Cert for hostname not domain name

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
wb0oew.com

I ran this command:
sudo /usr/local/bin/certbot-auto --apache --domains wb0oew.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wb0oew.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/virtual80-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://wb0oew.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=wb0oew.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wb0oew.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wb0oew.com/privkey.pem
   Your cert will expire on 2020-07-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):

Apache/2.4.37

The operating system my web server runs on is (include version):

CentOS Linux release 8.1.1911

My hosting provider, if applicable, is:

digitalocean.

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1.3.0

Hello! My hostname is droplet1, my domain name is wb0oew.com. All works fine with http so wanted to add https. I installed certbot, ran as above, all looks good. But when I test using

https://www.ssllabs.com/ssltest/analyze.html?d=wb0oew.com

It says the cert name is for droplet1, not wb0oew. I ran certbot-auto again with “--domains wb0oew.com” but the result is the same.

So my question is: how can I create a certificate for my domain, not my hostname?

Thank you.

1 Like

What does “sudo /usr/local/bin/certbot-auto certificates” show?

1 Like

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: wb0oew.com
Domains: wb0oew.com
Expiry Date: 2020-07-14 19:42:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/wb0oew.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wb0oew.com/privkey.pem


1 Like

So the cert exists, but Apache isn’t using it for some reason.

Can you post the output of “sudo httpd -t -D DUMP_VHOSTS”?

1 Like

Syntax OK

I assume you’ll next want the config file. There are two files in /etc/httpd/conf.d that look relevant:

[root@droplet1 conf.d]# ls
README  autoindex.conf  ssl.conf  userdir.conf  virtual80-le-ssl.conf  virtual80.conf  welcome.conf
[root@droplet1 conf.d]# more virtual80*
::::::::::::::
virtual80-le-ssl.conf
::::::::::::::
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName wb0oew.com
    ServerAdmin elwood.downey@gmail.com

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wb0oew.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wb0oew.com/privkey.pem
</VirtualHost>
</IfModule>
::::::::::::::
virtual80.conf
::::::::::::::
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName wb0oew.com
    ServerAdmin elwood.downey@gmail.com
</VirtualHost>

Nothing else? It should have printed a list of configured virtual hosts.

Nope, nothing else. That’s why I added the two conf files to show the virt hosts should be active.

Note, again, that the report from ssllabs doesn’t say there is no cert, it says there is one just with the wrong name. So even though “certbot-auto certificates” says there’s one for wb0oew, ssllabs is only finding one for droplet1. You can see the full report for yourself by running:

https://www.ssllabs.com/ssltest/analyze.html?d=wb0oew.com

Are you sure you ran “sudo httpd -t -D DUMP_VHOSTS”? AFAICT I didn't misspell it. Did CentOS 8 remove support for it or something? It's supposed to produce something like in this post:

The web server on that IP address was configured to use that certificate somehow. If it's your Apache server, it is probably specified in another configuration file. Which is why getting a list of Apache's view of configuration files and virtual hosts is useful.

1 Like

Doh! I had included the trailing ? in your first question. Now I get:

[ecdowney@droplet1 ~]$ sudo httpd -t -D DUMP_VHOSTS?
Syntax OK
[ecdowney@droplet1 ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server wb0oew.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost wb0oew.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost wb0oew.com (/etc/httpd/conf.d/virtual80-le-ssl.conf:2)
*:80                   wb0oew.com (/etc/httpd/conf.d/virtual80.conf:1)
1 Like
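The DUMP_VHOSTS output above already contains the diagnosis: the same ServerName is defined twice on *:443, once in ssl.conf (loaded first, so it becomes the default server and wins name-based matching) and once in the certbot-generated file. As an added illustration, not code from the thread or from Certbot, this small Python script parses that output and flags any ServerName that is defined in two different files on one address; the input is a constructed copy of the dump posted above.

```python
import re

# Constructed copy of the `httpd -t -D DUMP_VHOSTS` output posted in the thread.
DUMP = """VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server wb0oew.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost wb0oew.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost wb0oew.com (/etc/httpd/conf.d/virtual80-le-ssl.conf:2)
*:80                   wb0oew.com (/etc/httpd/conf.d/virtual80.conf:1)
"""

# An address line is either "<addr> is a NameVirtualHost" or "<addr> <name> (<file>:<line>)".
ADDR_RE = re.compile(r"^(\S+)\s+(is a NameVirtualHost|(\S+)\s+\((.+):(\d+)\))$")
DEFAULT_RE = re.compile(r"^\s+default server (\S+) \((.+):(\d+)\)$")
NAMEVHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+):(\d+)\)$")


def parse_dump(text):
    """Return {address: {"default": (name, file), "vhosts": [(name, file), ...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"default": None, "vhosts": []})
            if m.group(3):  # a single, non name-based vhost on this address
                current["default"] = (m.group(3), m.group(4))
                current["vhosts"].append((m.group(3), m.group(4)))
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            current["default"] = (m.group(1), m.group(2))
            continue
        m = NAMEVHOST_RE.match(line)
        if m and current is not None:
            current["vhosts"].append((m.group(1), m.group(2)))
    return hosts


def shadowed_vhosts(hosts):
    """List (address, name, winning_file, shadowed_file) for every ServerName that is
    defined in two files on one address. Apache matches the first vhost in load
    order, so the later definition (here the certbot one) never receives a request."""
    findings = []
    for addr, info in hosts.items():
        first_seen = {}
        for name, path in info["vhosts"]:
            if name in first_seen and first_seen[name] != path:
                findings.append((addr, name, first_seen[name], path))
            first_seen.setdefault(name, path)
    return findings


if __name__ == "__main__":
    for addr, name, winner, loser in shadowed_vhosts(parse_dump(DUMP)):
        print(f"{addr}: {name} in {loser} is shadowed by {winner}")
```

Run against a live server with `sudo httpd -t -D DUMP_VHOSTS | python3 script.py` after replacing DUMP with `sys.stdin.read()`.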

Open this file and comment out (put # at the beginning of the line) any directive that starts with SSL and ends with File.

1 Like

There were two such lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

After commenting them out, “apachectl restart” now fails.

“systemctl status httpd.service” reports:

Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@droplet1 ecdowney]# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2020-04-16 02:14:26 UTC; 24s ago
     Docs: man:httpd.service(8)
  Process: 16872 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 16872 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Apr 16 02:14:26 droplet1 systemd[1]: Starting The Apache HTTP Server...
Apr 16 02:14:26 droplet1 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 16 02:14:26 droplet1 systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 16 02:14:26 droplet1 systemd[1]: Failed to start The Apache HTTP Server.

and “journalctl -xe” reports:

Apr 16 02:14:25 droplet1 systemd[1]: Stopping The Apache HTTP Server...
-- Subject: Unit httpd.service has begun shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit httpd.service has begun shutting down.
Apr 16 02:14:26 droplet1 systemd[1]: Stopped The Apache HTTP Server.
-- Subject: Unit httpd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit httpd.service has finished shutting down.
Apr 16 02:14:26 droplet1 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit httpd.service has begun starting up.
Apr 16 02:14:26 droplet1 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 16 02:14:26 droplet1 systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 16 02:14:26 droplet1 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit httpd.service has failed.
-- 
-- The result is RESULT.

After restoring the lines, “apachectl restart” restores the originally reported error.

1 Like

It appears you are using a self-signed certificate which does list droplet1 - your DigitalOcean droplet. There is an anchor used in the chain. Apache must be using this certificate instead of the LE certificate you created for wb0oew.com.

I ran the SSL test on droplet1 and clicked “ignore trust” and here are some of the results. Note that there are many weak cipher suites listed in the overall results.

droplet1

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1
Subject droplet1
Fingerprint SHA256: a3aeadb234a68ea2199f484361b6a4a4ee45938fcd8da3bc9d5ce6b7a13b5e54
Pin SHA256: yRCWjFepOL5ZFWphpA7zQDmtPsS35HQv78e7q916yik=
Common names droplet1
Alternative names droplet1 MISMATCH
Serial Number 5cd50895825189d1
Valid from Wed, 15 Apr 2020 20:28:59 UTC
Valid until Tue, 20 Apr 2021 22:08:59 UTC (expires in 1 year)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer droplet1
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information None
DNS CAA No (more info)
Trusted No NOT TRUSTED (Why?)
Mozilla Apple Android Java Windows

Additional Certificates (if supplied)
Certificates provided 2 (2687 bytes)
Chain issues Contains anchor

#2
Subject droplet1 Not in trust store
Fingerprint SHA256: e64e9e7ed28b4cab938b9720f0ab76d49cbc51bedb33be95e31385a1170fe849
Pin SHA256: KmVP1d0IzT8GHUH/uMvzEWuAFQ9wv0M1PVhvdrTr+gM=
Valid until Tue, 20 Apr 2021 22:08:59 UTC (expires in 1 year)
Key RSA 4096 bits (e 65537)
Issuer droplet1 Self-signed
Signature algorithm SHA256withRSA

Out of curiosity, I also went to clearskyinstitute.com that shows on your page for wb0oew.com in the left column. That is also insecure. Different IP address also so I’m guessing it was just a link to another site?

Yes, I am in the middle of migrating clearskyinstitute.com from godaddy to digitalocean. wb0oew.com is my play/staging area until I’m ready to make the DNS change. The web pages are still identical on both servers so all links still send you to csi even when viewing on wb0oew.

clearskyinstitute.com should work fine with both http and https. I used letsencrypt there also and it all went smoothly, although that server is Centos 6 so maybe it is more mature. wb0oew is Centos 8 and I am surprised to be having this difficulty.

So anyway, you say there is a second cert somewhere. How do I find it and how to get rid of it so cert for wb0oew.com can kick in? I only see one in live:

[ecdowney@droplet1 ~]$ sudo ls /etc/letsencrypt/live/
README	wb0oew.com

Thanks to all.

1 Like

When apache refused to start, what did /var/log/httpd/error.log (or the appropriate file on your system, I am no red hat expert) say?

1 Like

@9peppe

/var/log/httpd/error_log:

[Thu Apr 16 17:06:40.898648 2020] [mpm_event:notice] [pid 16933:tid 140668415781120] AH00492: caught SIGWINCH, shutting down gracefully
[Thu Apr 16 17:06:42.012163 2020] [core:notice] [pid 6177:tid 139988198295808] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Apr 16 17:06:42.013197 2020] [suexec:notice] [pid 6177:tid 139988198295808] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 16 17:06:42.014726 2020] [ssl:emerg] [pid 6177:tid 139988198295808] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information

/etc/httpd/logs/ssl_error_log:

[Thu Apr 16 17:06:42.014263 2020] [ssl:emerg] [pid 6177:tid 139988198295808] AH02572: Failed to configure at least one certificate and key for wb0oew.com:443
[Thu Apr 16 17:06:42.014657 2020] [ssl:emerg] [pid 6177:tid 139988198295808] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Thu Apr 16 17:06:42.014669 2020] [ssl:emerg] [pid 6177:tid 139988198295808] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Thu Apr 16 17:06:42.014722 2020] [ssl:emerg] [pid 6177:tid 139988198295808] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

Show me these files:

  • /etc/httpd/conf.d/ssl.conf
  • /etc/httpd/conf.d/virtual80-le-ssl.conf
1 Like

@9peppe

/etc/httpd/conf.d/ssl.conf (I removed all # and empty lines for brevity here)

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

/etc/httpd/conf.d/virtual80-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName wb0oew.com
    ServerAdmin elwood.downey@gmail.com

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wb0oew.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wb0oew.com/privkey.pem
</VirtualHost>
</IfModule>
1 Like

Try:

mv /etc/httpd/conf.d/ssl.conf /somewhere/else
1 Like

@9peppe

sudo apachectl restart
(no output)

/var/log/httpd/error_log

[Thu Apr 16 17:29:10.437319 2020] [mpm_event:notice] [pid 6372:tid 140304293751040] AH00492: caught SIGWINCH, shutting down gracefully

[Thu Apr 16 17:29:11.550948 2020] [core:notice] [pid 7129:tid 140499086895360] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0

[Thu Apr 16 17:29:11.551905 2020] [suexec:notice] [pid 7129:tid 140499086895360] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

[Thu Apr 16 17:29:11.614320 2020] [ssl:warn] [pid 7129:tid 140499086895360] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]

[Thu Apr 16 17:29:11.615284 2020] [lbmethod_heartbeat:notice] [pid 7129:tid 140499086895360] AH02282: No slotmem from mod_heartmonitor

[Thu Apr 16 17:29:11.618542 2020] [mpm_event:notice] [pid 7129:tid 140499086895360] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c configured -- resuming normal operations

[Thu Apr 16 17:29:11.618569 2020] [core:notice] [pid 7129:tid 140499086895360] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

1 Like
