No vhost was selected

[hugo-connery]

Firstly, I ran a successful certonly -d ... type run yesterday, and deployed that to https://sec.it.env.dtu.dk So, well done LetsEncrypt for that.

Today, with the release of 0.5.0 I wanted to re-try the --apache plugin, as it failed yesterday.

I'm running RHEL 7 with IPv6 as a virtual machine over a Windows HyperV installation (just to make stuff interesting ;).

$ uname -a
Linux vwww3.env.dtu.dk 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ httpd -V
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 19 2015 21:43:13
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
$ ./letsencrypt-auto --version
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt --version
letsencrypt 0.5.0

$ ./letsencrypt-auto --apache -d sec.it.env.dtu.dk
ncurses display .... No names were found in your configuration files.\nYou should specify ServerNames...

Config:
<VirtualHost 192.38.76.15:443 [2001:878:200:2000:0003::2]:443>
ServerAdmin webmaster@env.dtu.dk
DocumentRoot /var/www/html/sec.it.env.dtu.dk
ServerName sec.it.env.dtu.dk
ErrorLog logs/sec.it.env.dtu.dk-error_log
CustomLog logs/sec.it.env.dtu.dk-access_log common
DirectoryIndex index.html
#
# SSL Config
#
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
SSLCertificateKeyFile /etc/letsencrypt/live/sec.it.env.dtu.dk/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/sec.it.env.dtu.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/sec.it.env.dtu.dk/chain.pem
# HSTS
Header add Strict-Transport-Security "max-age=15768000"
<Directory /var/www/html/sec.it.env.dtu.dk>
AllowOverride none
Require all granted
Options +Indexes

As you can verify the site works, thus the config is fine. Apache 2.4.6 does not seem to need NameVirtualHost directives, and they are not in the config.

I dont have a problem as the cert isn't expiring soon, and the "certonly" method works fine and I can easily install them. But, it is funny that the client cant see this obvious virtual host. IPv6 ??

Thanks all for the LE efforts.

/Hugo

[pde]

@joohoi want to take this?

[pde]

@hugo-connery the fact that you have a ServerName directive should be enough for this config to work, so I think this is definitely a bug...

[joohoi]

Yeah, I'll take this.

@hugo-connery thanks for extensive information about the environment! However if you could send us the output of:

python -c 'import platform;print([platform.system(),platform.linux_distribution()[0]])'

to make sure we end up using the correct system layout and defaults for your distribution (want to verify that we are actually searching correct paths for the vhosts)

[hugo-connery]

Hi,

No problem. Will do. I appreciate the fast response.

Long live LE.

Hugo Connery

Head of IT, DTU Environment, http://www.env.dtu.dk
Reduce the risk of using IT by understanding it.

---

From: Joona Hoikkala [notifications@github.com]
Sent: Wednesday, 6 April 2016 19:46
To: letsencrypt/letsencrypt
Cc: Hugo Maxwell Connery
Subject: Re: [letsencrypt/letsencrypt] No vhost was selected (#2776)

Yeah, I'll take this. @hugo-conneryhttps://github.com/hugo-connery thanks for extensive information about the environment! However if you could send us the output of:

python -c 'import platform;print([platform.system(),platform.linux_distribution()[0]])'

to make sure we end up using the correct system layout and defaults for your distribution (want to verify that we are actually searching correct paths for the vhosts)

�
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHubhttps://github.com//issues/2776#issuecomment-206484850

[hugo-connery]

Hi,

I'm not sure that this is going to help you much, but

['Linux', 'CentOS Linux']

is the output of the command you wished me to run.

I would think that this is a sub-set of the information
I already supplied.

Whatever.

Hugo Connery

Head of IT, DTU Environment, http://www.env.dtu.dk
Reduce the risk of using IT by understanding it.

---

From: Joona Hoikkala [notifications@github.com]
Sent: Wednesday, 6 April 2016 19:46
To: letsencrypt/letsencrypt
Cc: Hugo Maxwell Connery
Subject: Re: [letsencrypt/letsencrypt] No vhost was selected (#2776)

Yeah, I'll take this. @hugo-conneryhttps://github.com/hugo-connery thanks for extensive information about the environment! However if you could send us the output of:

python -c 'import platform;print([platform.system(),platform.linux_distribution()[0]])'

to make sure we end up using the correct system layout and defaults for your distribution (want to verify that we are actually searching correct paths for the vhosts)

�
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHubhttps://github.com//issues/2776#issuecomment-206484850

[joohoi]

Yeah, it's just the actual calls we're using to get the distribution / os string, so wanted to make sure that it's detected correctly - just like it seems to be.

I confirmed that your VirtualHost configuration parses fine, so it must be something related to configuration layout / distribution defaults.

Does your virtualhost configuration file reside under /etc/httpd/conf.d and does the configuration file that holds the vhost have other vhosts in it?

[bmw]

Perhaps another instance of this?

[bret-miller]

In case it is, here is some information:
Letsencrypt says:

We were unable to find a vhost with a ServerName or Address of www.cbmission.org.
Which virtual host would you like to choose?

/etc/apache2/sites-available/cbmission.org.conf says at the top:

<VirtualHost *:80>
        ServerName cbmission.org
        ServerAlias www.cbmission.org

and later:

</VirtualHost>
<VirtualHost *:443>
        ServerName cbmission.org
        ServerAlias www.cbmission.org

python -c 'import platform;print([platform.system(),platform.linux_distribution()[0]])' says:
['Linux', 'Ubuntu']
Note that this configuration was working perfectly until I updated to client version 0.5.0 today. Now I have to manually edit the apache config files after letsencrypt issues the certificate.

Let me know if there's other information that would be helpful.

[thorstensiefert]

Got the same issue with two vhosts which where perfectly configured before - and destroyed after the renewal process.

Am 07.04.2016 um 21:45 schrieb Bret Miller notifications@github.com:

In case it is, here is some information:
Letsencrypt says:
We were unable to find a vhost with a ServerName or Address of www.cbmission.org.
Which virtual host would you like to choose?

/etc/apache2/sites-available/cbmission.org.conf says at the top:

ServerName cbmission.org
ServerAlias www.cbmission.org

and later:

ServerName cbmission.org
ServerAlias www.cbmission.org

python -c 'import platform;print([platform.system(),platform.linux_distribution()[0]])' says:
['Linux', 'Ubuntu']

Note that this configuration was working perfectly until I updated to client version 0.5.0 today. Now I have to manually edit the apache config files after letsencrypt issues the certificate.

Let me know if there's other information that would be helpful.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub

[joohoi]

@bret-miller & @thorstensiefert & @hugo-connery : could you post the contents of LE log file to a pastebin in case it has some more information on this. The file in question is /var/log/letsencrypt/letsencrypt.log

[bret-miller]

I did several domains on Friday. Here's the log from then:
http://pastebin.com/tZtV9eks

[joohoi]

@bret-miller The log file doesn't seem to have a reference to the failed run you reported earlier, or did the run(s) on the log also result into similarily broken config files? If not, could you check /var/log/letsencrypt/letsencrypt.log.1 letsencrypt.log.2 and so on, for the one that has the information on the run with domain www.cbmission.org

[bret-miller]

@joohoi Every run on that server since has had the same issue. Unfortunately, I'm in the middle of moving a bunch of websites from DreamHost to Google Cloud where the issue occurred. The .10 file is the oldest and it's from 2016-04-08. It had the same issue--just a different domain. A thought occurred to me this morning that I have a couple of default Apache config files in sites-available that aren't linked from sites-enabled. Maybe the fact that those don't contain a ServerName or ServerAlias directive is confusing the LE client. Was going to try deleting them today and trying another domain to see if that worked around the issue... just haven't had a chance yet.

[bret-miller]

OK. That was worse. Having the 000-default.conf and ssl-default.conf in place, the LE client still acquires the certificate for the requested domain, then prompts for which .conf to update. Then I 'c' for cancel and manually update the $domain.conf manually. At least that works around it. When I remove the default .conf files, the LE client doesn't even try to get the certificate. It just fails.

[joohoi]

@bret-miller I still can't reproduce the problem, any chance you could provide me with an tarball of your
/etc/apache2 directory along with an .ini file you are using?

[hugo-connery]

As requested by Joona Hoikkala, here are some more details.

I re-ran letsencrypt-auto --apache -d sec.it.env.dtu.dk and selected 'update' the existing cert (which I got using --certonly).

