Certbot not working with CentOS 6

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: corp.appvision.net and support.appvision.net

I ran this command: ./certbot-auto certonly --cert-name corp.appvision.net -d support.appvision.net

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: support.appvision.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    8f5445b3c6d80baea32e62aad1933d8f.7d91bc19e853fb64b44cfd7ad2a590df.acme.invalid
    from 104.197.131.45:443. Received 2 certificate(s), first
    certificate had names “corp.appvision.net”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): Centos 6.9

My hosting provider, if applicable, is: SiteGround

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel

Are you trying to expand your existing cert for corp.appvision.net to also cover support.appvision.net? If so, you should list both domains in the -d option eg ./certbot-auto certonly --cert-name corp.appvision.net -d support.appvision.net,corp.appvision.net

If that doesn’t help, could you please post the output of apachectl -S?

Hi,

The way you used certbot relies on tls-sni-01 challenge. However, I do not think that this challenge can be used in cPanel environments.

You probably want to use the http-01/webroot challenge and point to the public_html directory of your cPanel account.

Please refer to the relevant Certbot documentation section: https://certbot.eff.org/docs/using.html#webroot

cpanel is just for the Web Hosting. The Apache server is in the Google cloud and all the pages are working. Just trying to get SSL turned on for support.appvision.net

[root@test-devserver1-2 krist]# apachectl -S
[Tue Dec 19 01:29:28 2017] [warn] module deflate_module is already loaded, skipping
[Tue Dec 19 01:29:28 2017] [warn] default VirtualHost overlap on port 443, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 test-devserver1-2.c.third-opus-86816.internal (/etc/httpd/conf.d/ssl.conf:74)
*:443 support.appvision.net (/etc/httpd/conf/httpd.conf:373)
*:80 is a NameVirtualHost
default server corp.appvision.net (/etc/httpd/conf/httpd.conf:359)
port 80 namevhost corp.appvision.net (/etc/httpd/conf/httpd.conf:359)
Syntax OK

Hmm, I think you might need to add to your apache configuration:

NameVirtualHost *:443

if it’s not there already?

Btw, Thanks so much for your help. This has been a frustrating thing with CentOS. We also are in Google Cloud Environment (Compute Engine) and I don’t know if I put that in the earlier thread.

Already have NameVirtualHost *:80 there.

I tried adding in the 443 and it broke the apache config.

Snippet from the httpd.conf

# Use name-based virtual hosting.
NameVirtualHost *:80
NameVirtualHost *:443

THIS IS THE VH Config for the site that I’m trying to enable SSL for. Keeps telling me it doesn’t like the name because the cert I have is for corp.appvision.net, but since they both are appvision.net it should work. It worked on CentOS 7 using multiple domains for one cert and was super easy. Maybe because certbot is actually in the yum repos.

<VirtualHost *:443>
ServerAdmin webmaster@appvision.net
ServerName support.appvision.net
DocumentRoot "/opt/otrs/bin/cgi-bin"
Options FollowSymLinks
DirectoryIndex index.pl

It’s not complaining because you have a cert for the other name. Certbot is trying to configure a temporary virtualhost to respond to the tls-sni-01 challenge, but for some reason your existing vhost for the corp subdomain is taking precedence and preventing the validation server from reaching the temporary vhost.

I thought that might be due to the lack of name based virtual hosting on port 443, which is why I suggested adding that line. In what way did it break your config?

Could you please also post the vhost config for the corp subdomain?
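The explanation above is the heart of the problem: on a port with no NameVirtualHost, Apache 2.2 ignores the name the client sent and hands every connection to the first vhost defined for that address:port, so the temporary vhost Certbot creates for tls-sni-01 is never reached. As an added example (not from the thread, and not Certbot's or Apache's own code), here is a small Python diagnostic that parses the `apachectl -S` dump, records per address:port whether name-based hosting is on, and reports which vhost answers a given server name. The sample output is constructed from what was posted above; the function names and the simplification of ignoring ServerAlias lines are mine.

```python
"""Diagnose name-based virtual hosting from `apachectl -S` output (Apache 2.2).

Added example, not from the thread or from Certbot: the parser, the sample
below and the function names are my own. It records per address:port whether
Apache does name-based hosting there and reports which vhost answers a request
for a given server name (for tls-sni-01, the name sent in SNI by the ACME
validator). ServerAlias lines are ignored as a simplification.
"""
import re

# Constructed sample, modelled on the apachectl -S output posted in the thread.
SAMPLE_OUTPUT = """\
[Tue Dec 19 01:29:28 2017] [warn] module deflate_module is already loaded, skipping
[Tue Dec 19 01:29:28 2017] [warn] default VirtualHost overlap on port 443, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  test-devserver1-2.c.third-opus-86816.internal (/etc/httpd/conf.d/ssl.conf:74)
*:443                  support.appvision.net (/etc/httpd/conf/httpd.conf:373)
*:80                   is a NameVirtualHost
         default server corp.appvision.net (/etc/httpd/conf/httpd.conf:359)
         port 80 namevhost corp.appvision.net (/etc/httpd/conf/httpd.conf:359)
Syntax OK
"""

OVERLAP_WARN = re.compile(r"default VirtualHost overlap on port (\d+)")
NAMEVHOST_PORT = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost$")
IPBASED_VHOST = re.compile(r"^(\S+:\d+)\s+(\S+) \((\S+):(\d+)\)$")
NAMEVHOST_ENTRY = re.compile(
    r"^\s*(?:default server|port \d+ namevhost) (\S+) \((\S+):(\d+)\)$")


def parse_vhost_dump(text):
    """Return (ports, overlaps): ports maps 'addr:port' to
    {"name_based": bool, "hosts": [(ServerName, file, line), ...]} in
    definition order; overlaps is the set of ports Apache warned about."""
    ports, overlaps, current = {}, set(), None
    for line in text.splitlines():
        m = OVERLAP_WARN.search(line)
        if m:
            overlaps.add(int(m.group(1)))
            continue
        m = NAMEVHOST_PORT.match(line)
        if m:  # name-based port; its vhosts follow on indented lines
            current = ports.setdefault(m.group(1), {"name_based": True, "hosts": []})
            current["name_based"] = True
            continue
        m = IPBASED_VHOST.match(line)
        if m:  # IP-based entry: one line per vhost, no NameVirtualHost for it
            entry = ports.setdefault(m.group(1), {"name_based": False, "hosts": []})
            entry["hosts"].append((m.group(2), m.group(3), int(m.group(4))))
            current = None
            continue
        m = NAMEVHOST_ENTRY.match(line)
        if m and current is not None:
            host = (m.group(1), m.group(2), int(m.group(3)))
            if host not in current["hosts"]:  # 'default server' repeats the first namevhost
                current["hosts"].append(host)
    return ports, overlaps


def responder(ports, addr_port, server_name):
    """Vhost that would answer a request for server_name on addr_port, or None."""
    entry = ports.get(addr_port)
    if entry is None or not entry["hosts"]:
        return None
    if entry["name_based"]:
        for host in entry["hosts"]:
            if host[0].lower() == server_name.lower():
                return host
    # IP-based port, or no ServerName matched: the first vhost defined wins
    # whatever name the client sent. This is what hides Certbot's temporary
    # tls-sni-01 vhost behind an earlier vhost on the same port.
    return entry["hosts"][0]


def diagnose(text, server_name, port=443):
    """Human-readable findings for server_name on the given port."""
    ports, overlaps = parse_vhost_dump(text)
    findings = []
    if port in overlaps:
        findings.append("Apache warned about default VirtualHost overlap on port %d" % port)
    for addr_port, entry in ports.items():
        if not addr_port.endswith(":%d" % port):
            continue
        if len(entry["hosts"]) > 1 and not entry["name_based"]:
            first = entry["hosts"][0]
            findings.append("%s is IP-based with %d vhosts and no NameVirtualHost %s, so "
                            "%s (%s:%d) answers every name" % (addr_port, len(entry["hosts"]),
                                                               addr_port, *first))
        who = responder(ports, addr_port, server_name)
        if who is not None:
            findings.append("%s: a request for %s is served by %s (%s:%d)"
                            % (addr_port, server_name, *who))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OUTPUT, "support.appvision.net"):
        print(finding)
```

Run against the sample, `diagnose()` reports the overlap warning, that `*:443` is IP-based with two vhosts, and that a request for support.appvision.net on `*:443` lands on the ssl.conf vhost at line 74 rather than on the support vhost; on `*:80`, where NameVirtualHost is set, the name is honoured. The same check works on your own server by replacing SAMPLE_OUTPUT with the output of `apachectl -S`.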

<VirtualHost *:80>
ServerName corp.appvision.net
DocumentRoot "/var/www/html/framework"
Options FollowSymlinks
#SDH Added

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]


This is the error that it throws after putting in the NameVirtualHost :*443 directive. Even after I commented it out.

[root@test-devserver1-2 krist]# service httpd start
Starting httpd: [Tue Dec 19 16:35:52 2017] [warn] module deflate_module is already loaded, skipping
[Tue Dec 19 16:35:52 2017] [warn] default VirtualHost overlap on port 443, the first has precedence
[FAILED]
[root@test-devserver1-2 krist]#

What’s the output of certbot-auto certificates?

[root@test-devserver1-2 ragediver24]# ./certbot-auto certificates
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.

The certs were done previously through another method, not certbot.
but certbot is downloaded to the vm

Aha! So what was the other method?

https://gethttpsforfree.com/


Ok, that explains how you obtained the other cert. But how did you install it?

I’m guessing this might provide a clue as to why it seems to be interfering with certbot.

I’m assuming the same way. I’m not the one who installed it lol. I believe they followed the process on that site. The certs are contained in /etc/pki/tls/private

Okay. So can you find a reference to that cert in your apache configuration? If so could you post the vhost or file that it occurs in?

We are also using an .htaccess file:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&module=app_strings&lang=$1 [L,QSA]
RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&module=$1&lang=$2 [L,QSA]

<FilesMatch "\.(jpg|png|gif|js|css|ico)$">
Header set ETag ""
Header set Cache-Control "max-age=2592000"
Header set Expires "01 Jan 2112 00:00:00 GMT"
</FilesMatch>

ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"

# BEGIN SUGARCRM RESTRICTIONS
RedirectMatch 403 (?i).*\.log$
RedirectMatch 403 (?i)/+not_imported_.*\.txt
RedirectMatch 403 (?i)/+(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules)/+.*\.(php|tpl)
RedirectMatch 403 (?i)/+emailmandelivery\.php
RedirectMatch 403 (?i)/+upload
RedirectMatch 403 (?i)/+custom/+blowfish
RedirectMatch 403 (?i)/+cache/+diagnostic
RedirectMatch 403 (?i)/+files\.md5$
# END SUGARCRM RESTRICTIONS

HTTPD.CONF FILE:

ServerRoot "/etc/httpd"

DocumentRoot "/var/www/html/framework"

<VirtualHost *:80>
ServerName corp.appvision.net
DocumentRoot "/var/www/html/framework"
Options FollowSymlinks
#SDH Added

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

<VirtualHost *:443>
ServerAdmin webmaster@appvision.net
ServerName support.appvision.net
DocumentRoot "/opt/otrs/bin/cgi-bin"
Options FollowSymLinks
DirectoryIndex index.pl

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

DirectoryIndex deleteme.html

Alias /otrs-web/ "opt/otrs/var/httpd/htdocs/"
<Location "/otrs-web/">
SetHandler default-handler

What I’m not understanding is where the corp.appvision.net certificate is coming from. You said it’s in /etc/pki/tls/private but I don’t see any reference to that directory in the configuration you posted. Maybe it’s in /etc/httpd/conf.d/ssl.conf? Are you sure it’s on that server? Is Apache listening on port 443? lsof -i :443 | grep LISTEN

Where did you put the NameVirtualHost *:443 when you tried it?

oops I sent the wrong file. Here’s the VH block from the ssl.conf file:

<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html/framework"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
#SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/domain.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/domain.key

Okay, and that /etc/pki/tls/certs/domain.crt is the Let’s Encrypt certificate for corp.appvision.net?

Can you confirm that with e.g. openssl x509 -text -in /etc/pki/tls/certs/domain.crt -noout?
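The check asked for above, confirming which names a certificate file actually carries, is easy to automate once you have the output of `openssl x509 -text -noout -in /etc/pki/tls/certs/domain.crt`. The following Python is an added example (mine, not from the thread and not part of Certbot or OpenSSL): it extracts the Subject Alternative Name entries and the subject CN, applies the hostname-matching rule that browsers and ACME validators use, and reads the expiry. The sample text is constructed to match what the validation error in the thread says it received, a certificate naming only corp.appvision.net; the function names are my own.

```python
"""List the names a PEM certificate covers, from `openssl x509 -text` output.

Added example, not from the thread: the parser, the sample below and the
function names are my own. Feed cert_names() the output of
`openssl x509 -text -noout -in /path/to/cert.crt`; covers() applies the
hostname rule browsers and ACME validators use (exact match, or a wildcard
standing for exactly one leftmost label).
"""
import re
from datetime import datetime

# Constructed sample of openssl x509 -text output for a certificate that names
# only corp.appvision.net, which is what the validation error in the thread
# reports having received.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec  1 00:00:00 2017 GMT
            Not After : Mar  1 00:00:00 2018 GMT
        Subject: CN=corp.appvision.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:corp.appvision.net
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# Both the 1.0.x ("CN=x") and 1.1.x ("CN = x") subject layouts are accepted.
SUBJECT_CN = re.compile(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", re.M)
SAN_LINE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)")
NOT_AFTER = re.compile(r"Not After\s*:\s*([^\n]+)")


def cert_names(text):
    """DNS names from the SAN extension, plus the subject CN if not already listed."""
    names = []
    m = SAN_LINE.search(text)
    if m:
        for item in m.group(1).split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                names.append(item[4:].strip().lower())
    m = SUBJECT_CN.search(text)
    if m:
        cn = m.group(1).strip().lower()
        if cn not in names:
            names.append(cn)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or '*.example.com' against one extra label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # same label count, at least two labels after the wildcard, same tail
        return (len(h_labels) == len(p_labels) and len(h_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def covers(names, hostname):
    """True if any name in the certificate is valid for hostname."""
    return any(name_matches(n, hostname) for n in names)


def not_after(text):
    """Expiry as a naive UTC datetime (openssl prints GMT), or None if absent."""
    m = NOT_AFTER.search(text)
    return datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y GMT") if m else None


if __name__ == "__main__":
    names = cert_names(SAMPLE_X509_TEXT)
    print("names:", names, "expires:", not_after(SAMPLE_X509_TEXT))
    for host in ("corp.appvision.net", "support.appvision.net"):
        print(host, "covered" if covers(names, host) else "NOT covered")
```

On the sample this reports corp.appvision.net as covered and support.appvision.net as not covered, which is exactly the mismatch the validator complained about; a certificate that should serve both names has to list both in its SAN extension, since validators and browsers do not treat a shared parent domain as a match.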