Certificate not valid

GonzaloSP · November 2, 2018, 11:49am

Hi,

I just created a certificate in a server where I host multiple virtual accounts and I get an error saying that the certificate is invalid.

My domain is: www.vanguardmagic.com

In the letsencrypt log file there is no error. I re-created the certificate several times but the error persist.

My web server is (include version): Apache 2.4.10

The operating system my web server runs on is (include version): debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks

sahsanu · November 2, 2018, 11:57am

Hi @GonzaloSP,

The problem is that the certificate you have issued only covers vanguardmagic.com but not www.vanguardmagic.com and you are redirecting all connections from vanguardmagic.com to www.vanguardmagic.com so the certificate is not valid for this subdomain. You should create a certificate covering both names.

What command did you use to issue your certificate?.

Cheers,
sahsanu

GonzaloSP · November 2, 2018, 12:40pm

sahsanu, of course that was the problem. Thank you very much.

I created the certificate using sudo certbot --authenticator standalone --installer apache -d vanguardmagic.com

Should I run sudo certbot --authenticator standalone --installer apache -d www.vanguardmagic.com as well?

Very appreciated!

sahsanu · November 2, 2018, 12:45pm

You should create a certificate covering both names:

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

I've added two new params, --cert-name vanguardmagic.com that will use the already created dir structure inside /etc/letsencrypt/ and a new -d param, -d www.vanguardmagic.com that will also cover your www subdomain.

Are you using standalone authentication for some reason?. I'm asking because this authentication method requires to stop your webserver and once renewed the cert, start it again, maybe you should use apache as authenticator too.

sudo certbot --authenticator apache --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

Cheers,
sahsanu

GonzaloSP · November 2, 2018, 12:54pm

@sahsanu I am using the standalone version in debian because it wasn't in the repository the first time I installed.

Regarding the command that you suggested I got the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

sahsanu · November 2, 2018, 12:57pm

@GonzaloSP, with standalone I mean the authentication method, I’m not talking about certbot package. By the way, what is your certbot version?

sudo certbot --version

GonzaloSP · November 2, 2018, 1:00pm

@sahsanu the version is certbot 0.10.2

sahsanu · November 2, 2018, 1:10pm

That version is too old, could you please try this command?:

sudo certbot --authenticator apache --installer apache --preferred-challenges http-01 -cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

GonzaloSP · November 2, 2018, 1:18pm

I will try to update it soon.
When I run that command I get

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: File not found: ert-name

sahsanu · November 2, 2018, 1:21pm

Ok, then lets continue with the standalone method that works for you.

sudo certbot --authenticator standalone --installer apache 
--cert-name vanguardmagic.com -d vanguardmagic.com -d 
www.vanguardmagic.com

sahsanu · November 2, 2018, 1:24pm

Wait, I didn’t see the error, sorry, I forgot a dash in the param --cert-name:

sudo certbot --authenticator apache --installer apache --preferred-challenges http-01 --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

GonzaloSP · November 2, 2018, 1:39pm

@sahsanu

Thanks for all the time dedicated to this.
I got this answer:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

sahsanu · November 2, 2018, 1:42pm

Ok, that is because your old version, then use standalone authentication.

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

GonzaloSP · November 2, 2018, 1:54pm

@sahsanu again I got another error (although apache was off):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

(U)pdate cert/(C)ancel:
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vanguardmagic.com
http-01 challenge for www.vanguardmagic.com

The program apache2 (process ID 12150) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again.

Press Enter to Continue
Cleaning up challenges
At least one of the required ports is already taken.

sahsanu · November 2, 2018, 1:57pm

Yes, you must stop apache before issuing the command and start it again once done. And add pre-hook and post-hook commands so it can be done automatically in next renewal

sudo service apache2 stop

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'

sudo service apache2 start

GonzaloSP · November 2, 2018, 2:00pm

Yes, I got that error before, even with apache off, the only was to set it up was the one I mentioned before for some reason.

GonzaloSP · November 3, 2018, 3:42am

Solution:

For some reason I had to stop mysqld and apache in order to renew the certificates. In fact, certbot tells you the ID of the process that has taken the port, so I kill the two process by using their ID and then I ran:

sudo certbot --authenticator standalone --installer apache --cert-name vanguardmagic.com -d vanguardmagic.com -d www.vanguardmagic.com

That solved the issue.
Thank you @sahsanu for the guidance!

system · December 3, 2018, 3:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Certificate not valid

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

The program apache2 (process ID 12150) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again.

Certificate not valid

Confirm that you intend to update certificate vanguardmagic.com to include domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it previously contained domains [u'vanguardmagic.com'].

Confirm that you intend to update certificate vanguardmagic.com to include domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it previously contained domains [u'vanguardmagic.com'].

The program apache2 (process ID 12150) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the apache2 program temporarily and then try again.

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

Confirm that you intend to update certificate vanguardmagic.com to include
domains [u'vanguardmagic.com', u'www.vanguardmagic.com']. Note that it
previously contained domains [u'vanguardmagic.com'].

The program apache2 (process ID 12150) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again.