Cannot get rid of supposed self signed cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cprcommunity.net

I ran this command: certbot

It produced this output: It allowed me to choose the www.cprcommunity.net and cprcommunity.net domains to install the cert on, and says the cert was successfully installed.

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: allowed me to choose

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0.

I’ve had a LE cert running on this site for months with no issue and just moved the site, along with a few others, off to a GC VM (all clean installs including Apache, and then migrated the web files over). Somehow, possibly in my exhaustion, I seem to have ended up with a self-signed cert.

This did not happen on any of the other sites I migrated using the same process. There are no other sites running on this server, so while Apache is configured with Virtual Hosts, there are no other VH configs.

I’ve tried revoking and reissuing, and somehow the self-signed one keeps coming back.

I’ve followed help articles that say to disable VH and Listening in /etc/httpd/conf.d/ssl.conf

Output of trying to renew shows the correct response:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cprcommunity.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cprcommunity.net/privkey.pem
Your cert will expire on 2020-04-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”

I’m at my wits end, please assist.

Please show output of:

apachectl -S
grep -Eri 'virtualhost|servername|serveralias|sslcert|include' /etc/apache2/
certbot certificates
cat /etc/apache2/sites-available/default-ssl.conf
ls -l /etc/apache2/sites-enabled/*

Thank you in advance

Found the following certs:
Certificate Name: cprcommunity.net
Domains: cprcommunity.net www.cprcommunity.net
Expiry Date: 2020-04-21 04:13:08+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cprcommunity.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cprcommunity.net/privkey.pem


That’s good.
Can you get the other four requested?
[you may need to use sudo]

[root@cprcommunity jbeauchaine]# apachectl -S
[root@cprcommunity jbeauchaine]# cat /etc/apache2/sites-available/default-ssl.conf
cat: /etc/apache2/sites-available/default-ssl.conf: No such file or directory
[root@cprcommunity jbeauchaine]# grep -Eri 'virtualhost|servername|serveralias|sslcert|include' /etc/apache2/
grep: /etc/apache2/: No such file or directory
[root@cprcommunity jbeauchaine]# ls -l /etc/apache2/sites-enabled/*
ls: cannot access /etc/apache2/sites-enabled/*: No such file or directory
[root@cprcommunity jbeauchaine]#

OK so your apache isn’t in the default directory ("/etc/apache2/")…
Let’s find where it’s @:

which apache2
find / -name sites-enabled

Oh, it’s centos so it’s under “httpd” not “apache2”

[root@cprcommunity /]# find / -name sites-enabled
/etc/httpd/sites-enabled
[root@cprcommunity /]# which httpd
/sbin/httpd
[root@cprcommunity /]#

DOH! CentOS!

Try:
grep -Eri 'virtualhost|servername|serveralias|sslcert|include' /etc/httpd/
ls -l /etc/httpd/sites-enabled/*

/etc/httpd/conf/httpd.conf:# ports, instead of the default. See also the
/etc/httpd/conf/httpd.conf:Include conf.modules.d/*.conf
/etc/httpd/conf/httpd.conf:# definition. These values also provide defaults for
/etc/httpd/conf/httpd.conf:# any containers you may define later in the file.
/etc/httpd/conf/httpd.conf:# All of these directives may appear inside containers,
/etc/httpd/conf/httpd.conf:# ServerName gives the name and port that the server uses to identify itself.
/etc/httpd/conf/httpd.conf:#ServerName www.example.com:80
/etc/httpd/conf/httpd.conf: # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
/etc/httpd/conf/httpd.conf:# If you do not specify an ErrorLog directive within a
/etc/httpd/conf/httpd.conf:# logged here. If you do define an error logfile for a
/etc/httpd/conf/httpd.conf:# Possible values include: debug, info, notice, warn, error, crit,
/etc/httpd/conf/httpd.conf: # If you do not define any access logfiles within a
/etc/httpd/conf/httpd.conf: # define per- access logfiles, transactions will be
/etc/httpd/conf/httpd.conf: # If you include a trailing / on /webpath then the server will
/etc/httpd/conf/httpd.conf: # To parse .shtml files for server-side includes (SSI):
/etc/httpd/conf/httpd.conf: # (You will also need to add "Includes" to the "Options" directive.)
/etc/httpd/conf/httpd.conf: AddOutputFilter INCLUDES .shtml
/etc/httpd/conf/httpd.conf:IncludeOptional conf.d/*.conf
/etc/httpd/conf/httpd.conf:IncludeOptional sites-enabled/*.conf
/etc/httpd/conf/httpd.conf:Include /etc/httpd/sites-available/cprcommunity.net-le-ssl.conf
/etc/httpd/conf.d/autoindex.conf:# directory must include "Indexes", and the directory must not contain
/etc/httpd/conf.d/autoindex.conf:# We include the /icons/ alias for FancyIndexed directory listings. If
/etc/httpd/conf.d/autoindex.conf:# and not include in the listing. Shell-style wildcarding is permitted.
/etc/httpd/conf.d/userdir.conf: Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/conf.modules.d/00-base.conf:# This file loads most of the modules included with the Apache HTTP
/etc/httpd/conf.modules.d/00-base.conf:LoadModule include_module modules/mod_include.so
/etc/httpd/sites-available/cprcommunity.net.conf:<VirtualHost *:80>
/etc/httpd/sites-available/cprcommunity.net.conf: ServerName cprcommunity.net
/etc/httpd/sites-available/cprcommunity.net.conf: ServerAlias www.cprcommunity.net
/etc/httpd/sites-available/cprcommunity.net.conf:
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf: ServerName cprcommunity.net
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf: ServerAlias www.cprcommunity.net
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/cprcommunity.net/cert.pem
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/cprcommunity.net/privkey.pem
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/cprcommunity.net/chain.pem
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf:

lrwxrwxrwx. 1 root root 48 Jan 22 03:21 /etc/httpd/sites-enabled/cprcommunity.net.conf -> /etc/httpd/sites-available/cprcommunity.net.conf

Ok I see:
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
[most likely the self-signed cert]

Can you show:
ls -l /etc/httpd/sites-enabled/*

If sites-enabled only has:
/etc/httpd/sites-enabled/cprcommunity.net.conf
That is the problem!

You need to enable the site:
/etc/httpd/sites-available/cprcommunity.net-le-ssl.conf
[which has the cert you need]

lrwxrwxrwx. 1 root root 48 Jan 22 03:21 /etc/httpd/sites-enabled/cprcommunity.net.conf -> /etc/httpd/sites-available/cprcommunity.net.conf

Try:
sudo a2ensite cprcommunity.net

[then restart apache/httpd]
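Added example for this thread (not Certbot's or Apache's code, and not something either poster ran): a small walker that reads an httpd.conf and every Include/IncludeOptional in the same order httpd does and lists the <VirtualHost> blocks it finds, with ServerName/ServerAlias and SSLCertificateFile. The point it makes concrete is the one visible in the grep output above: `IncludeOptional conf.d/*.conf` (which pulls in conf.d/ssl.conf and its localhost.crt) is read before the explicit `Include` of the -le-ssl file, and httpd falls back to the first vhost defined for an address:port whenever no ServerName or ServerAlias matches the request (client sent no SNI, connected by IP, or asked for an unknown name). The sample tree is constructed here to mirror the layout in the thread; the `<VirtualHost _default_:443>` block in conf.d/ssl.conf is an assumption (it is what the stock CentOS mod_ssl ssl.conf ships with), and the temp-directory paths and helper names are mine.

```python
"""Walk httpd.conf and its Includes in read order and list <VirtualHost>
blocks. Added example for this thread (not Certbot or Apache code). The
sample tree is constructed to mirror the thread's layout; the
<VirtualHost _default_:443> block in conf.d/ssl.conf is assumed."""
import glob
import os
import re
import tempfile

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)
DIRECTIVE = re.compile(
    r"^(IncludeOptional|Include|ServerName|ServerAlias|SSLCertificateFile)\s+(.+)$", re.I)


def _expand(server_root, target):
    """Resolve an Include target like httpd: relative to ServerRoot, a
    directory means every file in it, glob matches in sorted order."""
    path = target if os.path.isabs(target) else os.path.join(server_root, target)
    if os.path.isdir(path):
        path = os.path.join(path, "*")
    return sorted(p for p in glob.glob(path) if os.path.isfile(p))


def vhost_order(server_root, main_conf):
    """Return [{addr, names, cert, file}, ...] in the order httpd defines them."""
    vhosts, cur = [], None

    def walk(path):
        nonlocal cur
        with open(path) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                m = VHOST_OPEN.match(line)
                if m:
                    cur = {"addr": m.group(1).strip(), "names": [], "cert": None, "file": path}
                    continue
                if VHOST_CLOSE.match(line):
                    if cur is not None:
                        vhosts.append(cur)
                    cur = None
                    continue
                m = DIRECTIVE.match(line)
                if not m:
                    continue
                key, val = m.group(1).lower(), m.group(2).strip().strip('"')
                if key in ("include", "includeoptional"):
                    # httpd aborts on a plain Include of a missing file; this
                    # walker just skips it (e.g. options-ssl-apache.conf here).
                    for sub in _expand(server_root, val):
                        walk(sub)
                elif cur is not None and key in ("servername", "serveralias"):
                    cur["names"].extend(val.split())
                elif cur is not None and key == "sslcertificatefile":
                    cur["cert"] = val

    walk(main_conf)
    return vhosts


def default_for_port(vhosts, port):
    """The vhost httpd serves on a port when no ServerName/ServerAlias matches
    (no SNI, connect by IP, unknown name): for wildcard-address vhosts
    (* and _default_, as in this thread) that is the first one defined."""
    for vh in vhosts:
        if vh["addr"].rsplit(":", 1)[-1] == str(port):
            return vh
    return None


def build_sample_tree():
    """Constructed copy of the thread's layout; returns (ServerRoot, httpd.conf)."""
    root = tempfile.mkdtemp(prefix="httpd-")
    le_conf = os.path.join(root, "sites-available", "cprcommunity.net-le-ssl.conf")
    files = {
        "conf/httpd.conf": "Listen 80\nIncludeOptional conf.d/*.conf\n"
                           f"IncludeOptional sites-enabled/*.conf\nInclude {le_conf}\n",
        # assumed stock CentOS ssl.conf: default vhost with the self-signed pair
        "conf.d/ssl.conf": "Listen 443 https\n<VirtualHost _default_:443>\n"
                           "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n</VirtualHost>\n",
        "sites-available/cprcommunity.net.conf":
            "<VirtualHost *:80>\nServerName cprcommunity.net\n"
            "ServerAlias www.cprcommunity.net\n</VirtualHost>\n",
        "sites-available/cprcommunity.net-le-ssl.conf":
            "<VirtualHost *:443>\nServerName cprcommunity.net\n"
            "ServerAlias www.cprcommunity.net\n"
            "Include /etc/letsencrypt/options-ssl-apache.conf\n"
            "SSLCertificateFile /etc/letsencrypt/live/cprcommunity.net/cert.pem\n</VirtualHost>\n",
    }
    for rel, text in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    os.makedirs(os.path.join(root, "sites-enabled"))
    os.symlink(os.path.join(root, "sites-available", "cprcommunity.net.conf"),
               os.path.join(root, "sites-enabled", "cprcommunity.net.conf"))
    return root, os.path.join(root, "conf", "httpd.conf")


if __name__ == "__main__":
    root, conf = build_sample_tree()
    order = vhost_order(root, conf)
    for vh in order:
        print(vh["addr"], vh["names"], vh["cert"], os.path.relpath(vh["file"], root))
    print("fallback on :443 uses", default_for_port(order, 443)["cert"])
```

On the real box, `httpd -S` (or `apachectl -S`) is the authoritative version of this listing; the walker is only there to show why the order comes out the way it does. To check what the server actually hands out rather than what the config says, compare the fingerprint from `openssl s_client -servername cprcommunity.net -connect cprcommunity.net:443 </dev/null | openssl x509 -noout -fingerprint -sha256` with `openssl x509 -in /etc/letsencrypt/live/cprcommunity.net/cert.pem -noout -fingerprint -sha256`; if they differ, the request is not landing on the Certbot vhost, and the first vhost on :443 in the listing is the one to look at.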

Ahh! I think I follow you, OK. Let me give that a shot.

If you can’t “enable” it, just mv it to the folder /etc/httpd/conf.d/
[all the files in there are automatically included]

Or go all old-school on it:

sudo ln -s /etc/httpd/sites-available/cprcommunity.net-le-ssl.conf /etc/httpd/sites-enabled/cprcommunity.net-le-ssl.conf

Yup, that’s what I did; alas, that hasn’t resolved it. Even restarted httpd and reran certbot.

OK there is NO need to rerun certbot.
certbot certificates shows the cert is ready for use.

It must be a really old version of apache…

Let me re-review the included folders.
in the meantime, please show:
ls -l /etc/httpd/conf.d/*

-rw-r--r--. 1 root root 2926 Aug 8 11:41 /etc/httpd/conf.d/autoindex.conf
-rw-r--r--. 1 root root 1252 Jan 21 11:35 /etc/httpd/conf.d/php.conf
-rw-r--r--. 1 root root 366 Aug 8 11:42 /etc/httpd/conf.d/README
-rw-r--r--. 1 root root 9443 Jan 22 05:15 /etc/httpd/conf.d/ssl.conf
-rw-r--r--. 1 root root 1252 Aug 6 13:44 /etc/httpd/conf.d/userdir.conf
-rw-r--r--. 1 root root 824 Aug 6 13:44 /etc/httpd/conf.d/welcome.conf

Which did you do?
[I don’t see the file in the conf.d folder]

So I repeat myself:

as per (from above):
/etc/httpd/conf/httpd.conf:IncludeOptional conf.d/*.conf
