Browser not trusting cert after moving my server (Solved - cert expired by coincidence)


#1

I moved my server today to a new location and my HTTPS site stopped working. I’d love some help.

  • Running ‘Can you see me’ on the server I get 443 open
  • I can make an exception in my browser and view the site from a remote address (the cert is from Let’s Encrypt). Drilling in, Firefox tells me the cert expired yesterday. Possibly a red herring.
  • I reissued the certificate to make sure (and it said it worked)
  • Visiting my site from the server itself (I have no loopback and rely on a host redirect) the address is redirected from my domain address to a strange address https://my_external_IP/html/pub/redirect.asp?origin=aHR0cHM6Ly9id45645645Vjb2xsZWN57645LmNvbS8=

I can’t think of anything that would have broken other than the presence of my new router/ONT having some web-facing SSL UI getting in the way. But if that were the case I’d get some other issuer probably, or a self-signed error. It’s literally the same machine. It was working, I picked it up and moved to a new location and plugged it in and set up port forwarding on the router. My non SSH sites all work.

The site is budgiecollective.com; if someone wants to take a look it would be great.


#2

Well, as the message says, the certificate that your web server is using is expired. If you successfully renewed the cert, perhaps your browser configuration is pointing to the wrong file. If you’re using certbot, your browser configuration should point to files in /etc/letsencrypt/live/budgiecollective.com/.

Second, your server isn’t serving the intermediate Let’s Encrypt certificate, which will cause trust issues. Your Apache configuration should point to /etc/letsencrypt/live/budgiecollective.com/fullchain.pem as the certificate file, not to cert.pem.

Have you reloaded apache since you renewed the certificate? The command would be something like “service httpd reload” on Linux, but it appears you’re using Windows, which might complicate things.
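The two problems raised in this reply (an expired certificate still being served after renewal, and a certificate file without the intermediate) can be told apart by comparing the file on disk with what the server actually presents. The following is an added example, not code from this thread; the host name and the file contents in it are placeholders, and it uses only the Python standard library.

```python
"""Compare the certificate on disk with the one the TLS server is serving."""
import socket
import ssl
import time
from typing import Optional

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def count_pem_certs(pem_text: str) -> int:
    """Number of certificates in a PEM bundle: cert.pem holds 1, fullchain.pem 2 or more."""
    return pem_text.count(PEM_MARKER)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left for a notAfter string as returned by getpeercert(),
    e.g. 'Jun  5 09:12:00 2024 GMT'. Negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return (expires - current) / 86400


def served_cert_status(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake like a browser would and report what the server presents."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity period
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # e.g. 'certificate has expired' or 'unable to get local issuer certificate'
        return {"ok": False, "error": exc.verify_message, "days_left": None}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc), "days_left": None}
    return {"ok": True, "error": None, "days_left": days_until_expiry(not_after)}


def diagnose(disk_pem: str, served: dict) -> list:
    """Turn the on-disk file and the live result into actionable findings."""
    findings = []
    if count_pem_certs(disk_pem) < 2:
        findings.append("configured file has no intermediate: point Apache at fullchain.pem")
    error = served.get("error") or ""
    if "expired" in error:
        findings.append("server serves an expired cert: reload Apache after renewing")
    if "local issuer" in error:
        findings.append("server sends no intermediate: chain is incomplete")
    return findings


if __name__ == "__main__":
    status = served_cert_status("example.invalid")  # placeholder host
    print(status, diagnose(PEM_MARKER, status))
```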


#3

Well, you were right. I had reloaded the server after my first renewal, which must have failed. It looks like my second renewal attempt worked but I never reloaded Apache. It worked straight off the bat this morning. An amazing coincidence that it expired in the exact 1hr maintenance window of me moving the machine. Complicated by the fact that I thought I had renewed it, to rule that out. That weird internal redirect IP above, I realise too now, only happens on my local network (on a machine where the hosts file is not configured), so that’s the loopback interface of the router (or lack of one) doing something lame. Thanks for the tips about linking to the cert better. I’ll look into that today.


#4

Glad it’s working now.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.