After upgrade (F36), Let’s Encrypt certificates not recognized

I just completed an upgrade on my Fedora 35 server to Fedora 36 - all seemed to proceed fine until the final boot.

I received an error that the Let’s Encrypt certificates were invalid.

I did a certbot dry run to check on the certificates and received a message back that certbot could not find a virtual host listening on port 80. Checked my httpd config and both port 80 and 443 are listed in the definitions on the virtual hosts. Also tried to connect with just the host ip but that resulted in the message the server was not found on this host. (I can get the stock Fedora page that the web service is running but content hasn’t been installed - but when I check it is there!) That made me wonder if the firewall rules were still intact but both ports 80 and 443 were listed as available. I am able to remotely connect to the server with port 9090.

This leads me to believe that something is blocking communications.

Not sure what else to check. Did I miss something in the upgrade, is Network Manager a suspect?

It doesn’t sound like an issue with NetworkManager but rather that certbot is failing to grok your httpd config. Have you changed or refactored it recently? I have a very much working httpd server that certbot has never correctly parsed the VirtualHost config for, so I’ve had to use the standalone option for renewal.

Hi - the last changes to the httpd.config were back in the spring (March or April) and it was running fine with Fedora 35 up to today. This problem just started after upgrading to Fedora 36 today.


Doing more investigation, I see the ports as listening but TCP6 is listed. The Apache config indicates that it may be possible for TCP4 address to be mapped to use the TCP6. Does anyone know if this was a change in Fedora 36, i.e. only IPv6 addresses are now valid for Apache?

I have apache running on my PC and am able to connect to http://127.0.0.1 with no issues. Thus it seems that it still connects with IPv4 without problems.

I think you may need to look at /etc/httpd/conf/httpd.conf and at ip addr to see if the IPv4 address is available as well as checking to see what the firewall allows.

I can confirm that this is not the case. I have a public facing Fedora 36 server running Apache solely over IPv4.

Thanks for the feedback guys. I think I was the source of my own grief on this one! I restored from my backup and redid the upgrade. This time however, I did not run the optional step of running rpmconf. The machine booted, Let’s Encrypt certificates were recognized and I’m able to again reach the webserver. Just goes to prove the old adage …just enough knowledge to be dangerous!