Certificate setup is done successfully, but https is not working

I have created a certificate successfully. But https is not working.

My domain is:
xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com

configuration and command:
/etc/httpd/conf.d/ssl.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
        LoadModule ssl_module modules/mod_ssl.so
        Listen 443

        <VirtualHost *:443>
            <Directory /opt/python/current/app/build/static>
                Order deny,allow
                Allow from all
            </Directory>
            
            SSLEngine on
            SSLCertificateFile "/etc/letsencrypt/live/xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com/fullchain.pem"
            SSLCertificateKeyFile "/etc/letsencrypt/live/xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com/privkey.pem"
            SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            SSLSessionTickets Off
            
            Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff
            
            ProxyPass / http://localhost:80/ retry=0
            ProxyPassReverse / http://localhost:80/
            ProxyPreserveHost on
            RequestHeader set X-Forwarded-Proto "https" early
            # If you have pages that may take awhile to
            # respond, add a ProxyTimeout:
            # ProxyTimeout seconds
        </VirtualHost>

command:
1. wget https://dl.eff.org/certbot-auto; chmod a+x certbot-auto
30_getcert:
2. sudo ./certbot-auto certonly --debug --non-interactive --email xxx@gmail.com --agree-tos --debug --apache --domains xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com --keep-until-expiring
3. sudo ln -sf /etc/letsencrypt/live/xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com /etc/letsencrypt/live/ebcert
4. sudo mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf

It produced this output:

/var/log/httpd/ssl_error_log:
[Fri May 24 11:10:12.451577 2019] [ssl:warn] [pid 4369] AH01906: ip-xxx.eu-central-1.compute.internal:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 24 11:10:16.614421 2019] [ssl:warn] [pid 4369] AH01906: ip-xxx.eu-central-1.compute.internal:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 24 11:15:07.012148 2019] [ssl:warn] [pid 4369] AH01906: ip-xxx.eu-central-1.compute.internal:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 24 11:15:11.855848 2019] [ssl:warn] [pid 4369] AH01906: ip-xxx.eu-central-1.compute.internal:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

/var/log/httpd/error_log:
[Fri May 24 11:21:28.100657 2019] [suexec:notice] [pid 6724] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 24 11:21:28.115954 2019] [so:warn] [pid 6724] AH01574: module ssl_module is already loaded, skipping
[Fri May 24 11:21:28.116056 2019] [so:warn] [pid 6724] AH01574: module wsgi_module is already loaded, skipping
[Fri May 24 11:21:28.119964 2019] [ssl:warn] [pid 6724] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri May 24 11:21:28.120369 2019] [ssl:warn] [pid 6724] AH01909: ip-172-31-6-172.eu-central-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 24 11:21:28.120493 2019] [http2:warn] [pid 6724] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Fri May 24 11:21:28.121028 2019] [lbmethod_heartbeat:notice] [pid 6724] AH02282: No slotmem from mod_heartmonitor
[Fri May 24 11:21:28.121101 2019] [:warn] [pid 6724] mod_wsgi: Compiled for Python/3.6.2.
[Fri May 24 11:21:28.121105 2019] [:warn] [pid 6724] mod_wsgi: Runtime using Python/3.6.8.
[Fri May 24 11:21:28.123422 2019] [mpm_prefork:notice] [pid 6724] AH00163: Apache/2.4.39 (Amazon) OpenSSL/1.0.2k-fips mod_wsgi/3.5 Python/3.6.8 configured – resuming normal operations
[Fri May 24 11:21:28.123438 2019] [core:notice] [pid 6724] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’
[Fri May 24 11:21:31.434390 2019] [:error] [pid 6729] /opt/python/current/app
[Fri May 24 11:25:59.376583 2019] [mpm_prefork:notice] [pid 6724] AH00169: caught SIGTERM, shutting down
[Fri May 24 11:25:59.806139 2019] [ssl:warn] [pid 7131] AH01909: ip-172-31-6-172.eu-central-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 24 11:25:59.806660 2019] [suexec:notice] [pid 7131] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 24 11:25:59.823751 2019] [so:warn] [pid 7131] AH01574: module ssl_module is already loaded, skipping
[Fri May 24 11:25:59.823866 2019] [so:warn] [pid 7131] AH01574: module wsgi_module is already loaded, skipping
[Fri May 24 11:25:59.827841 2019] [ssl:warn] [pid 7131] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri May 24 11:25:59.828189 2019] [ssl:warn] [pid 7131] AH01909: ip-172-31-6-172.eu-central-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 24 11:25:59.828308 2019] [http2:warn] [pid 7131] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Fri May 24 11:25:59.828806 2019] [lbmethod_heartbeat:notice] [pid 7131] AH02282: No slotmem from mod_heartmonitor
[Fri May 24 11:25:59.828868 2019] [:warn] [pid 7131] mod_wsgi: Compiled for Python/3.6.2.
[Fri May 24 11:25:59.828872 2019] [:warn] [pid 7131] mod_wsgi: Runtime using Python/3.6.8.
[Fri May 24 11:25:59.831287 2019] [mpm_prefork:notice] [pid 7131] AH00163: Apache/2.4.39 (Amazon) OpenSSL/1.0.2k-fips mod_wsgi/3.5 Python/3.6.8 configured – resuming normal operations
[Fri May 24 11:25:59.831303 2019] [core:notice] [pid 7131] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’
[Fri May 24 11:30:44.316985 2019] [:error] [pid 7136] /opt/python/current/app
[Fri May 24 13:31:34.499629 2019] [:error] [pid 7136] ERROR django.security.DisallowedHost Invalid HTTP_HOST header: ‘www.baidu.com’. You may need to add ‘www.baidu.com’ to ALLOWED_HOSTS. [PID:7136:Dummy-2]
[Fri May 24 13:31:34.499685 2019] [:error] [pid 7136] ERROR django.security.DisallowedHost Invalid HTTP_HOST header: ‘www.baidu.com’. You may need to add ‘www.baidu.com’ to ALLOWED_HOSTS. [PID:7136:Dummy-2]
[Fri May 24 13:31:34.544236 2019] [:error] [pid 7136] WARNING django.request Bad Request: / [PID:7136:Dummy-2]
[Fri May 24 13:31:34.544284 2019] [:error] [pid 7136] WARNING django.request Bad Request: / [PID:7136:Dummy-2]

The operating system my web server runs on is (include version):

4.14.109-80.92.amzn1.x86_64 #1 SMP Mon Apr 1 23:07:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
AWS Elastic Beanstalk
I can log in to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Both commands do not show certbot version

Hi,

As you can see, you’ve placed a CA certificate into the regular SSL CERTIFICATE field.
What’s your full apache configuration?

Thank you

Hi, I am new to using SSL. Can you explain to me what that means?

Hi @Jisanbd

If you use certonly, you have to install the certificate manually. But your certificate is not there; the Let’s Encrypt intermediate certificate is visible.

What’s your complete domain name?

zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com

Your https sends only timeouts ( https://check-your-website.server-daten.de/?q=zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com ):

So it’s impossible to check that.

This row

is critical. Is there one certificate or two? Open that file with a text editor or share

cat /etc/letsencrypt/live/xxx.t8pbdyn2eb.eu-central-1.elasticbeanstalk.com/fullchain.pem

Looks like that file contains only the intermediate certificate instead of both certificates.

And use

./certbot-auto --version

to share the version of your certbot.

Then

./certbot-auto certificates
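The check being asked for here can be done with the openssl command line; the following is an added example, not part of the original thread. It assumes the `openssl` CLI is installed, and the function names, the throwaway "Demo CA" and the host name `app.example.test` are constructed for the demonstration.

```shell
# mod_ssl treats the FIRST certificate in SSLCertificateFile as the server cert.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Exit 0 if the first certificate in the file is a CA (what AH01906 warns about).
first_cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if the first certificate is valid for host name $2 (what AH01909 checks).
first_cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed test material: a throwaway CA and leaf laid out like certbot's
# live/ directory. All names here are hypothetical.
make_demo() {
  d=$(mktemp -d)
  cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:app.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/o.cnf" \
    -extensions ca_ext -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" \
    -subj "/CN=app.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/o.cnf" -extensions leaf_ext \
    -out "$d/cert.pem" >/dev/null 2>&1
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
  echo "$d"
}

d=$(make_demo)
for f in fullchain.pem chain.pem; do
  if first_cert_is_ca "$d/$f"; then echo "$f: first certificate is a CA"
  else echo "$f: first certificate is a leaf"; fi
done
```

On a real host, point the three functions at the file named in `SSLCertificateFile` and pass the public domain name as the host argument.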

I have changed the domain name today, so it is now zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com.
[root@ip-xxx zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com]# ll
total 20
lrwxrwxrwx 1 root root 79 25. Mai 10:25 cert.pem -> ../../archive/zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com/cert1.pem
lrwxrwxrwx 1 root root 80 25. Mai 10:25 chain.pem -> ../../archive/zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com/chain1.pem
lrwxrwxrwx 1 root root 84 25. Mai 10:25 fullchain.pem -> ../../archive/zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com/fullchain1.pem
lrwxrwxrwx 1 root root 82 25. Mai 10:25 privkey.pem -> ../../archive/zaanur-env.qf32bjjbxg.eu-central-1.elasticbeanstalk.com/privkey1.pem
-rw-r--r-- 1 root root 692 25. Mai 10:25 README

$ ./certbot-auto --version
Requesting to rerun ./certbot-auto with root privileges...
certbot 0.34.2

You use this fullchain file. Fullchain should have the content of cert.pem and chain.pem. But then you wouldn’t have that error message.

So please: What’s the content of that file?

If you remove parts, it’s impossible to check the content.

I have checked the file fullchain.pem. This file is a combination of cert.pem and chain.pem.

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

DirectoryIndex index.html

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL.  You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client.  The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic