
I'm setting up my Ubuntu 16.04 VM on Google's Compute Engine. I have Apache installed & it's already hosting my domain on HTTP, and I'd like to enable HTTPS.

Steps taken so far:

  • change the IP from ephemeral to static: Google Cloud Platform > Networking > VPC network > External IP addresses
  • add an "A" record to static IP: domains.google.com > My Domains > Edit DNS
  • the following are the commands run (I've used my real domain, not "example.com")...

commands

sudo mkdir -p /var/www/example.com/html
sudo chmod -R 755 /var/www

cd /etc
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
cd /etc/apache2/sites-available
sudo cp 000-default.conf example.com.conf

The new conf file has this within:

<VirtualHost *:80 *:443>
    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

I've enabled the new Virtual Host file & reloaded

sudo a2ensite example.com.conf
sudo service apache2 reload

And at this point, I should be ready to run Let's Encrypt

sudo certbot --apache -d example.com

The error I get is:

IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://example.com/.well-known/acme-challenge/MFEvXhKDwEPPKmNM1EyGky1YG9mAvH0e7i0Z_gqsbUc:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I'm able to manually create the directory /var/www/example.com/html/.well-known/acme-challenge, and I can write files to it as well.

Any help is greatly appreciated! I've been on this problem for 2 nights.

Solution Update: after following @RalfFriedl's answer to generate the SSL certificate, here are the steps to install that cert:

  • create conf files for your HTTP traffic and your HTTPS traffic

cd /etc/apache2/sites-available
sudo nano example.com.conf

This conf file will have the following contents:

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/html
    # always redirect HTTP traffic to HTTPS
    Redirect permanent / https://example.com/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

sudo nano example.com-https.conf

This conf file will have the following contents:

<VirtualHost *:443>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/example.com/html
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

  • Ensure you have SSL modules installed, then enable the new conf, and reload the Apache server

sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2ensite example.com-https.conf
sudo service apache2 reload


Let's Encrypt verifies that the domain is owned by you. To do that it will retrieve a file from a URL on your domain, in this case http://example.com/.well-known/acme-challenge/MFEvXhKDwEPPKmNM1EyGky1YG9mAvH0e7i0Z_gqsbUc. It seems certbot can't figure this out from your apache configuration.

Try this instead

sudo certbot --webroot --webroot-path /var/www/example.com/html -d example.com
RalfFriedl
  • Thank you, @RalfFriedl! The exact command I used was `sudo certbot certonly --webroot --webroot-path /var/www/example.com/html -d example.com -d www.example.com --redirect` (needed to add the 'certonly' command) – Ryan Loggerythm Aug 01 '18 at 06:57
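Before re-running certbot with `--webroot`, it helps to confirm that the web server can actually serve a file from the challenge directory, since the 404 in the question means the validator never reached the token. The following pre-flight script is an added example, not code from the question, the answer or certbot; the function name `acme_webroot_check` is chosen here, and the token it writes is a constructed stand-in for the CA-chosen token.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path used by "certbot --webroot".
# Usage: acme_webroot_check /var/www/example.com/html [example.com]
# With only a webroot it creates .well-known/acme-challenge, drops a test token
# and verifies the path is traversable and the token readable. With a domain it
# also fetches the token over plain HTTP, the way the Let's Encrypt validator
# does, and compares the body. The traversal test uses the current user; run it
# as the server user (e.g. sudo -u www-data) for an exact answer.
acme_webroot_check() {
    webroot="$1"
    domain="${2:-}"
    dir="$webroot/.well-known/acme-challenge"
    # constructed test token; a real ACME token is chosen by the CA, not by us
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    # every directory on the path must be searchable by the web server user
    d="$dir"
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        [ -x "$d" ] || { echo "not traversable: $d" >&2; rm -f "$dir/$token"; return 1; }
        d=$(dirname "$d")
    done
    [ -r "$dir/$token" ] || { echo "token unreadable: $dir/$token" >&2; return 1; }
    if [ -n "$domain" ]; then
        url="http://$domain/.well-known/acme-challenge/$token"
        # validator fetches over port 80 and follows redirects; fail on any non-2xx
        got=$(curl -fsS -L --max-time 10 "$url") || {
            echo "fetch failed: $url" >&2; rm -f "$dir/$token"; return 1; }
        [ "$got" = "$token" ] || {
            echo "body mismatch at $url" >&2; rm -f "$dir/$token"; return 1; }
    fi
    rm -f "$dir/$token"
    echo "ok: $dir is writable, readable and served" 
}
```

If the local checks pass but the fetch fails, the problem is in DNS or in which VirtualHost answers for the name on port 80, not in the webroot itself.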