Certificate successfully installed, but it shows invalid?

Hi guys,

My domain is: mesimi.online

I installed and configured certbot using this page: https://www.rosehosting.com/blog/how-to-install-lets-encrypt-with-apache-on-centos-7/

It produced output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mesimi.online/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mesimi.online/privkey.pem
Your cert will expire on 2020-11-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”

My web server is (include version): Server version: Apache/2.4.6 (CentOS 7)

I’m getting invalid certificate on browser, but this is happening only for the domain without www.

if you go to: mesimi.online is invalid, if you use www.mesimi.online it is OK?

Could you please someone help me how to troubleshot and fix it?

3 Likes

So it looks like you might have two different configurations serving two different certificates. You should only have one configuration with a permanent (301) redirect from non-www to www (or vice versa should you desire).

The ISSUED BY on the default certificate for the non-www is your own domain and thus is self-signed, making it untrusted (and useless).

https://mesimi.online:

https://www.mesimi.online:

2 Likes

Please use https://mesimi.online, you can see that is invalid.

If you use only mesimi.online I made a redirect rule to add https://www.mesimi.online, so the user will not see the invalid certificate.

Invalid certificate is comming up only at non-www dormain format.

https://mesimi.online/ - this is invalid version.

https://www.mesimi.online/ this is working version

how to make both format non-www and www domain with valid certificate? I tried to reinstall but I’m getting same result!

I would appreciate any help!

3 Likes

I did. It’s invalid because it’s the default (self-signed) certificate being served. See my photos above.

From your response, am I correct in saying that you want http://mesimi.online, http://www.mesimi.online, and https://mesimi.online to all redirect permanently (301) to https://www.mesimi.online? It looks like only http://mesimi.online redirects to https://www.mesimi.online. You need to fix your redirects.

2 Likes

Hi @eminkrasniqi

you need a working port 80 vHost with both domain names.

What says

apachectl -S
httpd -S

(second, if first doesn’t work)

3 Likes

@JuergenAuer:
Any thoughts on why he’s getting served both the default certificate (for non-www) and the Let’s Encrypt certificate (for www)?

2 Likes

See the different content below. It appears that www is correct content while non-www is default content. This problem can be “painted over” by fixing your redirects, but you should not be serving two sets of content.

http://mesimi.online -> https://www.mesimi.online:

http://www.mesimi.online:

https://mesimi.online:

2 Likes

VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.mesimi.online (/etc/httpd/sites-enabled/mesimi.online.conf:1)
port 80 namevhost www.mesimi.online (/etc/httpd/sites-enabled/mesimi.online.conf:1)
alias mesimi.online
port 80 namevhost mesimissl.mesimi.online (/etc/httpd/sites-enabled/mesimissl.mesimi.online.conf:1)
alias mesimissl.mesimi.online
port 80 namevhost www.shkencori.mesimi.online (/etc/httpd/sites-enabled/shkencori.mesimi.online.conf:1)
alias shkencori.mesimi.online
port 80 namevhost www.shoqerori.mesimi.online (/etc/httpd/sites-enabled/shoqerori.mesimi.online.conf:1)
alias shoqerori.mesimi.online
*:443 is a NameVirtualHost
default server mesimi.online (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost mesimi.online (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.mesimi.online (/etc/httpd/sites-available/mesimi.online-le-ssl.conf:2)
alias mesimi.online
port 443 namevhost www.shkencori.mesimi.online (/etc/httpd/sites-available/shkencori.mesimi.online-le-ssl.conf:2)
alias shkencori.mesimi.online
port 443 namevhost www.shoqerori.mesimi.online (/etc/httpd/sites-available/shoqerori.mesimi.online-le-ssl.conf:2)
alias shoqerori.mesimi.online
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: “/run/httpd/httpd.pid”
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

1 Like

what is interesting, that, I have there even two sub-domains, and both it is working with www and non-www.

shkencori.mesimi.online
shoqerori.mesimi.online

www.shkencori.mesimi.online
www.shoqerori.mesimi.online

only the main domain it is working only with www, and it is showing invalid certificate with non-www?

Where is the file I can modify these configuration, it looks like at the main domain non-www the one that is showing invalid certificate “port 443 namevhost mesimi.online (/etc/httpd/conf.d/ssl.conf:56)” have the wrong file, this file does not exist, and this should be the solution.

I have to replace this path, with “port 443 namevhost mesimi.online (/etc/httpd/sites-available/mesimi.online-le-ssl.conf:2)” and it should work then.

There

you see the problem: Two port 443 vHosts with the same domain name. Merge these in one, then create one certificate with both domain names.

Now you have one certificate with 6 domain names, but no matching vHost.

Typical configuration: One port 80 vHost with both domain names per main domain (non-www and www), then a certificate with both domain names and a port 443 vHost.

2 Likes

I’m not finding that configuration file, where I can replace the right path file.

Do you know where is that?

That’s because your new certificate covers those other subdomains as well. The problem is that due to duplicate configurations, as @JuergenAuer has pointed out, you’re not actually serving the same content on https://mesimi.online as https://www.mesimi.online.

You would probably be MUCH better off with a wildcard (*.) certificate that covers EVERY subdomain rather than individually listing each one. The domains you want a certificate for are mesimi.online and *.misimi.online. The only advantages of individually certifying sybdomains are the ability to create individual certificates and the ability to use file-based (http) verifications for Let’s Encrypt rather than dns verifications.

See https://crt.sh/?q=mesimi.online :

@JuergenAuer I found the issue already, but still I’m not finding the location configuration file to change the right file path.

When I hit: httpd -S or httpd -D DUMP_VHOSTS

I can see, that main domain have the wrong file configuration.

port 443 namevhost mesimi.online (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.mesimi.online (/etc/httpd/sites-available/mesimi.online-le-ssl.conf:2)
alias mesimi.online

The first line or the non-www domain should have the same configuration file as the second in order to resolve the issue.

Where is the location of this configuration that is showing up by using command: httpd -S so I can replace the right configuration path to the main domain.

1 Like

@freessltools.com @JuergenAuer

Found the issue:

Just replaced the values on default configuration file:
vi /etc/httpd/conf.d/ssl.conf

by copying from a working vhost config, and replacing to the mentioned default configuration file, as it is described in the link!

2 Likes

Glad it worked out! :grinning:

You really still want to get those redirects fixed though.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.