Certbot success, but Chrome says "certificate cannot be verified up to a trusted certification authority"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kiwi.hallikainen.org

I ran this command: certbot --apache -v

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 6
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/kiwi.hallikainen.org.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for kiwi.hallikainen.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kiwi.hallikainen.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/kiwi.hallikainen.org/privkey.pem
This certificate expires on 2021-11-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhosts.conf
Successfully deployed certificate for kiwi.hallikainen.org to /etc/httpd/conf.d/vhosts.conf
Enhancement redirect was already set.
Your existing certificate has been successfully renewed, and the new certificate has been installed.

My web server is (include version):
httpd -v
Server version: Apache/2.4.37 (AlmaLinux)
Server built: Apr 20 2021 10:48:33

The operating system my web server runs on is (include version):
AlmaLinux release 8.4 (Electric Cheetah)

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

Note the issue described in the subject. Certbot seems to have succeeded, but Chrome reports that the certificate cannot be verified up to a trusted source.

Here's the section of my vhosts.conf file:

<VirtualHost *:443>
     SSLEngine on
# from https://community.letsencrypt.org/t/a-tutorial-to-start-with-centos-6-5/3755/7
        SSLVerifyClient none
        ServerAdmin harold@hallikainen.org
        DocumentRoot /home/public_html
        ServerName kiwi.hallikainen.org
     Include /etc/letsencrypt/options-ssl-apache.conf
     SSLCertificateFile /etc/letsencrypt/live/kiwi.hallikainen.org/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/kiwi.hallikainen.org/privkey.pem
</VirtualHost>

I note that the issuer reported by Chrome is not Letsencrypt:

E = root@kiwi.hallikainen.org
CN = kiwi.hallikainen.org
OU = ca-8086971489563389296
O = Unspecified
C = US

THANKS!

Harold


@Hallikainen I am fairly new to using LE and all looks good. But, did you restart apache after that? You said chrome is still seeing an older cert so that made me think you just missed that. I can't see your site right now - it is non-responsive to http and https.


@Hallikainen Oh, and avoid issuing more LE certs right now. Looks like you did 4 today and you will soon hit the rate limit of 5 / week. See:
crt.sh | hallikainen.org


Thanks for the quick response! I had restarted httpd. I noticed an error in the DocumentRoot, so I fixed that. The new section of vhosts.conf is below. If I take out the rewrite in the http section, I do get the correct document root. But if I put it back, it correctly redirects to https, but puts up the Apache test page instead of my document root.

# =================================================================== kiwi.hallikainen.org

<VirtualHost *:80>
    ServerAdmin harold@hallikainen.org
    DocumentRoot /home/harold/public_html
    ServerName kiwi.hallikainen.org
#    ErrorLog logs/hallikainen.org-error_log
#    CustomLog logs/hallikainen.org-access_log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =kiwi.hallikainen.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


<VirtualHost *:443>
     SSLEngine on
# from https://community.letsencrypt.org/t/a-tutorial-to-start-with-centos-6-5/3755/7
        SSLVerifyClient none
        ServerAdmin harold@hallikainen.org
        DocumentRoot /home/harold/public_html
        ServerName kiwi.hallikainen.org
     Include /etc/letsencrypt/options-ssl-apache.conf
     SSLCertificateFile /etc/letsencrypt/live/kiwi.hallikainen.org/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/kiwi.hallikainen.org/privkey.pem
</VirtualHost>

Note that I am migrating from a Centos 6 system to the AlmaLinux system. I copied over ssl.conf. I see that it had the following lines pointing to self generated certificates that I have now replaced as shown below:

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt - Inserted below. hh 8/11/21
SSLCertificateFile /etc/letsencrypt/live/kiwi.hallikainen.org/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - Inserted below 8/11/21. hh
SSLCertificateKeyFile /etc/letsencrypt/live/kiwi.hallikainen.org/privkey.pem

That fixed the issue as identified by Chrome. So, progress! Still seeing the test page instead of the DocumentRoot.

Harold

That "fix" should not have affected anything related to that name; as the server should be serving that name directly from the dedicated vhost config.
Something's just not right... with Apache.
Please undo the "fix" and show the output of:
sudo apachectl -S


Thanks! I think that fix was valid since it was pointing to a directory that did not exist.

I think there were two issues.

  1. ssl.conf still pointed to the self signed certificates. This resulted in the "certificate cannot be trusted" issue. I changed that to point to the letsencrypt certificates.

  2. On content, it appears that since I have the same name for the default server and the virtual host, the default (Apache test) page was coming up. I uncommented the document root in ssl.conf and pointed it to the correct location.

All is working well now! I am migrating to a new server, so I now have a bunch more domains to bring up, and a lot of php and mysql stuff.

THANKS!

Harold

PS - Here is the requested output:

[root@kiwi conf.d]# sudo apachectl -S

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server hallikainen.org (/etc/httpd/conf.d/vhosts.conf:6)
         port 80 namevhost hallikainen.org (/etc/httpd/conf.d/vhosts.conf:6)
         port 80 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:15)
         port 80 namevhost fr.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:41)
         port 80 namevhost bh.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:51)
         port 80 namevhost lss.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:61)
         port 80 namevhost www.cccds.org (/etc/httpd/conf.d/vhosts.conf:89)
                 alias cccds.org
                 wild alias *.cccds.org
         port 80 namevhost www.miramonte1969.org (/etc/httpd/conf.d/vhosts.conf:117)
                 alias miramonte1969.org
                 wild alias *.miramonte1969.org
         port 80 namevhost www.kcralumni.org (/etc/httpd/conf.d/vhosts.conf:146)
                 alias kcpralumni.org
                 wild alias *.kcpralumni.org
         port 80 namevhost lssdb.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:175)
         port 80 namevhost test.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:183)
         port 80 namevhost w6iwi.org (/etc/httpd/conf.d/vhosts.conf:194)
         port 80 namevhost www.w6iwi.org (/etc/httpd/conf.d/vhosts.conf:203)
*:443                  is a NameVirtualHost
         default server kiwi.hallikainen.org (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:27)
         port 443 namevhost w6iwi.org (/etc/httpd/conf.d/vhosts.conf:212)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/etc/httpd/htdocs"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Both are incorrect "fixes"

The problem comes from a name:port overlap:

         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:27)

You probably don't need much of the ssl.conf file.
You certainly don't need it to be using the same server name as the vhosts.conf file [which is likely already doing everything you want it to do].

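A small check that reads `apachectl -S` output and flags exactly the kind of name:port overlap diagnosed above, so the duplicate that Apache silently ignores is found before anyone looks at browser errors. This is an added example, not code from the thread or from Apache; it assumes the dump format shown in Harold's post and uses constructed sample lines copied from it.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged `apachectl -S` dump in the shape Harold
# posted (same file paths and line numbers as the thread).
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server hallikainen.org (/etc/httpd/conf.d/vhosts.conf:6)
         port 80 namevhost hallikainen.org (/etc/httpd/conf.d/vhosts.conf:6)
*:443                  is a NameVirtualHost
         default server kiwi.hallikainen.org (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost kiwi.hallikainen.org (/etc/httpd/conf.d/vhosts.conf:27)
         port 443 namevhost w6iwi.org (/etc/httpd/conf.d/vhosts.conf:212)
"""

LISTEN_RE = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost")
DEFAULT_RE = re.compile(r"^\s*default server (\S+) \((\S+):(\d+)\)")
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")

def parse_dump(dump):
    """defaults: port -> (name, file, line); vhosts: (port, name) -> [(file, line)...]
    in definition order, which is the order Apache searches them."""
    defaults, vhosts, port = {}, defaultdict(list), None
    for line in dump.splitlines():
        if m := LISTEN_RE.match(line):
            port = int(m.group(2))  # following lines belong to this listener
        elif (m := DEFAULT_RE.match(line)) and port is not None:
            name, path, lineno = m.groups()
            defaults[port] = (name.lower(), path, int(lineno))
        elif m := VHOST_RE.match(line):
            p, name, path, lineno = m.groups()
            vhosts[(int(p), name.lower())].append((path, int(lineno)))
    return defaults, dict(vhosts)

def find_overlaps(dump):
    """(port, name) pairs defined more than once: Apache answers from the first
    definition, so a later vhost holding the Let's Encrypt files is never used."""
    _, vhosts = parse_dump(dump)
    return {k: v for k, v in vhosts.items() if len(v) > 1}

def report(dump):
    """One finding per overlapping name:port, naming the winner and the losers."""
    out = []
    for (port, name), defs in sorted(find_overlaps(dump).items()):
        winner = "%s:%d" % defs[0]
        ignored = ", ".join("%s:%d" % d for d in defs[1:])
        out.append(f"{name}:{port} defined {len(defs)}x; {winner} wins, ignored: {ignored}")
    return out
```

Feed the real output of `sudo apachectl -S` to `report()`; an empty list means every name:port pair has exactly one definition and the default server per port is the first one listed.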

Thanks for the EXCELLENT help! By commenting out blocks, it looks like I only need the SSL Global Context of ssl.conf. If I comment that out, httpd runs, but https connections are refused.

THANKS!

Harold
