Certbot created certificate not trusted / intermediate certificate?


#1

My domain is: workwebpage com / slorum net / slorum org
One machine/website, multiple domains. These root directories point to /var/www/html/. images.domain points to /var/www/images/.
/etc/httpd/conf/httpd.conf: /pastebin.com/sGSZiDka
I ran this command: sudo ./certbot-auto --apache -d workwebpage.com -d slorum.net -d slorum.org -d www.workwebpage.com -d www.slorum.net -d www.slorum.org -d images.workwebpage.com -d images.slorum.net -d images.slorum.org
It produced this output: Congratulations! You have successfully enabled https://workwebpage.com,
https://slorum.net, https://slorum.org, https://www.workwebpage.com,
https://www.slorum.net, https://www.slorum.org, https://images.workwebpage.com,
https://images.slorum.net, and https://images.slorum.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=workwebpage.com
–etc-- new users limited to 20 lines is a bit of a pain in the rear.

The operating system my web server runs on is (include version): CentOS 6.9
My web server is (include version): Apache/2.2.15 (Unix)
Python 2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
Hosting Provider: Digital Ocean droplet
DNS: Cloudflare (with cloud disabled / bypassed)
Root access

Any assistance would be highly appreciated. Thank you for your time.


#2

Additional information -

Created /etc/httpd/conf/httpd-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName workwebpage.com
    ServerAlias slorum.org slorum.net www.workwebpage.com www.slorum.org www.slorum.net
    ServerAdmin alden@waygroovys.com
    DocumentRoot /var/www/html/
    ErrorLog /var/log/web/fazed-error.log
    CustomLog /var/log/web/fazed-access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/workwebpage.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/workwebpage.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/workwebpage.com/chain.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName images.workwebpage.com
    ServerAlias images.workwebpage.com images.slorum.net images.slorum.org
    ServerAdmin alden@waygroovys.com
    DocumentRoot /var/www/images
    ErrorLog /var/log/web/images-error.log
    CustomLog /var/log/web/images-access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/workwebpage.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/workwebpage.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/workwebpage.com/chain.pem
</VirtualHost>
</IfModule>

https://www.ssllabs.com/ssltest/analyze.html?d=workwebpage.com

Comes back with Alternative Names - Invalid / Not Trusted. Will not load in Chrome.

https://www.sslshopper.com/ssl-checker.html#hostname=workwebpage.com
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

https://www.htbridge.com/ssl/?id=UGtwx3dI - The server’s certificate is untrusted.

https://www.digicert.com/help/ - SSL Certificate is not trusted


Things I have attempted:

/etc/httpd/conf/httpd-le-ssl.conf

  • change cert.pem to fullchain.pem, service httpd restart, test, fail, revert
  • change chain.pem to fullchain.pem, service httpd restart, test, fail, revert
  • delete sslcertificatechainfile lines, change cert.pem to fullchain.pem, service httpd restart, test, fail, revert
  • fully uninstall certbot/letsencrypt, start all over with first command, get sane/clean output, test, fail
  • Google a dozen threads that are somewhat similar, but not quite, try various things, get frustrated, make own thread.

#3

Hi @WayGroovy,

Remove the IfModule sentences in httpd.conf and httpd-le-ssl.conf, restart apache and try again:

<IfModule mod_ssl.c> <-- remove this in your conf files
</IfModule> <-- remove this in your conf files

Cheers,
sahsanu


#4

Note: They appear more than once - remove them all.

Also, ensure that what is in
/etc/letsencrypt/options-ssl-apache.conf
doesn’t conflict in any way (it shouldn’t but just check to be sure)


#5

Removed IfModule line, restarted apache, same result.

I am wondering if my problem is at the Cloudflare level somehow. The certificate offered in chrome / at ssllabs does not match my newly created cert on the machine.

– edit –

disregard last statement, I’m not reading UTC timestamps correctly.


#6

I suppose you mean lines, because that appears several times in several conf files.

I’m sorry but I’m leaving right now, some community buddies could help you out but just in case, you can tar your apache conf and upload it somewhere, or leave it in your server and post the url and tonight or tomorrow morning I will take a look:

tar zcvf /var/www/html/httpd-conf.tar.gz /etc/httpd/

So we can get it using http://workwebpage.com/httpd-conf.tar.gz

Cheers,
sahsanu


#7

Thank you for your help so far, @sahsanu

In chrome, when I visit https://workwebpage.com, it did not give the pem file that certbot created. Which I found odd. I searched my machine for files containing the publicly available cert.

I found /etc/pki/tls/certs/localhost.crt matched what was hosted, which is not what I expected.

I tracked that down in apache’s config. Appears I tried to set up the server with OpenSSL at some time in the past, and hadn’t removed that from the apache config. It was in /etc/httpd/conf.d/ssl.conf. Derp.

Redirected the links in /etc/httpd/conf.d/ssl.conf to now point to:

SSLCertificateFile /etc/letsencrypt/live/workwebpage.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/workwebpage.com/privkey.pem

And now everything seems copacetic. Again, thank you for your help. Hopefully if anyone else has a similar problem, this thread can help them track the issue down.
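The root cause in this thread was that the certificate Apache actually presented (from a forgotten ssl.conf) was not the one certbot wrote, and the attempts in #2 could not succeed because they edited the wrong vhost. The check below, an added example that is not part of the thread or of certbot, does what the poster did by hand: it fingerprints the served chain and the on-disk fullchain.pem (the same SHA-256-over-DER value `openssl x509 -fingerprint -sha256` prints) and reports whether the leaf matches and whether an intermediate was sent at all. The PEM blobs inside are constructed placeholders so it runs offline; for a real host, feed it the output of `openssl s_client -showcerts` or the `fetch_served_leaf` helper (network only, leaf only).

```python
import base64
import hashlib
import re
import ssl

# Matches each certificate in a PEM bundle (cert.pem, chain.pem, fullchain.pem, s_client output).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 over the DER encoding, colon-separated uppercase hex (openssl's -fingerprint format)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(served_pem, local_fullchain_pem):
    """Compare what a server presents with what certbot wrote and list concrete findings."""
    served = [fingerprint(d) for d in pem_to_ders(served_pem)]
    expected = [fingerprint(d) for d in pem_to_ders(local_fullchain_pem)]
    findings = []
    if not expected:
        findings.append("local fullchain.pem contains no certificate")
    elif not served:
        findings.append("server presented no certificate")
    elif served[0] != expected[0]:
        # The symptom from this thread: another config file (e.g. conf.d/ssl.conf) wins the handshake.
        findings.append("served leaf is not the certbot leaf: another vhost or config file is being used")
    if len(served) < 2:
        # The 'install an intermediate' symptom: only the leaf went over the wire.
        findings.append("no intermediate sent: point SSLCertificateFile at fullchain.pem")
    elif expected and served[1:] != expected[1:]:
        findings.append("intermediate sent differs from the one in fullchain.pem")
    return {"served": served, "expected": expected, "findings": findings}


def fetch_served_leaf(host, port=443):
    """Network helper (not exercised offline): the leaf PEM the server presents for `host` via SNI."""
    return ssl.get_server_certificate((host, port))


def _fake_pem(blob):
    """Wrap arbitrary bytes as a PEM block. Constructed placeholder, not a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(blob).decode() + "-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for the files named in the thread.
LE_LEAF = _fake_pem(b"constructed placeholder: certbot leaf for workwebpage.com")
LE_INTERMEDIATE = _fake_pem(b"constructed placeholder: Let's Encrypt intermediate")
STALE_LOCALHOST_CRT = _fake_pem(b"constructed placeholder: /etc/pki/tls/certs/localhost.crt")
FULLCHAIN_PEM = LE_LEAF + LE_INTERMEDIATE


def before_fix():
    """ssl.conf still points at localhost.crt: wrong leaf, no intermediate."""
    return diagnose(STALE_LOCALHOST_CRT, FULLCHAIN_PEM)


def after_fix():
    """ssl.conf points at fullchain.pem: served chain equals the on-disk chain."""
    return diagnose(FULLCHAIN_PEM, FULLCHAIN_PEM)


if __name__ == "__main__":
    for label, result in (("before", before_fix()), ("after", after_fix())):
        print(label, result["findings"] or ["OK: served chain matches fullchain.pem"])
```

With real input, `diagnose(open("served.pem").read(), open("/etc/letsencrypt/live/workwebpage.com/fullchain.pem").read())` gives the same two-line answer the four online checkers gave in #2, but also says which of the two problems you have, which is what decides whether to edit the certbot vhost or go looking for another config file.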

