bitnami / vms

Bitnami VMs
https://bitnami.com

[bitnami wordpress multisite] bncert-tool errored while adding a domain SSL cert; now Apache will not start #1380

Closed dw2QIS closed 5 months ago

dw2QIS commented 6 months ago

Platform

AWS

bndiagnostic ID

b58c4f95-22d8-f285-abcf-1b42b0eb0335

bndiagnostic output

===== Begin of bndiagnostic tool output =====

? Apache: Found possible issues
✓ Mariadb: No issues found
? Connectivity: Found possible issues
✓ Wordpress: No issues found
✓ Resources: No issues found
✓ Processes: No issues found
✓ Php: No issues found

bndiagnostic was not useful. Could you please tell us why?

I need more information to determine how to fix the issue

Describe your issue as much as you can

I was attempting to add another domain SSL cert to my Bitnami WordPress Multisite hosted on AWS Lightsail using the bncert-tool. During the execution, I was able to revoke the existing cert, then encountered an error while the new cert was being created. I executed the following bncert-tool command: sudo /opt/bitnami/bncert-tool --perform_public_ip_validation 0 --perform_dns_validation 0

gongomgra commented 6 months ago

Hi @dw2QIS,

Can you share with us the error message you got trying to generate the new certificate with both domains?

Apart from that, the only error message I can find in the Apache configuration is that the certificate file is missing on your system, but I can't find the filename mentioned in the Apache config on your system. It looks like the .crt file that exists on your system is drcherylolson.com.key. Can you double-check the filename is correct and update the Apache configuration? After that, restart the Apache service for the changes to take effect.

Syntax error on line 5 of /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf:
SSLCertificateFile: file '/opt/bitnami/apache/conf/quantumintsoft.co.crt' does not exist or is empty

dw2QIS commented 6 months ago

bitnami@ip-172-26-1-58:~$ sudo /opt/bitnami/bncert-tool
Warning: Custom redirections are not supported in the Bitnami package for 
WordPress Multisite. This tool will not be able to enable/disable redirections.
Press [Enter] to continue:
----------------------------------------------------------------------------
Welcome to the Bitnami HTTPS Configuration tool.

----------------------------------------------------------------------------
Domains

Please provide a valid space-separated list of domains for which you wish to 
configure your web server.

Domain list []: topnotch-detailing.com globaldefsecsol.com

The following domains were not included: www.topnotch-detailing.com www.globaldefsecsol.com
. Do you want to add them? [Y/n]: 

Warning: The domain 'topnotch-detailing.com' resolves to a different IP address 
than the one detected for this machine, which is '54.85.113.97'. Please fix its 
DNS entries or remove it. For more info see: 
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/
Press [Enter] to continue:
----------------------------------------------------------------------------
Domains

Please provide a valid space-separated list of domains for which you wish to 
configure your web server.

Domain list [topnotch-detailing.com globaldefsecsol.com www.topnotch-detailing.com www.globaldefsecsol.com]: 

Warning: The domain 'topnotch-detailing.com' resolves to a different IP address 
than the one detected for this machine, which is '54.85.113.97'. Please fix its 
DNS entries or remove it. For more info see: 
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/

bitnami@ip-172-26-1-58:~$ sudo /opt/bitnami/bncert-tool --perform_public_ip_validation 0 --perform_dns_validation 0
Warning: Custom redirections are not supported in the Bitnami package for 
WordPress Multisite. This tool will not be able to enable/disable redirections.
Press [Enter] to continue:
----------------------------------------------------------------------------
Welcome to the Bitnami HTTPS Configuration tool.

----------------------------------------------------------------------------
Domains

Please provide a valid space-separated list of domains for which you wish to 
configure your web server.

Domain list []: topnotch-detailing.com globaldefsecsol.com

The following domains were not included: www.topnotch-detailing.com www.globaldefsecsol.com
. Do you want to add them? [Y/n]: Y

----------------------------------------------------------------------------
Changes to perform

The following changes will be performed to your Bitnami installation:

1. Stop web server
2. Configure web server to use a free Let's Encrypt certificate for the domains: 
topnotch-detailing.com globaldefsecsol.com www.topnotch-detailing.com 
www.globaldefsecsol.com
3. Configure a cron job to automatically renew the certificate each month
4. Configure web server name to: topnotch-detailing.com
5. Start web server once all changes have been performed

Do you agree to these changes? [Y/n]: Y

Create a free HTTPS certificate with Let's Encrypt

Please provide a valid e-mail address for which to associate your Let's Encrypt 
certificate.

Domain list: topnotch-detailing.com globaldefsecsol.com 
www.topnotch-detailing.com www.globaldefsecsol.com

Server name: topnotch-detailing.com

E-mail address []: YOUR_EMAIL@YOUR_DOMAIN

The Let's Encrypt Subscriber Agreement can be found at:

https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: 

----------------------------------------------------------------------------
Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your 
Bitnami installation. This may take some time, please be patient.

/

An error occurred creating certificates with Let's Encrypt:

private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/01/25 17:09:23 No key found for account 
demetrius.washington2@quantumintsoft.com. Generating a P256 key.
2024/01/25 17:09:23 Saved key to 
/opt/bitnami/letsencrypt/accounts/acme-v02.api.letsencrypt.org/YOUR_EMAIL/keys/YOUR_EMAIL.key
2024/01/25 17:09:24 [INFO] acme: Registering account for 
demetrius.washington2@quantumintsoft.com
2024/01/25 17:09:24 [INFO] [topnotch-detailing.com, globaldefsecsol.com, 
www.topnotch-detailing.com, www.globaldefsecsol.com] acme: Obtaining bundled SAN 
certificate
2024/01/25 17:09:24 [INFO] [globaldefsecsol.com] AuthURL: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/308041641416
2024/01/25 17:09:24 [INFO] [topnotch-detailing.com] AuthURL: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/308041641426
2024/01/25 17:09:24 [INFO] [www.globaldefsecsol.com] AuthURL: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/308041641436
2024/01/25 17:09:24 [INFO] [www.topnotch-detailing.com] AuthURL: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/308041641446
Press [Enter] to continue:

dw2QIS commented 6 months ago


Where are the backups of the certs stored? I do not see the cert files (crt, key, json) for quantumintsoft.co in the /opt/bitnami/letsencrypt/certificates directory.

gongomgra commented 6 months ago

Hi @dw2QIS,

Thanks for sharing the information. I think you should resolve the DNS issue rather than skipping the IP validations. Additionally, try to manually install the latest lego tool and try again. If the bncert tool keeps failing, please try the manual approach also present in the guide below.

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-1-install-the-lego-client

dw2QIS commented 6 months ago

Thank you for the response. I think the tool has a bug when it comes to detecting the IP address. bncert-tool would give an error on the IP address for the domain. The domain had the correct IP and the tool displayed the correct IP address. I've installed the latest lego version and am still getting the error. I've also tried the manual installation. It seems the main issue is that the quantumintsoft.co cert files are missing from Apache. I noticed there are backups of the certs for the other domains, but cannot locate a backup for quantumintsoft.co. This is strange to me, considering that this is the main domain for the WordPress Multisite. I've manually revoked the quantumintsoft.co certs and then generated new certs for that domain.

gongomgra commented 6 months ago

Hi @dw2QIS,

The bncert tool uses the system's getent hosts <domain> command under the hood to verify the domain configuration and that it points to the server IP address. Can you manually run that command and verify the results? In case the output is not the expected one, please verify your DNS registries and take into account that changes propagation may take up to 72 hours.

Regarding the files generated in the filesystem, notice the lego execution only generates one file, I guess named after the first domain name provided, but it will cover both domains. Please update the Apache config to point to the new filename and restart the service for changes to take effect.

Hope it helps!

dw2QIS commented 6 months ago

Thank you for looking into this issue.

Lego execution generated 4 files: .crt, .key, .json, and issuer.crt.
These files are stored in /opt/bitnami/letsencrypt/certificates. There are also files created in /etc/letsencrypt/live/DOMAIN "quantumintsoft.com"/; the files are:

cert.pem -> ../../archive/topnotch-detailing.com/cert1.pem
chain.pem -> ../../archive/topnotch-detailing.com/chain1.pem
fullchain.pem -> ../../archive/topnotch-detailing.com/fullchain1.pem
privkey.pem -> ../../archive/topnotch-detailing.com/privkey1.pem

I followed the instructions in https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#step-1-install-the-lego-client, Step 3 of the Alternative Approach, for this process:

For Apache:

sudo mv /opt/bitnami/apache/conf/bitnami/certs/server.crt /opt/bitnami/apache/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache/conf/bitnami/certs/server.key /opt/bitnami/apache/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache/conf/bitnami/certs/server*

I think the 2 ln -sf commands do not create the symbolic link to the correct file and location. After taking a look at another installation of WordPress Multisite, it appears that the server.crt and server.key files in /opt/bitnami/apache2/conf/bitnami/certs/quantumintsoft.co.crt

server.crt -> /opt/bitnami/letsencrypt/certificates/quantumintsoft.co.crt
server.key -> /opt/bitnami/letsencrypt/certificates/quantumintsoft.co.key

server.crt.old -> /etc/letsencrypt/live/quantumintsoft.co/fullchain.pem
server.key.old -> /etc/letsencrypt/live/quantumintsoft.co/privkey.pem

I think the symbolic link pointing to the incorrect directory and file is causing my issue with Apache not starting. It's not logged in the Apache error log, but it is displayed in systemctl status bitnami.service.

@.***:~$ sudo systemctl status bitnami.service
● bitnami.service - LSB: bitnami init script
   Loaded: loaded (/etc/init.d/bitnami; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2024-01-31 20:39:31 UTC; 44s ago
  Process: 1072 ExecStart=/etc/init.d/bitnami start (code=exited, status=1/FAILURE)
    Tasks: 29 (limit: 2373)
   Memory: 310.7M
   CGroup: /system.slice/bitnami.service
           ├─809 php-fpm: master process (/opt/bitnami/php/etc/php-fpm.conf)
           ├─813 php-fpm: pool www
           ├─814 php-fpm: pool www
           ├─815 php-fpm: pool www
           ├─816 php-fpm: pool www
           ├─817 php-fpm: pool www
           ├─818 php-fpm: pool www
           ├─819 php-fpm: pool www
           ├─820 php-fpm: pool www
           ├─821 php-fpm: pool www
           ├─822 php-fpm: pool www
           ├─823 php-fpm: pool www
           ├─824 php-fpm: pool www
           ├─825 php-fpm: pool www
           ├─826 php-fpm: pool www
           ├─827 php-fpm: pool www
           ├─828 php-fpm: pool www
           ├─829 php-fpm: pool www
           ├─830 php-fpm: pool www
           ├─831 php-fpm: pool www
           ├─832 php-fpm: pool www
           └─844 /opt/bitnami/mariadb/sbin/mysqld --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --basedir=/opt/bitnami/mariadb --datadir=/bitnami/ma

Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: SSLCertificateFile: file '/opt/bitnami/apache2/conf/bitnami/certs/quantumintsoft.co.crt' does not exist o
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: 2024-01-31T20:39:31.546Z - error: Unable to perform start operation Export start for apache failed with e
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: ## 2024-01-31 20:39:31+00:00 ## INFO ## Running /opt/bitnami/var/init/post-start/010_bitnami_agent_extra.
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: ## 2024-01-31 20:39:31+00:00 ## INFO ## Running /opt/bitnami/var/init/post-start/020_bitnami_agent...
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: ## 2024-01-31 20:39:31+00:00 ## INFO ## Running /opt/bitnami/var/init/post-start/030_update_welcome_file.
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: ## 2024-01-31 20:39:31+00:00 ## INFO ## Running /opt/bitnami/var/init/post-start/040_bitnamicredentials
Jan 31 20:39:31 ip-172-26-6-17 bitnami[1072]: ## 2024-01-31 20:39:31+00:00 ## INFO ## Running /opt/bitnami/var/init/post-start/050_clean_metadata...
Jan 31 20:39:31 ip-172-26-6-17 systemd[1]: bitnami.service: Control process exited, code=exited, status=1/FAILURE
Jan 31 20:39:31 ip-172-26-6-17 systemd[1]: bitnami.service: Failed with result 'exit-code'.
Jan 31 20:39:31 ip-172-26-6-17 systemd[1]: Failed to start LSB: bitnami init script.
lines 4-40/40 (END)

dw2QIS commented 6 months ago

I tried changing the symbolic link for server.crt and server.key

ls -s /opt/bitnami/apache/conf/bitnami/certs/server.crt /etc/letsencrypt/archive/quantumintsoft.co/fullchain3.pem

ln -s /opt/bitnami/apache/conf/bitnami/certs/server.key /etc/letsencrypt/live/quantumintsoft.co/privkey.pem

as sudo su, and the files do not appear in the directory.

gongomgra commented 6 months ago

Hi @dw2QIS,

The instructions in the manual approach are proven to work for other users, including the symlink commands. Can you follow the manual approach completely from scratch? Notice it uses the lego tool directly to generate the certificates instead of bncert. Let's see if you get any error generating the SSL certificates or with the Apache configuration.

Once you have finished updating the Apache configuration, please run the command below and share the output with us:

apachectl -t

In case the configuration is fine, restart the Apache service for changes to take effect.
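The three checks suggested in this thread, the getent hosts lookup bncert uses per domain, the existence of every certificate file the Apache vhost config references, and the apachectl -t style config sanity check, can be scripted. The script below is an added example and is not Bitnami's tooling nor code posted by either participant; the function names are my own, the Bitnami paths and the 54.85.113.97 address in the usage comment are the ones that appear in this thread, and it assumes getent, awk, readlink and openssl are installed. Beyond what apachectl -t reports ("does not exist or is empty"), it distinguishes a dangling symlink from a genuinely missing file, which is the situation the symlink attempts above produce, and it verifies that a certificate and key actually belong together, which apachectl -t does not do.

```shell
#!/bin/sh
# Added example (not part of Bitnami): pre-flight checks for the failure modes
# discussed in this thread, to run as root before (re)starting Apache.
#   1. does each domain resolve to this machine's IP (what bncert checks via getent)?
#   2. does every SSLCertificate*File path in the vhost config exist, is it
#      non-empty, and is it not a dangling symlink?
#   3. does the certificate actually belong to the private key next to it?

# resolved_ips DOMAIN -> prints the addresses the system resolver returns for DOMAIN
resolved_ips() {
    getent hosts "$1" | awk '{ print $1 }'
}

# domain_points_to EXPECTED_IP DOMAIN -> 0 if EXPECTED_IP is among the resolved addresses
domain_points_to() {
    for ip in $(resolved_ips "$2"); do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# check_ssl_paths CONFIG -> prints one line per SSLCertificate{,Key,Chain}File
# directive (commented-out directives are skipped) and returns 1 if any referenced
# file is missing, empty or a dangling symlink.  Paths containing whitespace are
# not handled.
check_ssl_paths() {
    status=0
    paths=$(awk '/^[ \t]*SSLCertificate(Key|Chain)?File[ \t]/ { gsub(/"/, "", $2); print $2 }' "$1")
    for p in $paths; do
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            # -e follows the link, so a link whose target is gone lands here
            echo "DANGLING $p -> $(readlink "$p")"; status=1
        elif [ ! -e "$p" ]; then
            echo "MISSING  $p"; status=1
        elif [ ! -s "$p" ]; then
            echo "EMPTY    $p"; status=1
        else
            echo "OK       $p"
        fi
    done
    return $status
}

# cert_matches_key CERT KEY -> 0 if the public key embedded in CERT equals the
# public key derived from KEY (works for RSA and EC keys alike; returns 2 if
# either file cannot be parsed).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage on a Bitnami host, with the values from this thread:
#   domain_points_to 54.85.113.97 topnotch-detailing.com && echo "DNS ok"
#   check_ssl_paths /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf
#   cert_matches_key /opt/bitnami/apache/conf/bitnami/certs/server.crt \
#                    /opt/bitnami/apache/conf/bitnami/certs/server.key && echo "pair ok"
```

Run check_ssl_paths against the vhost file named in the error first; a DANGLING line pinpoints a symlink created with the wrong target, which is invisible in ls -l listings at a glance and which apachectl -t only reports as a missing file. Then confirm the pair with cert_matches_key before restarting the service.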

github-actions[bot] commented 5 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 5 months ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.