Installing Let's Encrypt certificate

Installation Info

  • WordPress 4.7.5
  • AWS

Issue

So, I followed the instructions as documented. However, I get to the point where I’m trying to link the certificate files using:

sudo ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt

NB. DOMAIN removed to hide actual domain.

I get the following output:

ln: failed to create symbolic link ‘/opt/bitnami/apache2/conf/server.crt’: File exists

Attempted solution: I tried “removing” the files server.crt & server.key (I added .bak extension), but that didn’t help either. It caused an error when restarting Apache.

Unmonitored apache
AH00526: Syntax error on line 47 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateKeyFile: file '/opt/bitnami/apache2/conf/server.key' does not exist or is empty
apache config test fails, aborting
AH00526: Syntax error on line 47 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateKeyFile: file '/opt/bitnami/apache2/conf/server.key' does not exist or is empty
apache config test fails, aborting
Monitored apache

What am I missing?

I didn’t look at my directories properly. I was following the WordPress instructions, which don’t detail how to actually install the certificate. After which I moved to the Apache instructions.

For those who come across the same issue, at the point you link your SSL certificate and certificate key:

$ sudo ln -s /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo ln -s /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/privkey.pem /opt/bitnami/apache2/conf/server.key

Maybe update the info in the WordPress installation documentation?

EDIT: This still didn’t solve my problem.

Hey!

Link the certificate directly from the LE directory.
What you’re trying to do is create an alias of the file.
AFAIK those files (server.crt and server.key) already exist.
You can either try a sudo cp, but I’d suggest linking directly, so that you can retain the renew functionality of certbot.

Hi @bulgaru,

I’m still getting the same response. I don’t want to use sudo cp for the reasons you mentioned, I don’t want to be manually updating every 3 months. I already have the certificate renew on autoupdate.

EDIT: I also attempted doing this as a root user, still no success.

AFAIK the path is something like
/etc/letsencrypt/live/[domain_name]/fullchain.pem

Yours looks like it is inside the WP folder.

It is. I’m using a WP plugin to generate my certificates and they live in the WP folder. The plugin auto-renews the certificate when it expires.

Hi,

Could you provide us with the following log files?

/opt/bitnami/apache2/logs/error_log
/opt/bitnami/apache2/logs/access_log

Best regards,
Silvio Fernández

Hi @silvio,

Access log
Error log

There’s nothing in the access_log, but the error_log shows the following relating to when I try and activate the certificates.

[Fri Apr 28 04:17:56.871187 2017] [ssl:warn] [pid 2655:tid 139845498488640] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Apr 28 04:17:56.917031 2017] [ssl:warn] [pid 2656:tid 139845498488640] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Apr 28 04:17:56.936823 2017] [mpm_event:notice] [pid 2656:tid 139845498488640] AH00489: Apache/2.4.25 (Unix) OpenSSL/1.0.2k configured -- resuming normal operations
[Fri Apr 28 04:17:56.936857 2017] [core:notice] [pid 2656:tid 139845498488640] AH00094: Command line: '/opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/apache2/conf/httpd.conf'
[Fri Apr 28 04:19:08.175397 2017] [mpm_event:notice] [pid 2656:tid 139845498488640] AH00491: caught SIGTERM, shutting down

Any help would be appreciated.

Hi @peterluu,

The ln command is showing that the server.crt file already exists; you only need to remove it and run the command again. In this case, you can also back up those files in case you want to use them in the future.

This is the error message Apache is throwing. It seems you didn’t copy the file properly; you can run the following commands to check if those files exist.

ls -la /opt/bitnami/apache2/conf/server.key
ls -la /opt/bitnami/apache2/conf/server.crt

You should get an output like the following one:

lrwxrwxrwx 1 bitnami bitnami 6 May 29 11:07 firstFile -> secondFile

Where firstFile is the file that is in the conf folder of Apache and secondFile is the one that is at /etc/letsencrypt/live/DOMAIN/.

In case you don’t have those files, you could run the following commands to copy them properly.

sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.backup
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.backup
sudo ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -s /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

I hope this information helps.
Jota

Hi @jota,

Thanks for that. I followed those instructions already but they weren’t helping, but the ls -la command has shown something which might point to the cause of the issue.

Please keep in mind, I’m following the instructions from the WordPress installation, which utilises a plugin to generate the certificates.

lrwxrwxrwx  1 root    root     74 May 29 23:46 server.crt -> /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/fullchain.pem
…
lrwxrwxrwx  1 root    root     72 May 29 23:47 server.key -> /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/privkey.pem

What should the user permissions be? Should it be root:root?

In addition, when I look at the permissions on the actual [DOMAIN] directory, it returns:

drwx------ 2 daemon  daemon 4096 May 28 08:01 [DOMAIN]

EDIT: I also logged in as root user and checked the certificate file permissions.

-rw-rw-r-- 1 daemon  daemon 2143 May 28 08:01 cert.pem
-rw-rw-r-- 1 daemon  daemon 1647 May 28 08:01 chain.pem
-rw-rw-r-- 1 daemon  daemon 3791 May 28 08:01 fullchain.pem
-rw-rw-r-- 1 daemon  daemon 1756 May 28 08:01 last.csr
-rw-rw-r-- 1 daemon  daemon 3272 May 28 08:01 private.pem
-rw-rw-r-- 1 daemon  daemon  800 May 28 08:01 public.pem

Would these permissions cause the error in trying to link and access the certificate from the server?

Thanks.

Hi @jota, I found your post here.

Managed to find a solution. I think the Let’s Encrypt installation (for WordPress) needs to be updated. Here’s what I did.

The WP plugin (WP Encrypt) generates the certificates under the permissions daemon:daemon. So even though the folder permissions are set recursively, they are not generated as bitnami:daemon.

So, first thing I did was to change user permissions to bitnami:daemon recursively. [To add to installation instructions, needs to be set again after generating certificates.] I also changed the file permissions for good measure:

$ sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/letsencrypt
$ sudo find /opt/bitnami/apps/wordpress/letsencrypt -type d -exec chmod 0775 {} \;
$ sudo find /opt/bitnami/apps/wordpress/letsencrypt -type f -exec chmod 0664 {} \;

Secondly, the files generated are a little different from the Apache instructions.

-rw-rw-r-- 1 daemon  daemon 2143 May 28 08:01 cert.pem
-rw-rw-r-- 1 daemon  daemon 1647 May 28 08:01 chain.pem
-rw-rw-r-- 1 daemon  daemon 3791 May 28 08:01 fullchain.pem
-rw-rw-r-- 1 daemon  daemon 1756 May 28 08:01 last.csr
-rw-rw-r-- 1 daemon  daemon 3272 May 28 08:01 private.pem
-rw-rw-r-- 1 daemon  daemon  800 May 28 08:01 public.pem

Instead of privkey.pem the plugin generates the file private.pem instead.

So, the following command is needed instead:

sudo ln -s /etc/letsencrypt/live/DOMAIN/private.pem /opt/bitnami/apache2/conf/server.key

I hope this helps anyone who comes across this issue.

2 Likes

Hi @peterluu,

I’m glad to hear that you solved the issue. Thank you so much for sharing the solution, I’m sure it will help other users :)

Don’t hesitate to write us back if you have any other question or suggestion.

Regards,
Jota

Hey @peterluu, I followed your instructions in this post and I am still facing the same issue. Apache won’t restart and it is giving this error:

SSLCertificateKeyFile: file '/opt/bitnami/apache2/conf/server.key' does not exist or is empty
apache config test fails, aborting

I have followed all the instructions given in your solution.
This is a screenshot of my files.
I don’t know what the problem is, kindly help me out here.
Thanks,
@jota can you help too?

Hi @bilalazhar,

The permissions on the certificates aren’t right, I can see in the screenshot they are showing as root:root.

It needs to be changed and updated to bitnami:daemon

If you log in to your ssh terminal, you can change user permission with the following commands.

$ sudo chown -R bitnami:daemon /opt/bitnami/apache2/conf/
$ sudo find /opt/bitnami/apache2/conf/ -type d -exec chmod 0775 {} \;
$ sudo find /opt/bitnami/apache2/conf/ -type f -exec chmod 0664 {} \;

The commands above assume you are using a WordPress installation using the WP Encrypt plugin. Otherwise, you will need to change the directories in the command.

EDIT: I noticed your directory is slightly different, so I can’t guarantee the previous commands are correct.

Hi @peterluu, I ran these commands; still the issue did not go. I am using the WP Encrypt plugin. Kindly tell me what to do because I am really stuck. Can I repeat all the procedure from the start, or what else should I do? I am attaching screenshots of the letsencrypt folder and the apache2 conf folder after changing permissions.
https://drive.google.com/open?id=0B3gaXIyF8NY5NnFmT3FDX3IySlU

Kindly tell me what to do next.
Thanks

Hi @bilalazhar,

How comfortable are you working in the ssh/shell terminal?

Can you please give me the output for the command ls -lh for the directory /opt/bitnami/apache2/conf/?

Could you do the same for the directory /opt/bitnami/wordpress/letsencrypt/live/[site name].

Thanks.

(It’s almost bedtime for me, so apologies if I don’t respond immediately.)

Hi @peterluu, thanks for your immediate replies.
I can only run commands and understand some of them; I am not very comfortable with the ssh/shell. Here are the outputs of the following commands. Also, after this problem is solved, what is the next step: to go and change my site address from http to https in the wp-config file, or something else? The instructions were not very clear about what to do, so kindly help me out.
This is the output for ls -lh /opt/bitnami/apache2/conf/

total 280K
drwxrwxr-x 2 bitnami daemon 4.0K Aug 24 12:26 bitnami
-rw-rw-r-- 1 bitnami daemon 289 Aug 4 12:16 deflate.conf
drwxrwxr-x 2 bitnami daemon 4.0K Aug 4 12:13 extra
-rw-rw-r-- 1 bitnami daemon 20K Aug 4 12:19 httpd.conf
-rw-rw-r-- 1 bitnami daemon 13K Jul 28 11:30 magic
-rw-rw-r-- 1 bitnami daemon 60K Jul 28 11:30 mime.types
-rw-rw-r-- 1 bitnami daemon 7.3K Aug 2 2012 modsecurity.conf
drwxrwxr-x 3 bitnami daemon 4.0K Aug 4 12:13 original
-rw-rw-r-- 1 bitnami daemon 17K Aug 4 12:16 pagespeed.conf
-rw-rw-r-- 1 bitnami daemon 119K Aug 4 12:13 pagespeed_libraries.conf
-rw-rw-r-- 1 bitnami daemon 199 Aug 4 12:14 php-fpm-apache.conf
-rw-rw-r-- 1 bitnami daemon 1.8K Aug 4 12:16 privkey.pem
lrwxrwxrwx 1 bitnami daemon 73 Sep 24 06:51 server.crt -> /opt/bitnami/apps/wordpress/letsencrypt/live/agirlsshop.com/fullchain.pem
lrwxrwxrwx 1 bitnami daemon 50 Sep 23 10:56 server.crt.backup -> /etc/letsencrypt/live/agirlsshop.com/fullchain.pem
-rw-rw-r-- 1 bitnami daemon 899 Aug 4 12:16 server.csr
lrwxrwxrwx 1 bitnami daemon 48 Sep 24 07:24 server.key -> /etc/letsencrypt/live/agirlsshop.com/private.pem
lrwxrwxrwx 1 bitnami daemon 48 Sep 23 10:57 server.key.backup -> /etc/letsencrypt/live/agirlsshop.com/private.pem
-rw-rw-r-- 1 bitnami daemon 204 Aug 4 12:15 ssi.conf

and output for ls -lh /opt/bitnami/apps/wordpress/letsencrypt/live/[sitename]

total 24K
-rw-rw-r-- 1 bitnami daemon 2.2K Sep 23 11:18 cert.pem
-rw-rw-r-- 1 bitnami daemon 1.7K Sep 23 11:18 chain.pem
-rw-rw-r-- 1 bitnami daemon 3.8K Sep 23 11:18 fullchain.pem
-rw-rw-r-- 1 bitnami daemon 1.8K Sep 23 11:18 last.csr
-rw-rw-r-- 1 bitnami daemon 3.2K Sep 23 10:29 private.pem
-rw-rw-r-- 1 bitnami daemon 800 Sep 23 10:29 public.pem

Let me know what to do next. Thanks

Hi @peterluu, still waiting for your answer as I am stuck on this. Kindly help me out.
Thanks

Hi @peterluu, thanks for your answers. I do realize that you do not work for Bitnami. You have been of great help, though it did not solve my problem. While running this command

sudo chown root:root /opt/bitnami/apache2/conf/server.key
I got the output
chown: cannot dereference ‘/opt/bitnami/apache2/conf/server.key’: No such file or directory
so apparently I cannot change the owner as it says no file or directory, but the file exists, I have double checked.
I don’t know what to do from this point. Thanks for your great help anyway.

Hi @jota, would you be kind enough to see my problem and help me solve it, as @peterluu helped me but we were unable to solve the problem. All the information is in this thread.
Thanks
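
An added example (not part of any post in this thread, and not Bitnami's or the plugin's code): a POSIX shell check for the state the thread keeps hitting, where `ls` lists `server.key` but Apache reports it missing and `chown` "cannot dereference" it, which is how a symlink whose target does not resolve behaves. The function name and return codes are assumptions made for this example; with `key` as second argument it also flags a key file readable by every local user, as in the `-rw-rw-r--` listings of `private.pem` above.

```shell
#!/bin/sh
# Added example: classify what Apache will find behind a cert/key path.
# Return codes (chosen for this example, not from any tool):
#   0 ok, 1 dangling symlink, 2 missing, 3 empty, 4 key readable by "other"
check_tls_link() {
    path=$1
    kind=${2:-cert}    # pass "key" to also check private-key permissions

    if [ -L "$path" ] && [ ! -e "$path" ]; then
        # The link itself exists (ls shows it), but its target does not
        # exist or sits under a directory this user cannot search.
        echo "dangling: $path -> $(readlink "$path")"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 2
    fi
    if [ ! -s "$path" ]; then
        # Apache's "does not exist or is empty" also covers zero-byte files.
        echo "empty: $path"
        return 3
    fi
    # -L makes find test the link's target; -perm -004 matches "other read".
    if [ "$kind" = key ] && [ -n "$(find -L "$path" -prune -perm -004)" ]; then
        echo "world-readable key: $path"
        return 4
    fi
    echo "ok: $path"
}

# Usage: sh check.sh /opt/bitnami/apache2/conf/server.crt ...
# (paths given on the command line are checked as certificates)
for f in "$@"; do
    check_tls_link "$f" || :
done
```
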