Certificate question

Our site, www.ledwell.com, redirects to ledwell.com. I ran:
certbot certonly --webroot -d www.ledwell.com -d ledwell.com -w /usr/local/webroot
certbot certificates
shows
Domains: www.ledwell.com ledwell.com

Loading ledwell.com works just fine but www.ledwell.com says:
www.ledwell.com uses an invalid security certificate. The certificate is only valid for ledwell.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

or another browser:

Your connection is not private

Attackers might be trying to steal your information from www.ledwell.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

If the cert were really not good, should I have not gotten a message about it when it was being created?

2 Likes

Hi @abwillis

certonly doesn't install the certificate and doesn't restart your webserver.

So your error message says: Your system uses a certificate only with one domain name.

Yep - now the check is done - https://check-your-website.server-daten.de/?q=ledwell.com

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://ledwell.com/ 66.228.49.67 GZip used - 21 / 1 - -2000,00 % | 301 | https://ledwell.com/ Html is minified: 100,00 % | 0.296 | A |
| http://www.ledwell.com/ 66.228.49.67 GZip used - 21 / 1 - -2000,00 % | 301 | https://www.ledwell.com/ Html is minified: 100,00 % | 0.300 | A |
| https://www.ledwell.com/ 66.228.49.67 GZip used - 21 / 1 - -2000,00 % | 301 | https://ledwell.com/ Html is minified: 100,00 % | 3.857 | N Certificate error: RemoteCertificateNameMismatch |
| https://ledwell.com/ 66.228.49.67 GZip used - 20644 / 117928 - 82,49 % Inline-JavaScript (∑/total): 16/8792 Inline-CSS (∑/total): 8/8703 | 200 | Html is minified: 118,93 % | 4.250 | B |

The www version has a certificate error, non-www works.

You have a Litespeed. Looks like you have to install the certificate manually, use the output of

certbot certificates

Then restart your webserver, that's always required.

2 Likes
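The mismatch discussed in the reply above (a certificate issued for both names while the server still presents one valid only for ledwell.com) can be checked with openssl. This is an added example, not code from any poster in the thread; the function names are hypothetical and the sample certificates are constructed, self-signed stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread: check a certificate file against the
# hostnames the site answers for, and against what the server presents.

# cert_covers FILE HOST: succeeds if HOST matches a name in the PEM cert.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# missing_names FILE HOST...: prints every HOST the certificate lacks.
missing_names() {
    mn_cert=$1; shift
    for mn_host in "$@"; do
        cert_covers "$mn_cert" "$mn_host" || printf '%s\n' "$mn_host"
    done
}

# served_cert HOST OUT: saves the leaf certificate the server presents for
# HOST (sent as SNI) on port 443. Needs network access.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# same_cert A B: succeeds if both files hold the same certificate.
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# make_sample_cert OUT NAME...: constructed self-signed test certificate
# whose SAN list is exactly NAME... (stand-in for a real issued cert).
make_sample_cert() {
    ms_out=$1; shift
    ms_san=$(printf 'DNS:%s,' "$@")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=${ms_san%,}" \
        -keyout "$ms_out.key" -out "$ms_out" 2>/dev/null
}
```

On the server, `missing_names /etc/letsencrypt/live/ledwell.com/fullchain.pem ledwell.com www.ledwell.com` checks the file certbot wrote (the path assumes certbot's default directory layout). Running `served_cert www.ledwell.com /tmp/served.pem` and then `same_cert` against that file shows whether the web server has actually loaded it.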

Welcome to the Let's Encrypt Community 🙂

These may help:
https://openlitespeed.org/kb/lets-encrypt-ssl-on-openlitespeed/

https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:letsencrypt-ssl


You can run the following to create a deployment hook that reloads LiteSpeed when your certificate is updated so that your renewals are fully automated:

certbot certonly --cert-name ledwell.com --webroot -w /usr/local/webroot -d "ledwell.com,www.ledwell.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload"

2 Likes

On install, certbot should have already added a cron job or systemd timer to run twice a day.
Try:
sudo crontab -l
sudo systemctl list-timers | grep -i cert


2 Likes

Never knew that. 🤔

I always thought the task was created upon successful installation of a certificate. I suppose for a generic certbot renew without a specified certificate name that creating a default task upon installation of the software would make sense.

2 Likes

As an example (Ubuntu 18, latest certbot installed from snapd, without having yet issued any certs):

cat /etc/systemd/system/snap.certbot.renew.service

[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-652.mount
Wants=network.target
After=snap-certbot-652.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/652
TimeoutStopSec=30
Type=oneshot

[Install]
WantedBy=multi-user.target

cat /etc/systemd/system/snap.certbot.renew.timer

[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-652.mount
After=snap-certbot-652.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 03:47
OnCalendar=*-*-* 18:06

[Install]
WantedBy=timers.target

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

certbot --version

certbot 1.9.0
3 Likes
