Apache error letsencrypt error

June 10, 2016 620 views
Apache Let's Encrypt


I followed all steps for installing letsencrypt


But I get this error.

apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 13 of /etc/apache2/sites-enabled/domainname.com-le-ssl.conf: Expected </VirtualHost> but saw </VirtualHost></IfModule>

I'm extremely new to this. I've worked only on shared hosting, cPanels, etc.

Maybe someone can help me.

Thanks for support

2 Answers


Would you mind posting your VirtualHost configuration block (from <VirtualHost ...> to </VirtualHost>)? This will allow us to take a look at potential issues that are hard to take a stab at when an error isn't all that clear.

  • Hi Thanks for the help

    I'm a complete newbie on this.

    I have set up my domain, all fine; everything works: DB, DNS and so on.

    I just need that SSL to get working, but I have no clue why it does not work.

    I followed all this.

    Here is the vhost:

    <VirtualHost *:80>
    ServerAdmin admin@xxxxxx.com
    ServerName xxxxx.com
    ServerAlias www.xxxxx.com
    DocumentRoot /var/www/html/xxxxx.com/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

  • I think I fixed it.

    It needs a new line after </VirtualHost>.

    • @SwissCheese

      That could have definitely been the issue :).

      All VirtualHost blocks should indeed be separated by a new line -- one after the initial block definition and then following each setting.

      Think of each line as its own argument and think of line separation as a way of simplified organization that allows for easier interpretation by those who follow along.

      Another very common mistake is in the initial opening tag of the VirtualHost block. As an example, this is a rather common misplacement of the :

      <VirtualHost: *80>

      Above you'll notice that the : comes after VirtualHost which triggers an error as a valid port doesn't exist at *80 and Apache doesn't allow WildCards to be used in this way. If this was indeed valid, we'd be allowing access to [min-max]80, which means that incoming requests would be served on any port that ends with 80.

      Your block doesn't suffer from this common issue, so no need to worry. I simply provided this due to the number of times I've seen it pop up in the past.
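
The failure in the question, two section tags sharing one line (`</VirtualHost></IfModule>`), can be found and repaired mechanically. This is an added example, not code from the thread; the sample file, `example.com` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect and repair Apache section tags
# that share one line, e.g. "</VirtualHost></IfModule>".

# Print "LINE:TEXT" for every line where a closing section tag is followed
# by another tag on the same line. Exit status 1 means nothing was found.
find_joined_tags() {
    grep -nE '</[A-Za-z]+>[[:space:]]*<' "$1"
}

# Write a repaired copy to stdout: every closing tag ends its line.
split_joined_tags() {
    sed -E 's#(</[A-Za-z]+>)[[:space:]]*<#\1\
<#g' "$1"
}

# Constructed sample that reproduces the error from the question.
make_sample() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html/example.com/
    SSLEngine on
</VirtualHost></IfModule>
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/broken.conf"
    find_joined_tags "$tmp/broken.conf"
    split_joined_tags "$tmp/broken.conf" > "$tmp/fixed.conf"
    find_joined_tags "$tmp/fixed.conf" || echo "fixed copy: no joined tags"
    rm -rf "$tmp"
}

demo
```

After writing the repaired copy back to the real file, `apache2ctl configtest` confirms that the configuration parses.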

      • Thank you for all your info.

        It helps a lot!

        My background: I've been a pure user since the beginning of the internet... argh, damn, that makes me old. Anyway, for many years I've done web design, WordPress theme installs, selling to clients and so on. But in the last 2-3 years WordPress got so thick with all those fancy plugins every client wants to have that the normal 3.99 shared managed web hosting that companies offer cannot handle it anymore. Many times it's simple issues which can be fixed by increasing memory, URL upload time, etc. But hosts, sorry, no go.

        So I thought I'd jump in myself and see if I can manage this by myself; better for me, better for my clients. And how giving this community is! I'm really thinking of jumping in and moving many, many of my clients here.

        For me, I just need a fast system in the end,
        to have a domain ready with the specs I need.

        Anyway, sorry to blah blah too much. But I was really surprised how people here are giving back their knowledge. I hope I can do that one day as well.

        Have a nice weekend.

        • @SwissCheese

          Always happy to help!

          I got my start about 16 years ago, so I know how you feel :-). One word of advice is to begin researching server security. By default, DigitalOcean provides a bare OS, so you're really on your own and will need to ensure that proper OS updates are maintained, upgrades are performed when security patches are released, etc.

          The OS package manager makes this rather easy for the most part, though there will come a time where experience with the CLI is the only way to handle an issue.

          A prime example is when dealing with software that isn't in the OS repository or a third-party repo (i.e. compiling from source), managing logs (server, firewall, etc.), mitigating an incoming attack (see rate-limiting requests) and various other items (far too many for a reply as everything is its own subject or sub-category).

          Starting out, I'd secure SSH by locking it down as much as possible. The base port, 22, is well-known and will be the first port that someone tries to hit in an attempt to break into your server. Changing the port is security through obscurity and not the most recommended route, though it's a simple step to help when combined with a firewall and a firewall rule to block any/all access on 22 and only allow SSH through the new port.

          Ideally, you'll want to set up firewall rules to deny all access by default and only allow access to ports that you specifically allow using individual rules.

          Setting Up UFW on Ubuntu

          For example, Ubuntu offers a simple firewall that overlays iptables (the standard firewall) -- it's called ufw (short for Uncomplicated Firewall). What I'd recommend is running the following to get started.

          Disable UFW If Enabled

          You'll want to run this first and foremost as if ufw is enabled, the next command will lock you out. The output of the last command should read: Status: inactive

          ufw disable && ufw status

          Deny All Connections

          Simply put, this tells the firewall to deny any connection attempt, regardless of port or access level (including root). For that very reason, that's why we must run the above command to disable ufw before setting a default rule to deny all connections.

          ufw default deny

          Allow SSH on Port 22

          This will allow you to keep your connection once we enable ufw.

          ufw allow 22/tcp

          Allow HTTP, HTTPS, and DNS

          Connections over HTTP and HTTPS are made via tcp, so you'll definitely want to allow those, otherwise any attempts to access your websites are going to be denied. Standard connections aren't made via udp, so we don't need to specifically allow ports 80 and 443 to accept connections via udp, thus only tcp is being specified (and udp attempts will be blocked).

          You'll notice that for 53, the default DNS port, both tcp and udp connections are specified as being allowed. This is because the OS package manager needs to be able to resolve requests being made outside the server, otherwise you may run into issues updating, upgrading and installing packages.

          ufw allow 80/tcp \
          && ufw allow 443/tcp \
          && ufw allow 53/tcp \
          && ufw allow 53/udp

          Enable UFW

          ufw enable

          You'll see a message:

          Command may disrupt existing ssh connections. Proceed with operation (y|n)?

          Simply enter y and hit enter. The firewall is now active and will now intercept all incoming requests and unless the access port is 80, 443, 22, or 53, it will be denied and logged.

          That's a very basic start, but any server, regardless of type, should be running a firewall as a first-step measure against unwanted access. This being a very basic and short how-to, you should go beyond the above, if possible. Specifically, if you have a Static IP from your ISP, you can further restrict access on Port 22 by only allowing access from that IP, thus denying any connection period, unless it's from your IP.
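
The UFW steps from the comment above, collected into one ordered script with the optional static-IP restriction on port 22. This is an added example, not the commenter's code; `run`, `is_ipv4`, `ufw_baseline` and the address 203.0.113.10 are assumptions made here. It prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): the UFW steps above as one script.
# Default is a dry run that prints each command; run as root with APPLY=1
# to execute them. Usage: ./ufw-baseline.sh [static-admin-ip]

# Execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Accept only dotted-quad IPv4 addresses with each octet in 0-255.
is_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

# $1 (optional): static admin IP. When given, SSH on port 22 is allowed from
# that address only; otherwise port 22 is opened as in the comment.
ufw_baseline() {
    admin_ip=${1:-}
    if [ -n "$admin_ip" ] && ! is_ipv4 "$admin_ip"; then
        echo "invalid admin IP: $admin_ip" >&2
        return 2
    fi
    # Order matters: the SSH rule must exist before "ufw enable" runs,
    # or the session applying the rules is cut off.
    run ufw disable &&
    run ufw default deny &&
    if [ -n "$admin_ip" ]; then
        run ufw allow from "$admin_ip" to any port 22 proto tcp
    else
        run ufw allow 22/tcp
    fi &&
    for rule in 80/tcp 443/tcp 53/tcp 53/udp; do
        run ufw allow "$rule" || return 1
    done &&
    run ufw enable &&
    run ufw status verbose
}

ufw_baseline "$@"
```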

          • Thanks for all your valuable information!

            To be honest, I think it's all too much for me at the moment. I'm looking into companies now that do the server management for me.

            Would love to manage it myself, but I just have no time for it.

            Maybe you know a company that is good?


We reached the limit on the number of comments for the previous convo, so I'll continue it here :-).

It really depends on what you're looking for. I actually do freelance server administration and would be more than happy to work with you and your needs. If for some reason I'm not able to provide what it is you're looking for, I'll be more than happy to help you to find someone or a company that can.

If you're interested, and so I don't turn this into an advertisement, shoot me an e-mail at the e-mail below (and change [at] to @) and let me know:

1). # of Servers (VPS/Dedicated/etc)
2). What each Server is for (i.e. WordPress site/blog, Database, Web Server, etc)
3). Anything specific that you're wanting or in need of.

jonathan.tittle [at] provisioned.me

If you'll whitelist the above e-mail or the entire domain, that'll ensure that communications are received as well, just so we don't lose anything.

Look forward to hearing from you!
