Certbot created certificate, still domain is not via https:// available

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ads.optiopay.com

I ran this command: certbot certonly --webroot -w /var/www/html -d ads.optiopay.com

It produced this output:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ads.optiopay.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ads.optiopay.com/privkey.pem
    Your certificate will expire on 2021-12-28. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

My web server is (include version): Webmin, LAMP, Debian 11

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hi @OptioB, welcome to the LE community forum :slight_smile:

There is definitely something weird going on there.

openssl s_client -connect ads.optiopay.com:443 -servername ads.optiopay.com
CONNECTED(00000198)
depth=0 C = DE, ST = Denial, L = Munich, O = Dis, CN = 173.212.240.164
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Denial, L = Munich, O = Dis, CN = 173.212.240.164
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/C=DE/ST=Denial/L=Munich/O=Dis/CN=173.212.240.164
   i:/C=DE/ST=Denial/L=Munich/O=Dis/CN=173.212.240.164
---

The newly acquired cert is not being used :frowning:

Doesn't Webmin have a menu choice to obtain a cert/TLS/SSL/enable HTTPS ?
Are there any other secured sites on that system (or is this the first one)?

Thanks for the ultra fast reply. I checked Webmin, but actually requesting a certificate there does not work either… very strange

Failed to request certificate : No virtual host matching 173.212.240.164 was found

In my first attempt I just followed these instructions:
https://www.server-world.info/en/note?os=Debian_11&p=ssl&f=2

Points 1 & 2

That is the first page @rg305

The ServerName must not be an IP.

You already got the cert.
The problem now is getting the system to use it.

You could go under the hood and update Apache manually.
[but that goes against the whole point of using a control panel - Webmin]
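Added example (not part of the thread, and not code from Certbot, Webmin or Apache): a small Python check that reads an Apache vhost file and reports every SSL-enabled `<VirtualHost>` whose certificate directives do not point at the Certbot live directory shown in the output above. The sample configuration and its self-signed file paths are constructed for illustration; `audit_vhosts` is a hypothetical helper name.

```python
import re

# Constructed sample of an SSL vhost file; the self-signed paths are made up.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName ads.optiopay.com
    DocumentRoot /var/www/html
    SSLEngine on
    # SSLCertificateFile /etc/letsencrypt/live/ads.optiopay.com/fullchain.pem
    SSLCertificateFile    /etc/ssl/certs/selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/selfsigned.key
</VirtualHost>
</IfModule>
"""

# Directive (lower-cased) -> file name Certbot writes under live/<domain>/
EXPECTED = {
    "sslcertificatefile": "fullchain.pem",
    "sslcertificatekeyfile": "privkey.pem",
}

def audit_vhosts(conf_text, domain, live_root="/etc/letsencrypt/live"):
    """Return (vhost, directive, found_path, expected_path) for each mismatch."""
    findings, vhost, seen = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect on the server
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif line.lower().startswith("</virtualhost") and vhost is not None:
            if seen.get("sslengine", "").lower() == "on":
                for name, filename in EXPECTED.items():
                    want = f"{live_root}/{domain}/{filename}"
                    got = seen.get(name)  # None when the directive is missing
                    if got != want:
                        findings.append((vhost, name, got, want))
            vhost = None
        elif vhost is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                seen[parts[0].lower()] = parts[1].strip().strip('"')
    return findings

if __name__ == "__main__":
    for vhost, name, got, want in audit_vhosts(SAMPLE_CONF, "ads.optiopay.com"):
        print(f"{vhost}: {name} is {got!r}, expected {want!r}")
```
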

I also tried creating a new cert, via webmin instead of certbot, which should automatically apply it. I followed these instructions, but it did not work: Webmin – Let’s encrypt Zertifikat erstellen | goNeuland

That's funny, I tried this guide https://www.howtoforge.de/anleitung/wie-installiert-man-webmin-und-sichert-es-mit-lets-encrypt-ssl-auf-ubuntu-2004-lts/

Now the cert works for the port :10000 https://ads.optiopay.com:10000 but not without the port for the general site :confused:

You might get a clue and begin to unravel this with the output of:
sudo apachectl -t -D DUMP_VHOSTS

Also, confirmed (port 10000):

---
Certificate chain
 0 s:/CN=ads.optiopay.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Thanks @rg305.

That is the output:

root@ads:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   ads.optiopay.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  ads.optiopay.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

I don't see port 10000 in there.
Is there a NAT/PAT device inline (like a firewall)?

And let's have a look at file:

Hi rg305, reinstalled the OS, downgraded from Debian 11 to Debian 10. This way I could use certbot's automatic apache configuration. Which worked!
ads.optiopay.com is now secure :wink:

Thank you very much for your help!

Huh? Why would a downgrade of Debian from 11 to 10 help in that regard? Wouldn't Certbot - Debiantesting Apache work too?

Hey everyone, sorry for the delay in my answer. It actually might have been just a failure on my side in operating. I did not know that Debian 11 equals Debian testing / unstable in Certbot, that's why I chose Certbot - Debianbuster Apache + the command in step 7: certbot --apache
Which led to a failure message, certs were created but the configuration did not work. I don't know why.
It just turned out that after downgrading to Debian 10 and doing the same steps, it worked perfectly.
