Certificate not trusted on alternate domain/domain not detected by certbot (https line through it)

I have donated $25 dollars because I am very thankful of the service, however,
I tried following this article [Solved] Certificate Not Trusted to fix the “certificate not trusted issue.” but i get internal service error after adding the new lines of code to .htaccess. I had a buddy go to my domain and he said there was a line through the HTTPS symbol but on localhost this doesn’t happen.

My domains are:
https://www.groupfinder.cc
https://www.techmasterdesign.com

I ran this command: certbot --apache

It produced this output: worked perfectly, HTTPS is working

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25

The operating system my web server runs on is (include version):
Ubuntu LTS 18.04

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes, ssh

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): cerbot 1.7.0

1 Like

That site works fine.

This one is providing a certificate for a whole different server.

What lines did you actually add? And why did you add them to a .htaccess? That’s not a very good place to modify TLS settings.

1 Like
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

Thank you for your help
Where should lines I add those if not to .htaccess?
I wonder why https://www.groupfinder.cc is providing a cert for a whole different server, maybe because it’s a different domain other than the one configured with cerbot? (I only configured www.techmasterdesign.com with certbot)

1 Like

To the appropriate <VirtualHost *:443> block. Of those 4 options, only SSLOptions is allowed in a .htaccess. Please read the documentation about options if you don’t understand or know enough about them:

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslengine
https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile

I have no idea how TLS was configured on that hostname. As far as I can tell, there is no TLS configured for that hostname.

1 Like

Ok I went ahead and read about it. Primarily I tried to edit /etc/httpd/httpd.conf but with apache on ubuntu that file doesn’t exist, so the guide I read said to edit /etc/apache2/apache.conf or create a file named httpd.conf in the root apache2 dir and reference it from apache.conf. I did this and now no more internal service error, so that’s good. However, https://www.groupfinder.cc is still showing an invalid certificate. Is there a way to run cerbot --apache again and specify the groupfinder.cc domain so it can set up HTTPS? I have already used cerbot to set up HTTPS on my main domain (www.techmasterdesign.com) Thank you for your help.

1 Like

If your Apache is configured properly, certbot would identify both hostnames and give you the option to get a certificate for the other hostname too. But as I said, if Apache is configured properly.

1 Like
Name:    groupfinder.cc
Address:  184.168.131.241
Aliases:  www.groupfinder.cc

Name:    gscottmalibu.mynetgear.com
Address:  47.6.109.242
Aliases:  www.techmasterdesign.com
1 Like

It seems that going to www.groupfinder.cc does not return the invalid certificate and works perfectly with a valid certificate, but going to https://www.groupfinder.cc returns the invalid certificate. I wonder how the apache server is misconfigured, possibly because I only have my main www.techmasterdesign.com domain in the apache2.conf file and .htaccess?

apache2.conf looks like:

# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf-enabled
#	|	`-- *.conf
# 	`-- sites-enabled
#	 	`-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default

#
# The directory where shm and other runtime files will be stored.
#

DefaultRuntimeDir ${APACHE_RUN_DIR}

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#HTTPS SSL
<VirtualHost *:443>
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/www.techmasterdesign.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.techmasterdesign.com/privkey.pem

.htaccess looks like:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
ErrorDocument 404 /apachehandlers/404.html
ErrorDocument 403 /apachehandlers/403.html
1 Like

Unless I’m mistaken, those are two completely different locations.
Thus the completely different certs.

1 Like

You mean http://www.groupfinder.cc ? Well, that URL redirects to http://www.techmasterdesign.com/groupfinder (which in turn redirects to the HTTPS site), which is a totally different hostname! You don’t have a certificate for groupfinder.cc or www.groupfinder.cc. Never issued. But that’s not strange if you haven’t used certbot to get one for that hostname(s).

You shouldn’t put <VirtualHost> sections in that configuration file. The directory /sites-available/ should be used for that. With one <VirtualHost> section per file.

