Certbot and Letsencrypt on Raspberry Pi 3B with Debian9 stretch generate bogus certificates

The ports 80 definition in the nextcloud-le-ssl.conf was introduced by certbot/letsencrypt with --apache resp. certonly option. Somehow those two things came together in the file…

@schoen i got the following result by running grep -r SSLCertificate /etc/apache2:

grep -r SSLCertificate /etc/apache2

/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/nextcloud-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/cert.pem
/etc/apache2/sites-available/nextcloud-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/privkey.pem
/etc/apache2/sites-available/nextcloud-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/chain.pem

Do you also have /etc/apache2/sites-enabled? (And what’s in it?)

yes, i have enabled 3 sites:

000-default.conf nextcloud.conf nextcloud-le-ssl.conf , where as JürgenAuer mentioned nextcloud-le-ssl contains virtualhost definitions both for :80 and :443. This file was generated from nextcloud. conf by letsencrypt/certbot with options certonly and --apache (i don’t remember in which order i exactly used those operations to produce that double entry):


nextcloud.conf:

Alias /nextcloud “/var/www/nextcloud/”
ServerName korimort.freedynamicdns.net

Options +FollowSymlinks AllowOverride All Satisfy Any Dav off

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud


RewriteEngine on
RewriteCond %{SERVER_NAME} =korimort.freedynamicdns.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

nextcloud-le-ssl.conf:

Options +FollowSymlinks AllowOverride All Satisfy Any Dav off

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud

RewriteEngine on # Some rewrite rules in this file were disabled on your HTTPS site, # because they have the potential to create redirection loops.

RewriteCond %{SERVER_NAME} =korimort.freedynamicdns.net

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ServerName korimort.freedynamicdns.net
SSLCertificateFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf




<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
Satisfy Any

Dav off

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud

RewriteEngine on # Some rewrite rules in this file were disabled on your HTTPS site, # because they have the potential to create redirection loops.

RewriteCond %{SERVER_NAME} =korimort.freedynamicdns.net

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


Hmmm, could we also see the output of certbot certificates?

Also, there’s now a different problem where your server is speaking HTTP instead of HTTPS on port 443.

fullchain.pem:

-----BEGIN CERTIFICATE-----
MIIFbjCCBFagAwIBAgISBNh/l/8u88yzLTPVIasYL3slMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDIxMDA3NDNaFw0x
OTA1MzExMDA3NDNaMCYxJDAiBgNVBAMTG2tvcmltb3J0LmZyZWVkeW5hbWljZG5z
Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYj41rYqzegOa+T
95gF0GZdeqX0VjF9TASAEcOILEnYyKTE8EYnGYdEXWz+IPPlTYr0xpnKE2VCZIDZ
bsvhEjko4n477bdCVl58ymmyqJFg9L12XsYFEP+RaEA3A9aQKPqbrveNu0SHGmHW
Zvg6FX6ZDGm2+hNKoJnSw2m7YwwnCXCmRblbYmwq7w/nAqoMYpzXae1SEh1Bduyo
eE7cFrcicjpuwdAKYkbSd8ktbI3+rvBu4ZXjdIFLfCxxhEHQqe9hAeCRQg5mihjc
/72SkdQSOX0WK0YEYX7mjWPPhfI/IPOHCHvw3KedfDMv6TA4AJDwxm0cwE0sRJr4
Y7NqOL8CAwEAAaOCAnAwggJsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUFzY9dqCa
KXrbVMcmihiBi/ehpgowHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEw
bwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMu
bGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMu
bGV0c2VuY3J5cHQub3JnLzAmBgNVHREEHzAdghtrb3JpbW9ydC5mcmVlZHluYW1p
Y2Rucy5uZXQwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAm
BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEE
AdZ5AgQCBIH1BIHyAPAAdgDiaUuuJujpQAnohhu2O4PUPuf+dIj7pI8okwGd3fHb
/gAAAWk+Fp2iAAAEAwBHMEUCIQDwWHXLyWVhsDMctuRzP1gXB40fL4CSCL4iXgUf
OSMsIQIgIineeXS/ZUhc48n72SYmWBaN5rpgl0HPX4/SK0NBrRAAdgApPFGWVMg5
ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0eAAAAWk+Fp2jAAAEAwBHMEUCIQCY6EvO
XTacnYkcRbRP1jbLUNGDn4AZ7Y0xmBw1ONGGPgIgaumrhiAxcmCofagIJA/xwlAJ
QjpWoDDWKKufcqh88M8wDQYJKoZIhvcNAQELBQADggEBAAVBmlTRp+DRPCPwGj+k
yqXyCRkIPrAZzdKZRLOHQ+DyNYQSuXZP1K3BEa3Qm5/MCzdtu9SwQAUVuM46RMz/
sF/5gN5IK8HDmuI+oz+8jooia+59eVNzSi2IXarbjrZf97X+qg5olE6xQK33o+MF
kqhFGQ/0Wvs/kLWrGO9p7Qa7wTBrY3ViuabMgW4WGQO48Imm0iFR22YwXLbyYCcl
AcHa8995oURo7k8T90drbMRVM2RYZBN2HGsErvvDbBuC1q5NtKu+yaVQibiZZtnI
Lue03HXGfE1l44QDu5N7xoDu5SN8k+tkI6pYsetoOQ2F+715m3aakb8G0rHwfOnb
S8s=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Sorry, I don’t mean “could we see your certificates”, but "could we see the result of running the command certbot certificates"?