Error:

No vhost exists with servername or alias of: sec.it.env.dtu.dk. No vhost was selected. Please specify servernames in the Apache config

The config is unchanged from above (and as you can see does declare the vhost).

letsencrypt.log

2016-04-12 07:10:02,451:DEBUG:letsencrypt.main:Root logging level set at 30
2016-04-12 07:10:02,451:INFO:letsencrypt.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-04-12 07:10:02,451:DEBUG:letsencrypt.main:letsencrypt version: 0.5.0
2016-04-12 07:10:02,451:DEBUG:letsencrypt.main:Arguments: ['--apache', '-d', 'sec.it.env.dtu.dk']
2016-04-12 07:10:02,451:DEBUG:letsencrypt.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-04-12 07:10:02,453:DEBUG:letsencrypt.plugins.selection:Requested authenticator apache and installer apache
2016-04-12 07:10:03,575:DEBUG:letsencrypt.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x1bd6f90>
Prep: True
2016-04-12 07:10:03,575:DEBUG:letsencrypt.plugins.selection:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x1bd6f90> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x1bd6f90>
2016-04-12 07:10:04,183:DEBUG:letsencrypt.main:Picked account: <Account(2bf28aade9e403bc7540b670abb17a66)>
2016-04-12 07:10:04,184:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-04-12 07:10:04,248:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-12 07:10:04,645:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2016-04-12 07:10:04,649:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Tue, 12 Apr 2016 07:09:55 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 12 Apr 2016 07:09:55 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'uZ1qOeS_-ByB8yCdku41VFfi8_Q5FZf3OysUL15fy6E'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-04-12 07:10:04,650:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Tue, 12 Apr 2016 07:09:55 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 12 Apr 2016 07:09:55 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'uZ1qOeS_-ByB8yCdku41VFfi8_Q5FZf3OysUL15fy6E'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-04-12 07:10:04,682:INFO:letsencrypt.renewal:Cert not yet due for renewal
2016-04-12 07:10:10,036:DEBUG:root:Requesting fresh nonce
2016-04-12 07:10:10,037:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-04-12 07:10:10,040:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-12 07:10:10,280:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-04-12 07:10:10,283:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '78', 'Pragma': 'no-cache', 'Expires': 'Tue, 12 Apr 2016 07:10:00 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 12 Apr 2016 07:10:00 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'wiLKCgnEMS9VcF2xzQJL87P5dkN-snd1F9RHPF7oIxM'}. Content: ''
2016-04-12 07:10:10,285:DEBUG:acme.client:Storing nonce: '\xc2"\xca\n\t\xc41/Up]\xb1\xcd\x02K\xf3\xb3\xf9vC~\xb2wu\x17\xd4G<^\xe8#\x13'
2016-04-12 07:10:10,285:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, combinations=None, status=None
2016-04-12 07:10:10,286:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "sec.it.env.dtu.dk"}, "resource": "new-authz"}
2016-04-12 07:10:10,288:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2016-04-12 07:10:10,293:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, x5u=None, typ=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None
2016-04-12 07:10:10,294:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "sS5EWUuYMMINfHPACFSu6N5aJpOngpp0wiCQkOgTa5Hf3bEslF6H0kAiBFhGYFqOC7vYW9ONYIjmZNRcBSPy4gY2cF5XH5Hzy7iFd5Tyiitl1qe-11VKs-haizb_vA_jDWaUy4n60QyO2RWnxxkUuwZRyWDPX9Et7c5PlEaPKqJPLqZgExRonT6JLudyVpNGVFSxnCNzCBkdBm5KxvhHYzXPijmI4QIjW8e-DHwjKPVXMd6fqe_JtIspaf5R4UJ9DFTVeVxW0n2_m7uP1RbzDPP3tnkGUDk5buIu6fTrmkKH-gvdnVTGJ7vbwPAfdwfl9nA5wOdKGGHl4IJqsk1qoQ"}}, "protected": "eyJub25jZSI6ICJ3aUxLQ2duRU1TOVZjRjJ4elFKTDg3UDVka04tc25kMUY5UkhQRjdvSXhNIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJzZWMuaXQuZW52LmR0dS5kayJ9LCAicmVzb3VyY2UiOiAibmV3LWF1dGh6In0", "signature": "Jp93M4cl3kwa4Z_vAtJPMFue4GfLE2PA4GQk25FZyn17009Njdk52q_IJLRPmzDM58F_NiDPPvHbdzPIKAP6b_6Wi4yFcDCwvvfT-3RTShkwhe6kilP6THnsBDMM08eCxEES1HpC5GG2SSiJxXZOLGNr02xYg00QKAx8zrZje3nSBCxko2SGhV830Fm6qyZrt_bGyoOMVPF6sP0b-gYxGpVixMWGYdhsMJ6KP15qTPKZZO1d3kALFmNvLH5Smke3VVtpcU46FcbMrTPeyQT36a61VRePVCgQPsfpWghn62vt2VXqfsicSsGxhMjTWdeU8lHHla0Q0FliNNBZ6DLetg"}'}
2016-04-12 07:10:10,296:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-12 07:10:10,562:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 780
