Certificate not found


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kaskie-family.no-ip.org

I ran this command:
installed the cert

It produced this output:

My web server is (include version): apache2

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: home server on Ubuntu 16

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m picking up from this question that was closed because I was unable to reply.

Here are the results of the commands that I was asked to run:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: kaskie-family.no-ip.org
    Domains: kaskie-family.no-ip.org
    Expiry Date: 2018-08-18 01:15:11+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
  Certificate Name: wafka.no-ip.org
    Domains: wafka.no-ip.org
    Expiry Date: 2018-08-18 01:37:04+00:00 (VALID: 47 days)
    Certificate Path: /etc/letsencrypt/live/wafka.no-ip.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wafka.no-ip.org/privkey.pem
-------------------------------------------------------------------------------

$ grep -Eri 'servername|serveralias' /etc/apache2
/etc/apache2/conf-available/servername.conf:ServerName localhost
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/apache2.conf:ServerName localhost
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf: ServerAlias wayne
/etc/apache2/sites-available/default-ssl.conf: ServerName 127.0.1.1
/etc/apache2/sites-available/default-ssl.conf: ServerName kaskie-owncloud.ddns.net
/etc/apache2/sites-available/default-ssl.conf: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-available/default-ssl.conf: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-owncloud.ddns.net
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerAlias www.kaskie-family.no-ip.org

$ grep -Eri 'SSLProtocol|SSLCipherSuite' /etc/apache2
/etc/apache2/mods-available/ssl.conf: SSLCipherSuite HIGH:!aNULL
/etc/apache2/mods-available/ssl.conf: # the CPU cost, and did not override SSLCipherSuite in a way that puts
/etc/apache2/mods-available/ssl.conf: SSLProtocol all -SSLv3

$ netstat -pant | grep -i listen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32400 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:32401 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37076 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:32600 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::4190 :::* LISTEN -
tcp6 0 0 :::993 :::* LISTEN -
tcp6 0 0 :::995 :::* LISTEN -


#2

@_az


#3

Hi @wkaskie,

Can you please try to

cat /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem (please just execute this command and see if there’s an output, do not share that output…)

P.S. I personally suggest you create your own 443 vHost…

Thank you


#4

fullchain.pem doesn’t contain any secret information (it doesn’t include any private keys), so all of this information would also be available on crt.sh or elsewhere.


#5

True…

(I’m just trying to confirm if that’s right or not… Don’t want to make the topic length longer…)

I hate scrolling down…lol


#6

yes, my key is visible


#7

One new piece of information. I originally received a “permission denied” error when trying to cat out the fullchain.pem. Reran the command with sudo and it showed the cert.

So, I reran apachectl configtest with sudo and that showed syntax OK.

So, I tried restarting apache2 with sudo privileges and it didn’t help. :frowning:


#8

I was able to see my key. Any other thoughts?


#9

I didn’t see what problems you’re reporting here but when I visit https://kaskie-family.no-ip.org/ I see that your server is misconfigured and is speaking HTTP instead of HTTPS on port 443. This usually means that you have an Apache virtualhost somewhere that refers to port 443 but doesn’t include the HTTPS directives such as SSLEngine on. Your virtualhost for the actual site might be just fine, but the presence of an HTTP virtualhost on port 443 elsewhere in your Apache configuration can still produce this error.


#10

Hi! thanks for your help. I was missing SSLEngine on, so I added it. Now, when I try to restart the server I get errors:

[Fri Jul 06 15:31:25.954254 2018] [ssl:emerg] [pid 3703] AH02572: Failed to configure at least one certificate and key for kaskie-owncloud.ddns.net:443
[Fri Jul 06 15:31:25.954310 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jul 06 15:31:25.954320 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jul 06 15:31:25.954336 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jul 06 15:31:25.954339 2018] [ssl:emerg] [pid 3703] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

#11

I fixed the configuration. I had a 2nd virtual host that wasn’t set up correctly, so I deleted it. I completely stopped apache and then started it again, no errors this time. But my site still doesn’t work.


#12

You can’t just add SSLEngine on by itself; it also needs a certificate and private key. If you don’t have those available, then you can’t have HTTPS in that virtualhost… in which case that particular virtualhost shouldn’t be listening on port 443 at all.


#13

It looks like you still have some virtualhost that listens on port 443 without HTTPS.


#14

letsencrypt added the certs, etc. That was already there. I was missing the SSLEngine On, though. Below is my default-ssl.conf file.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName 127.0.1.1
                DocumentRoot "/var/www"
                SSLEngine Off
        </VirtualHost>
        <VirtualHost _default_:443>
                ServerAdmin waynekaskie@gmail.com
                ServerName kaskie-family.no-ip.org
                ServerAlias www.kaskie-family.no-ip.org
                SSLEngine On
                DocumentRoot "/var/www/html"

                SSLCertificateFile /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/kaskie-family.no-ip.org/chain.pem
                Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

#15

You were right!!! I got rid of the 127.0.1.1 host and it works now!

Thank you for all of your help!!!
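
The diagnosis reached in this thread (a virtualhost bound to port 443 that cannot actually serve HTTPS) can be checked mechanically. The following is an added example, not part of any post and not certbot or Apache code: a Python scan whose function names are hypothetical and whose sample config is constructed from the default-ssl.conf posted above. It assumes a single file's text, does not follow Include lines, and ignores server-level inheritance.

```python
import re

# Constructed sample modelled on the default-ssl.conf posted in the thread.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName 127.0.1.1
        DocumentRoot "/var/www"
        SSLEngine Off
    </VirtualHost>
    <VirtualHost _default_:443>
        ServerName kaskie-family.no-ip.org
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
    </VirtualHost>
</IfModule>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)

def directives(body):
    """Map lower-cased directive name -> last value seen, skipping comments."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            found[name.lower()] = rest[0].strip() if rest else ""
    return found

def audit_443_vhosts(conf_text):
    """Return (ServerName, problem) for each :443 vhost that cannot serve TLS."""
    findings = []
    for addrs, body in VHOST_RE.findall(conf_text):
        if not any(a.endswith(":443") for a in addrs.split()):
            continue  # only vhosts bound to port 443 matter here
        d = directives(body)
        name = d.get("servername", "(no ServerName)")
        # Assumption: SSLEngine is treated as off unless set inside the block.
        if d.get("sslengine", "off").lower() != "on":
            findings.append((name, "SSLEngine is not on: plain HTTP on 443"))
        elif "sslcertificatefile" not in d:
            findings.append((name, "SSLEngine on without SSLCertificateFile"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_443_vhosts(SAMPLE_CONF):
        print(f"{name}: {problem}")
```

A vhost that gets `SSLEngine on` only through an included file (such as certbot's options-ssl-apache.conf) would be flagged here, so treat findings as pointers to review rather than verdicts.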

