Certificate is considered self-signed by browsers and MediaWiki

My domain is: pocketwiki.cau.ninja

I ran this command: sudo certbot --apache and it generated a certificate that gets detected as "self-signed" by Firefox and MediaWiki, the web application of that domain.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.26.0

As it creates multiple problems, I want to "switch" to a "non-self"-signed certificate.

What do you mean?

https://pocketwiki.cau.ninja/index.php/Hauptseite

Hi @xtay2, and welcome to the LE community forum 🙂

That is impossible.
It might be that you ran certbot --apache [and that completed normally]
And that your site is still using a "self-signed" cert.
But no "self-signed" certs come from certbot.

So...
There must be a "problem" with your Apache config.
Let's have a look at the output of:

  • certbot certificates
  • apachectl -t -D DUMP_VHOSTS
2 Likes

certbot certificates gives:


Found the following certs:
Certificate Name: pocketwiki.cau.ninja
Serial Number: 4ef5ea7fd2a01bd5495c567ce79ff121a5c
Key Type: RSA
Domains: pocketwiki.cau.ninja wiki.pseudocode.site
Expiry Date: 2022-07-10 18:31:30+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/pocketwiki.cau.ninja/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pocketwiki.cau.ninja/privkey.pem


apachectl -t -D DUMP_VHOSTS gives:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 pocketwiki.cau.ninja (/etc/apache2/sites-enabled/pocketwiki-le-ssl.conf:2)

Or, when I'm trying to edit a page:
Screenshot from 2022-04-12 17-16-29

You are connecting to https://localhost, not to https://pocketwiki.cau.ninja !!!

The certificate isn't valid for the first one, just for the second (and the other domain).

3 Likes
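
The check behind the reply above (the certificate only covers the names listed under Domains, so https://localhost fails), as an added example that is not part of the original thread. It parses the Domains line of `certbot certificates` output and reports whether a URL's host is covered; the function names are hypothetical, and the wildcard rule goes beyond this thread's certificate, which has no wildcard names.

```sh
# Constructed sample: the relevant lines of the `certbot certificates`
# output quoted in the thread.
CERTBOT_OUTPUT='Certificate Name: pocketwiki.cau.ninja
Domains: pocketwiki.cau.ninja wiki.pseudocode.site
Certificate Path: /etc/letsencrypt/live/pocketwiki.cau.ninja/fullchain.pem'

# Print every name on the "Domains:" lines, one per line, lower-cased.
cert_domains() {
    printf '%s\n' "$1" |
        awk '$1 == "Domains:" { for (i = 2; i <= NF; i++) print tolower($i) }'
}

# Reduce a URL to its host: drop scheme, path, userinfo and port (no IPv6 literals).
url_host() {
    uh=${1#*://}; uh=${uh%%/*}; uh=${uh##*@}; uh=${uh%%:*}
    printf '%s\n' "$uh" | tr '[:upper:]' '[:lower:]'
}

# Succeed if HOST ($1) equals NAME ($2), or NAME is "*.suffix" and HOST is
# exactly one non-empty label in front of that suffix.
name_matches() {
    [ "$1" = "$2" ] && return 0
    case $2 in
        '*.'?*)
            nm_rest=${1#*.}
            [ "$1" != "$nm_rest" ] && [ -n "${1%%.*}" ] && [ "*.$nm_rest" = "$2" ]
            return ;;
    esac
    return 1
}

# check_url URL CERTBOT_OUTPUT -> prints "ok" or "mismatch".
check_url() {
    cu_host=$(url_host "$1")
    while IFS= read -r cu_name; do
        if name_matches "$cu_host" "$cu_name"; then
            echo ok
            return 0
        fi
    done <<EOF
$(cert_domains "$2")
EOF
    echo mismatch
}

# The two URLs from the thread.
for url in https://localhost/ https://pocketwiki.cau.ninja/index.php/Hauptseite; do
    printf '%-55s %s\n' "$url" "$(check_url "$url" "$CERTBOT_OUTPUT")"
done
```

On a live server, pass "$(sudo certbot certificates)" as the second argument instead of the sample.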

Please show this file:

1 Like
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin admin@your-domain.com
    DocumentRoot /var/www/html/pocketwiki/
    ServerName pocketwiki.cau.ninja

    <Directory /var/www/html/pocketwiki/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/mediawiki_error
    CustomLog /var/log/apache2/mediawiki_access common

    SSLCertificateFile /etc/letsencrypt/live/pocketwiki.cau.ninja/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pocketwiki.cau.ninja/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Is it possible to add the certificate for localhost too?

No.

You can edit your /etc/hosts file and make your pc believe that pocketwiki.cau.ninja is hosted on 127.0.0.1, though. (Instead of querying the public DNS)

2 Likes

How do I have to change it? Currently it looks like this:

127.0.0.1	localhost
127.0.1.1	Primeserver

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Are you sure that's the right file? It doesn't look like it.

You just add a line like this, in /etc/hosts

127.0.0.1 pocketwiki.cau.ninja
1 Like

Change the localhost line to read:

127.0.0.1 localhost pocketwiki.cau.ninja

1 Like

Add another line wherever you like it best.

1 Like

I have now changed it, but both the Firefox and editing errors persist. If you want to try it, you can freely edit one character on https://pocketwiki.cau.ninja/index.php/Testpage?veaction=edit and commit it as a "minor change" by clicking "Änderungen speichern" in the top right corner.

Mediawiki describes the occurring error with: "Error contacting the Parsoid/RESTBase server: (curl error: 60) Peer certificate cannot be authenticated with given CA certificates
You may be using a self-signed SSL certificate. Workaround unknown."

You have to use your domain name in the browser. Not localhost.

1 Like

Sorry, my bad. A friend tried that (outside of my network) and he had the same error. (Error contacting the Parsoid/RESTBase server...)

Ok, does MediaWiki know about the domain name, or is it trying to contact "localhost"? MediaWiki itself has to use the domain name.

Anyhow, your wiki is working for me: Änderungen – PocketWiki

1 Like

Yes, in MediaWiki's "LocalSettings.php" I have this:
Screenshot from 2022-04-12 17-47-35