Certbot created certificate, still domain is not via https:// available

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ads.optiopay.com

I ran this command: certbot certonly --webroot -w /var/www/html -d ads.optiopay.com

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your certificate will expire on 2021-12-28. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

My web server is (include version): Webmin, LAMP, Debian 11

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hi @OptioB, welcome to the LE community forum :slight_smile:

There is definitely something weird going on there.

openssl s_client -connect ads.optiopay.com:443 -servername ads.optiopay.com
depth=0 C = DE, ST = Denial, L = Munich, O = Dis, CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Denial, L = Munich, O = Dis, CN =
verify return:1
Server did acknowledge servername extension.
Certificate chain
 0 s:/C=DE/ST=Denial/L=Munich/O=Dis/CN=

The newly acquired cert is not being used :frowning:

Doesn't Webmin have a menu choice to obtain a cert/TLS/SSL/enable HTTPS ?
Are there any other secured sites on that system (or is this the first one)?

Thanks for ultra fast reply. I checked webmin but actually requesting a certificate their does not work either… very strange

Failed to request certificate : No virtual host matching was found

In my first attempt I just followed these instructions:

Points 1 & 2

That is the first page @rg305

The ServerName must not be an IP.

You already got the cert.
The problem now is getting the system to use it.

You could go under the hood and update Apache manually.
[but that goes against the whole point of using a control panel - Webmin]

I also tried creating a new cert, via webmin instead of certbot, which should automatically apply it. I followed these instructions, but it did not work: Webmin – Let’s encrypt Zertifikat erstellen | goNeuland

That's funny, I tried this guide https://www.howtoforge.de/anleitung/wie-installiert-man-webmin-und-sichert-es-mit-lets-encrypt-ssl-auf-ubuntu-2004-lts/

Now the cert works for the port :10000 https://ads.optiopay.com:10000 but not without the port for the general site :confused:

You might get a clue and begin to unravel this with the output of:
sudo apachectl -t -D DUMP_VHOSTS

Also, confirmed (port 10000):

Certificate chain
 0 s:/CN=ads.optiopay.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Thanks @rg305.

That is the output:

root@ads:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   ads.optiopay.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  ads.optiopay.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

I don't see port 10000 in there.
Is there a NAT/PAT device inline (like a firewall)?

And let's have a look at file:

Hi rg305, reinstalled the OS, downgraded from Debian 11 to Debian 10. This way I could use certbot's automatic apache configuration. Which worked!
ads.optiopay.com is now secure :wink:

Thank you very much for you help!

1 Like

Huh? Why would a downgrade of Debian from 11 to 10 help with that regard? Wouldn't Certbot - Debiantesting Apache work too?

1 Like

Hey everyone, sorry for the delay in my answer. It actually might have been just a failure on my side in operating. I did not know that Debian 11 equals in Certbot Debian testing / unstable, thats why I choose Certbot - Debianbuster Apache + the command in step 7: certbot --apache
Which led to a failure message, certs were created but the configuration did not work. I don't know why.
It just turnt out after downgrading to Debian 10, doing the same steps with that it worked perfectly

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.