Certbot upgrade : SSL issue


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: maglin.com / www.maglin.com

I ran this command:

It produced this output:

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): CentOS 6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto version 0.30.0

I just upgraded my certbot client and, although no errors were reported on screen (it reported all successful), our website no longer works. IE reports:


Your PC doesn’t trust this website’s security certificate.
The website’s security certificate is not yet valid or has expired.
The hostname in the website’s security certificate differs from the website you are trying to visit.

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_DATE_INVALID
DLG_FLAGS_SEC_CERT_CN_INVALID

Chrome reports:

NET: ERR_CERT_AUTHORITY_INVALID

Subject: localhost.localdomain
Issuer: localhost.localdomain

Expires on: Mar 26, 2014
Current date: Jan 23, 2019

then lists PEM encoded chain

If I go to https://www.maglin.com with chrome, I get the “Your connection is not private” message
Clicking Advanced reports:

The server could not prove it is www.maglin.com; its security certificate is not trusted by your computer’s operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

If I click on the Not secure button beside the URL, one of the options is: Certificate (invalid). If I click on this, it says

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certificate Authorities store.

What is that?

Initially I thought that SSL had just not been enabled and tried a certbot-auto renew (I can’t recall now if it was this one or not, but I did get prompted to enable SSL, so I chose that; then I was prompted to redirect all HTTP to HTTPS, and chose that). I can’t get to any pages on our website: www.maglin.com.

Our site is set up as a virtual host under Apache.

Curious that Chrome is taken to the Apache server root when entering www.maglin.com.

I am at a loss to determine what went wrong. As I said, certbot-auto reports all ok.

Thanks.


#2

I discovered I can edit the ssl.conf file to point the SSL directives to the Let’s Encrypt certificate files. Going to www.maglin.com works now, except it still goes to the default DocumentRoot: the virtual hosts are ignored.

httpd -S shows all of the virtual hosts that are loaded.

Why can’t Apache direct requests to these?


#4

I have not withdrawn the post. I really need an answer as to why the virtual hosts are not recognized.


#5

Please show:
grep -Eri 'virtualh|servern|servera|listen|rewrite|redirect' /etc/apache2


#6

@rg305

Thanks for your reply. For now what I think I’ll do is copy the website files into the default doc root and look into this issue later if I can. We are enormously busy these days and I must do what I can to minimize time spent.


#7

No worries :slight_smile:
We’ll leave the light on…


#8

I took some time this morning to execute the grep. I have modified the results somewhat to remove lines for files that are backups of the live files. I make numerous backups for various reasons – yesterday was no exception :slight_smile:
I was not able to just copy them here as I received an error about not being able to post more than 20 links. Not sure why that occurred. I am also, at present, unable to upload so, if that can change, I’ll do that. Thank you.


#9

When uploading, the only allowed file types are: (jpg, jpeg, png, gif, go, js, txt, pcap, pcapng)
So you may have to rename it to .txt


#10

I did rename it to txt. I get an error message that says:

Sorry, new users can not upload attachments.

I was going to paste in a screen shot of this and got the same error message.


#11

OH!
Try using a public service like PasteBin / GoogleDrive

Or tar it and put it on your site for a short period (and post that link here)
[easier to keep away from crawlers]


#12

Here is the link:

http://www.maglin.com/getme.html?file=grep_results.tar


#13

Hi @maglin

I don’t see a problem with your site (via https://check-your-website.server-daten.de/?q=maglin.com ):

Domainname                 (IP)            Http-Status  redirect  Sec.   G
http://maglin.com/         209.239.8.121   200          -         0.647  H
http://www.maglin.com/     209.239.8.121   200          -         0.640  H
https://maglin.com/        209.239.8.121   200          -         6.544  B
https://www.maglin.com/    209.239.8.121   200          -         6.307  B

looks ok. Your certificate

CN=maglin.com
23.01.2019 - 23.04.2019
drupal.maglin.com, html5.maglin.com, joomla.maglin.com, maglin.ca, maglin.com, mweb1.maglin.com, myadmin.maglin.com, www.maglin.ca, www.maglin.com - 9 entries

was created yesterday. And you don’t have mixed content.

So all looks good.


#14

@JuergenAuer

I know.

That’s why it is so bizarre that the vhosts are not recognized.

I may be able to do more exploration this weekend.

I need those vhosts!

Thank you for taking a look!


#15

Conflicts (3):

/etc/httpd/conf/vhosts-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/conf/vhosts-le-ssl.conf:  Servername www.maglin.com <<<<<<<<<<<<<<<<< 1
/etc/httpd/conf/vhosts-le-ssl.conf:  ServerAlias maglin.com <<<<<<<<<<<<<<<<< 2
/etc/httpd/conf/vhosts-le-ssl.conf:</VirtualHost>
/etc/httpd/conf/vhosts-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/conf/vhosts-le-ssl.conf:   Servername maglin.com <<<<<<<<<<<<<<<<< 2
/etc/httpd/conf/vhosts-le-ssl.conf:</VirtualHost>
/etc/httpd/conf/vhosts.conf:<VirtualHost *:443>
/etc/httpd/conf/vhosts.conf:         Servername www.maglin.com <<<<<<<<<<<<<<<<< 1
/etc/httpd/conf/vhosts.conf:</VirtualHost>
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>         <<<<<<<<<<<<<<<<< 1
/etc/httpd/conf.d/ssl.conf:</VirtualHost>                                  

/etc/httpd/conf/httpd.conf:Listen 0.0.0.0:80
/etc/httpd/conf/httpd.conf:Listen 0.0.0.0:8080
/etc/httpd/conf/httpd.conf:    ServerName www.maglin.com <<<<<<<<<<<<<<<<< 3
/etc/httpd/conf/httpd.conf.ssl:Listen 0.0.0.0:80
/etc/httpd/conf/httpd.conf.ssl:Listen 0.0.0.0:8080
/etc/httpd/conf/httpd.conf.ssl:ServerName www.maglin.com <<<<<<<<<<<<<<<<< 3
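The conflict list above is the result of reading the grep output by eye. The script below is an added example (not rg305's, not certbot's, and not part of the original thread) that does the same check mechanically: it walks the `<VirtualHost>` blocks in a set of Apache config files, records every ServerName/ServerAlias each block claims, and reports hostnames claimed by more than one block on the same port, plus blocks that have no name at all (such as the `_default_:443` block in ssl.conf, which answers any HTTPS request that no named vhost matches). The three sample files embedded in `SAMPLE_CONFIGS` are constructed to mirror the directive layout quoted above; the DocumentRoot and certificate paths in them are placeholders. Grouping is by port only, which is a simplification of Apache's IP:port matching that is adequate for a single-address server like this one.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: file names and ServerName/ServerAlias layout mirror the
# grep output quoted in the thread; DocumentRoot and certificate paths are placeholders.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": """
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
""",
    "/etc/httpd/conf/vhosts.conf": """
<VirtualHost *:443>
    ServerName www.maglin.com
    DocumentRoot /var/www/maglin
</VirtualHost>
""",
    "/etc/httpd/conf/vhosts-le-ssl.conf": """
<VirtualHost *:443>
    ServerName www.maglin.com
    ServerAlias maglin.com
</VirtualHost>
<VirtualHost *:443>
    ServerName maglin.com
</VirtualHost>
""",
}

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.IGNORECASE)


def load_config_dir(root):
    """Read every *.conf file under root into {path: text} (for use on a real server)."""
    configs = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".conf"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    configs[path] = fh.read()
    return configs


def parse_vhosts(configs):
    """One dict per <VirtualHost> block: file, line, address, lower-cased names."""
    vhosts = []
    for path, text in configs.items():
        current = None
        for lineno, line in enumerate(text.splitlines(), 1):
            opened = VHOST_OPEN.match(line)
            if opened:
                current = {"file": path, "line": lineno,
                           "address": opened.group(1).strip(), "names": []}
            elif VHOST_CLOSE.match(line) and current is not None:
                vhosts.append(current)
                current = None
            elif current is not None:
                named = NAME_DIRECTIVE.match(line)
                if named:  # ServerAlias may list several names on one line
                    current["names"].extend(n.lower() for n in named.group(2).split())
    return vhosts


def port_of(address):
    """'*:443' -> '443', '_default_:443' -> '443', bare '*' -> '*'."""
    return address.rsplit(":", 1)[-1] if ":" in address else "*"


def find_conflicts(vhosts):
    """Hostnames claimed by more than one vhost on the same port. Apache selects
    the first block it read for that name; the later ones are never reached by name."""
    claims = defaultdict(list)
    for vh in vhosts:
        for name in vh["names"]:
            claims[(port_of(vh["address"]), name)].append(vh)
    return {key: owners for key, owners in claims.items() if len(owners) > 1}


def find_nameless(vhosts):
    """Blocks with no ServerName/ServerAlias: a _default_ block here catches
    every request on its port that no named vhost matches."""
    return [vh for vh in vhosts if not vh["names"]]


def report(configs):
    """Findings as a list of strings, returned rather than printed so they can be checked."""
    vhosts = parse_vhosts(configs)
    lines = []
    for (port, name), owners in sorted(find_conflicts(vhosts).items()):
        where = ", ".join(f"{o['file']}:{o['line']}" for o in owners)
        lines.append(f"CONFLICT port {port} name {name}: {where}")
    for vh in find_nameless(vhosts):
        lines.append(f"NAMELESS {vh['address']} at {vh['file']}:{vh['line']}")
    return lines


if __name__ == "__main__":
    import sys
    # python vhost_check.py /etc/httpd   (no argument: run on the constructed sample)
    configs = load_config_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIGS
    print("\n".join(report(configs)) or "no conflicts found")
```

Run against the sample it reports two conflicts on port 443 (www.maglin.com claimed in vhosts.conf and vhosts-le-ssl.conf, maglin.com claimed twice inside vhosts-le-ssl.conf) and the nameless `_default_:443` block. Pointed at a real `/etc/httpd`, it reads only `*.conf` files, so backup copies such as `httpd.conf.ssl` are skipped, which matches what Apache itself loads.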

#16

@rg305

Thanks!

I will be taking a look to resolve.


#17

I’ve resolved some of the things adequately enough for now. There are still some issues that, prior to the upgrade, were not issues. For example, this configuration:

in ssl.conf did not override anything related to the virtual host in place for our main corporate website, and Apache did not insist that the default server root be associated with maglin.com. I’m not sure what happened to the configurations as a result of the upgrade, but they definitely got screwed up, and, as the most important issues are resolved, I’ll leave it there for now. I don’t have time to pursue it further right now.

Thanks again for the assistance! Much appreciated!