Cert Bot SSL installed correctly but not working


#1

Domain : www.oldskoolgaming.tk

VPS Provider : DigitalOcean

OS : CentOs 6.8 (x64)

Okay so, as guided by @pfg last time, this time I’ve created a separate conf file for my domain at conf.d.
Then, executed `./certbot-auto`

selected the www version of the domain from 2 options, i.e. the www version of the domain and the non-www one… then entered email, support@oldskoolgaming.tk, then chose to allow both the http and https versions! Now done it without any errors for the very first time! Hurray!

Then, tried to visit www.oldskoolgaming.tk & the oldskoolgaming.tk
[HTTP versions working fine]

Then tried to visit https versions of both links… Boom !

Ummm., what’s wrong I’ve done this time ?! Duh !! :expressionless:


#2

For some reason, the server isn’t using the correct certificate. It’s providing a self-signed certificate, not the one from Let’s Encrypt.

Which is strange, because the Apache plugin of certbot would reload Apache itself…


#3

Okay, so what’s the solution now ?!


#4

You might want to check the configuration file for the right certificate and/or reload Apache manually…


#5

Can you elaborate, please explain !
:confused: I didn’t just get you !


#6

It looks like you’re setting a self-signed certificate somewhere in your config (this might have been generated automatically when you installed mod_ssl or something like that).

Try running `grep -r "SSLCertificateFile" /etc/httpd` and check if there are any certificate files you don’t recognize (i.e. that don’t belong to certbot), and get rid of those directives. If you need help with that, please post the entire file where you’ve found this directive.


#7

Okay, so as much as I know, the certificate has to be issued by ‘Let’s Encrypt’, not ‘oldskoolgaming’, and issued to ‘www.oldskoolgaming.tk’, isn’t it?!

Here’s the result

```
/etc/httpd/conf.d/oldskoolgaming.tk-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/www.oldskoolgaming.tk/cert.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
```
Help Me Out Brother !~


#8

/etc/httpd/conf.d/ssl.conf is the problematic file, /etc/pki/tls/certs/localhost.crt is the path to that self-signed certificate you’re seeing in the browser.

Can you post the contents of both /etc/httpd/conf.d/oldskoolgaming.tk-le-ssl.conf and /etc/httpd/conf.d/ssl.conf?


#9

Okay Here you go

```
NameVirtualHost *:80
<VirtualHost *:443>
ServerAdmin support@oldskoolgaming.tk
DocumentRoot /var/www/oldskoolgaming.tk/public_html
ServerName www.oldskoolgaming.tk
ServerAlias oldskoolgaming.tk
ErrorLog /var/www/oldskoolgaming.tk/error.log
CustomLog /var/www/oldskoolgaming.tk/requests.log common
SSLCertificateFile /etc/letsencrypt/live/www.oldskoolgaming.tk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.oldskoolgaming.tk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.oldskoolgaming.tk/chain.pem
```

ssl_conf.txt (9.5 KB)


#10

Your /etc/httpd/conf.d/oldskoolgaming.tk-le-ssl.conf looks very odd. This VirtualHost should be for port 443 (HTTPS). Was this created by certbot's apache plugin, or did you manually create or modify this file?

Either way, changing everything in that file to port 443 (instead of port 80) should be a good start. I’m not seeing any <VirtualHost> tags either, are those missing or did they get lost because of the formatting here? (to paste code that spans multiple lines, put it between three backticks, i.e.:

```
code
```


#11

Okay, So Let me start clearing your doubts…

I’ve completely used cert-bot and haven’t done any kind of changes. Well, for one more step of confirmation, I’ll be emailing you an ‘OSG* Initial Website Setup’ txt file, which will contain the commands to install the website in any VPS running CentOS 6.8, specially for DigitalOcean Droplets…
*OSG stands for Old Skool Gaming, my website name (short form)

I’ll do it after ending my reply and then will be posting the result shortly.

Umm, Well, Maybe… Let me take a Screen Shot and Upload here on my next reply…


#12

So yeah @pfg, you were correct…
Here’s the screenshot, and they are present in their location…

Okay, so I changed the NameVirtualHost to 443, saved the file, then executed
`service httpd restart`
Nothing happened! Well, on a healthy note,
here’s a message stating the server could not reliably determine its fully qualified domain name. As much as I’ve experience in Linux, this can’t be the problem, but maybe!

Your Turn…!


#13

Let’s try removing all lines between (and including) <VirtualHost _default_:443> and </VirtualHost> in /etc/httpd/conf.d/ssl.conf. Not sure why apache is using that vhost to serve your domain, but it looks like that’s what’s happening.


#14

Okay @pfg, so as you guided me, I’ve removed all lines between (and including) <VirtualHost _default_:443> and </VirtualHost> in /etc/httpd/conf.d/ssl.conf

Then saved it, and executed the cmd `service httpd restart`
I’ve got a warning, here’s the screenshot of it…

But unlike any other time, this time, when I’m visiting the https:// version I’m getting an error!


#15

Hmm, this sounds familiar. Can you try removing the <IfModule mod_ssl.c> (and the corresponding closing tag) from /etc/httpd/conf.d/oldskoolgaming.tk-le-ssl.conf? I think I’ve seen a similar problem where it was due to apache processing the config that enables mod_ssl after it encounters the config with that IfModule, and so doesn’t evaluate that vhost at all.
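The two checks the thread arrives at by hand, post #6’s grep for SSLCertificateFile directives that don’t belong to certbot, and post #15’s suspicion that the Let’s Encrypt vhost sits inside an `<IfModule mod_ssl.c>` in a conf.d file httpd reads before ssl.conf loads the module, can be scripted. The script below is an added example, not code from this thread or from certbot. It builds a constructed scratch conf.d under mktemp that mirrors the files discussed (oldskoolgaming.tk-le-ssl.conf and ssl.conf), so it runs offline; the function names and the sample file contents are my own. It relies on httpd reading `Include conf.d/*.conf` in sorted filename order, which is why a file named `…-le-ssl.conf` is parsed before `ssl.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an httpd conf.d tree for the two
# misconfigurations discussed above. C collation so glob order matches httpd's
# sorted Include order regardless of the caller's locale.
export LC_ALL=C

# 1) Active (non-comment) SSLCertificateFile directives whose path is NOT under
#    /etc/letsencrypt, printed as "file:certpath". Comment lines like the ones
#    the thread's grep matched in ssl.conf are skipped on purpose.
find_foreign_certs() {
    grep -r -E '^[[:space:]]*SSLCertificateFile[[:space:]]+' "$1" \
        | grep -v '/etc/letsencrypt/' \
        | sed -E 's/:[[:space:]]*SSLCertificateFile[[:space:]]+/:/'
}

# 2) conf.d files that wrap config in <IfModule mod_ssl.c> but sort BEFORE the
#    file carrying "LoadModule ssl_module". At that point the module is not yet
#    loaded, so httpd silently skips the whole block (and the vhost inside it).
find_early_ifmodule() {
    local dir loader loader_base f base
    dir=$1
    loader=$(grep -l -E '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$dir"/*.conf | head -n 1)
    [ -n "$loader" ] || { echo "no LoadModule ssl_module in $dir" >&2; return 1; }
    loader_base=$(basename "$loader")
    for f in "$dir"/*.conf; do          # glob expands in C-locale sorted order
        base=$(basename "$f")
        [ "$base" = "$loader_base" ] && break   # everything after this is fine
        if grep -q -E '^[[:space:]]*<IfModule[[:space:]]+mod_ssl\.c>' "$f"; then
            echo "$base"
        fi
    done
}

# Constructed scratch tree mirroring the thread: the Let's Encrypt vhost wrapped
# in <IfModule mod_ssl.c>, and the stock ssl.conf still holding a _default_:443
# vhost that serves the self-signed localhost.crt.
make_sample_confd() {
    local d
    d=$(mktemp -d)
    cat > "$d/oldskoolgaming.tk-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.oldskoolgaming.tk
    ServerAlias oldskoolgaming.tk
    SSLCertificateFile /etc/letsencrypt/live/www.oldskoolgaming.tk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.oldskoolgaming.tk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.oldskoolgaming.tk/chain.pem
</VirtualHost>
</IfModule>
EOF
    cat > "$d/ssl.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
# Point SSLCertificateFile at a PEM encoded certificate.  If
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    echo "$d"
}

# Demo run against the constructed tree; point the functions at /etc/httpd/conf.d
# on a real CentOS 6 box instead.
sample=$(make_sample_confd)
echo "certificates outside /etc/letsencrypt:"
find_foreign_certs "$sample"
echo "IfModule mod_ssl.c blocks parsed before mod_ssl is loaded:"
find_early_ifmodule "$sample"
rm -rf "$sample"
```

On the thread’s server the first function reports ssl.conf’s `/etc/pki/tls/certs/localhost.crt` (the self-signed cert the browser was showing), and the second reports `oldskoolgaming.tk-le-ssl.conf`, which is exactly the file whose `<IfModule>` wrapper had to go in post #15.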


#16

Okay! Good news,
removed those 2 tags you told me to… executed an httpd restart! And bingo,
I can access both the www version and the non-www version over https! Hell yeah!

I guess we’ve encountered kinda same problem last time, isn’t it ?!

By the way, there’s still a warning there !


#17

@pfg just cause it’s done, should I ignore and move on without panicking, or want to discover more ?! :smiley:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.