Apache error letsencrypt error

Question

Hi

I followed all steps for installing letsencrypt

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

But i get this error.

apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 13 of /etc/apache2/sites-enabled/domainname.com-le-ssl.con f: Expected </VirtualHost> but saw </VirtualHost></IfModule>

Im extreme new to this . worked only on shared hosting cpanls etc

May be someone can help me

Thanks for support

Answer 1

jtittle1 June 10, 2016

@SwissCheese

Would you mind posting your VirtualHost configuration block (from <VirtualHost …> to </VirtualHost>). This will allow us to take a look at potential issues that are hard to take a stab at when an error isn’t all that clear.

Reply Report

SwissCheese June 10, 2016

Hi Thanks for the help

Im a complete newbee on this

i have set up my domain all fine all works db dns and so on

i just need that ssl to get working. but i have no clue why it does not work.

I followed all this
https://cloud.digitalocean.com/support/suggestions?article=how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04&page=1&query=encrept

here the vhost

<VirtualHost *:80>
ServerAdmin admin@xxxxxx.com
ServerName xxxxx.com
ServerAlias www.xxxxx.com
DocumentRoot /var/www/html/xxxxx.com/
ErrorLog ${APACHELOGDIR}/error.log
CustomLog ${APACHELOGDIR}/access.log combined
</VirtualHost>
Reply Report
SwissCheese June 10, 2016

i thing i fixed it

needs a new line after </VirtualHost>
Reply Report
- jtittle1 June 10, 2016
  
  @SwissCheese
  
  That could have definitely been the issue :).
  
  All VirtualHost blocks should indeed be separated by a new line – one after the initial block definition and then following each setting.
  
  Think of each line as its own argument and think of line separation as a way of simplified organization that allows for easier interpretation by those who follow along.
  
  Another very common mistake is in the initial opening tag of the VirtualHost block. As an example, this is a rather common misplacement of the :
  
  <VirtualHost: *80>
  
  Above you’ll notice that the : comes after VirtualHost which triggers an error as a valid port doesn’t exist at *80 and Apache doesn’t allow WildCards to be used in this way. If this was indeed valid, we’d be allowing access to [min-max]80, which means that incoming requests would be served on any port that ends with 80.
  
  Your block doesn’t suffer from this common issue, so no need to worry. I simply provided this due to the number of times I’ve seen it pop up in the past.
  
  Reply Report
  
  SwissCheese June 10, 2016
  
  Thank you for all your info.
  
  It helps a lot!
  
  My background is im a pure user since beginning of the internet.... argh damn makes me old. Anyways i do many years webdesign wordpress theme install sell to client. and so on. but the last 2-3 years wordpress got so thick with all those fancy plugin every client wants to have. the normal 3.99 shared managed webhosting companies offer can not handle that anymore. many times its simple issues which can be fixed from increase memory url upload time etc. But hosts , sorry no go..
  
  So I thought i jump myself in and see if i can manage this by my self, better for me better for my clients. And how much giving this community is . I really thinking to jump in and move many many of my clients here
  
  For me i need just a fast system in the end
  To have a domain ready with my specs i need.
  
  Anyway sorry to bla bla to much. But i was really surprised how people are giving back here their knowledge. I hope i can do that one day as well.
  
  Have a nice Weekend
  
  Reply Report
  
  jtittle1 July 3, 2016
  
  @SwissCheese
  
  Always happy to help!
  
  I got my start about 16 years ago, so I know how you feel :-). One word of advice is to begin researching server security. By default, DigitalOcean provides a bare OS, so you’re really on your own and will need to ensure that proper OS updates are maintained, upgrades are performed when security patches are released, etc.
  
  The OS package manager makes this rather easy for the most part, though there will come a time where experience with the CLI is the only way to handle an issue.
  
  A prime example is when dealing with software that isn’t in the OS repository or a third-party repo (i.e. compiling from source), managing logs (server, firewall, ect), mitigating an incoming attack (see rate-limiting requests) and various other items (far too many for a reply as everything is its own subject or sub-category).
  
  Starting out, I’d secure SSH by locking it down as much as possible. The base port, 22, is well-known and will be the first port that someone tries to hit in an attempt to break in to your server. Changing the port is security through obscurity and not the most recommended route, though it’s a simple step to help when combined with a firewall and a firewall rule to block any/all access on 22 and only allow SSH through the new port.
  
  Ideally, you’ll want to setup firewall rules to deny all access by default and only allow access to ports that you specifically allow using individual rules.
  
  Setting Up UFW on Ubuntu
  
  For example, Ubuntu offers a simple firewall that overlays iptables (the standard firewall) – it’s called ufw (short for Uncomplicated Firewall). What I’d recommend is running the following to get started.
  
