Broken https on RHEL 7


#1

I am trying to install a certificate on a server running RHEL 7 and Apache 2.4.6. Normally, this server is part of a round-robin DNS rotation and has multiple virtual hostnames. Right now, it is not in the rotation, so I just want to set up the certificate for one hostname. I split /etc/httpd/conf.d/vhosts.conf into multiple files, one per each virtual host. When I ran

certbot --auto

I selected the one hostname when prompted. I was not asked for an email address. I also selected the “Secure” option to forward http to https.

Now, when I go to the https site, I get a warning that the page is not secure, and HTTPS is broken. The error is:

There are issues with the site's certificate chain (net:ERR_CERT_AUTHORITY_INVALID).

When I view the certificate, the certificate is issued by the server’s own hostname, with organization listed as SomeOrganization, and the Organizational Unit as SomeOrganizationalUnit. In the past, I’ve successfully installed Let’s Encrypt certificates on Apache servers on RHEL 6, and the “issued by” organization was Let’s Encrypt.

When I go to the http site, it does not redirect to the https version.

How do I fix this? I have already tried restarting Apache. I’ve also tried re-running certbot to reinstall the certificate.


#2

It sounds as if it’s still using a self-signed cert. What’s the domain name?


#3

joffre.gps.caltech.edu


#4

Thanks.

I can see that you obtained a certificate ( always a good first check - https://www.google.com/transparencyreport/https/ct/?hl=en#domain=joffre.gps.caltech.edu&incl_exp=true&incl_sub=true )

however you are still using a different cert, not the one obtained.

First, I’d suggest just trying a restart of Apache (in case that’s all that is needed).

If that doesn’t work, can you check the Apache config for that domain (/etc/httpd/conf.d/vhosts.conf hopefully) for what is set as SSLCertificateFile?


#5

That looks to be using the correct certificate now 🙂 Although you haven’t got the chain certificate there (it needs the chain.pem defined in SSLCertificateChainFile).


#6

Looks like it’s working now, after fixing the paths in /etc/httpd/conf.d/ssl.conf and restarting Apache. Thanks!
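
The check the thread converges on, written out as an added example (not code from any poster or from certbot): it scans Apache config text for TLS vhosts whose SSLCertificateFile is not under certbot's live directory, or that serve cert.pem with no SSLCertificateChainFile. The sample config, the file names and host.example are constructed assumptions.

```python
import re
# Constructed sample input (not from the thread): an ssl.conf still pointing at a
# self-signed localhost certificate, and a per-host file with no chain file.
SAMPLE = {
    "ssl.conf": """<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
""",
    "host.example.conf": """<VirtualHost *:443>
ServerName host.example
SSLCertificateFile "/etc/letsencrypt/live/host.example/cert.pem"
SSLCertificateKeyFile /etc/letsencrypt/live/host.example/privkey.pem
</VirtualHost>
""",
}

DIRECTIVE = re.compile(r"^\s*(SSLCertificate(?:File|KeyFile|ChainFile))\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
LE_LIVE = "/etc/letsencrypt/live/"  # certbot's default live directory

def check(seen):
    """Problems for one vhost, given its SSLCertificate* directives."""
    cert = seen.get("sslcertificatefile")
    if cert is None:  # vhost sets no certificate here, nothing to judge
        return []
    if not cert.startswith(LE_LIVE):
        return [f"certificate is not a certbot path: {cert}"]
    if cert.endswith("/cert.pem") and "sslcertificatechainfile" not in seen:
        return ["cert.pem is served without SSLCertificateChainFile chain.pem"]
    return []

def audit(configs):
    """Return (file, vhost, problem) for every vhost block in {name: text}."""
    findings = []
    for name, text in configs.items():
        vhost, seen = None, {}
        for line in text.splitlines():
            opened, directive = VHOST_OPEN.match(line), DIRECTIVE.match(line)
            if opened:
                vhost, seen = opened.group(1).strip(), {}
            elif vhost is not None and VHOST_CLOSE.match(line):
                findings += [(name, vhost, p) for p in check(seen)]
                vhost = None
            elif vhost is not None and directive:
                seen[directive.group(1).lower()] = directive.group(2).strip('"')
    return findings
```

To audit a real host, pass a dict built from the files in /etc/httpd/conf.d/ instead of SAMPLE. Commented-out directives and directives outside a VirtualHost block are ignored.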

