Certificate taking my server hostname

Hello friends.

My name is Marcelo, and I am from Brazil. I’m using certbot to apply a certificate to my application.

I have an Apache HTTP reverse proxy with many vHosts. I executed certbot with the --apache flag and everything went well.

But when I test the certificate, it shows my server hostname instead of my domain and I get the error:

“Certificate name mismatch”

https://www.ssllabs.com/ssltest/analyze.html?d=netlaudos.netpacs.com.br

Can anyone help me? Sorry for my bad English!

Your server is not actually sending the Let’s Encrypt certificate - it’s sending a self-signed certificate. Can you please post the entire output from the command you attempted, as well as the command itself?


Thank you Jared

[root@netpacs-dc-java02 ~]# ./certbot-auto --apache
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: netlaudos.netpacs.com.br
2: mydomain2.netpacs.com.br

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/netlaudos.netpacs.com.br.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate for netlaudos.netpacs.com.br to VirtualHost /etc/httpd/conf.d/netlaudos-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://netlaudos.netpacs.com.br

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=netlaudos.netpacs.com.br

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/netlaudos.netpacs.com.br/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
    Your cert will expire on 2017-11-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

I had an Apache Tomcat on the same server that used a certificate… but it’s not in use anymore… does this information help?

I would suggest running

grep -r SSLCert /etc/apache2

to find out what certificates your Apache is configured to refer to and how.

Thank you for your reply! My output:

/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/cert.pem
/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/chain.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

OK, I think what’s happening is that netlaudos-le-ssl.conf isn’t being read by Apache as part of your server configuration. (Although the file exists and should be included by a different configuration file, it likely isn’t.) Therefore, your server doesn’t know about the existence of the new certificate, even though the new certificate is present on your system.

@bmw, how can netlaudos-le-ssl.conf end up in /etc/httpd/conf.d instead of sites-available? What systems customarily use conf.d instead of sites-available, and does Certbot handle them correctly in this case?

Could this be a case of a user manually adding an include of a specific virtualhost configuration file rather than putting it in a place where it would be included automatically by a wildcard, and then Certbot assuming that everything in that directory would be auto-included?

I’m using the httpd daemon from CentOS, that’s why I don’t have sites-available folder.

I’m trying to remove the self-signed certificate generated by java keytool, with no success…

I don't think the existence of the self-signed certificate is the biggest problem here. There are many sites that have a self-signed certificate alongside a CA-issued certificate. When the self-signed certificate is the default but the CA certificate is mentioned in a specific virtual host, the web server will prefer the more specific certificate when clients connect and ask to communicate with that virtual host. An explicitly-configured certificate for an individual virtual host will be given higher priority than a default certificate.

So I think the problem is probably just that your Apache doesn't know about your Let's Encrypt certificate at all because it doesn't read netlaudos-le-ssl.conf (for some reason).

I was wondering whether you created an original netlaudos.conf yourself at some point (without the HTTPS directives). If so, did you also add some kind of Include directive to another configuration file to tell Apache to read your netlaudos.conf?

Schoen, thank you for your attention.

My HTTPD works as a reverse proxy protecting an application server running Tomcat. So, for easier management, I created some conf files in the conf.d folder with the proxy entries, something like:

<VirtualHost *:80>

   ServerName netlaudos.mydomain.com.br
   ErrorLog /var/log/httpd/proxy_error.log

   <Proxy *>
     AddDefaultCharset Off
     Order deny,allow
     Allow from all
   </Proxy>

   ProxyPreserveHost on

   ProxyPass /app01 http://ip_of_server/app01
   ProxyPassReverse /app01 http://ip_of_server/app01

</VirtualHost>

In my httpd.conf there’s an “Include conf.d/*conf” that reads the conf files. When I run the certbot script, after choosing which domain to apply the certificate to, it creates a netlaudos-le-ssl.conf file.

Do you think I have to paste the content of that file into httpd.conf to test?

Well, then I’m a little more confused.

Could you post the contents of the netlaudos-le-ssl.conf file?

sites-available comes from Debian based systems. Usually Red Hat based systems use conf.d. Most other distros have different conventions than both of those. Certbot should do a reasonable job of properly detecting the layout to use.

We should be able to see if the file is being parsed by Apache as well as possibly debug the entire problem by seeing the output of:

sudo apachectl -t -D DUMP_VHOSTS

This should print the parsed virtual host configuration to the terminal.

I had a /etc/httpd/conf.d/netlaudos.conf

When I run the script, it creates a netlaudos-le-ssl.conf file with the following:

<IfModule mod_ssl.c>
<VirtualHost *:443>

   ServerName netlaudos.netpacs.com.br
   ErrorLog /var/log/httpd/proxy_error.log

   <Proxy *>
     AddDefaultCharset Off
     Order deny,allow
     Allow from all
   </Proxy>

   ProxyPreserveHost On

   #Servidor JAVA

   ProxyPass /app01 http://IP_Server/app01
   ProxyPassReverse /app01 http://IP_server/app01

   #RewriteEngine on
   #RewriteCond %{SERVER_NAME} =netlaudos.netpacs.com.br
   #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
   SSLCertificateFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
   SSLCertificateChainFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/chain.pem
</VirtualHost>
</IfModule>

My output of sudo apachectl -t -D DUMP_VHOSTS:

wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
*:80                   is a NameVirtualHost
         default server app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
         port 80 namevhost app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
         port 80 namevhost netlaudos.netpacs.com.br (/etc/httpd/conf.d/netlaudos.conf:1)
         port 80 namevhost servimagem.netpacs.com.br (/etc/httpd/conf/httpd.conf:1011)
Syntax OK
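The DUMP_VHOSTS output above is the key evidence: port 443 only lists the default server from ssl.conf, so the netlaudos-le-ssl.conf vhost was never loaded and every TLS client receives the self-signed localhost.crt. The following script is an added example (not code from this thread, from Certbot, or from Apache) that parses that output and reports whether a hostname has a :443 virtual host at all, and which server a client falls back to when it does not. The sample input is the dump posted above, embedded as a constant so the script runs offline; on a real server you would feed it the live `apachectl -t -D DUMP_VHOSTS` output instead.

```shell
#!/bin/sh
# Added example, not from the thread: read `apachectl -t -D DUMP_VHOSTS` output
# and check whether a hostname really has a name-based virtual host on :443.
# If it does not, Apache never loaded the <VirtualHost *:443> block Certbot
# wrote, and TLS clients get the default :443 server's certificate instead.

# Constructed sample input: the DUMP_VHOSTS output posted in this thread.
SAMPLE_DUMP='wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
*:80                   is a NameVirtualHost
         default server app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
         port 80 namevhost app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
         port 80 namevhost netlaudos.netpacs.com.br (/etc/httpd/conf.d/netlaudos.conf:1)
         port 80 namevhost servimagem.netpacs.com.br (/etc/httpd/conf/httpd.conf:1011)
Syntax OK'

# vhost_source DUMP HOST PORT
# Prints "file:line" of the namevhost entry for HOST on PORT, or nothing.
vhost_source() {
    printf '%s\n' "$1" | awk -v host="$2" -v port="$3" '
        $1 == "port" && $2 == port && $3 == "namevhost" && $4 == host {
            src = $5
            gsub(/[()]/, "", src)   # strip the parentheses around file:line
            print src
            exit
        }'
}

# has_tls_vhost DUMP HOST
# Succeeds (exit 0) only when HOST has a virtual host on port 443.
has_tls_vhost() {
    [ -n "$(vhost_source "$1" "$2" 443)" ]
}

# default_tls_server DUMP
# Prints the default *:443 server, i.e. the vhost (and certificate) a client
# gets when no :443 vhost matches the name it asked for.
default_tls_server() {
    printf '%s\n' "$1" | awk '
        /^\*:443/ { in443 = 1; next }
        /^\*:/    { in443 = 0 }
        in443 && $1 == "default" && $2 == "server" { print $3; exit }'
}

# report DUMP HOST: print a short diagnosis for one hostname.
report() {
    if has_tls_vhost "$1" "$2"; then
        echo "OK: $2 has a :443 virtual host ($(vhost_source "$1" "$2" 443))"
    else
        echo "PROBLEM: no :443 virtual host for $2"
        echo "  TLS clients get the default :443 server instead: $(default_tls_server "$1")"
        echo "  Check that the file holding its <VirtualHost *:443> block is reached by an Include"
    fi
}

# On the real server use: report "$(apachectl -t -D DUMP_VHOSTS 2>&1)" netlaudos.netpacs.com.br
report "$SAMPLE_DUMP" netlaudos.netpacs.com.br
```

Run against the posted output it prints the PROBLEM branch, naming 127.0.0.1 (ssl.conf) as the server that answers on 443; once the netlaudos :443 vhost is actually included, the same command prints the OK line with the file and line Apache loaded it from.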

@bmw and @schoen Thank you so much

For some reason, the conf files don’t work. When I paste the content of the conf files into /etc/httpd/conf/httpd.conf and restart the httpd daemon, the Let’s Encrypt certificate works.

I don’t know why but I will use that configuration :wink:

Thank you so much for the replies.