2016-04-12 07:10:10,565:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '780', 'Expires': 'Tue, 12 Apr 2016 07:10:01 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': 'https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 12 Apr 2016 07:10:01 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'fGGpEQr0l0V1yZtwScm8JFLGTeG10smEeoHl2Te5vaA'}. Content: '{"identifier":{"type":"dns","value":"sec.it.env.dtu.dk"},"status":"pending","expires":"2016-04-19T07:10:01.172374272Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903457","token":"3dsjmpzTwQs95dBsAbEMFzE6Y0c-wS_RuWknva-xq4k"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903458","token":"4A0kV-GrPZ0e85gmZKLsyn3mECz7vub1KrWnk93KvJc"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903459","token":"hcNVoS5oE2un6UiQUJsI68xbE4-HAFSl6Mpqf5gvCVE"}],"combinations":[[2],[0],[1]]}'
2016-04-12 07:10:10,567:DEBUG:acme.client:Storing nonce: '|a\xa9\x11\n\xf4\x97Eu\xc9\x9bpI\xc9\xbc$R\xc6M\xe1\xb5\xd2\xc9\x84z\x81\xe5\xd97\xb9\xbd\xa0'
2016-04-12 07:10:10,567:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '780', 'Expires': 'Tue, 12 Apr 2016 07:10:01 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': 'https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 12 Apr 2016 07:10:01 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'fGGpEQr0l0V1yZtwScm8JFLGTeG10smEeoHl2Te5vaA'}): '{"identifier":{"type":"dns","value":"sec.it.env.dtu.dk"},"status":"pending","expires":"2016-04-19T07:10:01.172374272Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903457","token":"3dsjmpzTwQs95dBsAbEMFzE6Y0c-wS_RuWknva-xq4k"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903458","token":"4A0kV-GrPZ0e85gmZKLsyn3mECz7vub1KrWnk93KvJc"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903459","token":"hcNVoS5oE2un6UiQUJsI68xbE4-HAFSl6Mpqf5gvCVE"}],"combinations":[[2],[0],[1]]}'
2016-04-12 07:10:10,568:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'hcNVoS5oE2un6UiQUJsI68xbE4-HAFSl6Mpqf5gvCVE', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Tjv85TyFktAUaDNDehng3JOosWv0MvHIrhztzunumUo/47903459'}
2016-04-12 07:10:10,569:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-04-12 07:10:10,570:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for sec.it.env.dtu.dk
2016-04-12 07:10:10,854:ERROR:letsencrypt_apache.configurator:No vhost exists with servername or alias of: sec.it.env.dtu.dk. No vhost was selected. Please specify servernames in the Apache config
2016-04-12 07:10:10,895:DEBUG:letsencrypt.error_handler:Encountered exception:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 108, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 1555, in perform
sni_response = chall_doer.perform()
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 78, in perform
addrs = self._mod_config()
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 100, in _mod_config
achall_addrs = self._get_addrs(achall)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 119, in _get_addrs
vhost = self.configurator.choose_vhost(achall.domain, temp=True)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 314, in choose_vhost
return self._choose_vhost_from_list(target_name, temp)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 324, in _choose_vhost_from_list
raise errors.PluginError("No vhost selected")
PluginError: No vhost selected
2016-04-12 07:10:10,896:DEBUG:letsencrypt.error_handler:Calling registered functions
2016-04-12 07:10:10,896:INFO:letsencrypt.auth_handler:Cleaning up challenges
2016-04-12 07:10:11,899:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/main.py", line 457, in run
lineage, action = _auth_from_domains(le_client, config, domains)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/main.py", line 90, in _auth_from_domains
renewal.renew_cert(config, domains, le_client, lineage)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/renewal.py", line 236, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 246, in obtain_certificate
self.config.allow_subset_of_names)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 70, in get_authorizations
resp = self._solve_challenges()
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 108, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 1555, in perform
sni_response = chall_doer.perform()
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 78, in perform
addrs = self._mod_config()
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 100, in _mod_config
achall_addrs = self._get_addrs(achall)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/tls_sni_01.py", line 119, in _get_addrs
vhost = self.configurator.choose_vhost(achall.domain, temp=True)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 314, in choose_vhost
return self._choose_vhost_from_list(target_name, temp)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 324, in _choose_vhost_from_list
raise errors.PluginError("No vhost selected")
PluginError: No vhost selected

