Renewing SSL Certificates for Apache Virtual Domains

You are here:
< All Topics

The procedure for renewing SSL certificates for an Apache virtual domain is described below.




There are some problems here which we need to be aware of:



  • 1. We have to activate port 80 for the virtual domain in apache in order for the letsencrypt certbot server to communicate with the domain to approve the certificate renewal.


  • 2. We are using sslh multiplexer which listens for all traffic coming in on port 443. It sends ssh traffic on to 22 and apache traffic on to 444. Thus we are running apache on 444 instead of the conventional standard 443, this is so apache does not conflict with sslh multiplexer 


  • 3. The certbot process automatically reconfigures our apache ports.conf file port to the standard 443 for https/SSL whih causes problems. So we have to manually edit this file afterward and change it back to 444.


  • 4. And finally after the SSL certificate has been successfully renewed we must then change back the apache config to disable port 80 so apache only then listens once again on port 444




Here is the process in practice:



root@gemini:/etc/apache2/sites-enabled# certbot –apache -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.





Activate Port 80


You need to activate port 80 for in the /etc/apache2/sites-available/


to do this use the config file:




as follows:


a2dissite 000-default.conf


a2ensite 000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf


systemctl restart apache2



Obtain the new ssl certificate


To do this, run certbot:


root@gemini:/etc/apache2/sites-enabled# certbot –apache -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default.conf


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 3

** Invalid input **
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the –redirect and –no-redirect flags.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:

You should test your configuration at:
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –


– Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2022-10-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:
Donating to EFF:





Put the new certificate in the proper location on our server


Note the location of the new certificate and the name it is given. We prefer to change this to our standard location folder and file name.


So move the new keys to the folder already in use for SSL certificates to /etc/letsenrypt/live/


(instead of using /etc/letsencrypt/live/ as source created by certbot during the renewal process).



You also have to rename the certificates from privkey2.pem etc, because they are symbolic links and we don’t use them for the standard location:


Remove the symlinks and replace with the actual certificate files at /etc/letsenrypt/live/


Next, Apache Port Reconfiguration:


Certbot changes the standard apache https port from 444 to 443 in /etc/apache2/ports.conf.


As we use an sslh multiplexer on gemini to listen on 443 and split ssh traffic to ssh 22 and https traffic to 444…we need to change this back.

So, set correctly for our sslh config it will look like this:


root@gemini:/etc/apache2# cat ports.conf
#NOTE! gemini: running sslh with apache and ssh!

#after running the certbot app to renew the SSL certificates for apache domains, certbot changes the port designations to the standard 443

#this will not work for my configuration as we use sslh on port 443 on gemini which forwards to port 444 on apache. ie, we have to use port 444 for apache
#and not the standard 443. Otherwise apache will not start.

#So, make sure to change back the ports.conf configuration from port 443 to port 444: as below.


/etc/apache2/ports.conf should look like this:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Listen 80
##Listen 8080

#<IfModule ssl_module>
# Listen 443
#Listen 444

<IfModule mod_ssl.c>
#Listen 443
Listen 444

<IfModule mod_gnutls.c>
Listen 444
# Listen 443

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet



Next, reactivate the correct sites-available config for apache and restart the webserver:


Disable the temporary /etc/apache2/sites-available/000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf


(this was needed to activate on port http 80 for the purpose of renewing the ssl certificate from letsencrypt using certbot).


Finally, reactivate the main sites-available file ie 000-default.conf and then restart apache:


a2dissite 000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf
a2ensite 000-default.conf
systemctl start apache2


Apache should then be running correctly on 444 and should be reachable via https on 443 from sslh


(you enter in browser as per usual, NOT




Table of Contents