Certificate not valid


#1

Hi,

I just created a certificate in a server where I host multiple virtual accounts and I get an error saying that the certificate is invalid.

My domain is: www.vanguardmagic.com

In the letsencrypt log file there is no error. I re-created the certificate several times but the error persist.

My web server is (include version): Apache 2.4.10

The operating system my web server runs on is (include version): debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks


#2

Hi @GonzaloSP,

The problem is that the certificate you have issued only covers vanguardmagic.com but not www.vanguardmagic.com and you are redirecting all connections from vanguardmagic.com to www.vanguardmagic.com so the certificate is not valid for this subdomain. You should create a certificate covering both names.

What command did you use to issue your certificate?.

Cheers,
sahsanu


#3

sahsanu, of course that was the problem. Thank you very much.

I created the certificate using sudo certbot --authenticator standalone --installer apache -d vanguardmagic.com

Should I run sudo certbot --authenticator standalone --installer apache -d www.vanguardmagic.com as well?

Very appreciated!


#4

You should create a certificate covering both names:

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

I’ve added two new params, --cert-name vanguardmagic.com that will use the already created dir structure inside /etc/letsencrypt/ and a new -d param, -d www.vanguardmagic.com that will also cover your www subdomain.

Are you using standalone authentication for some reason?. I’m asking because this authentication method requires to stop your webserver and once renewed the cert, start it again, maybe you should use apache as authenticator too.

sudo certbot --authenticator apache --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

Cheers,
sahsanu


#5

@sahsanu I am using the standalone version in debian because it wasn’t in the repository the first time I installed.

Regarding the command that you suggested I got the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.


#6

@GonzaloSP, with standalone I mean the authentication method, I’m not talking about certbot package. By the way, what is your certbot version?

sudo certbot --version


#7

@sahsanu the version is certbot 0.10.2


#8

That version is too old, could you please try this command?:

sudo certbot --authenticator apache --installer apache --preferred-challenges http-01 -cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com


#9

I will try to update it soon.
When I run that command I get

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: File not found: ert-name


#10

Ok, then lets continue with the standalone method that works for you.

sudo certbot --authenticator standalone --installer apache 
--cert-name vanguardmagic.com -d vanguardmagic.com -d 
www.vanguardmagic.com

#11

Wait, I didn’t see the error, sorry, I forgot a dash in the param --cert-name:

sudo certbot --authenticator apache --installer apache --preferred-challenges http-01 --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com


#12

@sahsanu

Thanks for all the time dedicated to this.
I got this answer:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


Confirm that you intend to update certificate vanguardmagic.com to include
domains [u’vanguardmagic.com’, u’www.vanguardmagic.com’]. Note that it
previously contained domains [u’vanguardmagic.com’].

(U)pdate cert/©ancel: U
Renewing an existing certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin


#13

Ok, that is because your old version, then use standalone authentication.

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com


#14

@sahsanu again I got another error (although apache was off):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


Confirm that you intend to update certificate vanguardmagic.com to include
domains [u’vanguardmagic.com’, u’www.vanguardmagic.com’]. Note that it
previously contained domains [u’vanguardmagic.com’].

(U)pdate cert/©ancel:
(U)pdate cert/©ancel: U
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vanguardmagic.com
http-01 challenge for www.vanguardmagic.com


The program apache2 (process ID 12150) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again.

Press Enter to Continue
Cleaning up challenges
At least one of the required ports is already taken.


#15

Yes, you must stop apache before issuing the command and start it again once done. And add pre-hook and post-hook commands so it can be done automatically in next renewal

sudo service apache2 stop

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'

sudo service apache2 start


#16

Yes, I got that error before, even with apache off, the only was to set it up was the one I mentioned before for some reason.


#17

Solution:

For some reason I had to stop mysqld and apache in order to renew the certificates. In fact, certbot tells you the ID of the process that has taken the port, so I kill the two process by using their ID and then I ran:

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

That solved the issue.
Thank you @sahsanu for the guidance!