After enabling SSL, my web site is borked

I ran certbot-auto to configure Apache 2.4 on Amazon Linux (RHEL 6 clone). Everything worked, except that when I view my web site over http it looks fine, but over SSL all the tables and images are screwed up and missing. I have no idea why. Is this something that needs to be changed in the HTML, or is it a config issue? I let certbot-auto configure everything.

My domain is:

I ran this command: certbot-auto --apache --debug

It produced this output: (didn’t save it, sorry)

My web server is (include version): Apache 2.4 (httpd24-2.4.37-1.83.amzn1.x86_64)

The operating system my web server runs on is (include version): Amazon Linux 1 (RHEL 6 clone)

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

There should be a log file.

if neither, try locating it with:
find / -name letsencrypt.log

A couple of things have gone wrong:
The cert is for only “
So it will NOT cover “
Secure access to that domain will throw security errors (as expected).
[the fix to this is to get a new cert that has both names on it - or two certs (one for each name)]
[this depends on how your virtual host config is setup - the cert(s) should match it]

And the site has mixed content (http + https).
You need to remove self-referencing links/images (especially those that start with http://).
[a reversed mix may not be noticed - when the URL is http:// but some content is https://]

You can check your progress on that with sites like:

[root@ip-172-31-46-198 letsencrypt]# cat letsencrypt.log
2019-02-21 04:22:44,129:DEBUG:certbot.main:certbot version: 0.31.0
2019-02-21 04:22:44,130:DEBUG:certbot.main:Arguments: [’–apache’, ‘–no-redirect’]
2019-02-21 04:22:44,130:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-21 04:22:44,168:DEBUG:certbot.log:Root logging level set at 20
2019-02-21 04:22:44,169:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-21 04:22:44,169:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-21 04:22:44,330:DEBUG:certbot_apache.configurator:Apache version is 2.4.37
2019-02-21 04:22:44,932:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f02b3b19910>
Prep: True
2019-02-21 04:22:44,933:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f02b3b19910> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f02b3b19910>
2019-02-21 04:22:44,933:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2019-02-21 04:22:44,951:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’’, new_authzr_uri=None, terms_of_service=None), ed841308734fc6dac76d86dee0da4332, Meta(creation_host=u’’, creation_dt=datetime.datetime(2019, 2, 21, 3, 49, 37, tzinfo=)))>
2019-02-21 04:22:44,952:DEBUG:acme.client:Sending GET request to
2019-02-21 04:22:44,954:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2019-02-21 04:22:45,377:DEBUG:urllib3.connectionpool: “GET /directory HTTP/1.1” 200 658
2019-02-21 04:22:45,378:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 21 Feb 2019 04:22:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Feb 2019 04:22:45 GMT
Connection: keep-alive

“Bfo1wi8G7g0”: “Adding random entries to the directory”,
“keyChange”: “”,
“meta”: {
“caaIdentities”: [
“termsOfService”: “”,
“website”: “
“newAccount”: “”,
“newNonce”: “”,
“newOrder”: “”,
“revokeCert”: “
2019-02-21 04:22:58,690:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-21 04:23:05,948:INFO:certbot.main:Keeping the existing certificate
2019-02-21 04:23:05,949:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2019-05-22. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot-auto renew”
2019-02-21 04:23:06,126:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf.d/ssl.conf
2019-02-21 04:23:06,576:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
2019-02-21 04:23:06,969:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:
Donating to EFF:

So do I just re-run certbot-auto but define both sites?

If using the --apache plugin didn’t present you with multiple options, then your apache config may not be correctly understood by certbot-auto or you haven’t included both names in a vhost config.

Please show:
certbot-auto certificates
grep -Eri 'virtualhost|servername|serveralias|listen|cert' /etc/apache2
cat /etc/httpd/conf.d/ssl.conf

I re-ran it and chose both and SSL seems to be working on both now.

As to the other part, the insecure links seem to live inside of a database. The HTML appears to be created out of a database, not static html files. I’ll bug the web developer tomorrow, see if he can fix this. I am pretty sure my part is done.

One last check:
certbot-auto renew --dryrun -vv
[so there are no surprises come time to renew]

and for good measure:
certbot-auto certificates

and also confirm there exists a job that will run certbot-auto renew
check your:
crontab -l
sudo crontab -l
systemctl list-timers | grep cert

No renewal failures, and the certs are good for and
Thanks a million for your help. It is very much appreciated.

1 Like

But do you have one cert or two?
Please just show:
certbot-auto certificates
[looking for possible name overlap issues]

[root@ip-172-31-46-198 ~]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2019-05-22 04:57:50+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

[just one cert - that’s all you need]

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.