  Disable UFW If Enabled
  
  You’ll want to run this first and foremost as if ufw is enabled, the next command will lock you out. The output of the last command should read: Status: inactive
  
  ufw disable && ufw status
  
  Deny All Connections
  
  Simply put, this tells the firewall to deny any connection attempt, regardless of port or access level (including root). For that very reason, that’s why we must run the above command to disable ufw before setting a default rule to deny all connections.
  
  ufw default deny
  
  Allow SSH on Port 22
  
  This will allow you to keep your connection once we enable ufw.
  
  ufw allow 22/tcp
  
  Allow HTTP, HTTPS, and DNS
  
  Connections over HTTP and HTTPS are made via tcp, so you’ll definitely want to allow those, otherwise any attempts to access your websites are going to be denied. Standard connections aren’t made via udp, so we don’t need to specifically allow ports 80 and 443 to accept connections via udp, thus only tcp is being specified (and udp attempts will be blocked).
  
  You’ll notice that for 53, the default DNS port, both tcp and udp connections are specified as being allowed. This is because the OS package manager need to be able to resolve requests being made outside the server, otherwise you may run in to issues updating, upgrading and installing packages.
  
  ufw allow 80/tcp \ && ufw allow 443/tcp \ && ufw allow 53/tcp \ && ufw allow 53/udp \
  
  Enable UFW
  
  ufw enable
  
  You’ll see a message:
  
  Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  
  Simply enter y and hit enter. The firewall is now active and will now intercept all incoming requests and unless the access port is 80, 443, 22, or 53, it will be denied and logged.
  
  That’s a very basic start, but any server, regardless of type, should be running a firewall as a first-step measure against unwanted access. This being a very basic and short how-to, you should go beyond the above, if possible. Specifically, if you have a Static IP from your ISP, you can further restrict access on Port 22 by only allowing access from that IP, thus denying any connection period, unless it’s from your IP.
  
  Reply Report
  
  SwissCheese July 4, 2016
  
  Thanks for all your valuable information!
  
  To be honest. I think its all to much for me at the moment. Im looking into companys now who do the server managment for me.
  
  Would love to manage myself, but i just have no time for it
  
  may be you know a company, who is good
  
  Reply Report

Answer 2

SwissCheese June 10, 2016

Hi Thanks for the help

Im a complete newbee on this

i have set up my domain all fine all works db dns and so on

i just need that ssl to get working. but i have no clue why it does not work.

I followed all this
https://cloud.digitalocean.com/support/suggestions?article=how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04&page=1&query=encrept

here the vhost

<VirtualHost *:80>
ServerAdmin admin@xxxxxx.com
ServerName xxxxx.com
ServerAlias www.xxxxx.com
DocumentRoot /var/www/html/xxxxx.com/
ErrorLog ${APACHELOGDIR}/error.log
CustomLog ${APACHELOGDIR}/access.log combined
</VirtualHost>
Reply Report
SwissCheese June 10, 2016

i thing i fixed it

needs a new line after </VirtualHost>
Reply Report
- jtittle1 June 10, 2016
  
  @SwissCheese
  
  That could have definitely been the issue :).
  
  All VirtualHost blocks should indeed be separated by a new line – one after the initial block definition and then following each setting.
  
  Think of each line as its own argument and think of line separation as a way of simplified organization that allows for easier interpretation by those who follow along.
  
  Another very common mistake is in the initial opening tag of the VirtualHost block. As an example, this is a rather common misplacement of the :
  
  <VirtualHost: *80>
  
  Above you’ll notice that the : comes after VirtualHost which triggers an error as a valid port doesn’t exist at *80 and Apache doesn’t allow WildCards to be used in this way. If this was indeed valid, we’d be allowing access to [min-max]80, which means that incoming requests would be served on any port that ends with 80.
  
  Your block doesn’t suffer from this common issue, so no need to worry. I simply provided this due to the number of times I’ve seen it pop up in the past.
  
  Reply Report
  
  SwissCheese June 10, 2016
  
  Thank you for all your info.
  
  It helps a lot!
  
  My background is im a pure user since beginning of the internet.... argh damn makes me old. Anyways i do many years webdesign wordpress theme install sell to client. and so on. but the last 2-3 years wordpress got so thick with all those fancy plugin every client wants to have. the normal 3.99 shared managed webhosting companies offer can not handle that anymore. many times its simple issues which can be fixed from increase memory url upload time etc. But hosts , sorry no go..
  
  So I thought i jump myself in and see if i can manage this by my self, better for me better for my clients. And how much giving this community is . I really thinking to jump in and move many many of my clients here
  
  For me i need just a fast system in the end
  To have a domain ready with my specs i need.
  
  Anyway sorry to bla bla to much. But i was really surprised how people are giving back here their knowledge. I hope i can do that one day as well.
  
  Have a nice Weekend
  
  Reply Report
  
  jtittle1 July 3, 2016
  
  @SwissCheese
  
  Always happy to help!
  
