Certbot succeeded, but website still showing risk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pdxwater.org

I ran this command:
certbot certonly --webroot -w /var/www/pdxwater.org -d pdxwater.org -d www.pdxwater.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for pdxwater.org and www.pdxwater.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/pdxwater.org/privkey.pem
This certificate expires on 2022-04-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pm2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

1 Like

Can you describe the specific problem further?

Your site is using certificates, although a bit unusually.

When I connect using pdxwater.org I see the cert you created with just that name. See here

But if I connect using www.pdxwater.org I see the cert you created with both your apex and www names. See here (note the SAN list)

That is OK since the cert contains the name in the requested URL, although it indicates you could improve your Apache and certbot config.

3 Likes

Hi, thank you for your reply. I'm getting a warning: potential security risk when I visit both pdxwater.org and www.pdxwater.org

I believe that my config may be causing the problem as I adjusted it to match another config for matthewalbertcole.com without fully understanding the changes I had made.

2 Likes

Let's not change your config just yet. I now see your previous thread and I think best not to repeat those issues. As noted, I don't see a problem - just something less than ideal.

If you clicked the two 'here' links I provided, you can see your certs test fine. In fact, they use the same "chain" as this forum site uses.

Was there any other text with the 'potential security risk' message? What if you click the icon where that appears - do other details display?

What program is showing that message? A browser? What version and operating system?

2 Likes

I don't see any warning now. I don't understand what happened. I swear it wasn't working a couple hours ago, and I didn't change anything. :man_facepalming:

2 Likes

Something is not quite right (yet).
[or at least not as one would expect the defaults to be]

Please show:
certbot certificates
apachectl -t -D DUMP_VHOSTS

1 Like
root@nodejs-s-1vcpu-1gb-nyc3-01:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: matthewalbertcole.com
    Serial Number: 43f4f41e3e9b3ee991fabca5baf754fbd0f
    Key Type: RSA
    Domains: matthewalbertcole.com www.matthewalbertcole.com
    Expiry Date: 2022-04-15 08:46:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
  Certificate Name: pdxwater.org-0001
    Serial Number: 4ec73b8941a86b39d5a0087d72bbf2807e1
    Key Type: RSA
    Domains: pdxwater.org
    Expiry Date: 2022-04-15 12:58:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem
  Certificate Name: pdxwater.org
    Serial Number: 48ea5386612295e99294d270b87c8e600e5
    Key Type: RSA
    Domains: pdxwater.org www.pdxwater.org
    Expiry Date: 2022-04-15 10:51:31+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pdxwater.org/privkey.pem
  Certificate Name: www.matthewalbertcole.com
    Serial Number: 421a0cd44b5f5f69d0dd91f7bd96d2cc4cb
    Key Type: RSA
    Domains: www.matthewalbertcole.com
    Expiry Date: 2022-04-15 12:58:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.matthewalbertcole.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.matthewalbertcole.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@nodejs-s-1vcpu-1gb-nyc3-01:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
         port 443 namevhost www.pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:2)
         port 443 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:12)
*:80                   is a NameVirtualHost
         default server matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
         port 80 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
                 alias www.matthewalbertcole.com
         port 80 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
                 alias www.pdxwater.org

1 Like

This cert has both names on it:

Certificate Name: pdxwater.org
         Domains: pdxwater.org 
              www.pdxwater.org

This cert has only one of the two names [and is unnecessary]:

Certificate Name: pdxwater.org-0001
         Domains: pdxwater.org

This cert has both names on it:

Certificate Name: matthewalbertcole.com
         Domains: matthewalbertcole.com 
              www.matthewalbertcole.com

This cert has only one of the two names [and is unnecessary]:

Certificate Name: www.matthewalbertcole.com
         Domains: www.matthewalbertcole.com
1 Like

Although these files do contain both names, the distance between the names is worth investigating:

port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
port 443 namevhost     matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)

port 443 namevhost www.pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:2)
port 443 namevhost     pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:12)

Let's have a look at both of those files:
/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf
/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf

1 Like
root@nodejs-s-1vcpu-1gb-nyc3-01:/etc/apache2/sites-enabled# cat matthewalbertcole.com-le-ssl.conf 
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin root@matthewalbertcole.com
        DocumentRoot /var/www/matthewalbertcole.com
        ServerName www.matthewalbertcole.com
        Redirect permanent / https://matthewalbertcole.com
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin root@matthewalbertcole.com
        DocumentRoot /var/www/matthewalbertcole.com
        ServerName matthewalbertcole.com

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        SSLEngine on
        SSLProxyEngine on

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf

        ProxyRequests Off
        ProxyPreserveHost On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyRequests Off
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/

        Timeout 600
        ProxyTimeout 600
        SetEnv proxy-nokeepalive 1
        SetEnv proxy-initial-not-pooled 1

        SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
    </VirtualHost>
</IfModule>

root@nodejs-s-1vcpu-1gb-nyc3-01:/etc/apache2/sites-enabled# cat pdxwater.org-le-ssl.conf 
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin root@pdxwater.org
        DocumentRoot /var/www/pdxwater.org
        ServerName www.pdxwater.org
        Redirect permanent / https://pdxwater.org
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/pdxwater.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org/privkey.pem
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin root@pdxwater.org
        DocumentRoot /var/www/pdxwater.org
        ServerName pdxwater.org

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        SSLEngine on
        SSLProxyEngine on

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf

        ProxyRequests Off
        ProxyPreserveHost On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerExpire off
        ProxyRequests Off
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/

        Timeout 600
        ProxyTimeout 600
        SetEnv proxy-nokeepalive 1
        SetEnv proxy-initial-not-pooled 1

        SSLCertificateFile /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem
    </VirtualHost>
</IfModule>

1 Like

The only change I would make is:

 SSLCertificateFile    /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem

TO:

 SSLCertificateFile    /etc/letsencrypt/live/pdxwater.org/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org/privkey.pem

Then delete the two unnecessary certs:
certbot delete --cert-name pdxwater.org-0001
certbot delete --cert-name www.matthewalbertcole.com

2 Likes
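The checks the replies above did by hand (which lineage each SSL vhost serves, whether that lineage covers the requested name, and which lineages nothing references and can therefore be deleted) can be scripted. The following is an added example, not code from the thread, from Certbot or from Apache. It assumes the text of `certbot certificates` and of a `*-le-ssl.conf` file are passed in as strings (the samples embedded here are constructed from the ones posted above), and it models Apache's name-based vhost selection as "first ServerName/ServerAlias match on the port, otherwise the first vhost defined for that port".

```python
"""Cross-check Apache SSL vhosts against certbot lineages (added example)."""
import re

# Constructed sample modelled on the `certbot certificates` output in the thread
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: pdxwater.org-0001
    Domains: pdxwater.org
    Certificate Path: /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
  Certificate Name: pdxwater.org
    Domains: pdxwater.org www.pdxwater.org
    Certificate Path: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
"""

# Constructed sample: the vhost file as posted (second vhost uses the -0001 lineage)
CONF_BEFORE = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.pdxwater.org
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName pdxwater.org
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
</VirtualHost>
</IfModule>
"""
# Constructed sample: the same file after the path change suggested above
CONF_AFTER = CONF_BEFORE.replace("pdxwater.org-0001", "pdxwater.org")


def parse_certbot_certificates(text):
    """Map 'Certificate Path' -> (lineage name, set of domains on that cert)."""
    lineages, name, domains = {}, None, set()
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            name, domains = value.strip(), set()
        elif key == "Domains":
            domains = set(value.split())
        elif key == "Certificate Path":
            lineages[value.strip()] = (name, domains)
    return lineages


def parse_ssl_vhosts(text):
    """Return [(names, cert_path)] for every <VirtualHost>, in definition order."""
    vhosts, current = [], None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        word = parts[0].lower()
        if word.startswith("<virtualhost"):
            current = {"names": [], "cert": None}
        elif word == "</virtualhost>":
            vhosts.append((current["names"], current["cert"]))
            current = None
        elif current is not None and word in ("servername", "serveralias"):
            # strip an optional scheme and :port, e.g. https://example.com:443
            current["names"] += [re.sub(r"^\w+://", "", n).split(":")[0].lower()
                                 for n in parts[1:]]
        elif current is not None and word == "sslcertificatefile":
            current["cert"] = parts[1]
    return vhosts


def name_matches(host, pattern):
    """Exact match, or a single-label wildcard match for '*.example.com'."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def select_vhost(vhosts, host):
    """Apache name-based selection: first name match, else the default (first) vhost."""
    for names, cert in vhosts:
        if any(name_matches(host, n) for n in names):
            return names, cert
    return vhosts[0]


def audit(certbot_text, conf_text, hosts):
    """For each hostname a client may request: (lineage served, does it cover the name)."""
    lineages = parse_certbot_certificates(certbot_text)
    vhosts = parse_ssl_vhosts(conf_text)
    report = {}
    for host in hosts:
        _, cert = select_vhost(vhosts, host)
        lineage, domains = lineages.get(cert, (None, set()))
        report[host] = (lineage, any(name_matches(host, d) for d in domains))
    return report


def unused_lineages(certbot_text, conf_text):
    """Lineages no SSL vhost references: candidates for `certbot delete --cert-name`."""
    lineages = parse_certbot_certificates(certbot_text)
    used = {cert for _, cert in parse_ssl_vhosts(conf_text)}
    return sorted(name for path, (name, _) in lineages.items() if path not in used)


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit(CERTBOT_OUTPUT, conf, ["pdxwater.org", "www.pdxwater.org"]))
        print(label, "unused lineages:", unused_lineages(CERTBOT_OUTPUT, conf))
```

Run against the "before" file, both names are covered (so no browser warning is expected) but no lineage is unused, which is why the path change has to come before the `certbot delete`; against the "after" file, `pdxwater.org-0001` is the only unused lineage and can be removed without any vhost losing its certificate. On a live server, feed the script the real `certbot certificates` output and the contents of the `-le-ssl.conf` files rather than these constructed samples.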

OK done. Did that do the trick? Seems to have not broken anything at least. :smiley:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.