Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf #7063

Open
Mythlandia opened this issue May 14, 2019 · 3 comments

If you're having trouble using Certbot and aren't sure you've found a bug or
request for a new feature, please first try asking for help at
https://community.letsencrypt.org/. There is a much larger community there of
people familiar with the project who will be able to more quickly answer your
questions.

My operating system is (include version):

MACOS 10.14.4

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

brew install certbot

I ran this command and it produced this output:

sudo certbot --apache

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

Rolling back to previous server configuration...

Certbot's behavior differed from what I expected because:

It did not complete because of the error in a file just installed by Certbot.
I commented out the error (which was setting Compression No) and repeated the installation, which proceeded without problem.
IT IS A SIGNIFICANT PROBLEM BECAUSE THE FILE WARNS I WILL RECEIVE NO FURTHER SECURITY UPDATES BECAUSE OF THE EDIT.

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

Warning: Permanently added the ECDSA host key for IP address '192.168.1.66' to the list of known hosts.
Password:
Last login: Tue May 14 13:03:56 2019 from fe80::c3d:196:32c3:5fc6%en1
sma-server:~ philwigglesworth$ cd /etc/apache2
sma-server:apache2 philwigglesworth$ ls
env.plist httpd-vhosts.conf httpd.conf.pre-update mime.types other
extra httpd.conf magic original users
sma-server:apache2 philwigglesworth$ sudo nano httpd.conf
Password:
sma-server:apache2 philwigglesworth$ sudo apachectl restart
sma-server:apache2 philwigglesworth$ sudo nano /etc/letsencrypt/options-ssl-apache.config
sma-server:apache2 philwigglesworth$ cd /etc/letsencrypt
sma-server:letsencrypt philwigglesworth$ ls
accounts csr live renewal
archive keys options-ssl-apache.conf renewal-hooks
sma-server:letsencrypt philwigglesworth$ sudo nano options-ssl-apache.conf
sma-server:letsencrypt philwigglesworth$ cd /var/log/letsencrypt
-bash: cd: /var/log/letsencrypt: Permission denied
sma-server:letsencrypt philwigglesworth$ sudo bash
Password:
bash-3.2# cd /var/log/letsencrypt
bash-3.2# ls
letsencrypt.log letsencrypt.log.1 letsencrypt.log.2 letsencrypt.log.3
bash-3.2# ls -l
total 160
-rw-r--r-- 1 root wheel 6114 May 14 13:17 letsencrypt.log
-rw-r--r-- 1 root wheel 9520 May 14 13:12 letsencrypt.log.1
-rw-r--r-- 1 root wheel 59918 May 14 13:09 letsencrypt.log.2
-rw-r--r-- 1 root wheel 0 May 14 13:08 letsencrypt.log.3
bash-3.2# nano letsencrypt.log.1

GNU nano 2.0.6 File: letsencrypt.log.1

"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-05-14 13:12:01,209:INFO:certbot.renewal:Cert not yet due for renewal
2019-05-14 13:12:10,883:INFO:certbot.main:Keeping the existing certificate
2019-05-14 13:12:10,884:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/spanishdrills.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/spanishdrills.com/privkey.pem
Your cert will expire on 2019-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly"$
2019-05-14 13:12:10,906:INFO:certbot_apache.configurator:Created an SSL vhost at /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:10,923:DEBUG:certbot.reverter:Creating backup of /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,016:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,016:INFO:certbot_apache.configurator:Enabling site /private/etc/apache2/httpd-vhosts-le-ssl.conf by adding Include to root configur$
2019-05-14 13:12:11,069:DEBUG:certbot_apache.parser:Adding Include /private/etc/apache2/httpd-vhosts-le-ssl.conf to /files/etc/apache2/httpd.conf
2019-05-14 13:12:11,141:DEBUG:certbot.reverter:Creating backup of /etc/apache2/httpd.conf
2019-05-14 13:12:11,273:INFO:certbot_apache.configurator:Created an SSL vhost at /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,395:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,445:INFO:certbot_apache.configurator:Created an SSL vhost at /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,569:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /private/etc/apache2/httpd-vhosts-le-ssl.conf
2019-05-14 13:12:11,747:ERROR:certbot.util:Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

2019-05-14 13:12:11,749:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2199, in config_test
util.run_script(self.option("conftest_cmd"))
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/util.py", line 84, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 522, in deploy_certificate
self.installer.restart()
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2162, in restart
self.config_test()
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2201, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

2019-05-14 13:12:11,750:DEBUG:certbot.error_handler:Calling registered functions
2019-05-14 13:12:11,750:CRITICAL:certbot.client:Rolling back to previous server configuration...
2019-05-14 13:12:12,298:DEBUG:certbot.reporter:Reporting to user: We were unable to install your certificate, however, we successfully restored your se$
2019-05-14 13:12:12,299:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2199, in config_test
util.run_script(self.option("conftest_cmd"))
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/util.py", line 84, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.33.1', 'console_scripts', 'certbot')()
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1125, in run
_install_cert(config, le_client, domains, new_lineage)
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 759, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 522, in deploy_certificate
self.installer.restart()
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2162, in restart
self.config_test()
File "/usr/local/Cellar/certbot/0.33.1/libexec/lib/python3.7/site-packages/certbot_apache/configurator.py", line 2201, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
Setting Compression mode unsupported; not implemented by the SSL library

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

<VirtualHost *:80>
DocumentRoot /Users/philwigglesworth/Sites/com/spanishdrills
ServerName spanishdrills.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =spanishdrills.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /Users/philwigglesworth/Sites/us/wigglesworth
ServerName wigglesworth.us
</VirtualHost>

<VirtualHost *:80>
ServerName vapor.spanishdrills.com
ProxyPreserveHost on
ProxyPass / http://localhost:8082/
ProxyPassReverse / http://localhost:8082/
RewriteEngine on
RewriteCond %{SERVER_NAME} =vapor.spanishdrills.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
ServerName calibre.spanishdrills.com
ProxyPreserveHost on
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
RewriteEngine on
RewriteCond %{SERVER_NAME} =calibre.spanishdrills.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


joohoi commented May 15, 2019

This is caused by the SSLCompression configuration directive in our TLS configuration include file. Which version of Apache (and openssl) are you running, as this option should be available in both - Apache 2.4 and 2.5?


Mythlandia commented May 15, 2019 via email


joohoi commented May 15, 2019

We'll investigate the issue. Meanwhile as a workaround, you should copy /etc/letsencrypt/options-ssl-apache.conf to another location in the filesystem, comment out the SSLCompression directive, and change the Include references in your Apache VirtualHosts. The file in /etc/letsencrypt shouldn't get modified.
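
Added example, not part of the thread and not Certbot code: a shell sketch of the three workaround steps above (copy the options file elsewhere, comment out SSLCompression in the copy, repoint the Include lines). The function names and the destination path in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example, not Certbot code. Function names and paths are hypothetical.

# Write a copy of SRC to DST with every active SSLCompression line commented
# out. Refuses a DST under /etc/letsencrypt so Certbot's file stays untouched.
make_local_options() {
    src=$1 dst=$2
    case $dst in /etc/letsencrypt/*) return 2 ;; esac
    awk 'tolower($1) == "sslcompression" { sub(/[^ \t]/, "#&") }
         { print }' "$src" > "$dst"
}

# In FILE, point Include/IncludeOptional lines that name OLD at NEW instead.
# Keeps a backup in FILE.bak; returns 1 when no line referenced OLD.
repoint_include() {
    old=$1 new=$2 file=$3
    cp -p "$file" "$file.bak" || return 2
    awk -v old="$old" -v new="$new" '
        tolower($1) ~ /^include(optional)?$/ {
            path = $2; gsub(/"/, "", path)      # tolerate a quoted path
            if (path == old) {
                match($0, /^[ \t]*/)            # preserve indentation
                $0 = substr($0, 1, RLENGTH) $1 " " new
                changed = 1
            }
        }
        { print }
        END { exit !changed }
    ' "$file.bak" > "$file"
}

# Typical use (as root), followed by the same check Certbot runs:
#   make_local_options /etc/letsencrypt/options-ssl-apache.conf /etc/apache2/options-ssl-local.conf
#   repoint_include /etc/letsencrypt/options-ssl-apache.conf \
#       /etc/apache2/options-ssl-local.conf /etc/apache2/httpd-vhosts-le-ssl.conf
#   apachectl configtest
```

Because the vhosts no longer include Certbot's own file, later changes Certbot ships in /etc/letsencrypt/options-ssl-apache.conf will not reach the copy and have to be merged by hand.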