It’s also better to include most if not all Apache directives in a configuration file. Preferably in the appropriate <VirtualHost> section if possible/indicated.

1 Like

A certificate doesn’t like or dislike anything. It’s the browser not seeing the correct certificate for a certain hostname.

Changing the redirect from a site without a valid certificate to another site without a valid certificate doesn’t change anything!

Please read more information about how certificates work.

1 Like

the forward on groupfinder.cc with godaddy was setup with http, changing to https. I forgot to change it. I think that’s why the https directive on groupfinder.cc was returning an invalid cert. (This didn’t help) Also, I noticed that

 SSLCertificateFile /etc/letsencrypt/live/www.techmasterdesign.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.techmasterdesign.com/privkey.pem

are already part of 000-default-le-ssl.conf (I presume certbot makes another ssl.conf so that it can delete it to rollback), do they also need to be apart of 000-default.conf and default-ssl.conf as well? I’m pretty sure that certbot --apache will not detect the www.groupfinder.cc domain (I’m pretty sure i had the domain before i ran the certbot command), what should I do with my apache configuration to allow certbot to detect my other domain?

This is what the 000-default-le-ssl.conf file looks like:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName www.techmasterdesign.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


Include /etc/letsencrypt/options-ssl-apache.conf
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/www.techmasterdesign.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.techmasterdesign.com/privkey.pem
</VirtualHost>
</IfModule>
1 Like

Thank you so much for your generous donation. :grinning:

I don’t want to interject too much into the mix, but according to the official apache documentation for .htaccess:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server.

1 Like

Thank you guys both for the info and the bot of course! I think it’s not a big deal to leave the configuration the way it is considering http://www.groupfinder.cc works fine, www.groupfinder.cc works fine and so does https://www.techmasterdesign.com. The only domain with trouble is https://www.groupfinder.cc. I just dunno how to get certbot to detect the other domain (presumably have to change the apache configuration somehow). I will move .htaccess contents into the apache2.conf (Except error document handlers, they have trouble when placed in apache2.conf). Also, godaddy is set up to redirect groupfinder.cc to techmasterdesign.com, im going to try changing the CNAME and WWW of groupfinder.cc to techmasterdesign.com instead of using forwarding.

2 Likes

I use GoDaddy for many sites for both registration and hosting. If you are using domain forwarding via the interface on the GoDaddy website, be cautious if you mess with the DNS records directly (the A record especially). GoDaddy tends to handle a lot of things internally. Just be sure that you are forwarding to https for the target domain with a permanent 301 redirect.

I also have a couple of curiosities:

www.groupfinder.cc. 599 IN CNAME groupfinder.mooo.com.

www.techmasterdesign.com. 3599 IN CNAME gscottmalibu.mynetgear.com.

1 Like

a CNAME is a CNAME.
[As long as they end up returning the correct IP]

But I still see dissimilar IPs:
[could that be part of the problem - I ask (after showing this issue twice before)]

Name:    techmasterdesign.com
Address:  47.6.109.242

Name:    gscottmalibu.mynetgear.com
Address:  47.6.109.242
Aliases:  www.techmasterdesign.com

Name:    groupfinder.cc
Address:  47.6.109.242

And to add some complexity to the problem:
The www returns yet a different (set of) IPs.

Name:    www.groupfinder.cc
Addresses:  23.217.138.108
          23.202.231.167
1 Like

I think there’s a circularish resolution problem of some kind.

1 Like

Nah, I think he is trying to use a web page to forward where a CNAME would work MUCH better.

[LE will NOT follow a webpage forward]

1 Like

He admitted that he was using GoDaddy to do the forwarding. Messing with the DNS records (aside from MX) has been, in my personal experience, bad juju when using GoDaddy’s forwarding function. In my experience they don’t let you forward PART of a domain (meaning forward the apex and not the subdomains).

1 Like

It is a tricky situation trying to CNAME the apex.

1 Like