LetsEncrypt fails to parse an Apache config file #1294

Closed
paulschreiber opened this issue Nov 3, 2015 · 23 comments

@paulschreiber

LetsEncrypt fails to parse an Apache config file

$ ./letsencrypt-auto --agree-dev-preview --apache 
Updating letsencrypt and virtual environment dependencies......
Running with virtualenv: sudo /home/paul/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --apache
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/conf-enabled/roundcube.conf', u'Syntax error'),)

Config file looks clean:

$ sudo apache2ctl configtest
Syntax OK

Configuration file: http://pastebin.com/a1ZLYhAk

@chriscroome

Is the problem caused by Apache configuration files not being valid SGML or XML and specifically the greater than and less than syntax in the <ifVersion> elements which is causing these issues?

For example:

        <IfVersion >= 2.3>
          Require all denied
        </IfVersion>
        <IfVersion < 2.3>
          Order allow,deny
          Deny from all
        </IfVersion>

Module documentation: https://httpd.apache.org/docs/2.4/mod/mod_version.html

@chriscroome

I suspect the problem here is the same as #1264 -- augeas appears to error on a less than in a <IfVersion> element:

<IfVersion < 2.3>

@marcusds

marcusds commented Nov 4, 2015

Issue seems to also extend to elements such as <IfModule mod_ssl.c> or <VirtualHost *:80>, not even just when there is a greater than or less than symbol involved.

@domcleal
Collaborator

domcleal commented Nov 4, 2015

Which OS and version are you on? Can you check the version of Augeas?

@marcusds

marcusds commented Nov 4, 2015

I am on Ubuntu 15.10
Augeas is version 1.3.0

@Clete2

Clete2 commented Nov 5, 2015

Marcus pointed me here. Mine is failing on alias.conf and if I comment that out it fails on others too.

See https://community.letsencrypt.org/t/apache-config-parsing-errors/2617

Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">
        Options FollowSymlinks
        AllowOverride None
        Require all granted
</Directory>

@domcleal
Collaborator

domcleal commented Nov 5, 2015

@marcusds sorry, that question was directed at the original bug report from @paulschreiber. Yours may not be the same bug. Please pastebin a full config file that demonstrates the problem, since I can't reproduce it from that single fragment.

@Clete2 works fine for me on Augeas 1.3.0 and above.

@paulschreiber
Author

@domcleal I'm running Ubuntu 14.04.3 LTS. How do I tell what version of augeas I have?

I have this egg:

letsencrypt/lib/python2.7/site-packages/python_augeas-0.5.0-py2.7.egg-info

and

$ dpkg -l augeas*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                 Version                 Architecture            Description
+++-====================================-=======================-=======================-==============================================================================
un  augeas-doc                           <none>                  <none>                  (no description available)
ii  augeas-lenses                        1.2.0-0ubuntu1.1        all                     Set of lenses needed by libaugeas0 to parse config files
un  augeas-tools                         <none>                  <none>                  (no description available)

@pde
Member

pde commented Nov 6, 2015

This was fixed in git master by #1291!

pde closed this as completed Nov 6, 2015

@Clete2

Clete2 commented Nov 6, 2015

Hmm, didn't fix it for me. I ran rm -rf ../.local and tried again, but it has the same error.

2015-11-06 02:31:29,060:DEBUG:letsencrypt.cli:Root logging level set at 20
2015-11-06 02:31:29,065:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-06 02:31:29,094:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151104
2015-11-06 02:31:29,094:DEBUG:letsencrypt.cli:Arguments: ['--agree-dev-preview', '--server', 'https://acme-v01.api.letsencrypt.org/directory2', '--apache', '-v']
2015-11-06 02:31:29,097:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-06 02:31:29,111:DEBUG:letsencrypt.cli:Requested authenticator apache and installer apache
2015-11-06 02:31:29,656:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#apache): ('There has been an error in parsing the file (%s): %s', u'/etc/apache2/mods-enabled/alias.conf', u'Syntax error')
Traceback (most recent call last):
  File "/home/clete2/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/home/clete2/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 153, in prepare
    self.check_parsing_errors("httpd.aug")
  File "/home/clete2/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 64, in check_parsing_errors
    raise errors.PluginError(msg)
PluginError: ('There has been an error in parsing the file (%s): %s', u'/etc/apache2/mods-enabled/alias.conf', u'Syntax error')
2015-11-06 02:31:29,698:DEBUG:letsencrypt.display.ops:No candidate plugin
2015-11-06 02:31:29,700:DEBUG:letsencrypt.display.ops:No candidate plugin
2015-11-06 02:31:29,700:DEBUG:letsencrypt.cli:Selected authenticator None and installer None

@bmw
Member

bmw commented Nov 6, 2015

@Clete2, based on your logs, it appears that you are using letsencrypt-auto. Our changes have landed in our master branch but have not been pushed to PyPI so that they affect letsencrypt-auto. This should happen soon. You can keep an eye on PyPI or wait a few days and try again. The changes should be in place by then.

Sorry for the trouble!

@Clete2

Clete2 commented Nov 7, 2015

Sorry for not realizing! Thanks for the clarification.

@hokascha

hokascha commented Dec 3, 2015

Same here with a fresh install today. I am on Ubuntu 14.04 LTS.

# dpkg -l augeas*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version         Architecture    Description
+++-=====================-===============-===============-===============================================
un  augeas-doc            <none>          <none>          (no description available)
ii  augeas-lenses         1.2.0-0ubuntu1. all             Set of lenses needed by libaugeas0 to parse con
un  augeas-tools          <none>          <none>          (no description available)

# dpkg -l libaugea*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version         Architecture    Description
+++-=====================-===============-===============-===============================================
ii  libaugeas0            1.2.0-0ubuntu1. amd64           Augeas configuration editing library and API

# ./letsencrypt-auto --apache
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --apache
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-enabled/def_ssl.conf', u'Syntax error'),)

# apache2ctl configtest
Syntax OK

# cat /var/log/letsencrypt/letsencrypt.log
2015-12-03 19:34:02,489:DEBUG:letsencrypt.cli:Root logging level set at 20
2015-12-03 19:34:02,489:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-12-03 19:34:02,491:DEBUG:letsencrypt.cli:letsencrypt version: 0.1.0
2015-12-03 19:34:02,491:DEBUG:letsencrypt.cli:Arguments: ['-v', '--debug']
2015-12-03 19:34:02,491:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-12-03 19:34:02,493:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2015-12-03 19:34:02,957:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#apache): ('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-enabled/def_ssl.conf', u'Syntax error')
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 150, in prepare
    self.check_parsing_errors("httpd.aug")
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 68, in check_parsing_errors
    raise errors.PluginError(msg)
PluginError: ('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-enabled/def_ssl.conf', u'Syntax error')
2015-12-03 19:34:02,957:DEBUG:letsencrypt.display.ops:No candidate plugin
2015-12-03 19:34:02,957:DEBUG:letsencrypt.cli:Selected authenticator None and installer None

@sharpless

Ubuntu 14.04 LTS, exactly the same output as hokascha.

@paulschreiber
Author

I was eventually able to get this to work. The latest version breaks if the start and end tags don't have the same case: <IfModule> and </ifModule>. I fixed those manually.

@hokascha

hokascha commented Dec 4, 2015

@paulschreiber checked my conf - I have no <IfModule> directives. Also checked other directives for case problems, none found.

@domcleal
Collaborator

domcleal commented Dec 4, 2015

Please note that parsing errors can happen for all sorts of reasons and we've been fixing each case separately, so it's really important to see the contents of each file that's failing.

@hokascha can you gist the contents of /etc/apache2/sites-enabled/def-ssl.conf?

@sharpless which file is failing to parse for you, and can you gist it? Look at the The error was: PluginError [..] line.

@paulschreiber thanks, I've fixed this in Augeas at hercules-team/augeas@ba10b23

@hokascha

hokascha commented Dec 4, 2015

@domcleal Here's the config content: https://gist.github.com/hokascha/87da802584fa2b0675cc
Only change I made for the gist is replacing the domain name.

@domcleal
Collaborator

domcleal commented Dec 4, 2015

@hokascha the missing double quote on the SSLCipherSuite line is causing the failure. If you add it then it should parse. I filed a bug against Augeas at hercules-team/augeas#330.

It's probably useful to the LE devs if you can open new tickets to track each different failure, as the original issue reported here has been fixed.

@sharpless

I checked the file that was causing the problem, and noted that there were a few bad lines, but since that file wasn't loaded by Apache, I didn't get any errors from configtest. Fixed it, and was able to generate certificates.

Maybe there is a need for a more friendly error message?

@domcleal
Collaborator

domcleal commented Dec 4, 2015

@sharpless indeed, I'd suggest filing a bug for the LE folks showing the actual versus expected output. The output of the PluginError looks a little unfriendly and could show the path more prominently I guess.

@domcleal
Collaborator

domcleal commented Dec 4, 2015

@hokascha I've filed #1724 to track the issue you're experiencing, but I don't have a fix for it at the moment apart from editing the config to add the missing quote.

If anybody else has Apache config file parse failures, please file a new ticket at https://github.com/letsencrypt/letsencrypt/issues/new to avoid more confusion, and feel free to mention @domcleal so I can try and help.

pde added a commit that referenced this issue Dec 4, 2015

@moisty70

moisty70 commented Mar 14, 2017

my error was with compression.conf because there was no ending IfModule tag

Debian7 Apache 2.2
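
An added example, not part of the thread and not code from letsencrypt or Augeas: a small pre-flight check for the three causes reported in the comments above (a closing tag whose case differs from its opening tag, a section that is never closed, an unbalanced double quote). The name `lint_apache_conf` and the sample config are constructed for illustration, and the check assumes one directive per line with no backslash line continuations.

```python
import re

# Opening or closing section tag at the start of a line, e.g. <IfVersion < 2.3> or </IfModule>.
SECTION = re.compile(r"^\s*<(/?)([A-Za-z][A-Za-z0-9_]*)")

def lint_apache_conf(text):
    """Return (line_number, message) pairs for the parse hazards named in the thread."""
    findings = []
    stack = []  # (section name as written, line number) for sections still open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # An odd number of unescaped double quotes means a quote was never closed.
        if len(re.findall(r'(?<!\\)"', line)) % 2:
            findings.append((lineno, "unbalanced double quote"))
        m = SECTION.match(line)
        if not m:
            continue
        closing, name = m.group(1) == "/", m.group(2)
        if not closing:
            stack.append((name, lineno))
        elif not stack:
            findings.append((lineno, "closing </%s> without an opening tag" % name))
        else:
            opened, opened_at = stack.pop()
            if opened.lower() != name.lower():
                findings.append((lineno, "</%s> closes <%s> from line %d" % (name, opened, opened_at)))
            elif opened != name:
                findings.append((lineno, "case differs: <%s> (line %d) vs </%s>" % (opened, opened_at, name)))
    for opened, opened_at in stack:
        findings.append((opened_at, "<%s> is never closed" % opened))
    return findings

# Constructed sample, not a file from the thread.
SAMPLE = '''\
<IfModule mod_ssl.c>
    SSLCipherSuite "HIGH:!aNULL
    <IfVersion >= 2.3>
        Require all denied
    </IfVersion>
</ifModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
'''

if __name__ == "__main__":
    for lineno, message in lint_apache_conf(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

Because it reads file text directly, it can also be pointed at a file that Apache does not load, which `apache2ctl configtest` never examines.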
