Certbot creates invalid certificates

My domain is: truecloud.ddns.net

I ran this command: sudo certbot --apache

It produced this output:
```
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/truecloud.ddns.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/truecloud.ddns.net/privkey.pem
This certificate expires on 2021-12-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0

I created a certificate with the command above, but if I connect to the URL, Google Chrome says that the certificate is invalid and thus not trusted.
Also, for some reason, the Common Name (CN) is set to ubuntu.station instead of the correct address.

I really can't find out why my certificates are invalid and none of the solutions to similar problems I've found has been of any help.

2 Likes

Welcome to the Let's Encrypt Community, Leonardo 🙂

Your webserver is currently serving a default self-signed "snake oil" certificate for truecloud.ddns.net.

While you have successfully acquired many Let's Encrypt certificates:

https://crt.sh/?q=truecloud.ddns.net

none of them have been successfully installed.

1 Like

What are the outputs of:

```
sudo apachectl -S
sudo ls -lRa /etc/apache2
sudo ls -lRa /etc/letsencrypt
sudo certbot certificates
```

Please put 3 backticks above and below each output, like this:

```
output
```

1 Like

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/truecloud.ddns.net-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server truecloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/truecloud.ddns.net.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

/etc/apache2:
total 88
drwxr-xr-x   8 root root  4096 Sep  4 17:12 .
drwxr-xr-x 112 root root  4096 Sep  4 17:42 ..
-rw-r--r--   1 root root  7253 Aug 22 15:35 apache2.conf
drwxr-xr-x   2 root root  4096 Sep  4 17:34 conf-available
drwxr-xr-x   2 root root  4096 Sep  4 17:07 conf-enabled
-rw-r--r--   1 root root  1782 Jul  5 07:11 envvars
-rw-r--r--   1 root root 31063 Jul  5 07:11 magic
drwxr-xr-x   2 root root 12288 Sep  4 17:03 mods-available
drwxr-xr-x   2 root root  4096 Sep  4 17:03 mods-enabled
-rw-r--r--   1 root root   320 Jul  5 07:11 ports.conf
drwxr-xr-x   2 root root  4096 Sep  4 17:08 sites-available
drwxr-xr-x   2 root root  4096 Sep  4 17:08 sites-enabled

/etc/apache2/conf-available:
total 36
drwxr-xr-x 2 root root 4096 Sep  4 17:34 .
drwxr-xr-x 8 root root 4096 Sep  4 17:12 ..
-rw-r--r-- 1 root root  315 Jul  5 07:11 charset.conf
-rw-r--r-- 1 root root  127 Aug 11  2013 javascript-common.conf
-rw-r--r-- 1 root root 3224 Jul  5 07:11 localized-error-pages.conf
-rw-r--r-- 1 root root  189 Jul  5 07:11 other-vhosts-access-log.conf
-rw-r--r-- 1 root root 1139 Jul  5 15:13 php7.4-cgi.conf
lrwxrwxrwx 1 root root   28 Sep  4 17:34 phpmyadmin.conf -> ../../phpmyadmin/apache.conf
-rw-r--r-- 1 root root 2176 Sep  4 17:02 security.conf
-rw-r--r-- 1 root root  455 Jul  5 07:11 serve-cgi-bin.conf

/etc/apache2/conf-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep  4 17:07 .
drwxr-xr-x 8 root root 4096 Sep  4 17:12 ..
lrwxrwxrwx 1 root root   30 Aug 22 15:00 charset.conf -> ../conf-available/charset.conf
lrwxrwxrwx 1 root root   40 Aug 24 16:20 javascript-common.conf -> ../conf-available/javascript-common.conf
lrwxrwxrwx 1 root root   44 Aug 22 15:00 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root   46 Aug 22 15:00 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root   33 Sep  4 17:04 php7.4-cgi.conf -> ../conf-available/php7.4-cgi.conf
lrwxrwxrwx 1 root root   33 Sep  4 17:07 phpmyadmin.conf -> ../conf-available/phpmyadmin.conf
lrwxrwxrwx 1 root root   31 Aug 22 15:00 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root   36 Aug 22 15:00 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf

/etc/apache2/mods-available:
total 592
drwxr-xr-x 2 root root 12288 Sep  4 17:03 .
drwxr-xr-x 8 root root  4096 Sep  4 17:12 ..
-rw-r--r-- 1 root root   100 Jul  5 07:11 access_compat.load
-rw-r--r-- 1 root root   377 Jul  5 07:11 actions.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 actions.load
-rw-r--r-- 1 root root   843 Jul  5 07:11 alias.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 alias.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 allowmethods.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 asis.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 auth_basic.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 auth_digest.load
-rw-r--r-- 1 root root   100 Jul  5 07:11 auth_form.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_anon.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_core.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 authn_dbd.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 authn_dbm.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_file.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 authn_socache.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authnz_fcgi.load
-rw-r--r-- 1 root root    90 Jul  5 07:11 authnz_ldap.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authz_core.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 authz_dbd.load
-rw-r--r-- 1 root root    92 Jul  5 07:11 authz_dbm.load
-rw-r--r-- 1 root root   104 Jul  5 07:11 authz_groupfile.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_host.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authz_owner.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_user.load
-rw-r--r-- 1 root root  3374 Jul  5 07:11 autoindex.conf
-rw-r--r-- 1 root root    70 Jul  5 07:11 autoindex.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 brotli.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 buffer.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 cache.load
-rw-r--r-- 1 root root   889 Jul  5 07:11 cache_disk.conf
-rw-r--r-- 1 root root    89 Jul  5 07:11 cache_disk.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 cache_socache.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 cern_meta.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 cgi.load
-rw-r--r-- 1 root root   115 Jul  5 07:11 cgid.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 cgid.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 charset_lite.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 data.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dav.load
-rw-r--r-- 1 root root    83 Jul  5 07:11 dav_fs.conf
-rw-r--r-- 1 root root    79 Jul  5 07:11 dav_fs.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 dav_lock.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dbd.load
-rw-r--r-- 1 root root   395 Jul  5 07:11 deflate.conf
-rw-r--r-- 1 root root    84 Jul  5 07:11 deflate.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dialup.load
-rw-r--r-- 1 root root   157 Jul  5 07:11 dir.conf
-rw-r--r-- 1 root root    58 Jul  5 07:11 dir.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dump_io.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 echo.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 env.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 expires.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 ext_filter.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 file_cache.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 filter.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 headers.load
-rw-r--r-- 1 root root   176 Jul  5 07:11 heartbeat.load
-rw-r--r-- 1 root root   182 Jul  5 07:11 heartmonitor.load
-rw-r--r-- 1 root root  1240 Jul  5 07:11 http2.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 http2.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 ident.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 imagemap.load
-rw-r--r-- 1 root root    82 Jul  5 07:11 include.load
-rw-r--r-- 1 root root   402 Jul  5 07:11 info.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 info.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_bybusyness.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_byrequests.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_bytraffic.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_heartbeat.load
-rw-r--r-- 1 root root   121 Jul  5 07:11 ldap.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 ldap.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 log_debug.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 log_forensic.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 lua.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 macro.load
-rw-r--r-- 1 root root    56 Jul  5 07:11 md.load
-rw-r--r-- 1 root root  7676 Jul  5 07:11 mime.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 mime.load
-rw-r--r-- 1 root root   120 Jul  5 07:11 mime_magic.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 mime_magic.load
-rw-r--r-- 1 root root   668 Jul  5 07:11 mpm_event.conf
-rw-r--r-- 1 root root   106 Jul  5 07:11 mpm_event.load
-rw-r--r-- 1 root root   571 Jul  5 07:11 mpm_prefork.conf
-rw-r--r-- 1 root root   108 Jul  5 07:11 mpm_prefork.load
-rw-r--r-- 1 root root   836 Jul  5 07:11 mpm_worker.conf
-rw-r--r-- 1 root root   107 Jul  5 07:11 mpm_worker.load
-rw-r--r-- 1 root root   724 Jul  5 07:11 negotiation.conf
-rw-r--r-- 1 root root    74 Jul  5 07:11 negotiation.load
-rw-r--r-- 1 root root   855 Jul  5 15:13 php7.4.conf
-rw-r--r-- 1 root root   102 Jul  5 15:13 php7.4.load
-rw-r--r-- 1 root root   822 Jul  5 07:11 proxy.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 proxy.load
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ajp.load
-rw-r--r-- 1 root root   347 Jul  5 07:11 proxy_balancer.conf
-rw-r--r-- 1 root root   115 Jul  5 07:11 proxy_balancer.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_connect.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_express.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_fcgi.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_fdpass.load
-rw-r--r-- 1 root root   189 Jul  5 07:11 proxy_ftp.conf
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ftp.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_hcheck.load
-rw-r--r-- 1 root root  2511 Jul  5 07:11 proxy_html.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_html.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_http.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_http2.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_scgi.load
-rw-r--r-- 1 root root    91 Jul  5 07:11 proxy_uwsgi.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_wstunnel.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 ratelimit.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 reflector.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 remoteip.load
-rw-r--r-- 1 root root  1190 Jul  5 07:11 reqtimeout.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 reqtimeout.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 request.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 rewrite.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 sed.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 session.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_cookie.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_crypto.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 session_dbd.load
-rw-r--r-- 1 root root  1280 Jul  5 07:11 setenvif.conf
-rw-r--r-- 1 root root    68 Jul  5 07:11 setenvif.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 slotmem_plain.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 slotmem_shm.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 socache_dbm.load
-rw-r--r-- 1 root root    84 Jul  5 07:11 socache_memcache.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_redis.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_shmcb.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 speling.load
-rw-r--r-- 1 root root  3110 Jul  5 07:11 ssl.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 ssl.load
-rw-r--r-- 1 root root   749 Jul  5 07:11 status.conf
-rw-r--r-- 1 root root    64 Jul  5 07:11 status.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 substitute.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 suexec.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 unique_id.load
-rw-r--r-- 1 root root   324 Jul  5 07:11 userdir.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 userdir.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 usertrack.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 vhost_alias.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 xml2enc.load

/etc/apache2/mods-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep  4 17:03 .
drwxr-xr-x 8 root root 4096 Sep  4 17:12 ..
lrwxrwxrwx 1 root root   36 Aug 22 15:00 access_compat.load -> ../mods-available/access_compat.load
lrwxrwxrwx 1 root root   28 Aug 22 15:00 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root   28 Aug 22 15:00 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 authz_core.load -> ../mods-available/authz_core.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 authz_user.load -> ../mods-available/authz_user.load
lrwxrwxrwx 1 root root   32 Aug 22 15:00 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root   32 Aug 22 15:00 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root   30 Aug 22 15:00 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root   30 Aug 22 15:00 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root   26 Aug 22 15:00 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root   26 Aug 22 15:00 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root   26 Aug 22 15:00 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root   29 Aug 22 15:00 filter.load -> ../mods-available/filter.load
lrwxrwxrwx 1 root root   27 Aug 22 15:00 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root   27 Aug 22 15:00 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root   34 Sep  4 17:03 mpm_prefork.conf -> ../mods-available/mpm_prefork.conf
lrwxrwxrwx 1 root root   34 Sep  4 17:03 mpm_prefork.load -> ../mods-available/mpm_prefork.load
lrwxrwxrwx 1 root root   34 Aug 22 15:00 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root   34 Aug 22 15:00 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root   29 Sep  4 17:03 php7.4.conf -> ../mods-available/php7.4.conf
lrwxrwxrwx 1 root root   29 Sep  4 17:03 php7.4.load -> ../mods-available/php7.4.load
lrwxrwxrwx 1 root root   33 Aug 22 15:00 reqtimeout.conf -> ../mods-available/reqtimeout.conf
lrwxrwxrwx 1 root root   33 Aug 22 15:00 reqtimeout.load -> ../mods-available/reqtimeout.load
lrwxrwxrwx 1 root root   30 Aug 22 15:42 rewrite.load -> ../mods-available/rewrite.load
lrwxrwxrwx 1 root root   31 Aug 22 15:00 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root   31 Aug 22 15:00 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root   36 Aug 22 15:26 socache_shmcb.load -> ../mods-available/socache_shmcb.load
lrwxrwxrwx 1 root root   26 Aug 22 15:26 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Aug 22 15:26 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root   29 Aug 22 15:00 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root   29 Aug 22 15:00 status.load -> ../mods-available/status.load

/etc/apache2/sites-available:
total 28
drwxr-xr-x 2 root root 4096 Sep  4 17:08 .
drwxr-xr-x 8 root root 4096 Sep  4 17:12 ..
-rw-r--r-- 1 root root 1334 Sep  4 17:01 000-default.conf
-rw-r--r-- 1 root root 6338 Jul  5 07:11 default-ssl.conf
-rw-r--r-- 1 root root  980 Sep  4 17:08 truecloud.ddns.net-le-ssl.conf
-rw-r--r-- 1 root root  660 Aug 22 15:42 truecloud.ddns.net.conf

/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep  4 17:08 .
drwxr-xr-x 8 root root 4096 Sep  4 17:12 ..
lrwxrwxrwx 1 root root   35 Aug 22 15:00 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   35 Aug 22 15:26 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root   59 Sep  4 17:08 truecloud.ddns.net-le-ssl.conf -> /etc/apache2/sites-available/truecloud.ddns.net-le-ssl.conf
lrwxrwxrwx 1 root root   42 Aug 24 15:42 truecloud.ddns.net.conf -> ../sites-available/truecloud.ddns.net.conf
/etc/letsencrypt:
total 48
drwxr-xr-x   9 root root 4096 Sep  5 09:44 .
drwxr-xr-x 112 root root 4096 Sep  4 17:42 ..
-rw-r--r--   1 root root   64 Aug 24 06:19 .updated-options-ssl-apache-conf-digest.txt
drwxr-xr-x   4 root root 4096 Aug 22 15:43 accounts
drwx------   3 root root 4096 Aug 30 08:10 archive
-rw-r--r--   1 root root  121 Feb 11  2019 cli.ini
drwxr-xr-x   2 root root 4096 Sep  4 17:12 csr
drwx------   2 root root 4096 Sep  4 17:12 keys
drwx------   3 root root 4096 Aug 30 08:10 live
-rw-r--r--   1 root root  952 Aug 24 06:19 options-ssl-apache.conf
drwxr-xr-x   2 root root 4096 Sep  4 17:12 renewal
drwxr-xr-x   5 root root 4096 Aug 22 14:55 renewal-hooks

/etc/letsencrypt/accounts:
total 16
drwxr-xr-x 4 root root 4096 Aug 22 15:43 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
drwxr-xr-x 3 root root 4096 Aug 22 15:43 acme-staging-v02.api.letsencrypt.org
drwxr-xr-x 3 root root 4096 Aug 24 06:56 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 12
drwxr-xr-x 3 root root 4096 Aug 22 15:43 .
drwxr-xr-x 4 root root 4096 Aug 22 15:43 ..
drwx------ 3 root root 4096 Aug 22 15:43 directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Aug 22 15:43 .
drwxr-xr-x 3 root root 4096 Aug 22 15:43 ..
drwx------ 2 root root 4096 Aug 22 15:43 6dabcc0ccd798e21a1f39260c30529e7

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/6dabcc0ccd798e21a1f39260c30529e7:
total 20
drwx------ 2 root root 4096 Aug 22 15:43 .
drwx------ 3 root root 4096 Aug 22 15:43 ..
-rw-r--r-- 1 root root   66 Aug 22 15:43 meta.json
-r-------- 1 root root 1632 Aug 22 15:43 private_key.json
-rw-r--r-- 1 root root   86 Aug 22 15:43 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwxr-xr-x 3 root root 4096 Aug 24 06:56 .
drwxr-xr-x 4 root root 4096 Aug 22 15:43 ..
drwx------ 3 root root 4096 Aug 24 06:57 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Aug 24 06:57 .
drwxr-xr-x 3 root root 4096 Aug 24 06:56 ..
drwx------ 2 root root 4096 Aug 24 06:57 fb155be635a402a8300329d2a61dda89

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/fb155be635a402a8300329d2a61dda89:
total 20
drwx------ 2 root root 4096 Aug 24 06:57 .
drwx------ 3 root root 4096 Aug 24 06:57 ..
-rw-r--r-- 1 root root   97 Aug 24 06:57 meta.json
-r-------- 1 root root 1632 Aug 24 06:57 private_key.json
-rw-r--r-- 1 root root   79 Aug 24 06:57 regr.json

/etc/letsencrypt/archive:
total 12
drwx------ 3 root root 4096 Aug 30 08:10 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
drwxr-xr-x 2 root root 4096 Sep  4 17:12 truecloud.ddns.net

/etc/letsencrypt/archive/truecloud.ddns.net:
total 68
drwxr-xr-x 2 root root 4096 Sep  4 17:12 .
drwx------ 3 root root 4096 Aug 30 08:10 ..
-rw-r--r-- 1 root root 1850 Aug 30 08:10 cert1.pem
-rw-r--r-- 1 root root 1850 Sep  4 17:08 cert2.pem
-rw-r--r-- 1 root root 1850 Sep  4 17:12 cert3.pem
-rw-r--r-- 1 root root 3749 Aug 30 08:10 chain1.pem
-rw-r--r-- 1 root root 3749 Sep  4 17:08 chain2.pem
-rw-r--r-- 1 root root 3749 Sep  4 17:12 chain3.pem
-rw-r--r-- 1 root root 5599 Aug 30 08:10 fullchain1.pem
-rw-r--r-- 1 root root 5599 Sep  4 17:08 fullchain2.pem
-rw-r--r-- 1 root root 5599 Sep  4 17:12 fullchain3.pem
-rw------- 1 root root 1708 Aug 30 08:10 privkey1.pem
-rw------- 1 root root 1704 Sep  4 17:08 privkey2.pem
-rw------- 1 root root 1704 Sep  4 17:12 privkey3.pem

/etc/letsencrypt/csr:
total 60
drwxr-xr-x 2 root root 4096 Sep  4 17:12 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
-rw-r--r-- 1 root root  928 Aug 22 14:56 0000_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 22 14:57 0001_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 22 15:04 0002_csr-certbot.pem
-rw-r--r-- 1 root root  936 Aug 22 15:40 0003_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 22 15:50 0004_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 24 06:19 0005_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 24 06:28 0006_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 24 15:31 0007_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 24 16:17 0008_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 30 08:08 0009_csr-certbot.pem
-rw-r--r-- 1 root root  928 Aug 30 08:10 0010_csr-certbot.pem
-rw-r--r-- 1 root root  928 Sep  4 17:08 0011_csr-certbot.pem
-rw-r--r-- 1 root root  928 Sep  4 17:12 0012_csr-certbot.pem

/etc/letsencrypt/keys:
total 60
drwx------ 2 root root 4096 Sep  4 17:12 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
-rw------- 1 root root 1704 Aug 22 14:56 0000_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 14:57 0001_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 15:04 0002_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 15:40 0003_key-certbot.pem
-rw------- 1 root root 1704 Aug 22 15:50 0004_key-certbot.pem
-rw------- 1 root root 1704 Aug 24 06:19 0005_key-certbot.pem
-rw------- 1 root root 1704 Aug 24 06:28 0006_key-certbot.pem
-rw------- 1 root root 1704 Aug 24 15:31 0007_key-certbot.pem
-rw------- 1 root root 1704 Aug 24 16:17 0008_key-certbot.pem
-rw------- 1 root root 1704 Aug 30 08:08 0009_key-certbot.pem
-rw------- 1 root root 1708 Aug 30 08:10 0010_key-certbot.pem
-rw------- 1 root root 1704 Sep  4 17:08 0011_key-certbot.pem
-rw------- 1 root root 1704 Sep  4 17:12 0012_key-certbot.pem

/etc/letsencrypt/live:
total 16
drwx------ 3 root root 4096 Aug 30 08:10 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
-rw-r--r-- 1 root root  740 Aug 22 15:05 README
drwxr-xr-x 2 root root 4096 Sep  4 17:12 truecloud.ddns.net

/etc/letsencrypt/live/truecloud.ddns.net:
total 12
drwxr-xr-x 2 root root 4096 Sep  4 17:12 .
drwx------ 3 root root 4096 Aug 30 08:10 ..
-rw-r--r-- 1 root root  692 Aug 30 08:10 README
lrwxrwxrwx 1 root root   42 Sep  4 17:12 cert.pem -> ../../archive/truecloud.ddns.net/cert3.pem
lrwxrwxrwx 1 root root   43 Sep  4 17:12 chain.pem -> ../../archive/truecloud.ddns.net/chain3.pem
lrwxrwxrwx 1 root root   47 Sep  4 17:12 fullchain.pem -> ../../archive/truecloud.ddns.net/fullchain3.pem
lrwxrwxrwx 1 root root   45 Sep  4 17:12 privkey.pem -> ../../archive/truecloud.ddns.net/privkey3.pem

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x 2 root root 4096 Sep  4 17:12 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
-rw-r--r-- 1 root root  549 Sep  4 17:12 truecloud.ddns.net.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 Aug 22 14:55 .
drwxr-xr-x 9 root root 4096 Sep  5 09:44 ..
drwxr-xr-x 2 root root 4096 Aug 22 14:55 deploy
drwxr-xr-x 2 root root 4096 Aug 22 14:55 post
drwxr-xr-x 2 root root 4096 Aug 22 14:55 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Aug 22 14:55 .
drwxr-xr-x 5 root root 4096 Aug 22 14:55 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Aug 22 14:55 .
drwxr-xr-x 5 root root 4096 Aug 22 14:55 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Aug 22 14:55 .
drwxr-xr-x 5 root root 4096 Aug 22 14:55 ..

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: truecloud.ddns.net
    Serial Number: 30bc6be1bc54eb7e3600e76f8a3fc5549d2
    Key Type: RSA
    Domains: truecloud.ddns.net
    Expiry Date: 2021-12-03 16:12:16+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/truecloud.ddns.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/truecloud.ddns.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

2 Likes

Thanks for that. 🙂

The duplications here are very bad:

What are the outputs of:

```
sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo cat /etc/apache2/sites-enabled/truecloud.ddns.net.conf
sudo cat /etc/apache2/sites-enabled/default-ssl.conf
sudo cat /etc/apache2/sites-enabled/truecloud.ddns.net-le-ssl.conf
sudo cat /etc/letsencrypt/renewal/truecloud.ddns.net.conf
```

Please put 3 backticks above and below each output, like this:

```
output
```

1 Like
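
A check for the duplication visible in the `apachectl -S` output above, added here as an example and not part of the original thread: when several virtual hosts on one port carry the same name, Apache answers with the first one listed, which on this server is `default-ssl.conf` with its self-signed certificate. The function names and the second sample are constructed for illustration; the first sample is the vhost section posted above.

```python
import re
from collections import defaultdict

# The VirtualHost section of the `apachectl -S` output posted in this thread.
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/truecloud.ddns.net-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server truecloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/truecloud.ddns.net.conf:2)
ServerRoot: "/etc/apache2"
"""

# Constructed sample (not from the thread): a ServerAlias in one vhost
# colliding with the ServerName of a later vhost.
ALIAS_SAMPLE = """\
*:443                  is a NameVirtualHost
         port 443 namevhost a.example (/etc/apache2/sites-enabled/a.conf:1)
                 alias www.a.example
         port 443 namevhost www.a.example (/etc/apache2/sites-enabled/b.conf:1)
"""

# "port 443 namevhost <name> (<file>:<line>)" lines, in Apache's match order.
NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+:\d+)\)\s*$")
# "alias <name>" lines belong to the namevhost entry printed just before them.
ALIAS = re.compile(r"^\s*alias (\S+)\s*$")


def find_duplicate_names(apachectl_output):
    """Map (port, hostname) -> ["file:line", ...] for every hostname that is
    claimed by more than one virtual host on the same port. The list keeps
    the order of the dump, so element 0 is the vhost that answers."""
    claims = defaultdict(list)
    current = None  # (port, "file:line") of the vhost being described
    for line in apachectl_output.splitlines():
        m = NAMEVHOST.match(line)
        if m:
            current = (int(m[1]), m[3])
            name = m[2].lower()
        else:
            a = ALIAS.match(line)
            if not (a and current):
                continue
            name = a[1].lower()
        port, location = current
        # A vhost naming itself twice (ServerName plus identical alias)
        # is not a conflict, so record each location once per name.
        if location not in claims[(port, name)]:
            claims[(port, name)].append(location)
    return {key: locs for key, locs in claims.items() if len(locs) > 1}


def report(apachectl_output):
    """Human-readable lines: which vhost answers and which are shadowed."""
    lines = []
    for (port, name), locs in sorted(find_duplicate_names(apachectl_output).items()):
        lines.append(f"{name}:{port} answered by {locs[0]}")
        lines.extend(f"  shadowed, never selected: {loc}" for loc in locs[1:])
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no hostname is claimed twice on one port")
```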

```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName truecloud.ddns.net

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

```
# Begin vhost record on the default HTTP port 80
<VirtualHost *:80>
    # This is the name of the vhost.
    ServerName truecloud.ddns.net
    # These are alternative names for this same vhost.
    # We put the other domains here. They will all go to the same place.
    # ServerAlias www.truecloud.ddns.net
    # ServerAlias udrupalalumni.com
    # Directory where the website code lives.
    DocumentRoot /var/www/html

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =truecloud.ddns.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one
                #   huge file containing all of them (file must be PEM encoded)
                #   Note: Inside SSLCACertificatePath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client
                #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                #   Client Authentication (Type):
                #   Client certificate verification type and depth.  Types are
                #   none, optional, require and optional_no_ca.  Depth is a
                #   number which specifies how deeply to verify the certificate
                #   issuer chain before deciding the certificate is not valid.
                #SSLVerifyClient require
                #SSLVerifyDepth  10

                #   SSL Engine Options:
                #   Set various options for the SSL engine.
                #   o FakeBasicAuth:
                #        Translate the client X.509 into a Basic Authorisation.  This means that
                #        the standard Auth/DBMAuth methods can be used for access control.  The
                #        user name is the `one line' version of the client's X.509 certificate.
                #        Note that no password is obtained from the user. Every entry in the user
                #        file needs this password: `xxj31ZMTZzkVA'.
                #   o ExportCertData:
                #        This exports two additional environment variables: SSL_CLIENT_CERT and
                #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
                #        server (always existing) and the client (only existing when client
                #        authentication is used). This can be used to import the certificates
                #        into CGI scripts.
                #   o StdEnvVars:
                #        This exports the standard SSL/TLS related `SSL_*' environment variables.
                #        Per default this exportation is switched off for performance reasons,
                #        because the extraction step is an expensive operation and is usually
                #        useless for serving static content. So one usually enables the
                #        exportation for CGI and SSI requests only.
                #   o OptRenegotiate:
                #        This enables optimized SSL connection renegotiation handling when SSL
                #        directives are used in per-directory context.
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                #   SSL Protocol Adjustments:
                #   The safe and default but still SSL/TLS standard compliant shutdown
                #   approach is that mod_ssl sends the close notify alert but doesn't wait for
                #   the close notify alert from client. When you need a different shutdown
                #   approach you can use one of the following variables:
                #   o ssl-unclean-shutdown:
                #        This forces an unclean shutdown when the connection is closed, i.e. no
                #        SSL close notify alert is send or allowed to received.  This violates
                #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
                #        this when you receive I/O errors because of the standard approach where
                #        mod_ssl sends the close notify alert.
                #   o ssl-accurate-shutdown:
                #        This forces an accurate shutdown when the connection is closed, i.e. a
                #        SSL close notify alert is send and mod_ssl waits for the close notify
                #        alert of the client. This is 100% SSL/TLS standard compliant, but in
                #        practice often causes hanging connections with brain-dead browsers. Use
                #        this only for browsers where you know that their SSL implementation
                #        works correctly.
                #   Notice: Most problems of broken clients are also related to the HTTP
                #   keep-alive facility, so you usually additionally want to disable
                #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
                #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
                #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
                #   "force-response-1.0" for this.
                # BrowserMatch "MSIE [2-6]" \
                #               nokeepalive ssl-unclean-shutdown \
                #               downgrade-1.0 force-response-1.0

        </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # This is the name of the vhost.
    ServerName truecloud.ddns.net
    # These are alternative names for this same vhost.
    # We put the other domains here. They will all go to the same place.
    # ServerAlias www.truecloud.ddns.net
    # ServerAlias udrupalalumni.com
    # Directory where the website code lives.
    DocumentRoot /var/www/html

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>

RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =truecloud.ddns.net
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/truecloud.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/truecloud.ddns.net/privkey.pem
</VirtualHost>
</IfModule>
# renew_before_expiry = 30 days
version = 1.18.0
archive_dir = /etc/letsencrypt/archive/truecloud.ddns.net
cert = /etc/letsencrypt/live/truecloud.ddns.net/cert.pem
privkey = /etc/letsencrypt/live/truecloud.ddns.net/privkey.pem
chain = /etc/letsencrypt/live/truecloud.ddns.net/chain.pem
fullchain = /etc/letsencrypt/live/truecloud.ddns.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fb155be635a402a8300329d2a61dda89
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
2 Likes

Here's where the snakeoil certificate is coming from:

Fortunately, your configuration is so clean and straightforward that this is easy to resolve.

  1. Remove these lines in /etc/apache2/sites-enabled/truecloud.ddns.net-le-ssl.conf:
  2. Run these commands:

```
sudo a2dissite 000-default.conf
sudo a2dissite default-ssl.conf
sudo apachectl -k graceful
```

  3. Clear the cache of your web browser.

All should be well. :blush:

2 Likes
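The `apachectl -S` output earlier in the thread lists `default-ssl.conf` as the default server for truecloud.ddns.net on *:443, and Apache serves the first vhost that claims a name on a given address and port. The following check is an added example, not part of the original posts: it reads `apachectl -S` output and reports every vhost that is shadowed this way. The function names are hypothetical, and the sample input is constructed in the same format (its last two lines are assumed, not taken from the poster's output).

```shell
#!/bin/sh
# Added example: flag vhosts that can never be selected because an earlier
# vhost on the same port already claims the same server name.

# Constructed sample in the format `apachectl -S` prints.
sample_apachectl_output() {
cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost truecloud.ddns.net (/etc/apache2/sites-enabled/truecloud.ddns.net-le-ssl.conf:2)
*:80                   truecloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

# Reads `apachectl -S` output on stdin. Prints one line per shadowed vhost:
#   SHADOWED <port> <name> <losing file:line> by <winning file:line>
# Exit status is 1 if any vhost is shadowed, 0 otherwise.
find_shadowed_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4            # port + server name
            loc = $5                   # "(file:line)"
            gsub(/[()]/, "", loc)
            if (key in winner) {
                # A vhost listed earlier already owns this name on this port.
                printf "SHADOWED %s %s %s by %s\n", $2, $4, loc, winner[key]
                found = 1
            } else {
                winner[key] = loc
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Live use: sudo apachectl -S 2>/dev/null | find_shadowed_vhosts
sample_apachectl_output | find_shadowed_vhosts \
    || echo "A shadowed vhost's SSLCertificateFile is never served; disable the earlier site."
```

After running the `a2dissite` commands from the reply, the same check on live output should print nothing and exit 0.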
