Certbot Apache error "Name duplicates previous WSGI daemon definition."

It turns out that if my Apache conf file 000-default.conf only declares <VirtualHost *:80>...</VirtualHost>, then Certbot duplicates it and creates a second Apache conf file called 000-default-le-ssl.conf to define <VirtualHost *:443>...</VirtualHost>.

The Name duplicates previous WSGI daemon definition error appears because both Apache conf files have the same line defining WSGIDaemonProcess myprocess.... This appears to be a known Certbot bug.

The workaround I've found is to define both VirtualHosts (80 and 443) in the same Apache conf file (so that Certbot doesn't create a second file), and to define WSGIDaemonProcess outside both VirtualHosts, like this:

WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess myprocess user=ubuntu group=ubuntu threads=10 home=/home/ubuntu/myapp
WSGIProcessGroup myprocess

<VirtualHost *:80>
    ServerName example.com
    ...
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ...
</VirtualHost>

As the error says, you cannot use the same name for a WSGIDaemonProcess definition more than once. They have to be unique for the whole Apache instance.

If you have both 80 and 443 instances of the VirtualHost for the same ServerName, you shouldn't create a separate WSGIDaemonProcess in the 443 instance. Define it in the 80 instance and reference it by name from the 443 instance. That way you share the same daemon process group between 80 and 443 instances of the VirtualHost for the same ServerName.

WSGIApplicationGroup %{GLOBAL}
WSGIRestrictEmbedded On

<VirtualHost *:80>
    ServerName example.com
    WSGIDaemonProcess myprocess threads=10 home=/home/ubuntu/myapp
    WSGIProcessGroup myprocess
    ...
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    WSGIProcessGroup myprocess
    ...
</VirtualHost>

The way to get certbot to do this for you and avoid the error without changing your config structure is to comment out the offending line. After certbot succeeds, you'll then need to edit the config files manually to uncomment the lines and make sure you choose a new daemon process name for the new HTTPS config. So, in this case you should:

  1. Put a # in front of the line starting with WSGIDaemonProcess.
  2. Run certbot again and ask it to attempt to reinstall the existing cert for you. It will succeed this time.
  3. Edit the original configuration file and uncomment the WSGIDaemonProcess line.
  4. Edit the new configuration file that certbot created for you and uncomment the line (certbot will have copied the entire original config file for you, including any comments).
  5. You'll need to rename the daemon process in this file since you can't use the same name in two different virtual hosts; I'd recommend just adding an s to the name for secure: name -> names
  6. Restart Apache.
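
A pre-restart check for the rule the answers above rely on, that a WSGIDaemonProcess name must be unique across the whole Apache instance. This is an added example, not code from any of the answers; the function names and the two sample files are constructed, and the sample models a half-finished rename in the Certbot-generated file (the reference was renamed, the definition was not).

```python
import re
from collections import defaultdict

# Constructed sample: the original vhost file plus the copy Certbot generated.
SAMPLE = {
    "000-default.conf": """\
<VirtualHost *:80>
    WSGIDaemonProcess myprocess threads=10 home=/home/ubuntu/myapp
    WSGIProcessGroup myprocess
</VirtualHost>
""",
    "000-default-le-ssl.conf": """\
<VirtualHost *:443>
    # WSGIDaemonProcess myprocess threads=10
    WSGIDaemonProcess myprocess threads=10 \\
        home=/home/ubuntu/myapp
    WSGIProcessGroup myprocesss
</VirtualHost>
""",
}

def directives(text):
    """Yield (line_no, directive, first_arg); skips comments, joins '\\' continuations."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no  # remember where a continued directive began
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        m = re.match(r"(?i)(WSGIDaemonProcess|WSGIProcessGroup)\s+(\S+)", line)
        if m:
            yield start, m.group(1).lower(), m.group(2)

def check(files):
    """Return (duplicates, dangling): daemon names defined more than once, and
    WSGIProcessGroup references that match no WSGIDaemonProcess definition."""
    defined, used = defaultdict(list), []
    for path, text in files.items():
        for no, name, arg in directives(text):
            if name == "wsgidaemonprocess":
                defined[arg].append((path, no))
            else:
                used.append((path, no, arg))
    dups = {n: locs for n, locs in defined.items() if len(locs) > 1}
    # %{GLOBAL}-style values are built-in groups, not named daemon processes.
    dangling = [u for u in used if u[2] not in defined and not u[2].startswith("%{")]
    return dups, dangling
```

To use it on a real host, build the dictionary from the enabled site files and run Apache's own `apachectl configtest` afterwards, since this only checks the two WSGI directives.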