[joohoi]

@hugo-connery Thanks for the additional data, the followup questions:

Does your virtualhost configuration file reside under /etc/httpd/conf.d and does the configuration file that holds the vhost have other vhosts in it?

[joohoi]

@bret-miller Thanks for the apache configuration tarball. I'll investigate the problem and the error messages further with your configuration.

However it should be noted that LE client expects a single virtualhost configuration inside a configuration file, and your setup seems to have both: <VirtualHost *:80> and <VirtualHost *:443> configurations within a file per domain.

For better compatibility as of now, I'd suggest that you'd split the config files in two: one for the HTTP vhost config and one for the HTTPS one.

As said above, we'll continue to look into this matter and at minimum - work to ensure that the config won't get broken.

[joohoi]

@bret-miller for reference, this issue is reported in #1042

We'll keep this issue open as others in the discussion most likely have different issue at hand.

[shaneonabike]

In my case I am not using 000-default but just defined conf files for each tool I am using. Since the upgrade I also cannot get it to detect the different conf files. It keeps wanting me to use 000-default and other default files but not the actual conf files. When I run the renew command it has a record of the proper conf files but resorts to the 000-default again?

[joohoi]

@shaneonabike The client doesn't actually save the config file paths, only the domains. And while default domains don't have ServerName or ServerAlias defined, they actually match them all. This issue is most likely due to your vhost files not being properly parsed.

I would need to get hold of your apache configuration directory to be able to look further into it.

[bret-miller]

OK. So for new domains I will start making separate files for the ssl and non-ssl vhosts. Did my first one. LE client is still not installing the certificate in the configuration. I emailed the log and vhost files to @joohoi again. Command line is:sudo /home/webmaster/.local/share/letsencrypt/bin/letsencrypt -t --agree-tos --apache --config /home/webmaster/bin/letsencrypt-gcimontreal.ini
ini file has only the domain list in it.That is, one line:domains = gcimontreal.ca, www.gcimontreal.ca

[joohoi]

I answered you via email, but I think it's best to continue the discussion here:

The relevant part from logs, anonymized:

2016-04-12 16:31:12,671:INFO:letsencrypt_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-available/domainname-ssl.conf
2016-04-12 16:31:12,672:DEBUG:letsencrypt_apache.configurator:Apache version is 2.4.18
2016-04-12 16:31:12,687:DEBUG:letsencrypt.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 360, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 277, in deploy_cert
    self.enable_site(vhost)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 1385, in enable_site
    os.symlink(vhost.filep, enabled_path)
OSError: [Errno 17] File exists

2016-04-12 16:31:12,687:DEBUG:letsencrypt.error_handler:Calling registered functions
2016-04-12 16:31:12,693:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
  File "/home/user/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
    return config.func(config, plugins)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 461, in run
    lineage.chain, lineage.fullchain)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 360, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 277, in deploy_cert
    self.enable_site(vhost)
  File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 1385, in enable_site
    os.symlink(vhost.filep, enabled_path)
OSError: [Errno 17] File exists

Unfortunately I’m unable to reproduce the problem. Looking at the logs, it seems like Let’s Encrypt thinks it’s creating a new configuration file, but in reality the file already exists, and is enabled. LE fails when trying to activate an already activated vhost.

