Certbot is issuing a self-signed cert, and not a signed cert.
My domain is: ottawakaraoke.ca
I ran this command:
sudo /usr/local/bin/certbot-auto --apache
It produced this output:
Congratulations…
My web server is (include version):
Server version: Apache/2.4.10 (Debian)
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
Debian 8 (Jessie)
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I have root server access
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.40.1
rg305
November 8, 2019, 2:40am
2
Please show:
certbot-auto certificates
Found the following certs:
Certificate Name: canadakaraoke.com
Domains: canadakaraoke.com www.canadakaraoke.com www.ottawakaraoke.ca
Expiry Date: 2020-02-06 01:02:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/canadakaraoke.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/canadakaraoke.com/privkey.pem
Certificate Name: www.ottawakaraoke.ca
Domains: www.ottawakaraoke.ca
Expiry Date: 2020-02-06 01:34:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.ottawakaraoke.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.ottawakaraoke.ca/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rg305
November 8, 2019, 3:00am
4
You have not obtained a cert to cover this name:
You have two certs; and both cover:
ianarman1:
www.ottawakaraoke.ca
If you browse to the website the cert is showing as invalid:
rg305
November 8, 2019, 3:02am
6
Please use the following link: ottawakaraoke.ca
rg305
November 8, 2019, 3:04am
8
It has no choice but to serve you with that "catch-all" cert.
rg305
November 8, 2019, 3:07am
10
Ready to “fix” the problem?
[you do see the problem… right?]
Hello,
I have reviewed the SSL labs.
I ran the following command, chose “reinstall” and was still issued with the same cert.
sudo /usr/local/bin/certbot-auto --apache -d ottawakaraoke.ca
Yes, please @rg305 , I appreciate your guidance.
I think it’s because my pre-installed config has Debian 8, and not Ubuntu 16, I’m experiencing this strange config.
rg305
November 8, 2019, 3:12am
12
If you’re willing to “go under the hood” (just a bit), this may be the quickest solution:
Step 1: Obtain a cert with both names:
sudo /usr/local/bin/certbot-auto certonly --apache -d ottawakaraoke.ca -d www.ottawakaraoke.ca
[show results (again) with: certbot-auto certificates]
Hello @rg305
If you’re willing to “go under the hood” (just a bit), this may be the quickest solution:
Step 1: Obtain a cert with both names:
I ran the following command.
sudo /usr/local/bin/certbot-auto certonly --apache -d ottawakaraoke.ca -d www.ottawakaraoke.ca
Here is the output from sudo /usr/local/bin/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: canadakaraoke.com
Domains: canadakaraoke.com www.canadakaraoke.com www.ottawakaraoke.ca
Expiry Date: 2020-02-06 01:02:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/canadakaraoke.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/canadakaraoke.com/privkey.pem
Certificate Name: ottawakaraoke.ca
Domains: ottawakaraoke.ca www.ottawakaraoke.ca
Expiry Date: 2020-02-06 02:12:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
Certificate Name: www.ottawakaraoke.ca
Domains: www.ottawakaraoke.ca
Expiry Date: 2020-02-06 01:34:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.ottawakaraoke.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.ottawakaraoke.ca/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@vps258057:/etc/apache2/sites-enabled#
If you visit the link again ottawakaraoke.ca , you will notice that there is 'mixed content'.
Let me attempt a fix...
rg305
November 8, 2019, 3:21am
14
Perfect!
[ I was a bit skeptical about that success as you have failed to mention that your site is running WordPress]
Step 2: Use the new cert.
(A) Locate the vhost config that is using the “www” cert
grep -Eri 'www.ottawakaraoke.ca' /etc/apache2/
or
grep -Eri 'fullchain.pem|privkey.pem' /etc/apache2/
[show output]
(B) Modify file found in (2A) replacing sections relating to which cert is being used.
edit file:
/etc/apache2/sites-available/wordpress-le-ssl.conf
replacing portion of cert lines with new cert info:
/etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
/etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
(C) Restart Apache
systemctl restart apache2
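An added example, not part of the original posts: a small Python check for the mismatch that Step 2 is correcting, namely a vhost whose SSLCertificateFile points at a lineage that does not list every ServerName/ServerAlias it serves. The certbot listing is trimmed from the output earlier in the thread; the vhost text is constructed, and its ServerName and active certificate path are assumptions.

```python
# Constructed sample: `certbot-auto certificates` listing before the two-name cert existed.
CERTBOT_OUTPUT = """\
Certificate Name: canadakaraoke.com
Domains: canadakaraoke.com www.canadakaraoke.com www.ottawakaraoke.ca
Certificate Path: /etc/letsencrypt/live/canadakaraoke.com/fullchain.pem
Certificate Name: www.ottawakaraoke.ca
Domains: www.ottawakaraoke.ca
Certificate Path: /etc/letsencrypt/live/www.ottawakaraoke.ca/fullchain.pem
"""

# Constructed vhost: ServerName and the active cert path are assumptions.
VHOST = """\
<VirtualHost *:443>
    ServerName ottawakaraoke.ca
    ServerAlias www.ottawakaraoke.ca
    SSLCertificateFile /etc/letsencrypt/live/www.ottawakaraoke.ca/fullchain.pem
    #SSLCertificateFile /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
</VirtualHost>
"""

def lineages(text):
    """Map each Certificate Path to the set of names on its Domains line."""
    out, domains = {}, set()
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domains":
            domains = set(value.lower().split())
        elif key == "Certificate Path":
            out[value.strip()] = domains
    return out

def covers(san, host):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered_names(vhost_text, certs):
    """Return the vhost names that the configured SSLCertificateFile does not cover."""
    names, cert_path = [], None
    for line in vhost_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):   # skip blanks and commented-out directives
            continue
        directive = parts[0].lower()
        if directive in ("servername", "serveralias"):
            names += [n.lower() for n in parts[1:]]
        elif directive == "sslcertificatefile":
            cert_path = parts[1]
    sans = certs.get(cert_path, set())
    return [n for n in names if not any(covers(s, n) for s in sans)]

if __name__ == "__main__":
    print(uncovered_names(VHOST, lineages(CERTBOT_OUTPUT)))
```

An empty list means every name the vhost answers for is listed in the certificate it serves; any name returned will produce a browser name-mismatch warning.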
@rg305 , I have been working with WordPress for a long time, and learned a lot.
grep -Eri 'www.ottawakaraoke.ca' /etc/apache2/
/etc/apache2/sites-available/wordpress.conf:ServerAlias www.ottawakaraoke.ca
/etc/apache2/sites-available/wordpress.conf:RewriteCond %{SERVER_NAME} =www.ottawakaraoke.ca [OR]
/etc/apache2/sites-available/wordpress-le-ssl.conf:ServerAlias www.ottawakaraoke.ca
apache restarted by sudo systemctl restart apache2
the website is still showing as "not secure" ottawakaraoke.ca
rg305
November 8, 2019, 3:35am
16
We are not done yet - we’re still on 2B.
^^^ Please review my previous post; as that is where I’m updating the steps to follow ^^^
grep -Eri 'fullchain.pem|privkey.pem' /etc/apache2/
/etc/apache2/sites-available/wordpress-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
/etc/apache2/sites-available/wordpress-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
/etc/apache2/sites-available/wordpress-le-ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
/etc/apache2/sites-available/wordpress-le-ssl.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
I also replaced the 2A, although it was using the same full path.
SSLCertificateFile /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
#SSLCertificateFile /etc/letsencrypt/live/ottawakaraoke.ca/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/ottawakaraoke.ca/privkey.pem
rg305
November 8, 2019, 3:44am
18
My eyes must be crossed.
Those lines look the same.
anywho - move to step 2C
They are the same, I only changed it to show you I looked at the file.
I have restarted the apache server, and the website is still showing as “not secure”