  I got my start about 16 years ago, so I know how you feel :-). One word of advice is to begin researching server security. By default, DigitalOcean provides a bare OS, so you’re really on your own and will need to ensure that proper OS updates are maintained, upgrades are performed when security patches are released, etc.
  
  The OS package manager makes this rather easy for the most part, though there will come a time where experience with the CLI is the only way to handle an issue.
  
  A prime example is when dealing with software that isn’t in the OS repository or a third-party repo (i.e. compiling from source), managing logs (server, firewall, ect), mitigating an incoming attack (see rate-limiting requests) and various other items (far too many for a reply as everything is its own subject or sub-category).
  
  Starting out, I’d secure SSH by locking it down as much as possible. The base port, 22, is well-known and will be the first port that someone tries to hit in an attempt to break in to your server. Changing the port is security through obscurity and not the most recommended route, though it’s a simple step to help when combined with a firewall and a firewall rule to block any/all access on 22 and only allow SSH through the new port.
  
  Ideally, you’ll want to setup firewall rules to deny all access by default and only allow access to ports that you specifically allow using individual rules.
  
  Setting Up UFW on Ubuntu
  
  For example, Ubuntu offers a simple firewall that overlays iptables (the standard firewall) – it’s called ufw (short for Uncomplicated Firewall). What I’d recommend is running the following to get started.
  
  Disable UFW If Enabled
  
  You’ll want to run this first and foremost as if ufw is enabled, the next command will lock you out. The output of the last command should read: Status: inactive
  
  ufw disable && ufw status
  
  Deny All Connections
  
  Simply put, this tells the firewall to deny any connection attempt, regardless of port or access level (including root). For that very reason, that’s why we must run the above command to disable ufw before setting a default rule to deny all connections.
  
  ufw default deny
  
  Allow SSH on Port 22
  
  This will allow you to keep your connection once we enable ufw.
  
  ufw allow 22/tcp
  
  Allow HTTP, HTTPS, and DNS
  
  Connections over HTTP and HTTPS are made via tcp, so you’ll definitely want to allow those, otherwise any attempts to access your websites are going to be denied. Standard connections aren’t made via udp, so we don’t need to specifically allow ports 80 and 443 to accept connections via udp, thus only tcp is being specified (and udp attempts will be blocked).
  
  You’ll notice that for 53, the default DNS port, both tcp and udp connections are specified as being allowed. This is because the OS package manager need to be able to resolve requests being made outside the server, otherwise you may run in to issues updating, upgrading and installing packages.
  
  ufw allow 80/tcp \ && ufw allow 443/tcp \ && ufw allow 53/tcp \ && ufw allow 53/udp \
  
  Enable UFW
  
  ufw enable
  
  You’ll see a message:
  
  Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  
  Simply enter y and hit enter. The firewall is now active and will now intercept all incoming requests and unless the access port is 80, 443, 22, or 53, it will be denied and logged.
  
  That’s a very basic start, but any server, regardless of type, should be running a firewall as a first-step measure against unwanted access. This being a very basic and short how-to, you should go beyond the above, if possible. Specifically, if you have a Static IP from your ISP, you can further restrict access on Port 22 by only allowing access from that IP, thus denying any connection period, unless it’s from your IP.
  
  Reply Report
  
  SwissCheese July 4, 2016
  
  Thanks for all your valuable information!
  
  To be honest. I think its all to much for me at the moment. Im looking into companys now who do the server managment for me.
  
  Would love to manage myself, but i just have no time for it
  
  may be you know a company, who is good
  
  Reply Report

Answer 3

jtittle1 July 4, 2016

@SwissCheese

We reached the limit on the number of comments for the previous convo, so I’ll continue it here :-).

It really depends on what you’re looking for. I actually do freelance server administration and would be more than happy to work with you and your needs. If for some reason I’m not able to provide what it is you’re looking for, I’ll be more than happy to help you to find someone or a company that can.

If you’re interested, and so I don’t turn this in to an advertisement, shoot me an e-mail at the e-mail below (and change [at] to @) and let me:

1). # of Servers (VPS/Dedicated/etc)
2). What each Server is for (i.e. WordPress site/blog, Database, Web Server, etc)
3). Anything specific that you’re wanting or in need of.

jonathan.tittle [at] provisioned.me

If you’ll whitelist the above e-mail or the entire domain, that’ll ensure that communications are received as well, just so we don’t lose anything.

Look forward to hearing from you!

Reply Report

Related

Question

Apache error letsencrypt error

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Apache error letsencrypt error

Related

Leave a comment

Related

question

Enabling Let's Encrypt SSL certificate on Apache for 2 domain names

question

I can't renew certificates with letsencrypt certificates for my HTTPS ubuntu 16.04.

question

Installed LetsEncrypt and redirects to https work but web pages are no longer reachable

question

How to redirect HTTP TO HTTPS on Mac OS X

Looking for something else?