Certificate shows marked as trusted for wrong site?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
snapto.co.uk

I ran this command:
scl enable python27 "./certbot-auto certonly --force-renewal --rsa-key-size 4096 --email hostmaster@snapto.co.uk --agree-tos -w /home/snapto/public_html/ -d snapto.co.uk -d www.snapto.co.uk -d mail.snapto.co.uk -d server.snapto.co.uk --authenticator webroot"

It produced this output:
Failed authorization procedure. server.snapto.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server.snapto.co.uk/.well-known/acme-challenge/TOEUbg0KAPf9UxFipyw8PbGIJHAuHA29ffBTNOgylQU:1

My web server is (include version):
Apache 2.2.15

The operating system my web server runs on is (include version):
CentOS 6.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Virtualmin 6.02

snapto.co.uk is the main domain name of the server and is set to use server.snapto.co.uk
This has been working fine for over a year; this error only appeared with the latest renewal attempt. The other snapto.co.uk domains can renew fine, as can all other domains on the server. The web root path is the same for all the snapto.co.uk domains and is reachable by HTTP. The only difference is that server.snapto.co.uk is set as the FQDN of the server. snapto.co.uk is set as the default virtual server for the server's main IP.

The cert for gardendesignershertfordshire.co.uk was only added recently after the previous renewal for snapto.co.uk

The details of the cert show correctly (see enclosed screenshot) and the cert still works. The "marked as trusted for gardendesignershertfordshire.co.uk" I can only see in Safari.

Questions

  1. What generates the "marked as trusted for"? Is this read locally from the cert files?
  2. If, when generating a cert using webroot, the webroot path is wrong, will it still generate a certificate? I.e. in case I set the webroot using the snapto path when generating the cert for gardendesignershertfordshire.co.uk, which is highly unlikely but possible, hence the potential reason for that domain showing?

Solution

  1. Would revoking the snapto.co.uk cert, deleting it and then re-obtaining a new cert be likely to work?
  2. Any other ideas ?

I have no idea what that is in Safari. The only thing I know, your site https://gardendesignershertfordshire.co.uk/ works perfectly here: it shows your gardendesignershertfordshire.co.uk certificate in OpenSSL and CURL on the command line and also in my Chromium browser. No snapto.co.uk certificate in any way.

It shouldn't work, unless Let's Encrypt already has a valid challenge from an authentication before. As far as I know, authentications are valid for 7 days.

I'm almost certain it will not.

If you're having trouble with 404 File not found errors when using the http-01 plugin with a certain webroot path, you should check your webserver's access or error log. My Apache logs the path it tries to reach when it can't find a file. For example, if I'd try http://example.com/non-existing-file.txt, my Apache would say something like: "couldn't stat file /path/to/webroot/non-existing-file.txt" or whatever fancy error message Linux uses when it can't find something on the filesystem. And you should double, no, triple-check the path from that error message with the webroot path used in `certbot`.
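To make the log check in the reply above concrete, here is an added example (not from the original thread, and not part of certbot or Apache). It reads Apache 2.2-style `File does not exist:` error lines, extracts the DocumentRoot Apache actually used for the `/.well-known` request, and compares it with the `-w` path given to certbot; it also computes the key authorization body that the ACME server expects to find at `/.well-known/acme-challenge/<token>` (RFC 7638 JWK thumbprint) and writes it into a temporary webroot to confirm the file round-trips. The log lines, the `192.0.2.10` client, the `/var/www/html` docroot, the token `exampletoken123` and the RSA JWK are all constructed placeholders. It is Python 3 and runs on any machine; it does not need the `python27` software collection from the command in the question.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# Apache 2.2 reports a missing file as "File does not exist: <translated path>"; the path
# stops at the first component that is absent, so it is often just "<docroot>/.well-known".
MISSING_FILE = re.compile(r"File does not exist: (?P<path>/\S+)")
WELL_KNOWN = "/.well-known"

# Constructed sample error_log lines: timestamps, client IP and /var/www/html are made up.
SAMPLE_LOG = [
    "[Tue Sep 12 10:15:01 2017] [error] [client 192.0.2.10] File does not exist: /home/snapto/public_html/favicon.ico",
    "[Tue Sep 12 10:15:03 2017] [error] [client 192.0.2.10] File does not exist: /var/www/html/.well-known",
    "[Tue Sep 12 10:15:03 2017] [error] [client 192.0.2.10] File does not exist: /var/www/html/.well-known/acme-challenge/exampletoken123",
]


def missing_challenge_paths(log_lines):
    """Filesystem paths Apache reported as missing for requests under /.well-known/."""
    paths = []
    for line in log_lines:
        m = MISSING_FILE.search(line)
        if m and WELL_KNOWN in m.group("path"):
            paths.append(m.group("path"))
    return paths


def docroot_from_path(missing_path):
    """Everything before /.well-known is the DocumentRoot Apache served the request from."""
    i = missing_path.find(WELL_KNOWN)
    return missing_path[:i] if i >= 0 else None


def webroot_mismatches(certbot_webroot, log_lines):
    """Compare the -w path given to certbot with the docroot(s) seen in the error log.

    Returns a sorted list of (certbot_webroot, apache_docroot) pairs that differ;
    an empty list means the paths agree and the failure must have another cause.
    """
    wanted = os.path.normpath(certbot_webroot)
    seen = {docroot_from_path(p) for p in missing_challenge_paths(log_lines)}
    return sorted((wanted, root) for root in seen if root and os.path.normpath(root) != wanted)


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical JSON of e, kty, n."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """The exact body the ACME server expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def write_and_read_back(webroot, token, body):
    """Place the challenge file where the webroot plugin would and read it back via that path."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    with open(path) as fh:
        return fh.read() == body


def demo_roundtrip():
    """Self-contained check using a temporary webroot and a made-up (not real) RSA JWK."""
    fake_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
    body = key_authorization("exampletoken123", fake_jwk)
    with tempfile.TemporaryDirectory() as webroot:
        return write_and_read_back(webroot, "exampletoken123", body)


if __name__ == "__main__":
    # With the sample log, certbot's -w path and Apache's docroot disagree for the vhost
    # that answered the challenge request, which is exactly the case the reply describes.
    print(webroot_mismatches("/home/snapto/public_html/", SAMPLE_LOG))
    print(demo_roundtrip())
```

On a real server, feed `webroot_mismatches()` the tail of the Apache error log taken right after a failed `certbot-auto` run; a non-empty result names the vhost docroot that actually answered, which is the path to pass to `-w` for that name (or the vhost whose `DocumentRoot` needs changing). If the list is empty and the challenge file can be fetched by hand, the webroot is not the problem and the request is reaching a different host or vhost than expected.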

Thanks. I can reach over http .well-known using any of the snapto.co.uk domains, that’s why I do not understand the error.

The issue is not with gardendesignershertfordshire.co.uk but with not being able to renew server.snapto.co.uk.
