How to get a security certificate with either letsencrypt or certbot?

Hi, everyone there, how are you?

Let me introduce myself: I am a complete newbie to security layers, encryption and security certificates, but I need to learn them now. Please be patient with me. First of all, what is the difference between letsencrypt and certbot? Can both make a certificate? I see three similar topics; I will read through them.

Let’s Encrypt provides the security certificates for your domain (the certificate authority), while Certbot is a tool that simplifies the process of obtaining and renewing certificates (the program that communicates between your machine and Let’s Encrypt).

I got the certbot package at pkgs.org. (Do a search for certbot and you’ll see an rpm for RHEL10 and clones, including Rocky.) So, install certbot and also get a package for whatever web server you’re using (e.g., python3-certbot-apache) from pkgs.org. Then, assuming you have your DNS set up so that your website is reachable, including setting up your firewall to allow ports 80 and 443, go to https://certbot.eff.org/ and click the link for certbot instructions. That takes you to a page where you choose what web server you’re running on what system. I chose Linux (pip). (The only Linux choices are pip and snap.) They then give you the command to run. Though they made it, if I remember correctly, more complicated than it had to be, I skipped to the part where they said to run certbot manually, which was just
certbot certonly --apache
And then rely on the python3-certbot-apache plugin to keep it updated.

In my case, the plugin worked automatically; I didn’t need to configure it.
You can check with
systemctl list-timers certbot-renew

At that point, you’ll be asked the domain name, etc.

(or just do systemctl list-timers --all to see all your timers.)

Pretty much all the certbot packages are in EPEL, so it would be enough to do:

dnf install epel-release
dnf install certbot

plus any of the other packages you may need, you can then search with:

dnf list available *certbot*

Yup, just checked on an RHEL10 install and the packages are now available. (They weren’t at the time I checked, which is why I mentioned pkgs.org.)

Hi, everyone there, so nice to read many of your comments and replies. I studied the “Let’s Encrypt” article at Wikipedia, and now I understood “letsencrypt” and “certbot” are almost the same program. I have been maintaining two WEB servers with two different ISPs (Internet Service Providers), one located at Tokyo-Hachioji, and the other in Los Angeles. From a certain technology service guy, I obtained the following command lines of instructions.

sudo dnf update -y
sudo dnf install epel-release -y
sudo dnf upgrade -y

sudo dnf install firewalld fail2ban mod_ssl -y
sudo systemctl enable --now firewalld
----- Firewall set up,
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
----- Please configure SElinux
sudo setsebool -P httpd_can_network_connect on
----- Install Apache
sudo dnf install httpd -y
sudo systemctl enable --now httpd
----- Set up SSL
sudo dnf install certbot python3-certbot-apache -y
sudo certbot --apache

Around here, I messed up one of the WEB servers. The WEB server’s error messages are as below.

=== One WEB-Server
[root@localhost ~]# certbot --apache -d tunefind.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): c
An e-mail address or --register-unsafely-without-email must be provided.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

=================================================
=== The Other WEB-Server
[root@localhost ~]# certbot --apache -d tunefind.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter ‘c’ to cancel): mkidolosangeles@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: Y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let’s Encrypt project and the non-profit organization that
develops Certbot? We’d like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y
Account registered.
Requesting a certificate for tunefind.org
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@localhost ~]# certbot --apache -d tunefind.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for tunefind.info
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@localhost ~]#

Here above are all the results I got up to now. Neither WEB server worked out to obtain the certificate, because of the ERROR messages. In addition to that ERROR message, one WEB server’s Apache died with a wrong port number assignment or overlapping port numbers. I am planning to reset the latter WEB server with a new WEB server replacement in a few weeks. Meanwhile, if you understand the ERROR message’s meaning and can navigate me to where to fix it, or where to look, I will check it up.

Additional Information by nmap
[[[ tunefind.ORG ]]]
[root@localhost ~]# nmap tunefind.org
Starting Nmap 7.92 ( https://nmap.org ) at 2025-05-29 14:39 EDT
Nmap scan report for tunefind.org (45.25.216.45)
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 9.48 seconds
This WEB-server is dead now.

==========
[[[ tunefind.INFO ]]]
[root@localhost ~]# nmap tunefind.info
Nmap scan report for tunefind.info (110.3.33.130)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
9090/tcp open zeus-admin
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp
Nmap done: 1 IP address (1 host up) scanned in 6.11 seconds
This WEB-server is working now.
M.K.

I fixed the [ AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty ]

I took out the comment (#) mark from this line, so that the SSLCertificateFile location is designated.

Still I get the following ERROR message, and haven’t reached the goal.

=====
[root@svr1 ~]# certbot --apache -d tunefind.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for tunefind.info
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

M.K.

To issue a certificate via certbot to Apache, as per your command, the server must be accessible from the internet. LetsEncrypt needs to connect to your server to verify that you own it before issuing the certificate. If the connection is blocked, or you have not made the server accessible, then the certificate will not be issued.

This is why you have an error.

Hi, Mr. iwalker, this server is accessible from the internet.

How may I prove to LetsEncrypt that I am the owner?

What kind of connection is blocked? How do I unblock it? What is the likely cause of blocking? I am totally in dismay; really, I don’t understand anything as far as this blocking talk goes. Excuse me, be patient with me. M.K.

If the IP address for tunefind.info is your web server that you are trying to configure the certificate on, then this should work. Check your Apache logs just in case it’s trying to create a file in .well-known and cannot due to permissions. If this is the case, then you need to chown the website directory to be owned by the Apache user. That way, certbot, when it connects to verify, should be able to do everything that is required.

I’ve just visited tunefind.info so that would confirm it is open and accessible. I expect now the problem is the Apache config. You may also need to provide the web root, eg:

certbot --apache -d tunefind.info --webroot /var/www/html

assuming your website is under /var/www/html. If not, change the directory to match how your website is configured in Apache.

I just checked both the .INFO and .ORG WEB sites, and looked at the owner of the httpd (Apache) access LOG files. [INFO] showed mkido:mkido ownership, while [ORG] showed root:root. Do you think it is better to adjust the ownership to apache:apache? Or is root:root ownership good enough? If I want to change the access LOG file’s owner from mkido:mkido to apache:apache OR root:root, what part of the configuration should be revised? Inside httpd.conf? Or the ownership of httpd (Apache)?

At /var/log/httpd, other than access_logs and error_logs, I don’t find any DOT folder or DOT file. Should I rather create a .well-known folder in /var/log/httpd with ownership apache:apache?

I just ran this command line, and it replied,

certbot: error: unrecognized arguments: /var/www/html

Although this is the correct WEB root of tunefind.info. M.K.
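The "unrecognized arguments" error above comes from how certbot parses its options: --webroot selects the webroot authenticator and takes no value, the directory is passed with -w, and --apache is a separate authenticator, so the two are not combined. The script below is an added example, not code from the thread or from certbot: it prepares the .well-known/acme-challenge path under a web root (the place where the HTTP-01 challenge file is served from, not /var/log/httpd), writes a constructed probe file so the path can be checked with curl before a real issuance, and prints the certbot invocation in the correct flag form. It assumes Apache serves the given web root as DocumentRoot on port 80; tunefind.info and /var/www/html are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): prepare and self-check the
# HTTP-01 challenge path that certbot's webroot authenticator writes to, and show
# the flag form it takes. Assumes Apache serves WEBROOT as the DocumentRoot for the
# domain on port 80.

# prepare_challenge_dir WEBROOT -> creates .well-known/acme-challenge with modes the
# web server can traverse and prints the directory path.
prepare_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    chmod 755 "$1/.well-known" "$dir"
    printf '%s\n' "$dir"
}

# write_probe_token WEBROOT -> writes a constructed probe file (not a real ACME token)
# and prints the URL path a client would request for it.
write_probe_token() {
    name="probe-$$"
    printf 'probe-ok\n' > "$1/.well-known/acme-challenge/$name"
    chmod 644 "$1/.well-known/acme-challenge/$name"
    printf '/.well-known/acme-challenge/%s\n' "$name"
}

# probe_over_http DOMAIN URLPATH -> fetches the probe over plain HTTP, the way the CA
# will. Needs network and a running Apache, so run it by hand from another machine.
probe_over_http() {
    curl -fsS "http://$1$2"
}

# certbot_webroot_cmd WEBROOT DOMAIN -> the certbot invocation using the webroot
# authenticator. --webroot takes no value; the directory goes to -w. "certonly"
# obtains the certificate without editing the Apache configuration.
certbot_webroot_cmd() {
    printf 'certbot certonly --webroot -w %s -d %s\n' "$1" "$2"
}

# Stand-alone run against a constructed temporary web root.
demo() {
    root=$(mktemp -d)
    dir=$(prepare_challenge_dir "$root")
    path=$(write_probe_token "$root")
    echo "challenge dir: $dir"
    echo "probe content: $(cat "$root$path")"
    echo "once Apache serves $root on port 80, check from outside with: curl -fsS http://tunefind.info$path"
    echo "then issue with: $(certbot_webroot_cmd "$root" tunefind.info)"
    rm -rf "$root"
}
demo
```

If the probe URL returns the file from outside, the HTTP-01 path is reachable and ownership or permissions are not the blocker; if it returns 404 or a different site's page, Apache is not serving that web root for the domain on port 80, which is the same condition the apache plugin reports.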

I meant check in your log files to see if something tried connecting to your website and gave errors in that it couldn’t connect. LetsEncrypt needs to create a directory called .well-known inside your web directory, so under /var/www/html or wherever your site is. If it cannot create it, then it cannot verify and activate your certificate. But if we cannot see the errors, then it can be hard to find where the problem is.

I mean ensure your files/directories where your website is are owned by the apache user, eg:

chown -R apache:apache /var/www/html

obviously change /var/www/html to the correct directory where you put the website.

Dear, dear iwalker, I never heard of this. It’s the first time I got this instruction. chown has the -R recursive option, so the entire WEB site’s files will change to apache:apache OWNERSHIP. Yes, my WEB runs under /var/www/html.

Yes, that’s correct. And in some cases it’s required. You may also want to check the LetsEncrypt/certbot documentation since the problems you are experiencing are not unique to Rocky Linux, but can happen on any Linux distribution. There is something wrong either with your web server configuration or the permissions to the web directory in that the certificate is not being created for some reason.

I just ran this apache:apache OWNERSHIP command line with -R (recursive option). As expected, the ENTIRE WEB FILES have changed to apache:apache OWNERSHIP. Great preparation. By the way, many files have various permissions such as 644 or 777 or else. PERMISSION does not matter, whichever? Right?

It is better for LetsEncrypt to create the directory called ‘.well-known’ inside my web directory, /var/www/html, isn’t it? I can make it in a second, but rather LetsEncrypt creates it; that is the standard procedure, isn’t it?

By the way, how do I post a screenshot? I would like to show you the error message in red colour. In black and white font, it is,
" Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80. "

I have seen this error message several times up to now by command line,

certbot --apache -d tunefind.info

Virtual host 80? What is this?

I remembered that one of my WEB co-administrators liked Virtualmin and strongly recommended that I install Virtualmin. I was part of the way there, and the tunefind.info WEB server computer has Virtualmin installed already somewhere. Then my other WEB co-administrator told me, “I don’t like Virtualmin, but I rather prefer LetsEncrypt.” Therefore, tunefind.info got a virtual domain set up by the instructions of the Virtualmin loading, but in the middle Virtualmin was abandoned and we switched to LetsEncrypt instead. I am trying to tell you, I messed up the tunefind.info domain with the partial setup with Virtualmin. And I don’t know how to REMOVE Virtualmin in order to restore the ORIGINAL status before the Virtualmin loading.
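A "virtual host listening on port 80" is a <VirtualHost *:80> block in the Apache configuration whose ServerName matches the domain; certbot's apache plugin reads Apache's parsed configuration to find one, and the error in the thread means none exists for tunefind.info (the default ssl.conf only defines a port-443 host). The script below is an added example, not code from the thread or from certbot: it runs the same check against constructed samples of the table that `httpd -S` prints (`apachectl -S` on some systems) and prints the smallest port-80 block that satisfies the plugin when the check fails. The sample tables, the file name tunefind.info.conf and the use of /var/www/html as DocumentRoot are assumptions; on a real server replace the samples with the output of `httpd -S 2>&1`.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): check Apache's parsed
# virtual-host table for a port-80 VirtualHost serving a domain, which is what
# certbot's apache plugin needs before it can answer the HTTP-01 challenge.
# On a real server the table comes from:  httpd -S 2>&1

# Constructed sample: only the default SSL vhost from ssl.conf, nothing on port 80.
SAMPLE_NO_PORT80='VirtualHost configuration:
*:443                  localhost (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"'

# Constructed sample: one plain vhost on port 80 plus the SSL vhost.
SAMPLE_SINGLE_PORT80='VirtualHost configuration:
*:80                   tunefind.info (/etc/httpd/conf.d/tunefind.info.conf:1)
*:443                  localhost (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: "/etc/httpd"'

# Constructed sample: name-based vhosts on port 80 (the form Apache prints when
# several hosts share the port) plus the SSL vhost.
SAMPLE_NAMED_PORT80='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server tunefind.info (/etc/httpd/conf.d/tunefind.info.conf:1)
         port 80 namevhost tunefind.info (/etc/httpd/conf.d/tunefind.info.conf:1)
*:443                  localhost (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: "/etc/httpd"'

# has_port80_vhost VHOST_TABLE DOMAIN -> exit 0 if a port-80 vhost serves DOMAIN.
# Matches both the single-vhost line ("*:80   domain (file:line)") and the
# name-based line ("port 80 namevhost domain (file:line)").
has_port80_vhost() {
    table=$1
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$table" \
        | grep -Eq "^\*:80[[:space:]]+${dom}([[:space:]]|\$)|port 80 namevhost ${dom}([[:space:]]|\$)"
}

# minimal_port80_vhost DOMAIN WEBROOT -> prints the smallest VirtualHost block that
# lets the apache plugin (and the HTTP-01 challenge generally) answer on port 80.
minimal_port80_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
</VirtualHost>
EOF
}

# report LABEL VHOST_TABLE DOMAIN -> one line per sample, plus the fix when missing.
report() {
    if has_port80_vhost "$2" "$3"; then
        echo "$1: port-80 vhost for $3 found"
    else
        echo "$1: no port-80 vhost for $3; add e.g. to /etc/httpd/conf.d/$3.conf:"
        minimal_port80_vhost "$3" /var/www/html
    fi
}

# Stand-alone run over the three constructed tables.
report no_port80 "$SAMPLE_NO_PORT80" tunefind.info
report single_port80 "$SAMPLE_SINGLE_PORT80" tunefind.info
report named_port80 "$SAMPLE_NAMED_PORT80" tunefind.info
```

After adding such a block, `httpd -t` validates the syntax and `systemctl reload httpd` applies it; a fresh `httpd -S` should then list the domain under `*:80` before certbot is run again.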

777 is unsafe; that’s full read-write-execute. If the files were uploaded from Windows then this could explain it. It’s very easy to reset the permissions:

find /var/www/html -type f -exec chmod 664 {} \;
find /var/www/html -type d -exec chmod 755 {} \;

then it will be much safer. I’ve just checked this against mine for default permissions on files that I’ve created.

Files usually have permissions of rw-rw-r-- and so 664. Directories usually rwxr-xr-x and so 755.

Do not use those commands on your entire system, as that could cause your system to break. Using the exact path that I provided, eg /var/www/html, is OK. If you did it on other directories like system ones, you could cause everything to fail and your server would no longer work.
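The two find/chmod lines above fix the permissions but give no view of what was wrong before or whether anything was missed. The script below is an added example, not code from the thread: it lists every world-writable file or directory under a web root (which is what the 777 mode grants), summarises the modes in use, applies the same 664/755 reset from the reply above, and refuses to run against / or other system directories so that the warning in the reply is enforced rather than just remembered. The temporary web root it builds for the demonstration is constructed; point it at your real directory (e.g. /var/www/html) in practice.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for world-writable entries
# such as 777, then reset to the 664/755 scheme. Scoped strictly to the directory
# passed in, and refuses system paths.

# find_world_writable WEBROOT -> prints every file or directory under WEBROOT that
# other users can write to (-perm -002 = "others have write"), one path per line.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# perms_summary WEBROOT -> prints "<mode> <count>" lines, so you can see what is in
# use before changing anything and confirm only 664/755 remain afterwards.
perms_summary() {
    find "$1" \( -type f -o -type d \) -exec stat -c '%a' {} + \
        | sort | uniq -c | awk '{print $2, $1}'
}

# reset_web_perms WEBROOT -> files 664, directories 755, exactly as in the reply.
# Refuses obviously dangerous targets so it cannot be pointed at the whole system.
reset_web_perms() {
    case "$1" in
        ""|/|/etc|/usr|/var|/bin|/sbin|/lib|/lib64|/boot|/root|/home)
            echo "refusing to reset permissions on '$1'" >&2
            return 2 ;;
    esac
    find "$1" -type f -exec chmod 664 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# Stand-alone run: build a constructed web root in the unsafe state, audit, fix, re-audit.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads"
    printf '<h1>hi</h1>\n' > "$root/index.html"
    chmod 777 "$root/uploads" "$root/index.html"   # the unsafe state from the thread
    echo "world-writable before:"; find_world_writable "$root"
    echo "modes before:"; perms_summary "$root"
    reset_web_perms "$root"
    echo "world-writable after:"; find_world_writable "$root"
    echo "modes after:"; perms_summary "$root"
    rm -rf "$root"
}
demo
```

Ownership (chown -R apache:apache) and mode are separate controls: the reset above leaves the owner untouched, and 664/755 still lets the owning user and group edit the site while denying write access to everyone else, which is the property the 777 files lacked.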