MusNik
August 6, 2019, 2:05pm
#1
Hello! Just installed a certificate on my site but it seems not to be working, saying that “certificate is self-signed”.
My domain is: keevee.games
I ran this command: certbot-auto --apache
It produced this output: Congratulations! You have successfully enabled https://keevee.games (no errors)
My web server is: Apache 2.4.6
The operating system my web server runs on is: CentOS 7
My hosting provider: VPS
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
The version of my client is: 0.36.0
Phil
August 6, 2019, 3:08pm
#2
Hi @MusNik,
Welcome to the community forum!
I too can see that your apache webserver is serving up a self signed cert.
$ echo | openssl s_client -connect keevee.games:443 -servername keevee.games 2>&1 | openssl x509 -noout -issuer
issuer=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = keevee.games, emailAddress = root@keevee.games
Have you tried gracefully restarting apache and checking if the Let’s Encrypt issued certificate is served up?
sudo apachectl -k graceful
1 Like
MusNik
August 6, 2019, 3:19pm
#3
Gracefully restarted apachectl, nothing changed.
Phil
August 6, 2019, 3:31pm
#4
Can you share the output of apachectl -S and your vhost config for keevee.games
MusNik
August 6, 2019, 3:45pm
#5
Here is the output:
VirtualHost configuration:
*:80 keevee.games (/etc/httpd/conf/httpd.conf:44)
*:443 is a NameVirtualHost
default server keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf/httpd-le-ssl.conf:2)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
conf/httpd.conf:
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName keevee.games
RewriteEngine on
RewriteCond %{SERVER_NAME} =keevee.games
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
conf/httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName keevee.games
SSLCertificateFile /etc/letsencrypt/live/keevee.games/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/keevee.games/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/keevee.games/chain.pem
</VirtualHost>
</IfModule>
conf.d/ssl.conf
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Phil
August 6, 2019, 4:10pm
#6
It appears that your conf.d/ssl.conf _default_:443 vhost is being served up first which includes the self-signed
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
I would suggest temporarily moving that file out of the way, gracefully restarting apache, and verifying with openssl and apachectl -S that your correct vhost config is actually being served.
2 Likes
Hi @MusNik
there you see the problem:
you have two different configurations with the same port and the same domain name.
Merge these into one vHost and remove the other. Then restart your server.
3 Likes
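The duplicate pointed out in the replies above can be found mechanically. The following is an added example, not part of any post in this thread: a shell function that reads apachectl -S output and reports every name-based vhost hidden behind an earlier vhost with the same port and ServerName (Apache uses the first match in configuration order). The names find_shadowed_vhosts and sample_output are made up for this example, the sample is copied from the output posted in #5, and ServerAlias entries are not compared.

```shell
#!/bin/sh
# Added example: report name-based vhosts that are shadowed by an earlier
# vhost with the same port and ServerName in `apachectl -S` output.

# Reads `apachectl -S` output on stdin; prints one line per shadowed vhost:
#   <port> <name> served=<file:line> shadowed=<file:line>
find_shadowed_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4                 # port + ServerName
            loc = $5
            gsub(/[()]/, "", loc)           # "(file:line)" -> "file:line"
            if (key in first)
                print key, "served=" first[key], "shadowed=" loc
            else
                first[key] = loc            # first match in config order wins
        }
    '
}

# Sample input: the vhost lines from the apachectl -S output posted in #5.
sample_output() {
    cat <<'EOF'
VirtualHost configuration:
*:80 keevee.games (/etc/httpd/conf/httpd.conf:44)
*:443 is a NameVirtualHost
default server keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf/httpd-le-ssl.conf:2)
EOF
}

# Stand-alone run on the sample.
# On a live host: apachectl -S 2>&1 | find_shadowed_vhosts
sample_output | find_shadowed_vhosts
```

An empty result means no two vhosts share a port and ServerName; any line printed names the file whose certificate settings are being ignored.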
MusNik
August 6, 2019, 4:29pm
#8
Thank you, @Phil, @JuergenAuer
You are right, the problem was because of a vHost duplicate. I fixed that by deleting the VirtualHost _default_:443 part from the conf.d/ssl.conf file
2 Likes