Certificate has wrong domain validity - CENTOS7 / 1&1 server / certbot

Trying to set up web SSL for one domain on my CENTOS7 server.

Used:

./certbot-auto certonly --webroot -w /[path to website] -d goznet.co.uk -d www.goznet.co.uk

which created the usual four files cert.pem, chain.pem, fullchain.pem and privkey.pem in the correct goznet.co.uk path off /etc/letsencrypt.

The .well-known folder was successfully created in [path to website], so there didn’t appear to be any issues.

However on testing, Firefox 46.0.1 reports:

www.goznet.co.uk uses an invalid security certificate. The certificate is not trusted because it is self-signed.
The certificate is only valid for s17931428
Error code: SEC_ERROR_UNKNOWN_ISSUER

s17931428.onlinehome-server.info is my server name, but was never specified in the certbot command. It appears to have been autodetected from the server by certbot and to have overridden my specified domains. It’s not specified anywhere in my Apache config that I can see, so it doesn’t seem to be getting it from there.

Testing with ssllabs.com seems to confirm that behaviour, though of course the cause might be more subtle or operator-induced.

Any ideas?

You’re using “certonly” mode, meaning the configuration of SSL on your web server is up to you. What certbot gave you is a number of files that include your certificate, intermediate certificates (chain) and your private key. You’ll need to configure your web server to use those files, instead of the self-signed certificate that it currently seems to use (which isn’t related to Let’s Encrypt or certbot at all). The Mozilla SSL Config Generator is usually a good starting point.
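To make that answer concrete, here is an added example of a vhost that points Apache at the files certbot wrote. It is not from the reply above, from certbot or from the poster's own config: the certificate paths are the ones named in this thread, the DocumentRoot is a placeholder for [path to website], and it assumes mod_ssl is installed on the CentOS 7 box (httpd 2.4.6).

```apache
# Added example, not the thread's own config.
# On CentOS 7, /etc/httpd/conf.d/ssl.conf (from mod_ssl) already contains
# "Listen 443 https" and a <VirtualHost _default_:443> that serves the
# distro's self-signed /etc/pki/tls/certs/localhost.crt. Do not add a second
# Listen 443; do put the site's SSL directives in a vhost bound to *:443,
# because SSL* directives inside a <VirtualHost *:80> block are never used.

<VirtualHost *:443>
    ServerName  goznet.co.uk
    ServerAlias www.goznet.co.uk
    # placeholder for the thread's [path to website]
    DocumentRoot "/var/www/goznet.co.uk"

    SSLEngine on
    # httpd 2.4.6 (CentOS 7) needs the intermediate supplied separately.
    # On httpd 2.4.8 or later you can instead point SSLCertificateFile at
    # fullchain.pem and drop SSLCertificateChainFile.
    SSLCertificateFile      /etc/letsencrypt/live/goznet.co.uk/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/goznet.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/goznet.co.uk/chain.pem
</VirtualHost>
```

Before restarting, `apachectl configtest` catches syntax and missing-file errors, and `apachectl -S` lists every vhost with the port it is bound to and which one is the default for *:443; if your goznet.co.uk block does not appear under port 443 there, clients will keep getting the default vhost's self-signed certificate no matter what the SSL* lines say.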

Yep, looking right - many thanks. I’m specifying the various SSL bits in my config, but they seem to be being ignored as if they weren’t there at all. Will investigate further.

SSLCertificateFile "/etc/letsencrypt/live/goznet.co.uk/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/goznet.co.uk/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/goznet.co.uk/chain.pem"

All resolved, thanks for pointing me in the right direction to what mostly appears to have been operator error as feared. All down to the virtualhost port listening I was sure I’d set correctly, but clearly hadn’t. Seems solid now. Thank you again.
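Since the symptom here was "the browser gets a certificate for a different name", a server-side check that does not depend on a browser is useful once the vhost is fixed. The script below is an added example and not from this thread or from certbot: it fetches the certificate a host actually presents (with SNI, because without it Apache answers with its default vhost's certificate) and tests whether the subjectAltName list covers the requested name. The hostnames are the ones from the thread; the sample SAN string used in the offline run is a constructed stand-in for the hostname-only certificate the poster saw.

```shell
#!/bin/sh
# Added example, not code from the thread. Hostnames come from the thread;
# the sample subjectAltName below is constructed to mimic the symptom.

# cert_covers_host NAME SAN_LIST
#   SAN_LIST is the comma-separated subjectAltName text openssl prints,
#   e.g. "DNS:goznet.co.uk, DNS:www.goznet.co.uk".
#   Returns 0 when NAME matches an entry exactly or via a single-label
#   wildcard (*.example.com covers a.example.com, but neither
#   b.a.example.com nor example.com itself), 1 otherwise.
cert_covers_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Commas become spaces so the for loop splits the list into entries;
    # everything is lowercased because DNS names compare case-insensitively.
    for entry in $(printf '%s' "$2" | tr ',A-Z' ' a-z'); do
        entry=${entry#dns:}
        [ "$entry" = "$name" ] && return 0
        case "$entry" in
            '*.'*)
                case "$name" in
                    # strip exactly one leading label from NAME and compare
                    *.*) [ "${name#*.}" = "${entry#\*.}" ] && return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# served_san HOST [PORT]
#   Print the subjectAltName line of the certificate HOST serves for
#   itself. -servername sends SNI; without it Apache answers with the
#   certificate of its default vhost on that port, which on CentOS 7 is the
#   distro's self-signed localhost.crt rather than the site's.
served_san() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

if [ -n "$1" ]; then
    # Live check, e.g.: sh check_cert.sh www.goznet.co.uk
    host=$1
    san=$(served_san "$host")
else
    # Offline run against a constructed sample: a certificate issued only
    # for the hosting provider's machine name, as in the thread's symptom.
    host=www.goznet.co.uk
    san="DNS:s17931428.onlinehome-server.info"
fi

if cert_covers_host "$host" "$san"; then
    echo "OK: certificate covers $host ($san)"
else
    echo "MISMATCH: $host is not covered; server presents [$san]"
fi
```

Run it with no argument to see the mismatch case on the constructed sample, or with a hostname to query a live server. A hostname that passes here but still fails in the browser usually means the chain is incomplete rather than the name wrong; the `openssl s_client` output above (before it is piped to `x509`) shows the certificate chain the server sent and the verify result.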