Certificate is not Valid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kaskie-family.no-ip.org

I ran this command:
sudo certbot --apache

It produced this output:
success

My web server is (include version):
Apache 2.4.18

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:
Server is running on site

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I am getting the following in Chrome:
Your connection is not private
Attackers might be trying to steal your information from kaskie-family.no-ip.org (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED

With this certificate information:
SSL Server Certificate
Common Name (CN) kaskie-family.no-ip.org
Organization (O)
Organizational Unit (OU)
Common Name (CN) StartCom Class 1 DV Server CA
Organization (O) StartCom Ltd.
Organizational Unit (OU) StartCom Certification Authority
Issued On Wednesday, March 22, 2017 at 10:28:02 AM
Expires On Sunday, March 22, 2020 at 10:28:02 AM
SHA-256 Fingerprint EA EE C4 1F 51 46 F1 EC D0 50 06 9E 96 58 AC 5F
00 41 0D 85 82 F0 E7 40 2B DE 9B CD C5 DC 3A C0
SHA-1 Fingerprint 75 AF 14 AB 88 2F 03 12 C7 DD 69 C1 00 7F 80 DB
01 45 90 08

Also, my default-ssl.conf:

	ServerName kaskie-family.no-ip.org
	ServerAlias www.kaskie-family.no-ip.org

	DocumentRoot "/var/www/html"
	
	SSLCertificateFile /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/kaskie-family.no-ip.org/chain.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

Hi,

Can you try restarting Apache?
(Just in case certbot didn’t)

Also, please run this command and share the output with us: apache2ctl -S

Thank you

You’re using an old certificate issued by StartCom. However, you’ve issued two certificates from Let’s Encrypt today:

https://crt.sh/?Identity=%kaskie-family.no-ip.org&iCAID=16418

But your web server isn’t using either of them. Did you do something to configure your server to use the newly-issued certificates after you issued them?

I had a hard time stopping Apache! Had to run “killall” but finally got it to stop. Restarted it.

Getting this now:
This site can’t provide a secure connection
kaskie-family.no-ip.org sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

apache2ctl -S
AH00526: Syntax error on line 21 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/wafka.no-ip.org/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

The error is referring to a different VirtualHost. But to be safe, I renewed that certificate.

-------------------------------------------------------------------------------

Congratulations! You have successfully enabled https://wafka.no-ip.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=wafka.no-ip.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/wafka.no-ip.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/wafka.no-ip.org/privkey.pem
    Your cert will expire on 2018-08-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Okay…

Can you check if those are okay? (I mean, can you try to get Apache running… with no error?)

And then the issue might just be resolved.

P.S. Please check if there are any duplicate vHosts which might override the host (using StartCom certs). Also, check if your domain matches the IP address… (just in case it doesn’t…)

Thank you

Still not working, but new error:

This site can’t provide a secure connection
kaskie-family.no-ip.org sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

I also got rid of the other vhost, just to test, and now running apache2ctl -S shows this:

AH00526: Syntax error on line 27 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

And these are the results of the SSL test:

There are some errors that we cannot fix properly in the current version. They will be addressed in the next generation version, which is currently being developed.

No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.

Does that file actually exist? Have you manually deleted or renamed anything within /etc/letsencrypt?

Please show these four (you can post replies individually if you like):
sudo certbot certificates
grep -Eri 'servername|serveralias' /etc/apache2
grep -Eri 'SSLProtocol|SSLCipherSuite' /etc/apache2
netstat -pant | grep -i listen
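
Added example, not written by anyone in this thread: a shell function that lists every SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile path referenced under an Apache config directory and flags the ones that would produce the AH00526 "does not exist or is empty" error seen above. The function name check_cert_paths is made up for this example, and it assumes paths contain no spaces or colons.

```shell
#!/bin/sh
# Added example (not from the thread). Finds every SSLCertificate*File
# directive under an Apache config directory and reports whether the file it
# names would trigger AH00526 ("does not exist or is empty").
# Assumes paths contain no spaces or colons.

# check_cert_paths CONF_DIR
# Prints "<OK|MISSING|EMPTY> <conf>:<line> <path>" per directive.
# Returns 0 when every referenced file is usable, 1 otherwise.
check_cert_paths() {
    conf_dir=$1
    status=0
    # -i: directive names are case-insensitive; commented-out lines don't match.
    hits=$(grep -rHniE \
        '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' \
        "$conf_dir" 2>/dev/null) || true
    while IFS= read -r hit; do
        [ -n "$hit" ] || continue
        file=${hit%%:*}; rest=${hit#*:}
        line=${rest%%:*}; directive=${rest#*:}
        name=$(printf '%s\n' "$directive" | awk '{print tolower($1)}')
        path=$(printf '%s\n' "$directive" | awk '{print $2}' | tr -d '"')
        # -e follows symlinks, so a dangling link in live/ counts as MISSING.
        if [ ! -e "$path" ]; then
            state=MISSING; status=1
        elif [ ! -s "$path" ]; then
            state=EMPTY; status=1
        else
            state=OK
        fi
        printf '%s %s:%s %s\n' "$state" "$file" "$line" "$path"
        # For usable certificate files, show who issued them and when they
        # expire, so a leftover certificate from another CA stands out.
        if [ "$state" = OK ] && [ "$name" = sslcertificatefile ] &&
           command -v openssl >/dev/null 2>&1; then
            openssl x509 -in "$path" -noout -issuer -enddate 2>/dev/null |
                sed 's/^/    /' || true
        fi
    done <<EOF
$hits
EOF
    return "$status"
}

# Run against a directory given on the command line, e.g. /etc/apache2.
if [ "$#" -gt 0 ]; then
    check_cert_paths "$1"
fi
```

Saved as a script and run with sudo against /etc/apache2, it reads the same directives that apache2ctl -S parses, but reports all of them in one pass instead of stopping at the first failure.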
