certbot icon indicating copy to clipboard operation
certbot copied to clipboard
verified publisher icon certbot

Could not reverse map the HTTPS VirtualHost to the original when whitespace in End of File

Open ghost opened this issue 4 years ago • 14 comments

Certbot throws "Could not reverse map the HTTPS VirtualHost to the original" when trying to parse a vhost file where the last lines after the closing tag are empty (newline) and/or contain a single space in one of those lines.

This error is really unspecific and i spent lots of time trying to fix it. Also the parser should be able to handle it better. There should be a more specific warning on what file and why its failing.

The Issue and resolving it can be found here https://community.letsencrypt.org/t/could-not-reverse-map-the-https-virtualhost-to-the-original/168559/5 but someone else ran into a similar issue earlier here https://community.letsencrypt.org/t/why-cant-i-certbot-d-toastmastervoice-com-and-create-a-new-virtualhost-and-certificate/131544

This seems to work

<VirtualHost *:80>
    ServerName md.thorgerjansen.de
    DocumentRoot /var/www/html/test
</VirtualHost>

Something like this seems to fail (not sure anymore where the space was, just removed the tailing lines and it suddenly worked)

<VirtualHost *:80>
    ServerName md.thorgerjansen.de
    DocumentRoot /var/www/html/test
</VirtualHost>

This error is really hard to find and debug and can be really frustrating. Thanks to the people over at community.letsencrypt i solved within 2h what i couldnt solve the day before.

ghost avatar Dec 29 '21 13:12 ghost

I had a little trouble consistently reproducing this, but I was able to do so. It'd be nice to fix this at some point.

bmw avatar Jan 18 '22 22:01 bmw

Wow...getting rid of the extra lines at the end worked for me too. Very annoying. Thanks for posting this.

sprice-HE avatar Jan 27 '22 17:01 sprice-HE

I think this problem might be more extensive. My conf file looked like this:

<VirtualHost *:80>
...
</VirtualHost>

<Directory "/var/www1">
...
</Directory>

the final '>' was followed by a blank line (just 0x0a), and a comment with no preceding WS. The last char in the file was the 0x0a terminating the comment. If I removed the final two lines and ran:

certbot --apache -d example.com -d www.example.com

there was no change; certbot failed with the 'Could not reverse map' message. I then changed the file so that the Directory section came before the VirtualHost section, re-ran certbot, and it succeeded.

EML-github avatar Feb 07 '22 17:02 EML-github

But, interestingly, the original VirtualHost spec was followed by a blank line with a single space in it before the Directory spec, so maybe it is exactly the same thing...

EML-github avatar Feb 07 '22 18:02 EML-github

Thanks for posting this!!

SevenAntares avatar Feb 08 '22 08:02 SevenAntares

I honestly think this bug should have a higher priority or at least a more informative message when appearing to it. I now know of multiple people who wasted a lot of time with this issue.

ghost avatar Feb 08 '22 09:02 ghost

Is anyone aware of a reason this bug is being hit more often? I don't think we've changed anything recently in our Apache plugin that would have caused this.

Regardless, we would accept a well written PR for this. I'm not certain, but I highly suspect the fix here would need to be made to Augeas and/or our Augeas lens.

bmw avatar Feb 08 '22 14:02 bmw

Commented out OSCP Stapling stuff (which doesn't belong in a port 80 host, but was preparing it from a working TLS config from another of my sites) and OSCP Stapling can't go inside the VirtualHost section.

So this stuff (commented-out settings) appeared below the VirtualHost section, and triggered this bug, before I found this issue and temporarily put these comments inside the VirtualHost section, (marking them with a reminder to move back outside on the TLS config, post-install).

jimmiedave avatar Mar 11 '22 17:03 jimmiedave

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

github-actions[bot] avatar Mar 12 '23 01:03 github-actions[bot]

It's not straightforward to test if this is still borken b/c people would have to be setting up a new Certbot-enabled site. Once I have everything working, I'm loathe to touch it, for fear of having it fail when the cert expires.

I see it's prioritized "unplanned". Seems mighty easy to trip over, but not easy to solve without help. Maybe put info in instructions? Maybe have Certbot ignore-but-preserve everything after the VirtualHost section?

jimmiedave avatar Mar 19 '23 23:03 jimmiedave

On 19/03/2023 23:21, David Cain wrote:

It's not straightforward to test if this is still borken b/c people would have to be setting up a new Certbot-enabled site. Once I have everything working, I'm loathe to touch it, for fear of having it fail when the cert expires.

True. And I'm afraid that I had to drop Certbot from my server images anyway, when cleaning out anything that required Snap installation. I've been using apache-md instead without problems.Message ID: @.***>

EML-github avatar Mar 20 '23 09:03 EML-github

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

I came across the same error "Could not reverse map the HTTPS VirtualHost to the original" while setting a new domain in a LAMP server.

After some time, I realized that for some reason I didn't figure out, the Certbot wasn't creating the file 'mydomainname.com-le-ssl.conf' in the Apache folder /etc/apache2/sites-available (which the Certbot usually does). I was able to fix the issue manually creating the file 'mydomainname.com-le-ssl.conf' and copying/pasting the content from other of other domain I already had configured and working (replacing the domain of course).

Then I run a2ensite domainname-le-ssl.conf (which usually is not necessary), and reloaded Apache with systemctl reload apache2

It worked!

sarahcssiqueira avatar Jul 12 '23 22:07 sarahcssiqueira

Still not resolved?

tkrsh avatar Feb 10 '24 18:02 tkrsh

The solution of @EML-github worked for me (changed the file so that the Directory section came before the VirtualHost section): from:

<VirtualHost *:80>
...
</VirtualHost>

<Directory "/var/www1">
...
</Directory>

to:

<Directory "/var/www1">
...
</Directory>

<VirtualHost *:80>
...
</VirtualHost>

Additionally I checked:

  1. no spaces between te beginning of the line and the opening brackes '<'
  2. no spaces at the end of any line

Than because I already had the certificates, but certbot couldn't install them because of the error. After fixing the above, I only had to rerun:

certbot install --cert-name the.domain.name

tsboh avatar Jun 20 '24 14:06 tsboh