Each time I try to re-issue the certificate, it comes back as invalid, expired in August. Is there still an issue?
Hi @gardfish,
I split this reply off of the previous post because it is unrelated to the incident mentioned in the previous thread.
Can you provide answers to the default “Help” template? It will help the community figure out the root cause of your problem.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Thanks for splitting the post. Here are the details:
My domain is:
oame.on.ca
I ran this command:
sudo ./certbot-auto
It produced this output:
Congratulations! You have successfully enabled https://www.oame.on.ca and
https://oame.on.ca
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.oame.on.ca
https://www.ssllabs.com/ssltest/analyze.html?d=oame.on.ca
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.oame.on.ca/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.oame.on.ca/privkey.pem
Your cert will expire on 2019-02-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the “certonly” option. To non-interactively renew all
of your certificates, run “certbot-auto renew” -
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My web server is (include version):
Server version: Apache/2.4.34 (Amazon)
The operating system my web server runs on is (include version):
Amazon Linux AMI release 2018.03
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No control panel
Thanks!
Hi @gardfish
your configuration ( https://check-your-website.server-daten.de/?q=oame.on.ca ):
• http://oame.on.ca/ | 301 | https://oame.on.ca/ | 0.504 | A
• http://www.oame.on.ca/ | 301 | https://www.oame.on.ca/ | 0.343 | A
• https://oame.on.ca/ | 200 | 2.176 | N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
• https://www.oame.on.ca/ | 200 | 2.450 | B
Your www-version is ok
• oame.on.ca | 443 | Certificate/chain invalide and wrong name | Tls12 | ECDH Ephermal | 256 | Aes256 | 256 | Sha384 | not supported | ok
• www.oame.on.ca | 443 | ok | Tls12 | DiffieHellman | 2048 | Aes128 | 128 | Sha256 | not supported | ok
But your non-www version uses a self-signed certificate, which is expired.
--
So you should create one certificate with two domain names - www + non-www.
sudo certbot-auto renew -d oame.on.ca -d www.oame.on.ca
If that doesn't work, share your configuration file. Or share your file
/var/log/letsencrypt/letsencrypt.log
The details of your configuration are there.
PS: You already have such a certificate, created today.
X509v3 Subject Alternative Name:
DNS:oame.on.ca
DNS:www.oame.on.ca
So don't create a new certificate; instead, check your configuration so that the non-www version uses this certificate.
Thanks JuergenAuer,
In theory they should both be using the same certificate, as www.oame.on.ca is just an alias for oame.on.ca.

```apache
<VirtualHost *:443>
    ServerAdmin aws@oame.on.ca
    DocumentRoot /var/www/html
    ServerName oame.on.ca
    ServerAlias www.oame.on.ca
    ErrorLog logs/error_log
    CustomLog logs/access_log common
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =www.oame.on.ca [OR]
    # RewriteCond %{SERVER_NAME} =oame.on.ca
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.oame.on.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.oame.on.ca/privkey.pem
</VirtualHost>
```

Would you recommend that I split them out into separate VirtualHosts?
Now my online tool has the correct certificate (www-version) with two domain names.
CN=www.oame.on.ca
30.11.2018
28.02.2019
oame.on.ca, www.oame.on.ca - 2 entries
But the non-www version uses the self-signed one.
Self-signed certificates are often found in the standard configuration file. Are there other configuration files with VirtualHost elements?
Normally such a configuration should work. But you can try it: two separate files with two separate VirtualHosts, but with the same certificate.
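One way to answer the question about other VirtualHost elements, as an added example that is not part of the original thread: the script lists every port-443 VirtualHost under a config directory with the certificate it declares and flags those not using a Let's Encrypt path. The function names and the sample tree (a packaged-style default `ssl.conf` next to the site vhost) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find TLS VirtualHosts that declare an unexpected certificate.

# list_tls_vhosts DIR -> one line per block: file|vhost-arg|ServerName|SSLCertificateFile
list_tls_vhosts() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { sub(/^[ \t]+/, "") }                  # ignore indentation
            /^#/ { next }                           # skip commented-out directives
            tolower($0) ~ /^<virtualhost[ \t].*:443/ {
                inblk = 1; name = "-"; cert = "-"
                addr = $2; sub(/>$/, "", addr); next
            }
            inblk && tolower($1) == "servername"         { name = $2 }
            inblk && tolower($1) == "sslcertificatefile" { cert = $2 }
            inblk && tolower($0) ~ /^<\/virtualhost>/ {
                print file "|" addr "|" name "|" cert; inblk = 0
            }
        ' "$f"
    done
}

# unexpected_tls_vhosts DIR PREFIX -> blocks whose certificate path is not under PREFIX
unexpected_tls_vhosts() {
    list_tls_vhosts "$1" | awk -F'|' -v p="$2" 'index($4, p) != 1'
}

# Constructed sample tree; paths in ssl.conf are assumed mod_ssl packaging defaults.
make_sample_tree() {
    _d=$(mktemp -d); mkdir -p "$_d/conf.d"
    cat > "$_d/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    cat > "$_d/conf.d/site-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName oame.on.ca
    ServerAlias www.oame.on.ca
    SSLCertificateFile /etc/letsencrypt/live/www.oame.on.ca/fullchain.pem
</VirtualHost>
EOF
    echo "$_d"
}

# Usage: ./script.sh CONFIG_DIR CERT_PREFIX
if [ "$#" -ge 2 ]; then unexpected_tls_vhosts "$1" "$2"; fi
```

A block reported with `-` as its ServerName has no name of its own, so whether it answers for a given hostname depends on how Apache orders and matches the VirtualHosts it loads.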
I appreciate your time on this JuergenAuer. You were exactly right. I found the default ssl.conf configuration in the conf.d folder and was able to identify the VirtualHost that was causing the issue.
Thank you so much!
Happy to read that. Now it looks good:
• http://oame.on.ca/ | 301 | https://oame.on.ca/ | 0.233 | A
• http://www.oame.on.ca/ | 301 | https://www.oame.on.ca/ | 0.223 | A
• https://oame.on.ca/ | 200 | 2.227 | B
• https://www.oame.on.ca/ | 200 | 2.243 | B
And both connections are using the same certificate with two domain names.