Certbot-auto renew was successful but browser certificate error is still seen

Hi Let’s Encrypt community,
I renewed the certificate on my Amazon server, but I am still getting an HTTPS certificate error in the browser.

./certbot-auto certificates
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.tumoohi.org
Domains: www.tumoohi.org
Expiry Date: 2018-02-14 21:06:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.tumoohi.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tumoohi.org/privkey.pem

[ec2-user@ip-172-31-18-71 ~]$ echo | openssl s_client -connect www.tumoohi.org:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 15 17:47:00 2017 GMT
notAfter=Nov 13 17:47:00 2017 GMT
[ec2-user@ip-172-31-18-71 ~]$

I used the certbot-auto script to renew standalone. I restarted the httpd service but I still see the error. Are there any steps that I am missing? Is there any SSL installation needed?

Thank you in advance

Regards,
sab7a85

In your Apache configuration, are you referring to the certificate in /etc/letsencrypt/live/www.tumoohi.org or another location?

What is the output of ls -l /etc/letsencrypt/live/www.tumoohi.org ?

Thanks for helping @jmorahan

I checked the ssl_error_log and I saw this error repeated:
[Thu Nov 16 22:51:05.988264 2017] [ssl:warn] [pid 3914] AH01909: ip-172-31-18-71.eu-west-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name

Here are the outputs you asked:
sudo ls -lrt /etc/letsencrypt/live/www.tumoohi.org
total 4
-rw-r--r-- 1 root root 543 Aug 15 18:46 README
lrwxrwxrwx 1 root root 42 Nov 16 22:06 privkey.pem -> ../../archive/www.tumoohi.org/privkey3.pem
lrwxrwxrwx 1 root root 44 Nov 16 22:06 fullchain.pem -> ../../archive/www.tumoohi.org/fullchain3.pem
lrwxrwxrwx 1 root root 40 Nov 16 22:06 chain.pem -> ../../archive/www.tumoohi.org/chain3.pem
lrwxrwxrwx 1 root root 39 Nov 16 22:06 cert.pem -> ../../archive/www.tumoohi.org/cert3.pem

sudo ls -lrt /etc/letsencrypt/archive/www.tumoohi.org
total 48
-rw-r--r-- 1 root root 1704 Aug 15 18:46 privkey1.pem
-rw-r--r-- 1 root root 3444 Aug 15 18:46 fullchain1.pem
-rw-r--r-- 1 root root 1647 Aug 15 18:46 chain1.pem
-rw-r--r-- 1 root root 1797 Aug 15 18:46 cert1.pem
-rw-r--r-- 1 root root 1708 Nov 12 20:33 privkey2.pem
-rw-r--r-- 1 root root 3444 Nov 12 20:33 fullchain2.pem
-rw-r--r-- 1 root root 1647 Nov 12 20:33 chain2.pem
-rw-r--r-- 1 root root 1797 Nov 12 20:33 cert2.pem
-rw-r--r-- 1 root root 1704 Nov 16 22:06 privkey3.pem
-rw-r--r-- 1 root root 3444 Nov 16 22:06 fullchain3.pem
-rw-r--r-- 1 root root 1647 Nov 16 22:06 chain3.pem
-rw-r--r-- 1 root root 1797 Nov 16 22:06 cert3.pem

I had the following settings in the ssl.conf file:
SSLCertificateFile /etc/pki/tls/certs/custom.pem
SSLCertificateKeyFile /etc/pki/tls/certs/privkey.pem
SSLCACertificateFile /etc/pki/tls/certs/intermediate.pem

And I changed the lines to:
SSLCertificateFile /etc/letsencrypt/live/www.tumoohi.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.tumoohi.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.tumoohi.org/chain.pem

But I still see an error in ssl_error.log
[Fri Nov 17 07:06:20.897759 2017] [ssl:warn] [pid 6321] AH01909: ip-172-31-18-71.eu-west-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name

Please let me know your thoughts

I added the following line to httpd.conf file:
ServerName www.tumoohi.org

I can see that it is updated now:
./certbot-auto certificates
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.tumoohi.org
Domains: www.tumoohi.org
Expiry Date: 2018-02-14 21:06:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.tumoohi.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tumoohi.org/privkey.pem

I restarted the httpd service and refreshed the browsers, but the browsers still show errors with the website security certificate?!

Fixed!! I guess I just had to give it some time after the work I did above.
#patienceisatreasure

Strange, I have no idea why there would be a delay. Glad you got it working though!
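
The mismatch in this thread (certbot lists a renewed certificate while the server still presents the old one) can be checked from both ends. The script below is an added example, not part of the original posts: the function names and the temporary config file are constructed, and the paths mirror the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the temporary
# config file are constructed; paths mirror those quoted in the posts.

# Print each Apache certificate directive in CONF whose path is not under
# LIVE_DIR, i.e. a directive pointing outside certbot's live directory.
cert_paths_outside_live() {
    conf=$1
    live_dir=$2
    awk -v live="$live_dir/" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) ~ /^ssl(ca)?certificate(key|chain)?file$/ {
            path = $2
            gsub(/"/, "", path)                      # strip optional quotes
            if (index(path, live) != 1) print $1, path
        }' "$conf"
}

# Return 0 only if the leaf certificate served on HOST:443 is the same one
# stored in CERT_FILE. Needs network access; not called by the demo below.
served_matches_disk() {
    host=$1
    cert_file=$2
    served=$(echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -noout -fingerprint -sha256 -in "$cert_file")
    [ -n "$served" ] && [ "$served" = "$on_disk" ]
}

# Demo on a constructed config that mixes the old and new paths from the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
SSLCertificateFile /etc/pki/tls/certs/custom.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.tumoohi.org/privkey.pem
SSLCACertificateFile /etc/pki/tls/certs/intermediate.pem
EOF
cert_paths_outside_live "$demo_conf" /etc/letsencrypt/live/www.tumoohi.org
rm -f "$demo_conf"
```

On the server itself, `served_matches_disk www.tumoohi.org /etc/letsencrypt/live/www.tumoohi.org/fullchain.pem` run as root after restarting httpd confirms whether the running server picked up the renewed file.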