Renewal configuration file /etc/letsencrypt/renewal/korimort.freedynamicdns.net.conf produced an unexpected error: expected /etc/letsencrypt/live/korimort.freedynamicdns.net/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: korimort.freedynamicdns.net-0001
Domains: korimort.freedynamicdns.net
Expiry Date: 2019-05-31 10:07:43+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/korimort.freedynamicdns.net.conf


This means you’ve probably copied files around and replace the symlink with an actual file.
That breaks what certbot expects to find and use.
Please show:
ls -l /etc/letsencrypt/live/korimort.freedynamicdns.net/

Ok. As far as i remember i did not remove any symlinks or copy/move files in the letsencrypt folders. There is only one subfolder in the letsencrypt live folder, namely /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/ . As i did not get the https page working i thought that something went wrong with the generation of the certificates and i used certbot to revoke the certificates and replace it with new ones. I think that is why my present folder is called *-0001. After revoking the certificate the certbot script asks whether to remove the folder with the certificate and the keys.

$ ls -l /etc/letsencrypt/live/korimort.freedynamicdns.net-0001/
total 8
lrwxrwxrwx 1 root root 56 Mar 2 11:07 cert.pem -> …/…/archive/korimort.freedynamicdns.net-0001/cert1.pem
lrwxrwxrwx 1 root root 57 Mar 2 11:07 chain.pem -> …/…/archive/korimort.freedynamicdns.net-0001/chain1.pem
lrwxrwxrwx 1 root root 61 Mar 2 11:07 fullchain.pem -> …/…/archive/korimort.freedynamicdns.net-0001/fullchain1.pem
lrwxrwxrwx 1 root root 59 Mar 2 11:07 privkey.pem -> …/…/archive/korimort.freedynamicdns.net-0001/privkey1.pem
-rw-r–r-- 1 root root 692 Mar 2 11:07 README

But these are two different folders:
/etc/letsencrypt/live/korimort.freedynamicdns.net/
/etc/letsencrypt/live/korimort.freedynamicdns.net-0001/

Are you still seeing the “unexpected error:”?

Please also you show:
cerbot certificates

@rg305, I think the output of certbot certificates is at the post

Maybe this is a result of revoking and deleting the original certificate. :frowning:

The post seems merged or altered.
That is why I asked to see the output again (hopefully unaltered and in its’ entirety).

In any case, I do agree with you on that it seems that the deleting is to blame.
[most likely done incompletely or incorrectly]

Perhaps a link on “how to” properly delete a cert and/or related files would be beneficial…

I think if you use Certbot itself to delete a certificate, you can get an invalid web server configuration (which can prevent serving any sites or getting any new certificates!), but not an invalid Certbot configuration. This is often confusing when it happens. On the other hand, if you use rm in /etc/letsencrypt, you can get an invalid Certbot configuration too.

Yes. certbot --apche resp. certbot certonyl is both changing the Virtualhosts configuration. As visible from the above file, the new virtualhost config output by certbot can be misleading or even wrong maybe because of not correctly assembling the virtualhosts configuration. Deleting of certificates once i did by hand in the first time after i had revoked the certificates with certbot and i did accidentially not choose yes on the question whether to delete the folder, but i guess a revoked certificate and key would be of no use to be kept…

It can still be used by your web server, whereas if you delete it, your web server configuration can become invalid. It may not be accepted by browsers, but your web server doesn’t know that and is willing to serve it.

Ok. So you want to say, that the webserver keeps somewhere its own copy of the certificates whereas we have in the Virtualhosts directive lines like SSLCertificateChain and SSLCertificateFile… which tell about the locations of the private key, certificate and certificate chain? Can a deleted certificate really be served?

No, the web server keeps its SSLCertificateFile references to the copies in /etc/letsencrypt. Certbot (although it may have created these references) doesn’t take account of whether they exist when deleting certificates in /etc/letsencrypt, which means that if Certbot deletes these certificates, the web server configuration can become invalid as a result.

Then, where can it be checked what is the current configuration of my apache2-2.4.25 with respect to the certificates? I have always run systemctl reload apache2.service command to reload the apache server when it was told in diverse instructions on certbot/letsencrypt aso.