Lets Encrypt: Unable to install the certificate

You’ve heard it’s important to install Let’s Encrypt (LE). You spin up your Ubuntu 18.04 machine and try to use https://certbot.eff.org/ with the Apache plugin.

You run the command:

certbot --apache -d domain.com

You are greeted with:

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2019-02-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Some rewrite rules copied from /etc/apache2/sites-enabled/domain.com.conf
   were disabled in the vhost for your HTTPS site located at
   /etc/apache2/sites-available/domain.com-le-ssl.conf because they have
   the potential to create redirection loops.

Yup, that’s pretty annoying: Unable to install the certificate. The good news is that the certificate and key themselves were issued and saved; what is missing is the Apache conf that would actually serve them.

I’m not 100% sure why this happens, but it could boil down to a permissions issue or to formatting in the virtual host file that certbot’s Apache plugin cannot parse.

What I have found helpful is to start from a vanilla virtual host file, something like the following (the port-80 vhost that certbot reads and copies from):

# Plain HTTP vhost. The <VirtualHost> and <Directory> container tags were lost
# when this page was extracted and are restored here; the <Directory> path is
# assumed to match DocumentRoot. Requires mod_rewrite (a2enmod rewrite).
<VirtualHost *:80>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/domain.com

    ErrorLog ${APACHE_LOG_DIR}/domain.com.error.log
    CustomLog ${APACHE_LOG_DIR}/domain.com.access.log combined

    # Redirect plain-HTTP requests for domain.com to HTTPS. This belongs only in
    # the port-80 vhost; copied into the 443 vhost it would loop on itself.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    <Directory /var/www/domain.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

I then manually create the LE conf file that certbot failed to install, inside /etc/apache2/sites-available/, and name it the way certbot would: domain.com-le-ssl.conf. Inside the file I use the following:

# HTTPS vhost. The <VirtualHost *:443> container tags were lost when this page
# was extracted and are restored here (the text below confirms port 443).
# Requires mod_ssl (a2enmod ssl).
<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    DocumentRoot /var/www/domain.com
    ErrorLog ${APACHE_LOG_DIR}/domain.com.error.log
    CustomLog ${APACHE_LOG_DIR}/domain.com.access.log combined

    # certbot's TLS settings (protocols, ciphers) for Apache
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Certificate plus intermediate chain, and the matching private key
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>

You’ll notice a few key changes. The vhost listens on port 443, and it includes certbot’s TLS options file for Apache (Include /etc/letsencrypt/options-ssl-apache.conf), which sets the protocol and cipher configuration.

You also point Apache at the two PEM files the HTTPS site needs: fullchain.pem (the certificate and its chain) via SSLCertificateFile, and privkey.pem (the private key) via SSLCertificateKeyFile.


Once this is done, you have to create the symlink in /etc/apache2/sites-enabled. You normally do this with a2ensite, but you can also do it manually:

ln -sf /etc/apache2/sites-available/domain.com-le-ssl.conf /etc/apache2/sites-enabled/domain.com-le-ssl.conf

Once you have this symlink set up, reload and restart Apache (the restart is probably overkill, but it makes me feel better).

systemctl reload apache2 
systemctl restart apache2

This should do the trick. If you’ve been testing in Chrome, be mindful of its cache (it remembers the permanent redirect); it’s probably best to try another browser that hasn’t cached any results.
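Before reloading Apache, a quick lint of the domain.com-le-ssl.conf created above catches the two ways this setup fails: a missing certificate or key directive, and the http-to-https RewriteRule being copied into the 443 vhost (the redirection loop certbot’s notes warn about). This is an added example, not code from the post or from certbot; the sample conf it checks is constructed.

```python
import re

SSL_FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhosts(conf_text):
    """Split an Apache conf into (port, [directive lines]) per <VirtualHost *:PORT> block."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+[^:>]*:(\d+)\s*>", line, re.I)
        if opened:
            current = (int(opened.group(1)), [])
            vhosts.append(current)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            current[1].append(line)
    return vhosts

def lint_le_ssl_conf(conf_text):
    """Return the problems found in a certbot-style *-le-ssl.conf (empty list means it looks fine)."""
    ssl_vhosts = [lines for port, lines in parse_vhosts(conf_text) if port == 443]
    if not ssl_vhosts:
        return ["no <VirtualHost *:443> block found"]
    problems = []
    for lines in ssl_vhosts:
        names = {line.split()[0] for line in lines}
        for directive in SSL_FILE_DIRECTIVES:
            if directive not in names:
                problems.append(f"missing {directive}")
        if not any(line.startswith("Include") and "options-ssl-apache.conf" in line for line in lines):
            problems.append("missing Include of options-ssl-apache.conf")
        # An http->https RewriteRule inside the 443 vhost redirects to itself: certbot's loop warning.
        if any(line.startswith("RewriteRule") and "https://" in line for line in lines):
            problems.append("RewriteRule to https:// inside the 443 vhost (redirection loop)")
    return problems

# Constructed sample: the post's le-ssl vhost with the http->https rewrite wrongly copied in and no key directive.
SAMPLE_BAD_CONF = """<VirtualHost *:443>
    ServerName domain.com
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for problem in lint_le_ssl_conf(SAMPLE_BAD_CONF):
        print("problem:", problem)
```

Run it against the real file with lint_le_ssl_conf(open("/etc/apache2/sites-available/domain.com-le-ssl.conf").read()) and pair it with apachectl configtest, which checks syntax but not whether the redirect loops.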
