Certificate expired in old server, can't get a new one on new server

I had an SSL certificate from Let’s Encrypt some months ago, but I forgot to renew it. I ended up switching my website to another server, and since then I have been unable to get another SSL certificate.

Today I attempted to get an SSL certificate again, and it seemed to work. The first time, I ran this command:
sudo certbot --apache -d smartmood.io -d www.smartmood.io

and was issued a certificate, but was unable to install it. The output below is from when I ran
sudo certbot --apache

some minutes afterward, and was apparently able to install the certificate.

Unfortunately, when I open my website in a browser, and check its certificate on https://www.ssllabs.com/, I still have issues. I’m not sure what is happening.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: smartmood.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/smartmood.io-0001.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://smartmood.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=smartmood.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smartmood.io-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smartmood.io-0001/privkey.pem
   Your cert will expire on 2019-10-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
Apache/2.4.6

The operating system my web server runs on is (include version):
centos-release-7-6.1810.2.el7.centos.x86_64

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.35.1

What’s this show:

httpd -t -D DUMP_VHOSTS
grep -Ri sslcertificatefile /etc/httpd

Interesting
httpd -t -D DUMP_VHOSTS:

AH00526: Syntax error on line 371 of /etc/httpd/conf/httpd.conf:

SSLCertificateFile: file '/etc/letsencrypt/live/smartmood.io-0001/cert.pem' does not exist or is empty

grep -RI sslcertificatefile /etc/httpd:

grep: /etc/httpd/logs: Permission denied

grep: /etc/httpd/run: Permission denied

Sorry, could you please re-run those with sudo at the front of the command, or as the root user?

sudo grep -RI sslcertificatefile /etc/httpd produces no output at all.

I just changed the file name in line 371 of /etc/httpd/conf/httpd.conf from /etc/letsencrypt/live/smartmood.io-0001/cert.pem to /etc/letsencrypt/live/smartmood.io-0001/fullchain.pem (which was in the output of sudo certbot --apache), but got the exact same error I did before, even though I can sudo cat /etc/letsencrypt/live/smartmood.io-0001/fullchain.pem and see that the file does exist.

Unfortunately that was a typo from me, it should be -Ri not -RI.

It’d still be helpful to see the DUMP_VHOSTS one as well.

sudo grep -Ri sslcertificatefile /etc/httpd:

/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/smartmood.io-0001/cert.pem
/etc/httpd/conf/httpd.conf:SSLCertificateFile /etc/letsencrypt/live/smartmood.io-0001/fullchain.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/logs/error_log:[Wed Jul 17 03:34:06.175947 2019] [ssl:emerg] [pid 11194] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:366)
/etc/httpd/logs/error_log:[Wed Jul 17 03:34:52.882263 2019] [ssl:emerg] [pid 11208] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:366)
Binary file /etc/httpd/modules/mod_ssl.so matches

Without seeing DUMP_VHOSTS, what seems likely is that the virtualhost in ssl.conf overlaps its ServerName or ServerAlias with the virtualhost from httpd.conf or httpd-le-ssl.conf.

Since a single domain can only effectively apply to a single virtualhost, your configuration doesn’t work as you intend.

To sort that out, remove the overlap, and your domain should start using the certificate from Let’s Encrypt.

1 Like
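
The overlap check suggested in the reply above, as an added example that is not part of the original thread: it lists every host name claimed by more than one port-443 VirtualHost, with the certificate each block points at. The function names and the two sample files are constructed for illustration (the ServerName lines are assumed; the certificate paths are the ones from the grep output above).

```shell
#!/bin/sh
# Added example. On a real host the arguments would be the Apache config files,
# e.g. /etc/httpd/conf/*.conf /etc/httpd/conf.d/*.conf (Include lines are not followed).

find_vhost_overlaps() {
    # Prints: <name> <file:line>=<SSLCertificateFile> ... for names in 2+ vhosts.
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      n = split(line, f, /[ \t]+/); key = tolower(f[1]) }
    key == "<virtualhost" && line ~ /:443[ \t>]/ {
        in443 = 1; where = FILENAME ":" FNR; names = ""; cert = "(none)"; next }
    in443 && (key == "servername" || key == "serveralias") {
        for (i = 2; i <= n; i++) names = names " " tolower(f[i]); next }
    in443 && key == "sslcertificatefile" { cert = f[2]; next }
    in443 && key == "</virtualhost>" {
        in443 = 0
        m = split(names, nm, " ")
        for (i = 1; i <= m; i++) {
            # Count a name once per vhost, even if it is both ServerName and alias.
            if ((nm[i], where) in once) continue
            once[nm[i], where] = 1
            count[nm[i]]++
            claims[nm[i]] = claims[nm[i]] " " where "=" cert
        }
    }
    END { for (h in count) if (count[h] > 1) print h claims[h] }
    ' "$@" | sort
}

demo_overlaps() {
    # Constructed sample files, not the poster's actual configuration.
    d=$(mktemp -d) || return 1
    cat > "$d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
ServerName smartmood.io
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF
    cat > "$d/httpd-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
ServerName smartmood.io
ServerAlias www.smartmood.io
SSLCertificateFile /etc/letsencrypt/live/smartmood.io-0001/cert.pem
</VirtualHost>
EOF
    (cd "$d" && find_vhost_overlaps ssl.conf httpd-le-ssl.conf)
    rm -rf "$d"
}
demo_overlaps
```

Any name printed here is served by whichever of the listed blocks Apache matches first, so a default or self-signed certificate in that block is what clients receive.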

Thank you, solved the issue!

1 Like
