Certificate is not Trusted

The problem that I am having is that the certificate is not trusted by the browser. I have not modified anything in the Apache server configuration. I am not well versed in Apache anyway.

My domain is: husainalshehhi.com

I ran this command:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache 
$ sudo certbot --apache

It produced this output:

I don’t remember the exact output. It was successful, though. But when I run it again, it gives me something similar to:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/husainalshehhi.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/husainalshehhi.com/privkey.pem
   Your cert will expire on 2018-05-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Apache/2.4.25 (Unix)

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don’t know): yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

You may have issued a certificate successfully, but your Apache configuration is using a self-signed certificate for www.example.com.

Thank you @danb35.

Do you know what I should add to Apache configuration to enable the certificate? I am not familiar with apache configuration. I thought originally that certbot would do that for me.

Normally it does! Can you try something like this:

grep -r SSLCertificate /etc/apache2

Thanks @schoen

This is what I am getting:

$ sudo grep -r SSLCertificate /opt/bitnami/apache2/
Binary file /opt/bitnami/apache2/modules/mod_ssl.so matches
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate.  If
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-dsa.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-ecc.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#   Point SSLCertificateChainFile at a file containing the
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#   the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate.  If
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-dsa.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-ecc.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#   Point SSLCertificateChainFile at a file containing the
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#   the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"

and

bitnami@Husain-Blo:~$ grep -r SSLCertificate /etc/apache2
/etc/apache2/sites-available/default-ssl.conf:          #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf:          #   Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf:          #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf:          #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/husainalshehhi.com/fullchain.pem
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/husainalshehhi.com/privkey.pem

Perhaps the issue is that Certbot doesn’t know how to locate the Bitnami-managed Apache installation.

You would either need to point it using the provided flags:

apache:
  Apache Web Server plugin - Beta

  --apache-enmod APACHE_ENMOD
                        Path to the Apache 'a2enmod' binary. (default:
                        a2enmod)
  --apache-dismod APACHE_DISMOD
                        Path to the Apache 'a2dismod' binary. (default:
                        a2dismod)
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                        SSL vhost configuration extension. (default: -le-
                        ssl.conf)
  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory. (default: /etc/apache2)
  --apache-vhost-root APACHE_VHOST_ROOT
                        Apache server VirtualHost configuration root (default:
                        /etc/apache2/sites-available)
  --apache-logs-root APACHE_LOGS_ROOT
                        Apache server logs directory (default:
                        /var/log/apache2)
  --apache-challenge-location APACHE_CHALLENGE_LOCATION
                        Directory path for challenge configuration. (default:
                        /etc/apache2)
  --apache-handle-modules APACHE_HANDLE_MODULES
                        Let installer handle enabling required modules for
                        you.(Only Ubuntu/Debian currently) (default: True)
  --apache-handle-sites APACHE_HANDLE_SITES
                        Let installer handle enabling sites for you.(Only
                        Ubuntu/Debian currently) (default: True)

or just manually change the SSLCertificateFile and SSLCertificateKeyFile references to e.g. /etc/letsencrypt/live/example.com/cert.pem and privkey.pem.


Thank you very much @_az. I ran

sudo certbot --apache --apache-server-root /opt/bitnami/apache2/

and it solved my very long standing problem.


Wow, that was some excellent advice from @_az!
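
The diagnosis reached in this thread (Certbot wrote its vhost under /etc/apache2 while the Bitnami Apache reads /opt/bitnami/apache2) can be checked with a filtered version of the grep used above. This is an added example, not part of any post in the thread; the function names and the temporary directory tree are constructed for illustration, with directive lines copied from the quoted grep output.

```shell
# Added example. Lists the active (uncommented) SSLCertificateFile directives
# under an Apache config root and counts those outside a Let's Encrypt lineage.

# active_cert_paths ROOT -> one "conf-file<TAB>cert-path" line per directive
active_cert_paths() {
    # -I skips binaries such as mod_ssl.so; the anchor skips commented lines.
    grep -rIE '^[[:space:]]*SSLCertificateFile[[:space:]]+' "$1" 2>/dev/null |
    while IFS= read -r line; do
        file=${line%%:*}            # grep -r prefixes each hit with "file:"
        directive=${line#*:}
        # second field is the path; strip the optional double quotes
        path=$(printf '%s\n' "$directive" | awk '{print $2}' | tr -d '"')
        printf '%s\t%s\n' "$file" "$path"
    done
}

# stale_cert_count ROOT DOMAIN -> number of active directives that do not
# point into /etc/letsencrypt/live/DOMAIN/
stale_cert_count() {
    active_cert_paths "$1" |
    awk -F'\t' -v want="/etc/letsencrypt/live/$2/" \
        'index($2, want) != 1 { n++ } END { print n + 0 }'
}

# Constructed sample tree: directive lines copied from the grep output quoted
# in the thread, placed under a temporary directory instead of the real roots.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bitnami/conf/bitnami" "$d/bitnami/conf/extra" "$d/etc/sites-available"
    printf '%s\n' 'SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"' \
        > "$d/bitnami/conf/bitnami/bitnami.conf"
    printf '%s\n' '#   Point SSLCertificateFile at a PEM encoded certificate.  If' \
        '#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"' \
        > "$d/bitnami/conf/extra/httpd-ssl.conf"
    printf '%s\n' \
        'SSLCertificateFile /etc/letsencrypt/live/husainalshehhi.com/fullchain.pem' \
        > "$d/etc/sites-available/000-default-le-ssl.conf"
    echo "$d"
}

demo=$(make_demo_tree)
for root in "$demo/bitnami" "$demo/etc"; do
    printf '%s: %s active directive(s) outside the Let'\''s Encrypt lineage\n' \
        "$root" "$(stale_cert_count "$root" husainalshehhi.com)"
done
rm -rf "$demo"
```

A directive only takes effect if its file is reached from the running server's Include chain, so a hit in sites-available or in a copied config directory still has to be compared against the configuration the server actually loads.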
