Certificate renewed, test ok, but SSL error on web

My domain is: Cloud01.niva.it

I ran this command: go to https://cloud01.niva.it:8443/Teamwork

It produced this output: certificate expired

My web server is (include version): Oracle Linux Server 7.5

The operating system my web server runs on is (include version): Oracle Linux Server 7.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

Hi All,

I have an issue with one of our web appliances. I renewed the certificate about 1 month ago, everything is ok with the conf and Apache (new cert installed), the test with https://globalsign.ssllabs.com/analyze.html is ok, also now, but when I try to go to https://cloud01.niva.it:8443/Teamwork it gives an expired cert…
How is it possible?

Thanks

Hi @Carnialman

that’s simple. Ssllabs checks only the port 443.

Checking your port 443 there are two things you should fix ( https://check-your-website.server-daten.de/?q=cloud01.niva.it ):

Your chain is incomplete:

Chain - incomplete
  1  CN=cloud01.niva.it

The intermediate Letsencrypt certificate is missing. And you have a Grade O - SHA1 as Hash Algorithm.

But checking your Port 8443 ( https://check-your-website.server-daten.de/?q=cloud01.niva.it%3A8443 ) there is the expired certificate:

CN=cloud01.niva.it
  valid from 21.03.2019 to 19.06.2019
  7 days expired  (cloud01.niva.it - 1 entry)

So that port is insecure. Curious:

There the chain is correct:

Chain (complete)
  1  CN=cloud01.niva.it
  2  CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

If the configuration is good, you need only a restart of that web server so the new certificate is used.

Your main port has a

Server: Apache/2.4.6 () OpenSSL/1.0.2k-fips PHP/7.2.8

your special port an Apache Coyote.


Now checked with Ssllabs, there are the same problems reported:

Incomplete chain, Cipher Suites without preference, so no Forward Secrecy. Ok - Grade A, not B.


Thank you so much for the reply.
So you think that a reboot is needed?
How can I solve the chain problem? Unfortunately I’m not so good with certificate! :roll_eyes:


No, a restart of your Apache Coyote.

Share your port 443 vHost configuration. There you may have the wrong file (cert instead of fullchain).

Here you are:
vhost.txt (9.4 KB)


There is the missing part:

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Change the last row - without # and add the chain file.

It’s possible that you can ignore that, instead there

SSLCertificateFile /etc/letsencrypt/live/cloud01.niva.it/cert.pem

use fullchain.pem. fullchain.pem contains the cert and the chain in one file.

Some Apache -> two files
Other Apache -> one file

Ok, I changed from
SSLCertificateFile /etc/letsencrypt/live/cloud01.niva.it/cert.pem
to
SSLCertificateFile /etc/letsencrypt/live/cloud01.niva.it/fullchain.pem
and I also restarted tomcat.

Anyway, after a restart of tomcat the cert is still expired


You use Tomcat? Then your Apache config isn’t really relevant.

So check your tomcat documentation.

There was another thread. Then searched.

Found an older thread.

Tomcat uses either Java keystore files or pfx files.

You have to create a Java keystore or a pfx file, so Tomcat is able to use the certificate.


Thank you so much!
Anyway I was able to find the correct procedure and configure a crontab with it, so next time no issue will appear.
Regards

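The two findings in this thread (a bundle that carries only the leaf, and a Tomcat port still serving an expired certificate after renewal) and the pfx-plus-cron fix the original poster ended up with, as an added example that is not code from the thread. It assumes the openssl CLI and Certbot's live directory layout (cert.pem, fullchain.pem, privkey.pem); the keystore alias "tomcat" is an arbitrary choice.

```shell
#!/bin/sh
# Added example: inspect a Let's Encrypt PEM bundle and package it for Tomcat.
# Assumes the openssl CLI and Certbot's live directory layout; the alias
# "tomcat" is arbitrary.

# Number of certificates in a PEM file. cert.pem holds 1 (leaf only, which is
# what produced the "Chain - incomplete" result); fullchain.pem holds 2 or more.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds when the first certificate in the file has not yet expired.
leaf_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# One-line verdict for a bundle, mirroring what the online checker reports.
check_bundle() {
  f=$1
  n=$(cert_count "$f")
  if leaf_valid "$f"; then state=valid; else state=EXPIRED; fi
  if [ "$n" -ge 2 ]; then chain=complete; else chain=incomplete; fi
  echo "$f: leaf $state, chain $chain ($n certificate(s))"
}

# Tomcat (Apache Coyote) does not read PEM files directly; build a PKCS#12
# file from the live directory, with the full chain so port 8443 also serves
# the intermediate. Run this after every renewal (for example from a
# certbot --deploy-hook script rather than a blind crontab) and then restart
# Tomcat, otherwise the old certificate stays loaded, which is exactly the
# symptom in this thread.
make_pfx() {
  live=$1; out=$2; pass=$3
  openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
    -name tomcat -out "$out" -passout "pass:$pass"
}
```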
