Certbot creating self signed certificate

I have two domains on my server. On the 1st domain, mgjuddltd.co.uk, certbot --apache sets up a valid and happy SSL certificate and https instance; when I re-run it for phillw.net, the result is that a self-signed certificate is generated / used, thus browsers complain!!! Any ideas as to how to correct this? CentOS v7.6, httpd (apache).

Hi @phillw

There is a self-signed certificate ( https://check-your-website.server-daten.de/?q=phillw.net ):

E=root@phillw.net, CN=phillw.net,
OU=SomeOrganizationalUnit, O=SomeOrganization,
L=SomeCity, S=SomeState, C=--
valid from 03.07.2018
valid until 03.07.2019
expires in 71 days

Perhaps there are different vHosts. Certbot configures one - your server uses another.

What says

certbot certificates
apachectl -S

Your port 443 vHost may use the standard 443 vHost, not the individual vHost.

certbot certificates
Found the following certs:
Certificate Name: mgjuddltd.co.uk-0002
Domains: mgjuddltd.co.uk www.mgjuddltd.co.uk
Expiry Date: 2019-07-19 10:20:11+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/mgjuddltd.co.uk-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mgjuddltd.co.uk-0002/privkey.pem
Certificate Name: phillw.net-0003
Domains: phillw.net www.phillw.net
Expiry Date: 2019-07-19 10:39:22+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/phillw.net-0003/fullchain.pem
Private Key Path: /etc/letsencrypt/live/phillw.net-0003/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/mgjuddltd.co.uk-0001.conf
/etc/letsencrypt/renewal/mgjuddltd.co.uk.conf
/etc/letsencrypt/renewal/phillw.net-0001.conf
/etc/letsencrypt/renewal/phillw.net-0002.conf
/etc/letsencrypt/renewal/phillw.net.conf

apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server phillw.net (/etc/httpd/conf/httpd.conf:355)
port 80 namevhost phillw.net (/etc/httpd/conf/httpd.conf:355)
alias www.phillw.net
port 80 namevhost mgjuddltd.co.uk (/etc/httpd/conf/httpd.conf:371)
alias www.mgjuddltd.co.uk
*:443 is a NameVirtualHost
default server phillw.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost phillw.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost mgjuddltd.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.mgjuddltd.co.uk
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Looks like you have two vHosts with the same name. So the default one with the self-signed certificate is used.

--> change the name of your default vHost.

Default changed; now neither site is accessible :confused:
apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server phillw.net (/etc/httpd/conf/httpd.conf:355)
port 80 namevhost phillw.net (/etc/httpd/conf/httpd.conf:355)
alias www.phillw.net
port 80 namevhost mgjuddltd.co.uk (/etc/httpd/conf/httpd.conf:375)
alias www.mgjuddltd.co.uk
*:443 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost mgjuddltd.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.mgjuddltd.co.uk
port 443 namevhost phillw.net (/etc/httpd/conf/httpd-le-ssl.conf:22)
alias www.phillw.net
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Now you have a duplicated port 80

and a duplicated port 443.

Every combination port + servername should be unique.

Taking this one step at a time, there is ONE instance of example.com in /etc/httpd/conf.d/ssl.conf:

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443

So, the question is… how do I remove the duplicated port 443?

I have tried
ServerName www.example.com
still gives
default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)

I have had to reset back to normal (non https) as it is bed time for me and the sites need to be available in the morning.
