MusNik
August 6, 2019, 2:05pm
Hello! Just installed a certificate on my site but it seems not working, saying that “certificate is self-signed”.
My domain is: keevee.games
I ran this command: certbot-auto --apache
It produced this output: Congratulations! You have successfully enabled https://keevee.games (no errors)
My web server is: Apache 2.4.6
The operating system my web server runs on is: CentOS 7
My hosting provider: VPS
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
The version of my client is: 0.36.0
Phil
August 6, 2019, 3:08pm
Hi @MusNik ,
Welcome to the community forum!
I too can see that your apache webserver is serving up a self signed cert.
$ echo | openssl s_client -connect keevee.games:443 -servername keevee.games 2>&1 | openssl x509 -noout -issuer
issuer=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = keevee.games, emailAddress = root@keevee.games
Have you tried gracefully restarting apache and checking if the Let’s Encrypt issued certificate is served up?
sudo apachectl -k graceful
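The check Phil ran above, wrapped as an added example (not part of the thread or of any Let’s Encrypt tooling) so the result is a classification instead of an issuer line to eyeball. A certificate whose issuer DN equals its subject DN is self-signed, which is exactly what the browser message in the first post reports. `fetch_cert_names` needs network access and the openssl CLI; `classify_cert` works offline on the `subject=` / `issuer=` lines that `openssl x509 -noout -subject -issuer` prints (both the `C = --, ST = ...` and the older `/C=--/ST=...` formats start with those prefixes). The `CHECK_HOST` variable and the sample DN string are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: classify the certificate a server hands out
# as self-signed (issuer DN == subject DN) or CA-issued.

# Fetch the leaf certificate a TLS client receives for HOST (with SNI) and print
# its subject and issuer lines. Needs network access and the openssl CLI.
fetch_cert_names() {
  host="$1"
  echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Read "subject=..." / "issuer=..." lines from stdin and print one of
# SELF_SIGNED (exit 1), CA_ISSUED (exit 0) or UNKNOWN (exit 2, no cert parsed).
classify_cert() {
  subject=""
  issuer=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      subject=*) subject="${line#subject=}" ;;
      issuer=*)  issuer="${line#issuer=}" ;;
    esac
  done
  if [ -z "$subject" ] || [ -z "$issuer" ]; then
    echo "UNKNOWN"
    return 2
  fi
  if [ "$subject" = "$issuer" ]; then
    echo "SELF_SIGNED"
    return 1
  fi
  echo "CA_ISSUED"
  return 0
}

# Constructed sample: the DN from the issuer line Phil posted, used as both
# subject and issuer (a self-signed cert, like the default mod_ssl localhost.crt).
SAMPLE_SELF_SIGNED='subject=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = keevee.games, emailAddress = root@keevee.games
issuer=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = keevee.games, emailAddress = root@keevee.games'

# Offline demo on the constructed sample (prints SELF_SIGNED).
printf '%s\n' "$SAMPLE_SELF_SIGNED" | classify_cert || true

# Live check, only when CHECK_HOST is set (hypothetical variable for this example):
#   CHECK_HOST=keevee.games sh check_cert.sh
if [ -n "${CHECK_HOST:-}" ]; then
  fetch_cert_names "$CHECK_HOST" | classify_cert || true
fi
```

After a config change, run the live check once more after `apachectl -k graceful`; a result of `CA_ISSUED` with the Let’s Encrypt issuer confirms the right vhost is now answering for the name.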
MusNik
August 6, 2019, 3:19pm
Gracefully restarted apachectl, nothing changed.
Phil
August 6, 2019, 3:31pm
Can you share the output of
apachectl -S
and your vhost config for keevee.games
MusNik
August 6, 2019, 3:45pm
Here is the output:
VirtualHost configuration:
*:80 keevee.games (/etc/httpd/conf/httpd.conf:44)
*:443 is a NameVirtualHost
default server keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost keevee.games (/etc/httpd/conf/httpd-le-ssl.conf:2)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
conf/httpd.conf:
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName keevee.games
RewriteEngine on
RewriteCond %{SERVER_NAME} =keevee.games
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
conf/httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName keevee.games
SSLCertificateFile /etc/letsencrypt/live/keevee.games/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/keevee.games/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/keevee.games/chain.pem
</VirtualHost>
</IfModule>
conf.d/ssl.conf
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Phil
August 6, 2019, 4:10pm
It appears that your conf.d/ssl.conf _default_:443 vhost is being served up first which includes the self-signed
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
I would suggest temporarily moving that file out of the way, gracefully restarting apache, and verifying with openssl and apachectl -S that your correct vhost config is actually being served.
Hi @MusNik
there you see the problem:
you have two different configurations with the same port and the same domain name.
Merge these into one vHost and remove the other. Then restart your server.
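The diagnosis Phil and JuergenAuer made by reading `apachectl -S` output, turned into an added example (not from the thread or from Apache/certbot) that flags any port on which the same ServerName is defined in more than one place. Apache uses the first matching definition it parsed, which is why the self-signed `_default_:443` vhost in `conf.d/ssl.conf` won over the certbot-written one in `conf/httpd-le-ssl.conf`. The sample input is the relevant part of the output MusNik posted, embedded as a constructed string; the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread: detect duplicate name-based vhosts in
# `apachectl -S` output (same port, same ServerName, more than one config file).

# Read `apachectl -S` output from stdin. For every "port P namevhost NAME (FILE:LINE)"
# line, group by port and name; print "P NAME FILE:LINE,FILE:LINE,..." for each
# duplicate (the first listed location is the one Apache actually serves).
# Exit status 1 if any duplicate was found, 0 otherwise.
find_duplicate_vhosts() {
  awk '
    $1 == "port" && $3 == "namevhost" {
      key = $2 " " $4
      loc = $5
      gsub(/[()]/, "", loc)
      count[key]++
      where[key] = (count[key] == 1) ? loc : where[key] "," loc
    }
    END {
      dup = 0
      for (k in count) {
        if (count[k] > 1) {
          print k " " where[k]
          dup = 1
        }
      }
      exit dup
    }'
}

# Constructed sample: the vhost section of the apachectl -S output posted above.
SAMPLE_APACHECTL_S='VirtualHost configuration:
*:80                   keevee.games (/etc/httpd/conf/httpd.conf:44)
*:443                  is a NameVirtualHost
         default server keevee.games (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost keevee.games (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost keevee.games (/etc/httpd/conf/httpd-le-ssl.conf:2)
ServerRoot: "/etc/httpd"'

# Usage on a live server:  apachectl -S 2>&1 | find_duplicate_vhosts
# Offline demo on the constructed sample:
if printf '%s\n' "$SAMPLE_APACHECTL_S" | find_duplicate_vhosts; then
  echo "no duplicate name-based vhosts"
else
  echo "duplicate vhosts listed above: keep one definition per port and ServerName, then apachectl -k graceful"
fi
```

Run it again after merging or removing the extra `<VirtualHost>` block; the output should be empty and the exit status 0 before you re-check the served certificate with openssl.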
MusNik
August 6, 2019, 4:29pm
Thank you, @Phil , @JuergenAuer
You are right, the problem was because of a vHost duplicate. I fixed that by deleting the VirtualHost _default_:443 part from the conf.d/ssl.conf file.