Certificate error after auto-generation

Hi - I’ve created many certs with certbot with no issues, but this one has me stumped. Its a simple apache setup with one virtual host. The certificate generated doesnt work though, I get a ‘name’ error saying that its set to willfrost not willfrost.co.uk

I selected willfrost.co.uk during the install and have retried several times.

My domain is: willfrost.co.uk

I ran this command: certbot-auto --apache

It produced this output: (ran normally)

My web server is (include version): apache

The operating system my web server runs on is (include version): centos 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.4.0

Hi @strider

there are some checks of your domain, 20 and 30 minutes old - https://check-your-website.server-daten.de/?q=willfrost.co.uk

You have created some certificates:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-05-16 2020-08-14 willfrost.co.uk - 1 entries duplicate nr. 3
Let’s Encrypt Authority X3 2020-05-16 2020-08-14 willfrost.co.uk, www.willfrost.co.uk - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-05-16 2020-08-14 willfrost.co.uk - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-05-16 2020-08-14 willfrost.co.uk - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-05-09 2020-08-07 willfrost.co.uk, www.willfrost.co.uk - 2 entries

But you use a self signed.

E=root@willfrost, CN=willfrost, O=Unspecified, C=US
	15.05.2020
	20.05.2021
expires in 369 days	willfrost - 1 entry

So it’s an installation problem, not a certificate creation problem.

What says

apachectl -S
1 Like

Hi - thanks - apachectl -S actually returns nothing. I’m on centos 8.

httpd.server reports active (running)

I didnt select self signed during the setup so not sure why that has happened. One thing I did notice which was unusual, I wasnt asked if I wanted to divert http to https, it just actioned that.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: willfrost.co.uk

I ran this command: cert-auto --apache

It produced this output: all good

My web server is (include version): willfrost.co.uk

The operating system my web server runs on is (include version): centos 8.1

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.4

If you use CentOS, you know you have to use httpd instead of apachectl.

Hi - thanks for the reply. yes we are using httpd we dont use apachectl why is that relevant ?

Which names would you like to activate HTTPS for?


1: willfrost.co.uk

2: www.willfrost.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter ‘c’ to cancel):

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for willfrost.co.uk

http-01 challenge for www.willfrost.co.uk

Waiting for verification…

Cleaning up challenges

Created an SSL vhost at /etc/httpd/conf.d/willfrost-le-ssl.conf

Deploying Certificate to VirtualHost /etc/httpd/conf.d/willfrost-le-ssl.conf

Deploying Certificate to VirtualHost /etc/httpd/conf.d/willfrost-le-ssl.conf

Redirecting vhost in /etc/httpd/conf.d/willfrost.conf to ssl vhost in /etc/httpd/conf.d/willfrost-le-ssl.conf


Congratulations! You have successfully enabled https://willfrost.co.uk and

https://www.willfrost.co.uk

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=willfrost.co.uk

https://www.ssllabs.com/ssltest/analyze.html?d=www.willfrost.co.uk


Please: Instead of apachectl -S httpd -S. Your real configuration is required.

Sorry my misunderstanding - this is the output from httpd -S

AH00526: Syntax error on line 14 of /etc/httpd/conf.d/willfrost-le-ssl.conf:

SSLCertificateFile: file ‘/etc/letsencrypt/live/willfrost.co.uk/fullchain.pem’ does not exist or is empty

Note fullchain.pem does exist and isnt empty

willfrost-le-ssl.conf is :-

ServerName willfrost.co.uk ServerAlias www.willfrost.co.uk ServerAdmin webmaster@scintillae.net DocumentRoot /var/www/html/willfrost.co.uk ErrorLog logs/willfrost.vote-error_log Options -Indexes Options FollowSymLinks

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/willfrost.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/willfrost.co.uk/privkey.pem

Screenshot 2020-05-17 at 11.00.13

[root@willfrost strider]# ls /etc/letsencrypt/live/willfrost.co.uk/privkey.pem

/etc/letsencrypt/live/willfrost.co.uk/privkey.pem

[root@willfrost strider]# ls /etc/letsencrypt/live/willfrost.co.uk/fullchain.pem

/etc/letsencrypt/live/willfrost.co.uk/fullchain.pem

root or sudo is required.

Aah sorry :-

[root@willfrost strider]# sudo httpd -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server willfrost.co.uk (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost willfrost.co.uk (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost willfrost.co.uk (/etc/httpd/conf.d/willfrost-le-ssl.conf:2)
alias www.willfrost.co.uk
*:80 willfrost.co.uk (/etc/httpd/conf.d/willfrost.conf:1)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: “/etc/httpd/run/httpd.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

There

you see your mess. Two port 443 vHosts with the same domain name.

Merge these in one or disable both, then use certbot with --reinstall to create a clean port 443 vHost.

Aah ok - this is the default for centos 8 httpd setup by the way - so everyone will hit this.