Certificate not found

wkaskie · July 2, 2018, 1:38am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kaskie-family.no-ip.org

I ran this command:
installed the cert

It produced this output:

My web server is (include version): apache2

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: home server on Ubuntu 16

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I'm picking up from this question that was closed because I was unable to reply.

Here are the results of the commands that I was asked to run:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: kaskie-family.no-ip.org
    Domains: kaskie-family.no-ip.org
    Expiry Date: 2018-08-18 01:15:11+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
  Certificate Name: wafka.no-ip.org
    Domains: wafka.no-ip.org
    Expiry Date: 2018-08-18 01:37:04+00:00 (VALID: 47 days)
    Certificate Path: /etc/letsencrypt/live/wafka.no-ip.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wafka.no-ip.org/privkey.pem
-------------------------------------------------------------------------------

$ grep -Eri 'servername|serveralias' /etc/apache2
/etc/apache2/conf-available/servername.conf:ServerName localhost
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/apache2.conf:ServerName localhost
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf: ServerAlias wayne
/etc/apache2/sites-available/default-ssl.conf: ServerName 127.0.1.1
/etc/apache2/sites-available/default-ssl.conf: ServerName kaskie-owncloud.ddns.net
/etc/apache2/sites-available/default-ssl.conf: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-available/default-ssl.conf: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/default.conf: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-owncloud.ddns.net
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName wafka.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerAlias www.kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerName kaskie-family.no-ip.org
/etc/apache2/sites-enabled/backup-default-ssl.bak: ServerAlias www.kaskie-family.no-ip.org

$ grep -Eri 'SSLProtocol|SSLCipherSuite' /etc/apache2
/etc/apache2/mods-available/ssl.conf: SSLCipherSuite HIGH:!aNULL
/etc/apache2/mods-available/ssl.conf: # the CPU cost, and did not override SSLCipherSuite in a way that puts
/etc/apache2/mods-available/ssl.conf: SSLProtocol all -SSLv3

$ netstat -pant | grep -i listen
(Not all processes could will not be shown, you tcp 0 0 127.0.0.1:3306 tcp 0 0 0.0.0.0:110 tcp 0 0 0.0.0.0:143 tcp 0 0 0.0.0.0:32400 tcp 0 0 0.0.0.0:465 tcp 0 0 127.0.0.1:32401 tcp 0 0 127.0.0.1:37076 tcp 0 0 192.168.122.1:53 tcp 0 0 0.0.0.0:22 tcp 0 0 127.0.0.1:32600 tcp 0 0 0.0.0.0:25 tcp 0 0 0.0.0.0:4190 tcp 0 0 0.0.0.0:993 tcp 0 0 0.0.0.0:995 tcp6 0 0 :::110 tcp6 0 0 :::143 tcp6 0 0 :::80 tcp6 0 0 :::22 tcp6 0 0 :::443 tcp6 0 0 :::4190 tcp6 0 0 :::993 tcp6 0 0 :::995 be identified, non-owned process info
would have to be root to see it all.)
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
0.0.0.0:* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -
:::* LISTEN -

stevenzhu · July 2, 2018, 2:43am

@_az

stevenzhu · July 2, 2018, 2:45am

Hi @wkaskie,

Can you please try to

cat /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem (please just execute this command and see if there’s an output, do not share that output…)

P.S. i personally suggest you to create your own 443 vHost…

Thank you

schoen · July 2, 2018, 4:49am

fullchain.pem doesn't contain any secret information (it doesn't include any private keys), so all of this information would also be available on crt.sh or elsewhere.

stevenzhu · July 2, 2018, 4:51am

True....

(I'm just trying to confirm if that's right or not.... Don't want to make the topic length longer.....)

I hate scroll down...lol

wkaskie · July 2, 2018, 11:42pm

yes, my key is visible

wkaskie · July 2, 2018, 11:47pm

One new piece of information. I originally a received “permission denied” error, when trying to cat out the fullchain.pem. Reran the command with sudo and showed the cert.

So, I reran apachectl configtest with sudo and that showed syntax OK.

So, I tried restarting apache2 with sudo privileges and it didn’t help.

wkaskie · July 6, 2018, 6:21pm

I was able to see my key. Any other thoughts?

schoen · July 6, 2018, 7:11pm

I didn’t see what problems you’re reporting here but when I visit https://kaskie-family.no-ip.org/ I see that your server is misconfigured and is speaking HTTP instead of HTTPS on port 443. This usually means that you have an Apache virtualhost somewhere that refers to port 443 but doesn’t include the HTTPS directives such as SSLEngine on. Your virtualhost for the actual site might be just fine, but the presence of an HTTP virtualhost on port 443 elsewhere in your Apache configuration can still produce this error.

wkaskie · July 6, 2018, 7:33pm

Hi! thanks for your help. I was missing SSLEngine on, so I added it. Now, when I try to restart the server I get errors:

[Fri Jul 06 15:31:25.954254 2018] [ssl:emerg] [pid 3703] AH02572: Failed to configure at least one certificate and key for kaskie-owncloud.ddns.net:443
[Fri Jul 06 15:31:25.954310 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jul 06 15:31:25.954320 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Jul 06 15:31:25.954336 2018] [ssl:emerg] [pid 3703] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Jul 06 15:31:25.954339 2018] [ssl:emerg] [pid 3703] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

wkaskie · July 6, 2018, 7:46pm

I fixed the configuration. I had a 2nd virtual host that wasn’t set up correctly, so I deleted it. I completely stopped apache and then started it again, no errors this time. But my site still doesn’t work.

schoen · July 6, 2018, 7:47pm

You can't just add SSLEngine on by itself; it also needs a certificate and private key. If you don't have those available, then you can't have HTTPS in that virtualhost... in which case that particular virtualhost shouldn't be listening on port 443 at all.

schoen · July 6, 2018, 7:48pm

It looks like you still have some virtualhost that listens on port 443 without HTTPS.

wkaskie · July 7, 2018, 7:03pm

letsencrypt added the certs, etc. That was already there. I was missing the SSLEngine On, though. Below is my default-ssl.conf file.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName 127.0.1.1
                DocumentRoot "/var/www"
                SSLEngine Off
        </VirtualHost>
        <VirtualHost _default_:443>
                ServerAdmin waynekaskie@gmail.com
                ServerName kaskie-family.no-ip.org
                ServerAlias www.kaskie-family.no-ip.org
                SSLEngine On
                DocumentRoot "/var/www/html"

                SSLCertificateFile /etc/letsencrypt/live/kaskie-family.no-ip.org/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/kaskie-family.no-ip.org/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/kaskie-family.no-ip.org/chain.pem
                Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

wkaskie · July 7, 2018, 7:05pm

You were right!!! I got rid of the 127.0.1.1 host and it works now!

Thank you for all of your help!!!

system · August 6, 2018, 7:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate is not Valid Help	10	12704	June 19, 2018
Error With Website Certificate Help	7	1296	April 15, 2022
Old problem fixed Help	13	1371	June 14, 2020
No certificate found Help	2	1664	August 1, 2020
Wheres my certificate Help	2	819	May 29, 2019

Certificate not found

Related topics