Apache vhost Results in A Self Signed Cert instead of LetsEncrypt Cert Being Used

OS Env:

Apache version: Apache/2.4.6 (CentOS 7.3.1611)
Apache built: Apr 12 2017 21:03:28
Box: 2 core Xeon E5-V4 + 2 GB memory VPS

#### Symptom ####

I have 4 virtual hosts on a CentOS 7.3 + Apache 2.4 VPS and just ran certbot --apache.

(1) Always got SEC_ERROR_CA_CERT_INVALID at one specific host, say "example-failed.com";
it failed in the latest Google Chrome and Firefox as well.

(2) However, the other 3 hosts look just perfect, say "example-good.com".

#### Have tried ####

(a) restart httpd
(b) re-issue or re-install with certbot ==> does not seem to work
(c) md5sum of the good vs. failed chain ==> the chain.pem files are exactly the same

(d)

```bash
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/letsencrypt/live/example-failed.com/cert.pem
awk -v cmd='openssl x509 -noout -issuer' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/letsencrypt/live/example-failed.com/cert.pem
```

The openssl/awk output looked just as normal as that for example-good.com:

==> subject= /CN=example-failed.com
==> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Log

```
curl -v https://example-failed.com

* About to connect() to example-failed.com port 443 (#0)
*   Trying ipv6...
* Connected to example-failed.com (ipv6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: E=root@example-failed.com,CN=example-failed.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
*       start date:  Apr 24 04:57:32 2017 GMT
*       expire date:  Apr 24 04:57:32 2018 GMT
*       common name: example-failed.com
*       issuer: E=root@example-failed.com,CN=example-failed.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
```

It seems that the "subject / issuer" fields shown by curl -v are WRONG
and differ from the OpenSSL command-line output.
Any advice?

Thank you :slight_smile:

Firstly, you can just input the whole certificate into openssl x509, no need for all that awk stuff. You can even pipe the output of openssl s_client to openssl x509 and it will ignore all the other output and filter out the certificate automatically ;)

Secondly, the certificate is probably fine, but your Apache configuration probably isn’t. Can you verify your Apache configuration for example-failed.com to see the SSLCertificateFile points to the right symbolic link in /etc/letsencrypt/live/example-failed.com/? And can you double or perhaps triple check if there’s only one VirtualHost for example-failed.com (HTTPS)?

2 Likes
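A script that acts on the two checks suggested above, added here as an example (it is not the poster's or the replier's code, and nothing in the thread shows the poster's actual configuration). It parses the VirtualHost dump that `httpd -S` (or `apachectl -S`) prints, reports how many port-443 vhosts claim each ServerName and in which file they live, and provides two helpers that pipe `openssl s_client` into `openssl x509` so the fingerprint of the certificate actually served can be compared with the file certbot wrote. The `httpd -S` output embedded in the script is constructed to illustrate one way the symptom can arise (a name claimed by two `*:443` vhosts, with the stock `ssl.conf` one listed first); Apache picks the first vhost whose ServerName or ServerAlias matches, in configuration order, which is also the order of the dump.

```shell
#!/bin/sh
# Added example: audit which port-443 vhost Apache will actually pick for a
# name, then compare what the server serves with the certificate on disk.

# Constructed `httpd -S` output in the CentOS 7 layout. Illustrative only: the
# stock conf.d/ssl.conf vhost claims example-failed.com before the certbot one.
SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server example-failed.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example-failed.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example-good.com (/etc/httpd/conf.d/example-good.com-le-ssl.conf:2)
         port 443 namevhost example-failed.com (/etc/httpd/conf.d/example-failed.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server example-good.com (/etc/httpd/conf.d/example-good.com.conf:1)
         port 80 namevhost example-good.com (/etc/httpd/conf.d/example-good.com.conf:1)
         port 80 namevhost example-failed.com (/etc/httpd/conf.d/example-failed.com.conf:1)
ServerRoot: "/etc/httpd"'

# Read an `httpd -S` dump on stdin and print one line per ServerName seen on
# a :443 listener: "<name> <count> <ok|DUPLICATE> <file:line ...>".
# For a DUPLICATE the first file listed is the vhost that really serves the
# name; the certbot-generated vhost only wins if it is listed first.
audit_443_vhosts() {
    awk '
        /^[^ \t].*:443/ { in443 = 1; next }   # "*:443  is a NameVirtualHost"
        /^[^ \t]/       { in443 = 0 }         # any other top-level line ends the block
        in443 && $1 == "port" && $3 == "namevhost" {
            name = $4; file = $5; gsub(/[()]/, "", file)
            count[name]++
            files[name] = files[name] (count[name] > 1 ? " " : "") file
        }
        END {
            for (name in count)
                printf "%s %d %s %s\n", name, count[name], (count[name] > 1 ? "DUPLICATE" : "ok"), files[name]
        }' | sort
}

# SHA-256 fingerprint of the leaf certificate a host actually serves; SNI is
# sent so name-based vhosts answer the way a browser would see them.
served_fingerprint() {   # $1 = hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of a certificate file, e.g. the live/<name>/cert.pem symlink.
file_fingerprint() {     # $1 = PEM file
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# On a real box (needs the server and network, so not part of the offline demo):
#   httpd -S 2>&1 | audit_443_vhosts
#   served_fingerprint example-failed.com
#   file_fingerprint /etc/letsencrypt/live/example-failed.com/cert.pem
# A mismatch between the two fingerprints means a different vhost answered.

printf '%s\n' "$SAMPLE_DUMP" | audit_443_vhosts
```

On the constructed dump the script reports `example-failed.com 2 DUPLICATE` with `ssl.conf:56` first and `example-good.com 1 ok`, which is exactly the shape of problem the reply asks the poster to rule out: the certificate file is fine, but the vhost that presents it is not the one answering.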

Dear Osiris,

Thanks for the feedback.

I didn't touch the SSLCertificateFile directives generated by certbot,
and I double-checked and triple-reinstalled (e.g. now cert4);
still no luck so far.

```
Apr 28 03:26 /etc/letsencrypt/live/example-failed.com/cert.pem -> ../../archive/example-failed.com/cert4.pem

file /etc/letsencrypt/archive/example-failed.com/cert?*.pem
/etc/letsencrypt/archive/example-failed.com/cert1.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert2.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert3.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert4.pem: PEM certificate
```

It would be great if you could tell us the domain name in question and/or post the content of cert4.pem. (While private keys should never be posted to a forum, certificates can be posted because they contain only public information.)

Thank you for the quick support,

Hi @thwutype,

The certificate you pasted is fine, it was issued yesterday 27th April and is valid for your domain example-failed.com (I will respect your privacy and will use example-failed.com instead of your real domain).

I've checked your site via IPv4 and IPv6, and your https version always presents the same certificate: a self-signed certificate issued on 24th April, valid for a year and only for your domain example-failed.com.

Also, the https version of your site points to a Centos Apache default webpage. You should double check the https Apache conf for your example-failed.com domain.

Cheers,
sahsanu

Dear Team,

Thank you, resolved.
An automatically generated vhost in conf.d/ssl.conf leads to this issue.

This only happened on CentOS;
it looks fine on an Ubuntu server where SSL had already been enabled manually.

Thank you
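The resolution above names the cause but not what the two vhosts look like side by side, so here is an added example (not the poster's files, and not code from the thread) that inventories every `<VirtualHost ...:443>` block in an Apache `conf.d` directory, shows which `SSLCertificateFile` each one serves, and then shows the same directory with the stock vhost removed. The two configuration files are constructed stand-ins for `/etc/httpd/conf.d/*.conf` on CentOS 7: the package-default `ssl.conf` and one certbot-generated `*-le-ssl.conf`. The subject that curl printed earlier in the thread (`OU=SomeOrganizationalUnit`, `C=--`, issuer identical to subject) is the shape of the self-signed placeholder that the CentOS `mod_ssl` package generates at install time as `/etc/pki/tls/certs/localhost.crt` and wires into the `<VirtualHost _default_:443>` block of `ssl.conf`, which is why that vhost shows up in the inventory as the one still serving it. Removing only that block, while keeping the `Listen 443` and module-level directives, is one common remedy; it is shown here as an illustration rather than as what the poster did.

```shell
#!/bin/sh
# Added example: find every port-443 vhost in an Apache conf.d directory,
# report which certificate file each one serves, and show the effect of
# dropping the stock mod_ssl vhost that CentOS ships in conf.d/ssl.conf.

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /etc/httpd/conf.d/*.conf (illustrative, not the
# poster's files): the package-default ssl.conf vhost with mod_ssl's
# self-signed placeholder certificate, plus one certbot-generated vhost.
cat > "$WORK/ssl.conf" <<'EOF'
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
cat > "$WORK/example-failed.com-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example-failed.com
    DocumentRoot /var/www/example-failed.com
    SSLCertificateFile /etc/letsencrypt/live/example-failed.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example-failed.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example-failed.com/chain.pem
</VirtualHost>
</IfModule>
EOF

# Print "<file>|<ServerName or (none)>|<SSLCertificateFile or (none)>" for
# each <VirtualHost ...:443> block found in the *.conf files of a directory.
vhost_cert_inventory() {   # $1 = directory
    for f in "$1"/*.conf; do
        awk -v file="$f" '
            tolower($0) ~ /^[ \t]*<virtualhost[^>]*:443>/ { inv = 1; sn = "(none)"; cf = "(none)"; next }
            inv && tolower($1) == "servername"             { sn = $2 }
            inv && tolower($1) == "sslcertificatefile"     { cf = $2 }
            inv && tolower($0) ~ /^[ \t]*<\/virtualhost>/  { printf "%s|%s|%s\n", file, sn, cf; inv = 0 }
        ' "$f"
    done
}

# Vhosts still serving the placeholder certificate that the mod_ssl package
# generates at install time; on a certbot-managed box there should be none.
placeholder_cert_vhosts() {   # $1 = directory
    vhost_cert_inventory "$1" | awk -F'|' '$3 == "/etc/pki/tls/certs/localhost.crt"'
}

# Remove only the <VirtualHost _default_:443> block from a file, keeping the
# Listen and module-level SSL directives that the other vhosts rely on.
strip_default_443_vhost() {   # $1 = path to ssl.conf
    awk '
        tolower($0) ~ /^[ \t]*<virtualhost _default_:443>/ { skip = 1; next }
        skip && tolower($0) ~ /^[ \t]*<\/virtualhost>/      { skip = 0; next }
        !skip
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo: the weak layout, then a copy of the same directory with the stock
# vhost removed. The original directory is left untouched for comparison.
FIXED="$WORK/fixed"; mkdir "$FIXED"; cp "$WORK"/*.conf "$FIXED"/
strip_default_443_vhost "$FIXED/ssl.conf"
echo "before:"; vhost_cert_inventory "$WORK"
echo "placeholder vhosts before: $(placeholder_cert_vhosts "$WORK" | wc -l)"
echo "after:";  vhost_cert_inventory "$FIXED"
echo "placeholder vhosts after:  $(placeholder_cert_vhosts "$FIXED" | wc -l)"
```

Before the fix the inventory lists two port-443 vhosts, one of them with no ServerName and `localhost.crt` as its certificate; after the fix only the certbot vhost remains and `ssl.conf` still carries `Listen 443 https` and the session-cache directive. Pointed at a real `/etc/httpd/conf.d`, `vhost_cert_inventory` gives the list the earlier reply asked for, and `placeholder_cert_vhosts` answers directly whether the package default is still in play.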

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.