Certificate is only for local domain (.home)

Hello,

I have a “server” on my local network which I can access through server.home.
I have a public domain which points to that server. It is not secure (http) so I want to secure it with certbot.
I used certbot --apache which generates me a certificate for server.home but not for the domain. How do I let certbot know that I want a certificate for the public domain?

~The_Red_Freak

Hi @The_Red_Freak,

Let’s Encrypt would not be able to issue you a certificate for the name server.home… did you mean to say that Certbot is trying to request a certificate for server.home, or did you see the “Congratulations!” message at the end of the process?

When you run certbot --apache, it tries to find all of the virtual hosts in your existing Apache configuration and offer to request a certificate for each of them. You can specify a particular domain name to request a certificate for with a -d option, like certbot --apache -d example.com (but if Certbot didn’t manage to find that name in your existing Apache configuration, it may also not know how to install the resulting certificate correctly after obtaining it).


I saw a "Congratulations!"
Here’s a pic of the certificate: http://prntscr.com/g9tzhw
It’s in German, because I’m Austrian.

I think something more complicated is going on and I would like to see the output from Certbot in that case.

If you look at the following line, it says “Ausgestellt von: Avast Web/Mail Shield Self-signed Root”. If that were a Let’s Encrypt certificate, it should instead probably say “Ausgestellt von: Let’s Encrypt Authority X3”.

What you’re seeing here when you look at the site from that particular PC is that your Avast antivirus is intercepting the HTTPS connection in order to perform a virus scan of the content. Then it is re-encrypting the content using its own internal root certificate. This process hides from you what the underlying certificate (if any) actually was.

Does it make a significant difference if the site is behind CloudFlare?
(I’m currently running Certbot. I am providing output in next post)

Yes, certbot --apache doesn't work behind CloudFlare. You would need to use --webroot instead. (Or -a webroot -i apache if you want Certbot to install the certificate for you after it's obtained.)
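As an added example (not from the thread and not Certbot's own code), the Python below reproduces the webroot side of the http-01 challenge that --webroot relies on, which is why it keeps working through a TLS-terminating proxy: the CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, and the proxy forwards that request to the origin, whereas the apache authenticator at the time validated over a TLS connection that a CDN sitting in front answers itself. The account key and token are constructed placeholders, and the verifier function stands in for the CA's fetch.

```python
"""Webroot side of the ACME http-01 challenge (added illustration, not Certbot's code).

The CA asks for http://<domain>/.well-known/acme-challenge/<token> and expects the
"key authorization" (token + "." + account-key thumbprint, RFC 8555) as the body.
Anything proxying HTTP to the origin passes that request through, so the origin never
has to be reachable over TLS directly for this challenge type.
"""
import base64
import hashlib
import json
import os
import tempfile

ACME_CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects: binds the token to this account key, not just to the host."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization where the web server will serve it; returns the path."""
    path = os.path.join(webroot, ACME_CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def verify_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """Stand-in for the CA's fetch: read the served body and compare with the expected value."""
    path = os.path.join(webroot, ACME_CHALLENGE_DIR, token)
    try:
        with open(path, encoding="ascii") as fh:
            body = fh.read().strip()
    except OSError:
        return False
    return body == key_authorization(token, jwk)


# Constructed sample account key (public members only) and token; placeholders, not real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}
SAMPLE_TOKEN = "constructed-token-Qz5hL3v9Yw"


def demo() -> bool:
    """Round trip in a temporary webroot: correct key verifies, a different account key does not."""
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        ok = verify_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        other_account = dict(SAMPLE_JWK, n="another-placeholder-modulus")
        return ok and not verify_challenge(webroot, SAMPLE_TOKEN, other_account)


if __name__ == "__main__":
    print("http-01 webroot round trip:", demo())
```

The directory under the webroot must stay reachable over plain HTTP on port 80 for the name being validated; if the site's HTTP virtual host does not serve that path, the CA's fetch fails before any certificate is issued.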

I have now used certbot --webroot -i apache and I get this output and this debug log file. But now it says: Valid certificate. But there’s still the red https thing next to the URL address bar.
Edit:
Also it says:

This page is not secure (broken HTTPS).

What I’m seeing right now is that you have a valid certificate from Comodo, not from Let’s Encrypt. Perhaps this is a previous certificate that’s still installed and that’s taking priority over the Let’s Encrypt certificate? It’s clear that Let’s Encrypt did successfully issue you some certificates:

https://crt.sh/?Identity=%thefreaks.eu&iCAID=16418

If you get contradictory security indications, it can often be due to mixed content (loading some site resources over HTTP when the main page is HTTPS). One tool to diagnose that is

https://whynopadlock.com/

That’s not related to the issue about your certificate, but can be a helpful way to look into why the browser sometimes appears to contradict itself (for example, saying that the certificate is valid but that the page isn’t “secure”).
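Three different issuers show up for the same site in the posts above: Avast's self-signed root on the client PC, a Comodo certificate served from CloudFlare's edge, and the Let's Encrypt certificate the origin was actually issued. The quickest way to tell them apart is to look at the issuer and the covered names of whatever certificate an endpoint presents, and, behind a CDN, to connect to the origin's address directly while still sending the site name as SNI. The following Python is an added example (not code from the thread or from Certbot); the sample certificate dicts are constructed in the layout Python's getpeercert() returns, with example.com standing in for the real domain.

```python
"""Which certificate does a TLS endpoint actually present? (added example)

Classify a peer certificate by its issuer, check which names it covers, and fetch one
from a live endpoint, optionally from the origin's address with the site name as SNI
so that a CDN in front is bypassed.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

PeerCert = dict  # the dict layout returned by ssl.SSLSocket.getpeercert()


def _rdn(name: Tuple, attr: str) -> str:
    """Pull one attribute (e.g. 'organizationName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def classify_issuer(cert: PeerCert) -> str:
    """Map the issuer to what it means when debugging a Certbot deployment."""
    issuer = cert.get("issuer", ())
    org = _rdn(issuer, "organizationName")
    cn = _rdn(issuer, "commonName")
    if org == "Let's Encrypt":
        return "letsencrypt"                      # the certificate Certbot obtained
    if issuer == cert.get("subject") or "Self-signed" in cn:
        return "self-signed/local-interception"   # e.g. an antivirus re-encrypting traffic
    if "COMODO" in org.upper() or "CLOUDFLARE" in org.upper():
        return "cdn-edge"                         # the CDN's certificate, not the origin's
    return "other"


def covered_names(cert: PeerCert) -> List[str]:
    """DNS names the certificate is valid for (SANs, falling back to the subject CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _rdn(cert.get("subject", ()), "commonName")
    return names or ([cn] if cn else [])


def name_covered(cert: PeerCert, hostname: str) -> bool:
    """Hostname match as browsers do it: exact, or one wildcard for the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in covered_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def inspect_tls(sni: str, connect_to: Optional[str] = None, port: int = 443,
                timeout: float = 5.0) -> Dict[str, object]:
    """Fetch and summarise the certificate presented for `sni`.

    connect_to points at the origin's IP while the site name still goes out as SNI,
    which is how to see the origin's own certificate behind a CDN. Verification stays
    on: with it switched off getpeercert() returns an empty dict, so a verification
    error is reported instead of being hidden.
    """
    target = connect_to or sni
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except OSError as exc:                        # ssl.SSLError is an OSError subclass
        return {"sni": sni, "connect_to": target, "error": str(exc)}
    return {
        "sni": sni,
        "connect_to": target,
        "issuer": _rdn(cert["issuer"], "organizationName") or _rdn(cert["issuer"], "commonName"),
        "kind": classify_issuer(cert),
        "names": covered_names(cert),
        "covers_sni": name_covered(cert, sni),
        "not_after": cert.get("notAfter"),
    }


# Constructed sample dicts in getpeercert() layout, modelled on the three issuers
# described in the thread; example.com stands in for the real site.
LE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Nov 14 12:00:00 2017 GMT",
}
AVAST_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Avast Web/Mail Shield Self-signed Root"),),),
}
CDN_CERT = {
    "subject": ((("commonName", "constructed-shared-edge-cert"),),),
    "issuer": ((("organizationName", "COMODO CA Limited"),),
               (("commonName", "constructed-cdn-intermediate"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                       ("DNS", "*.other-tenant.example.net")),
}

if __name__ == "__main__":
    for label, cert in (("origin", LE_CERT), ("client AV", AVAST_CERT), ("CDN edge", CDN_CERT)):
        print(f"{label:10} {classify_issuer(cert):32} covers www: {name_covered(cert, 'www.example.com')}")
```

Calling inspect_tls("example.com") shows what the public sees (behind CloudFlare, the edge certificate), while inspect_tls("example.com", connect_to="ORIGIN_IP") with the origin's address (a placeholder; the thread does not give one) shows the certificate the origin itself presents, which is where a Certbot-installed certificate would appear. A shared edge certificate also lists other tenants' names, which is a quick tell that it is not the origin's own.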

I have never installed any certificates on this machine before, so maybe it is from CloudFlare?

Erm, that is weird. I now have a padlock next to the URL, but the certificate is not from Let’s Encrypt.
Picture

Yes, so I was focused on understanding what went wrong with Certbot and I somehow forgot to mention the far more important point that if you're using CloudFlare, a Let's Encrypt certificate is likely to be virtually worthless to you because they provide TLS termination for you, including getting a certificate for you. Instead, you can use a CloudFlare-issued origin certificate.

(That solution doesn't work if you need to be able to access the origin server directly from a normal web browser.)

Oh, ok. But I have seen that I can upload a custom one. Is it possible to upload the certbot-generated file or do I have to use the CloudFlare certificate?

If it’s not a paid plan, I believe that the custom certificate is then used only between your site and CloudFlare, and not between CloudFlare and the general public. But you can certainly use it for that case.

I can upload a custom certificate but I don’t know where they are on the local machine, and I don’t know which file to upload.
Can you help me with that?

Do you mean that you can upload a custom certificate to CloudFlare in order to tell CloudFlare to trust it between CloudFlare and your origin server? But if it’s your Let’s Encrypt certificate, there would be no need to do so because CloudFlare already trusts Let’s Encrypt certificates.

Or do you mean that you can upload a custom certificate to CloudFlare in order for CloudFlare to show that certificate, because you have a CloudFlare plan that permits this?

Oh yeah, I just noticed that I have to pay to upload the certificate.
But I really want to thank you for your support!
