My web server is set up like this:
Certbot is giving me an error like this when I try to run it:
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
I've looked at other answers people posted on their blogs etc... but they were not specifically for the EC2 Linux AMI or were made more complicated than they need be.
Most of them seem to have something to do with /sites-available or enabled... but the main .conf file already has a line in it that points to additional .conf files. No need to add a line there.
This all assumes that you have Apache installed and are trying to use Certbot. First, make sure an A record is set to your IP address in DNS. Also, as a basic introduction here, in CentOS, Apache is called "httpd", while in Ubuntu, Apache is called "apache2".
Short Answer for CentOS
cd /etc/httpd/conf.d
sudo nano yourDomainName.conf
Paste, edit, and save the following:
<VirtualHost *:80>
ServerName yourDomainName.com
DocumentRoot /var/www/html
ServerAlias www.yourDomainName.com
ErrorLog /var/www/error.log
CustomLog /var/www/requests.log combined
</VirtualHost>
Then:
sudo service httpd restart
And with this you should see the virtual host:
httpd -D DUMP_VHOSTS
Short Answer for Ubuntu
sudo su (so that you can cd to apache directory)
cd /etc/apache2/sites-available
vim yourDomainName.com.conf (this file needs to end with ".conf")
Paste, edit, and save the following:
<VirtualHost *:80>
ServerName yourDomainName.com
DocumentRoot /var/www/html
ServerAlias www.yourDomainName.com
ErrorLog /var/www/error.log
CustomLog /var/www/requests.log combined
</VirtualHost>
Then:
a2ensite yourDomainName
service apache2 restart
ctrl-d to exit root
To install certbot (Updated, since certbot-auto is no longer available):
It used to be that you would download certbot-auto and just run that script to get your SSL certs. Let's Encrypt no longer supports this. There are now two different supported methods. One method is installing certbot with Snap, which requires that you install Snap first. I'm not going to go over that method here, there are plenty of instructions for it on their site. The other method is with the Certbot Docker image. This is much lighter in weight, since Snap is a big install.
sudo service apache2 stop / sudo service httpd stop
sudo docker run -it --rm --name certbot -p 80:80 -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly
sudo service apache2 start / sudo service httpd start
You're temporarily turning off Apache and running a special Certbot server to get the certificate, but you will still need the virtual host, after you get the cert, as that's just how Apache works.
...
Additional info for once you have your cert: OK, Certbot says it successfully installed the certificate. Now what? Well, it isn't just going to work yet. You still need to enable SSL in Apache, and also add another virtual host for port 443.
Open the same file that you pasted into earlier and add the following:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName yourDomainName.com
DocumentRoot /var/www/html
ServerAlias www.yourDomainName.com
ErrorLog /var/www/error.log
CustomLog /var/www/requests.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
LogLevel alert rewrite:trace3
SSLCertificateFile /etc/letsencrypt/live/yourDomainName.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourDomainName.com/privkey.pem
</VirtualHost>
</IfModule>
For CentOS, you may need to install the ssl module:
sudo yum install mod_ssl
For Ubuntu, you will likely need to enable the ssl module:
sudo a2enmod ssl
For both, restart Apache:
sudo service apache2 restart / sudo service httpd restart
For CentOS, you might need to enable port 443 on your firewall. I'm not going to cover that here, but the "iptables" service (and associated commands) is what you'll be looking at.
Finally, for both: you're going to want to redirect all requests on port 80 (http) to port 443 (https). Apache should already have the rewrite module installed by default, but you'll need to enable it:
sudo a2enmod rewrite
Inside the *:80 virtual host that you added earlier, you'll add some lines that look something like this:
<VirtualHost *:80> (you've already added this line, don't copy this part)
<IfModule mod_rewrite.c>
# Force https secure connection
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
sudo service apache2 restart / sudo service httpd restart
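The whole vhost from the answer above (port 80 with the redirect, plus port 443) rendered in one go and sanity-checked before the restart, as an added example that is not part of the answer. It assumes Certbot's /etc/letsencrypt/live/<domain>/ layout and the answer's log and DocumentRoot paths; where the file goes (/etc/httpd/conf.d on CentOS, /etc/apache2/sites-available plus a2ensite on Ubuntu) is still your choice. The redirect points at the configured ServerName rather than the client-supplied Host header, and the debug LogLevel line is left out.

```shell
#!/bin/sh
# Added example (not the answer's own code): render both vhosts as one
# file and lint it before restarting Apache. Assumes Certbot's
# /etc/letsencrypt/live/<domain>/ layout and the answer's paths.

# Print the port-80 (redirect-only) and port-443 vhosts for domain $1.
render_vhost() {
  domain=$1; docroot=${2:-/var/www/html}
  cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${docroot}
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    <IfModule mod_rewrite.c>
        # Force HTTPS; redirect to ServerName, not the client-supplied Host
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)\$ https://${domain}%{REQUEST_URI} [L,R=301]
    </IfModule>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${docroot}
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    # Written by Certbot's Apache plugin; may be absent after the Docker flow
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Reads a config on stdin; fails on unbalanced <VirtualHost> blocks or a
# missing port, the mistakes behind Certbot's "no virtual host on port 80"
# error and a 443 host that never loads.
lint_vhost() {
  cfg=$(cat)
  opens=$(printf '%s\n' "$cfg" | grep -c '<VirtualHost ')
  closes=$(printf '%s\n' "$cfg" | grep -c '</VirtualHost>')
  [ "$opens" -eq "$closes" ] || return 1
  printf '%s\n' "$cfg" | grep -q '<VirtualHost \*:80>' || return 1
  printf '%s\n' "$cfg" | grep -q '<VirtualHost \*:443>' || return 1
  printf '%s\n' "$cfg" | grep -q 'SSLCertificateKeyFile ' || return 1
}
```

Typical use as root: `render_vhost yourDomainName.com | lint_vhost && render_vhost yourDomainName.com > /etc/httpd/conf.d/yourDomainName.com.conf && apachectl configtest`, then restart Apache and confirm with `httpd -D DUMP_VHOSTS` as the answer shows.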