Could you describe your setup before, and after. Also were you renewing the domains or getting the initial certificate?

What I suppose your configuration looks before:

Vhost for HTTP : apache/sites-available/domain.conf -> apache/sites-enabled/domain.conf
Vhost for HTTPS: apache/sites-available/domain-ssl.conf -> apache/sites-enabled/domain-ssl.conf

So the both are active before run, right?

I’m trying to pinpoint why
a) Let’s Encrypt thinks your SSL site isn’t activated even though it is or
b) Symlink exists even though the site isn’t activated

[bret-miller]

I'm not sure what the issue was earlier, but I did have to create the domain-ssl link in sites-enabled manually, so that was probably it. I have been splitting the conf files up to get this working correctly, and the last one I did issued and installed its certificate perfectly. So while combining single domain vhosts in a conf file worked in LE client 0.4.2, it does not in LE client 0.5.0. The answer is split them all up.

[shaneonabike]

Are we still able to use the multiple -d options for one certificate rather than declaring one certificate for each conf file?

Meaning... can I do ./letsencrypt-auto --apache -d beesonabike.com -d www.beesonabike.com -d somethingelse.beesonabike.com

Before this worked properly but I suspect in my case at least this might be the reason that it is now failing because it's trying to find the "one" conf file that matches all of these defined URLS

[bret-miller]

@shaneonabike All of my certificates are issued with at least the domain and www.domain. Several have a dozen or more subdomains in them. However, I recently changed from using -d on the command line to creating a .ini file with domains=domain1,domain2,domain3,... and using -c ini-file on the command line. This makes scripting the command easier when you're adding a domain to an existing certificate. I know it works with 0.5.0 because I used it today.

[shaneonabike]

I could try using the ini file... did you find that in the docs?

[bret-miller]

@shaneonabike Yes, it is mentioned in the docs. It also tells you more about the available parameters in the command-line help. I only use it for the domains= list, but you can pretty much put everything in the .ini file if you want.

[shaneonabike]

@joohoi I can't find your contact info so am unable to fire off a tarball your way

[joohoi]

Oh, sorry. Try joona@kuori.org

[joohoi]

@shaneonabike I checked through your apache configuration, and seems like your issue is similar - you have multiple VirtualHost definitions per file. Split your configuration up to have a single VirtualHost per file and you should be ok.

[joohoi]

@hugo-connery @thorstensiefert If you are still having problems, (and it's not caused by having multiple vhosts in single file), could you provide some more information, for example the tarball of your apache config to enable me to look further into this matter?

[shaneonabike]

@joohoi I can confirm that separating them out makes it work perfectly (although this is a change since the last major release). Can this be documented somewhere unless I missed it previously.

For other users to be clearer:

• It's important to separate all vhost definitions into separate files. This means the port 80 and 443 ports into separate conf files
• So if you have one vhosts file such as mysite.conf

<VirtualHost *:80>
  ServerAlias www.mysite.com
  ServerName mysite.com
</VirtualHost>
<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
</VirtualHost>

Then you want to convert this to
mysite.conf

<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
</VirtualHost>

and 80-mysite.conf

<VirtualHost *:80>
  ServerAlias www.mysite.com
  ServerName mysite.com
</VirtualHost>

[hugo-connery]

I'll see if I can split the virtual host definitions into separate
files and if that helps.

/Hugo

[shaneonabike]

Or better yet put that into the help documentation of the command-line tool

[thorstensiefert]

I'll give it a try.
Thx

Am 14.04.2016 um 16:47 schrieb Joona Hoikkala notifications@github.com:

@hugo-connery @thorstensiefert If you are still having problems, (and it's not caused by having multiple vhosts in single file), could you provide some more information, for example the tarball of your apache config to enable me to look further into this matter?

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub

[hugo-connery]

Hi,

Much improvement. The cert was renewed and installed and configured.

It complained about:

Unable to add title

IMPORTANT NOTES:

• We were unable to set up enhancement redirect for your server,
  however, we successfully installed your certificate.
• Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/sec.it.env.dtu.dk/fullchain.pem. Your cert
  will expire on 2016-07-14. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.

And the certificate configuration lines do not use either
chain.pem or fullchain.pem (which is not a problem, but I
note these things).

