2 domains have correctly generated certificates, 3rd failed


#1

My domain is: support.vahynetto.cz

I ran this command: certbot --apache -d support.vahynetto.cz

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for support.vahynetto.cz
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
Created an SSL vhost at /etc/httpd/conf.d/support.vahynetto.cz-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/support.vahynetto.cz-le-ssl.conf

Please choose whether HTTPS access is required or optional.

1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/support.vahynetto.cz.conf to ssl vhost in /etc/httpd/conf.d/support.vahynetto.cz-le-ssl.conf


Congratulations! You have successfully enabled https://support.vahynetto.cz

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=support.vahynetto.cz

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/support.vahynetto.cz/fullchain.pem. Your cert
    will expire on 2017-06-29. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My operating system is (include version): Fedora 25

My web server is (include version): Apache/2.4.25 (Fedora)

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Two other domains (and vhosts), kb.vahynetto.cz and help.nettocontrol.cz, had their certificates generated on March 11th and everything went fine. When I tried to generate a certificate for the domain support.vahynetto.cz using certbot, it gets a certificate where the domain is help.nettocontrol.cz and all browsers start to scream at me. What can I do to get a proper certificate?

Thank you.


#2

How did you install the previous certificates? Exactly the same way? If so, could you upload the following files to something like https://pastebin.com and paste the URLs here?

  • /etc/httpd/conf.d/kb.vahynetto.cz-le-ssl.conf
  • /etc/httpd/conf.d/help.nettocontrol.cz-le-ssl.conf
  • /etc/httpd/conf.d/support.vahynetto.cz-le-ssl.conf

#3

Exactly the same…

Here are those config files you requested:

help.nettocontrol.cz https://pastebin.com/dmHPZwBM
kb.vahynetto.cz https://pastebin.com/P260FgEJ
support.vahynetto.cz https://pastebin.com/Mn08X5f3


#4

Hmm, those configuration files look fine indeed…

There’s something strange going on IMHO… When I ask the server for support.vahynetto.cz (with the -servername option for SNI), it sends the “podpora” certificate:

osiris@desktop ~ $ echo -n "" | openssl s_client -connect support.vahynetto.cz:443 -servername support.vahynetto.cz 2>/dev/null | openssl x509 -noout -text | grep Subject:
        Subject: C=cz, L=Prague, O=NETTO Electronics, s.r.o., CN=podpora/emailAddress=info@vahynetto.cz
osiris@desktop ~ $ 

But when I ask for a completely random virtualhost which (most likely) doesn’t exist, it replies with the certificate for help.nettocontrol.cz?:

osiris@desktop ~ $ echo -n "" | openssl s_client -connect support.vahynetto.cz:443 -servername foobar 2>/dev/null | openssl x509 -noout -text | grep Subject:
        Subject: CN=help.nettocontrol.cz
osiris@desktop ~ $ 

This leads me to believe that the VirtualHost for help.nettocontrol.cz is the “default”. But how and why does your server serve a self-signed certificate for “podpora” when asked for the domain “support.vahynetto.cz”? That’s a complete mystery!

Perhaps you could pastebin every other Apache configuration file which isn’t pasted above?


#5

podpora is the name of the Linux machine (BTW, that means "support" in Czech).

And never mind… I have rearranged the .conf files to have support.vahynetto.cz as the default website and voilà! Everything works and browsers no longer yell at me. Thanks for your help!

# echo -n "" | openssl s_client -connect support.vahynetto.cz:443 -servername support.vahynetto.cz 2>/dev/null | openssl x509 -noout -text | grep Subject:
        Subject: CN=support.vahynetto.cz
# echo -n "" | openssl s_client -connect support.vahynetto.cz:443 -servername foobar 2>/dev/null | openssl x509 -noout -text | grep Subject:
        Subject: CN=support.vahynetto.cz
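The two openssl checks in #4 and #5 (one with the real SNI name, one with a bogus name that no vhost matches, which exposes the default vhost's certificate) generalized into a small POSIX shell script. This is an added example, not code from the thread or from Certbot; the port (443) and the bogus probe name `default-vhost-probe.invalid` are assumptions, and the name check matches SANs first and falls back to the CN only when the certificate has no SAN extension.

```shell
#!/bin/sh
# Added example, not from the thread: report which certificate a server hands out for a
# given SNI name, and whether that certificate actually covers the name that was asked for.

# extract_cn TEXT: pull the subject CN out of `openssl x509 -noout -text` output.
# Works for both "CN=podpora/emailAddress=..." and "CN = podpora, emailAddress = ..." styles.
extract_cn() {
  printf '%s\n' "$1" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# extract_sans TEXT: print each DNS name from the Subject Alternative Name extension.
extract_sans() {
  printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# name_matches REQUESTED CERTNAME: exact match, or a single-label wildcard (*.example.org).
name_matches() {
  case "$2" in
    "$1") return 0 ;;
    \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1%%.*}" != "$1" ] && return 0 ;;
  esac
  return 1
}

# cert_covers REQUESTED TEXT: 0 when the SANs (or the CN, if there is no SAN) cover REQUESTED.
cert_covers() {
  names=$(extract_sans "$2")
  [ -n "$names" ] || names=$(extract_cn "$2")
  for n in $names; do name_matches "$1" "$n" && return 0; done
  return 1
}

# sni_probe HOST:PORT SNI_NAME: fetch the served certificate (as in #4) and report on it.
sni_probe() {
  text=$(printf '' | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null) || return 2
  if cert_covers "$2" "$text"; then
    echo "$2: OK  (CN=$(extract_cn "$text"))"
  else
    echo "$2: MISMATCH  (CN=$(extract_cn "$text"); SANs: $(extract_sans "$text" | tr '\n' ' '))"
  fi
}

# Usage: sh sni_probe.sh support.example.org
# The second probe sends a name no vhost should match; whatever comes back is the
# certificate Apache serves for every unmatched SNI name, i.e. the default vhost's.
if [ $# -ge 1 ]; then
  sni_probe "$1:443" "$1"
  sni_probe "$1:443" "default-vhost-probe.invalid"
fi
```

A MISMATCH on the first probe is exactly the browser warning from #1; a MISMATCH on the second probe is expected and simply tells you which vhost Apache treats as the default.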

#6

Glad you’ve managed to get it working! Although I’m still not sure where the podpora certificate came from :stuck_out_tongue:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.