Certificate obtained but certificate on server is different from the new certificate


#1

My domain is:
adiutor.it

I ran this command:
./getssl -f adiutor.it

It produced this output:
Registering account
Verify each domain
Verifying adiutor.it
adiutor.it is already validated
Verifying www.adiutor.it
www.adiutor.it is already validated
Verifying gwhite.adiutor.it
gwhite.adiutor.it is already validated
Verifying pippicalzelunghe.adiutor.it
pippicalzelunghe.adiutor.it is already validated
Verifying vega.adiutor.it
vega.adiutor.it is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/adiutor.it/adiutor.it.crt
The intermediate CA cert is in /root/.getssl/adiutor.it/chain.crt
copying domain certificate to /etc/pki/tls/certs/adiutor.it.crt
copying private key to /etc/pki/tls/private/adiutor.it.key
copying CA certificate to /etc/pki/tls/chain.crt
reloading SSL services
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
getssl: adiutor.it - certificate obtained but certificate on server is different from the new certificate

My operating system is (include version):
CentOS release 5.11 (Final)

My web server is (include version):
Apache/2.2.3

My hosting provider, if applicable, is:
hetzner

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I cannot use certbot because the os version is quite old, so I decided to try getssl. Anyway, I have that final message “certificate on server is different from the new certificate” that kinda confuses me.
I’ve already read a similar Q&A, but unfortunately it does not apply to my use case.
As you can see I have some subdomains that I’d like to manage with the same cert.

In my httpd.conf I have this for example:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/adiutor.it.crt
SSLCertificateKeyFile /etc/pki/tls/private/adiutor.it.key
SSLCertificateChainFile /etc/pki/tls/chain.crt
ServerName vega.adiutor.it
[…]

Any suggestions?
Thanks in advance
Lorenzo


#2

Restart the Apache service so it uses the new certificate.


#3

Thanks ahaw021, but I have restarted apache every time I tried to change some settings and every time I ran getssl again, and of course it didn’t help :worried:


#4

Hello @lorenzo,

Your certificate has been provided by the Fake Let’s Encrypt CA that is used for testing; you should use the production Let’s Encrypt CA.

Edit: By default getssl uses the staging server, so that is the reason you are getting fake certs. In your getssl.cfg file you should comment out the CA variable for staging and uncomment the CA for production:

# The staging server is best for testing (hence set as default)
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"

Cheers,
sahsanu


#5

Hello @sahsanu,
I’ve already tried with the production CA, and the message is exactly the same.

Anyway the good news is that I can now access the secured website without any warning, so I guess now I should be fine with my current setup.
One of the latest things I had modified was changing the ServerName in the httpd.conf (which was vega.adiutor.it) and using ServerAlias instead. Maybe this thing helped, if anyone experiences the same issue.

Thank you all
Lorenzo


#6

I suppose you mean the message from getssl, which is correct, but for your web site I can see you get the right certs, so it is working fine now.

One thing you should check, at least with https://adiutor.it, is the mixed content message you will receive because you are accessing an https page but you have some links pointing to an http site. I mean, your site is trying to get a font from http://fonts.googleapis.com/css?family=Open+Sans:400italic,600italic,400,600 and it should be https://fonts.googleapis.com/css?family=Open+Sans:400italic,600italic,400,600

Also, you should check your SSL config because it allows the SSL3 protocol and vulnerable ciphers, and it shouldn’t… you could check the health of your configuration at ssllabs. On this site you can get recommended configurations based on your web server, the type of ciphers you want to use and the version of openssl that is used in your O.S.

Good luck,
sahsanu
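The getssl message in #1 means the certificate fetched from the server did not match the file it had just installed, and #5 points at the vhost ServerName as the likely reason. The script below, an added example and not getssl's or the poster's own code, does the same comparison independently: it connects to each hostname with SNI set, takes the leaf certificate the server actually presents, and compares its SHA-256 fingerprint with the local PEM file. Function names are my own; the path and hostnames in the `__main__` block are the ones from the thread, and `SAMPLE_DER`/`SAMPLE_PEM` are constructed placeholders for offline testing, not a real certificate.

```python
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def pem_to_der(pem):
    """DER bytes of the first certificate in a PEM string (markers stripped, base64 decoded)."""
    start = pem.index(PEM_HEADER) + len(PEM_HEADER)
    end = pem.index(PEM_FOOTER, start)
    return base64.b64decode("".join(pem[start:end].split()))

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def same_certificate(local_pem, served_der):
    """True only when the served leaf is byte-for-byte the certificate in the local file."""
    return sha256_fingerprint(pem_to_der(local_pem)) == sha256_fingerprint(served_der)

def fetch_served_cert(name, port=443, timeout=10.0):
    """Connect with SNI set to `name` and return the leaf certificate the server sends, as DER.
    Chain verification is off on purpose: a wrong or staging certificate is what we want to observe."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((name, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return tls.getpeercert(binary_form=True)

def check_names(local_cert_path, names, port=443):
    """For each hostname, report whether the server presents the local certificate for it."""
    with open(local_cert_path) as f:
        local_pem = f.read()
    return {n: same_certificate(local_pem, fetch_served_cert(n, port)) for n in names}

# Constructed sample (not a real certificate) so the offline helpers can run without a server.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.encodebytes(SAMPLE_DER).decode()}{PEM_FOOTER}\n"

if __name__ == "__main__":
    # Path and names as they appear in the thread; every name should report True.
    for name, ok in check_names("/etc/pki/tls/certs/adiutor.it.crt",
                                ["adiutor.it", "www.adiutor.it", "vega.adiutor.it"]).items():
        print(name, "matches" if ok else "DIFFERENT certificate served")
```

A name that reports False while the others report True points at the vhost serving that name (ServerName/ServerAlias, or the default vhost on a server without SNI) rather than at the issued certificate.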


#7

Thanks a lot for your advice @sahsanu !
Best
Lorenzo


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.