Cheers, Hugo

[thorstensiefert]

@joohoi I tried (#2776 (comment)) and it works fine for me.
Thx!

[hugo-connery]

Where to put the documentation?

I suggest a page at letsencrypt.org which talks about the recommended structure for vhost definitions under /etc/httpd/conf.d/

That page, which should show a minimal server config with two sites, can be linked to from the getting started page in the section where it discusses Apache.

Secondly, it can be issued as an information message if someone uses letsencrypt-auto --apache.

i.e "Please use our recommended configuration layout for virtual hosts for better results: https://letsencrypt.org/apache-vhost-config.html"

or equivalent.

Thanks to all who have contributed to the thread. I'm happy to have a working model which I can then use for all my other sites and servers :)

/Hugo

[joohoi]

@thorstensiefert awesome!

@hugo-connery I think that the correct place would actually be a notification that the client emits when it stumbles across a vhost file with more than one VirtualHost definition. I'll create a new issue for that, because this issue is too long to quickly get a glimpse of what's going on.

Another thing: that message "Unable to add title" is emitted by reverter, which handles config rollbacks, and it basically gets printed when the reverer is unable to add a checkpoint for a file. Might be worthwhile to investigate further, if on the next run it still gets displayed, but I wouldn't worry for it as of now.

[joohoi]

Reason: User has multiple VirtualHost configurations per file. 0.5.0 enforces stricter rules on vhost configuration, so the client is unable to find correct VirtualHost configurations.

Solution: Split VirtualHost configurations to one vhost per file.

I think this issue is pretty much solved. @hugo-connery I think you can close this for now, and open a new one for the reverter error if you stumble upon it again, it's outside of the scope of this issue.

[hugo-connery]

Yes. Issue is closed.

Source of problem (multiple vhosts in a config file) identified and fixing this fixes the problem.

/Hugo

[Gn13l]

I also had the same issue with the same resolution. My HTTP and HTTPS vhosts were defined in the same config file. Separating them solved the issue.

[timbru31]

I've experienced the same issue and was very sad to see that the support for multiple vhosts per config file was removed - and even worse no correct error message was displayed :(
My config files were working fine for years and personally I prefer multiple vhosts per config.

[zertrin]

Everything was working fine with multiple VHosts per config file provided that they weren't for the same port (i.e. VHost:80 and VHost:443 in the same config file was ok, whereas Vhost:443 + VHost:443 was not supported).

And now this doesn't work anymore? Why?

That's quite a PITA since I have a long list of conf files for each subdomain which combines the VHost 80 and the VHost 443 and now I have to split all of them in two...

I know that multiple HTTPS VHosts per file was never supported, but one HTTPS VHost + the HTTP one did work fine before. And now it's not supported anymore apparently? To me that looks like a regression...

[zertrin]

In case it may be useful to someone else, I've used a small bash script to help me split my numerous config files:

#!/bin/bash
set -e

NAME=$1

#csplit -f $NAME.conf $NAME.conf '/^<VirtualHost \*:443>$/'
csplit -f $NAME.conf $NAME.conf '/^<IfModule mod_ssl\.c>$/'
mv $NAME.conf00 $NAME-80.conf
mv $NAME.conf01 $NAME-443.conf
a2dissite $NAME.conf
a2ensite $NAME-80.conf
a2ensite $NAME-443.conf

It uses the csplit program (in the coreutils package in Debian jessie for example) to find a pattern where the file is to be split.

Depending on your config files, the pattern can be /^<VirtualHost \*:443>$/ or /^<IfModule mod_ssl\.c>$/ or something else. (adapt the csplit line in the script accordingly)

The convention assumed here is that:

• the original filename of the config is mysite.conf
• you call the script above as follow ./split_vhosts.sh mysite
• the resulting files are called mysite-80.conf and mysite-443.conf (assuming the first VHost in the original config file was for port 80 and the second for port 443)
• It calls a2dissite mysite.conf to deactivate the original conf file
• it calls a2ensite for each of the split files.

Now it's still your job to check that the resulting files are correct and to reload apache. The original config files are not deleted, you may want to do it manually once you've made sure everything works.

[pde]

The fix for this shipped today. Please open a new ticket if you're seeing this problem in Certbot 0.6.0!