is installing certbot with Snap, which requires that you install Snap first. I'm not going to go over that method here; there are plenty of instructions for it on their site. The other method is with the Certbot Docker image. This is much lighter in weight, since Snap is a big install.

    Ubuntu

    sudo service apache2 stop
    
    sudo docker run -it --rm --name certbot -p 80:80 -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly
    sudo service apache2 start           # on CentOS: sudo service httpd start
    

    CentOS

    sudo service httpd stop
    
    sudo docker run -it --rm --name certbot -p 80:80 -v "/etc/letsencrypt/live:/etc/letsencrypt/live:z" -v "/etc/letsencrypt/archive:/etc/letsencrypt/archive:z" -v "/var/lib/letsencrypt:/var/lib/letsencrypt:z" certbot/certbot certonly
    
    sudo chcon -R -t cert_t /etc/letsencrypt/archive/host.yourdomain.tld/
    sudo chcon -R -t cert_t /etc/letsencrypt/live/host.yourdomain.tld/
    

    Note that, with SELinux, you need to change the context of the certs after you get them (shown above). Replace host.yourdomain.tld with your own.

    You're temporarily turning off Apache and running a special Certbot server to get the certificate, but you will still need the virtual host, after you get the cert, as that's just how Apache works.

    ...
    

    Additional info for once you have your cert

    OK. Certbot says it successfully installed the certificate. Now what? Well, it isn't going to work just yet. You still need to enable SSL in Apache, and also add another virtual host for port 443.

    Open the same file that you pasted into earlier and add the following:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName yourDomainName.com
        DocumentRoot /var/www/html
        ServerAlias www.yourDomainName.com
        ErrorLog /var/www/error.log
        CustomLog /var/www/requests.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        LogLevel alert rewrite:trace3
        SSLCertificateFile /etc/letsencrypt/live/yourDomainName.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yourDomainName.com/privkey.pem
    </VirtualHost>
    </IfModule>
    

    For CentOS, you may need to install the SSL module:

    sudo yum install mod_ssl
    

    For Ubuntu, you will likely need to enable the SSL module:

    sudo a2enmod ssl
    

    For both, restart Apache:

    sudo service apache2 restart / sudo service httpd restart
    

    For CentOS, you might need to enable port 443 on your firewall. I'm not going to cover that here, but the "iptables" service (and associated commands) is what you'll be looking at.

    Finally, for both: you're going to want to redirect all requests on port 80 (http) to port 443 (https). Apache should already have the rewrite module installed by default, but you'll need to enable it:

    sudo a2enmod rewrite
    

    Inside the *:80 virtual host that you added earlier, you'll add some lines that look something like this:

    # <VirtualHost *:80> is the line you've already added; don't copy it again,
    # just put the block below inside that virtual host
    <VirtualHost *:80>
        <IfModule mod_rewrite.c>
            # Force https secure connection
            RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
        </IfModule>
    

    sudo service apache2 restart / sudo service httpd restart
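As an added check (example code written for this page, not part of the answer above): a small Python linter that parses a vhost file of the shape this answer builds up and reports what is still missing for a domain, namely the *:80 host that Certbot's error complains about, the *:443 host with the Let's Encrypt cert paths, and the http-to-https redirect. The sample config and the domain example.test are constructed; the parser only understands plain `Directive value` lines inside `<VirtualHost>` blocks.

```python
import re

# Constructed sample of the finished vhost file from the answer (example.test is made up).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.test
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.test
    SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
</IfModule>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.+?)\s*$", re.M)  # skips <IfModule> and # lines

def parse_vhosts(text):
    # Returns [(port, {directive: [values]}), ...], one entry per <VirtualHost> block.
    hosts = []
    for addr, body in VHOST_RE.findall(text):
        port = addr.strip().rsplit(":", 1)[-1]  # "*:80" -> "80"
        directives = {}
        for name, value in DIRECTIVE_RE.findall(body):
            directives.setdefault(name, []).append(value)
        hosts.append((port, directives))
    return hosts

def check_vhosts(text, domain):
    # Lists what is missing for `domain`; an empty list means the layout is complete.
    by_port = {port: d for port, d in parse_vhosts(text)
               if domain in d.get("ServerName", []) + " ".join(d.get("ServerAlias", [])).split()}
    findings = []
    http, https = by_port.get("80"), by_port.get("443")
    if http is None:  # the condition behind the Certbot error quoted in the question
        findings.append("no *:80 virtual host for " + domain)
    elif not any("https://" in r for r in http.get("RewriteRule", [])):
        findings.append("*:80 virtual host does not redirect to https")
    if https is None:
        findings.append("no *:443 virtual host for " + domain)
    else:
        live = "/etc/letsencrypt/live/%s/" % domain
        for key, leaf in (("SSLCertificateFile", "fullchain.pem"), ("SSLCertificateKeyFile", "privkey.pem")):
            if https.get(key, [""])[0] != live + leaf:
                findings.append("*:443 %s should be %s%s" % (key, live, leaf))
    return findings
```

Run it against the real file with `check_vhosts(open("/etc/apache2/sites-available/yourDomainName.com.conf").read(), "yourDomainName.com")` (or the `/etc/httpd/conf.d` path on CentOS).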