Your server is not actually sending the Let’s Encrypt certificate - it’s sending a self-signed certificate. Can you please post the entire output from the command you attempted, as well as the command itself?
[root@netpacs-dc-java02 ~]# ./certbot-auto --apache
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/netlaudos.netpacs.com.br.conf)
What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate for netlaudos.netpacs.com.br to VirtualHost /etc/httpd/conf.d/netlaudos-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/netlaudos.netpacs.com.br/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
Your cert will expire on 2017-11-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the “certonly” option. To non-interactively renew all
of your certificates, run “certbot-auto renew”
If you like Certbot, please consider supporting our work by:
/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/cert.pem
/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
/etc/httpd/conf.d/netlaudos-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/chain.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
OK, I think what’s happening is that netlaudos-le-ssl.conf isn’t being read by Apache as part of your server configuration. (Although the file exists and should be included by a different configuration file, it likely isn’t.) Therefore, your server doesn’t know about the existence of the new certificate, even though the new certificate is present on your system.
@bmw, how can netlaudos-le-ssl.conf end up in /etc/httpd/conf.d instead of sites-available? What systems customarily use conf.d instead of sites-available, and does Certbot handle them correctly in this case?
Could this be a case of a user manually adding an include of a specific virtualhost configuration file rather than putting it in a place where it would be included automatically by a wildcard, and then Certbot assuming that everything in that directory would be auto-included?
I don't think the existence of the self-signed certificate is the biggest problem here. There are many sites that have a self-signed certificate alongside a CA-issued certificate. When the self-signed certificate is the default but the CA certificate is mentioned in a specific virtual host, the web server will prefer the more specific certificate when clients connect and ask to communicate with that virtual host. An explicitly-configured certificate for an individual virtual host will be given higher priority than a default certificate.
So I think the problem is probably just that your Apache doesn't know about your Let's Encrypt certificate at all because it doesn't read netlaudos-le-ssl.conf (for some reason).
I was wondering whether you created an original netlaudos.conf yourself at some point (without the HTTPS directives). If so, did you also add some kind of Include directive to another configuration file to tell Apache to read your netlaudos.conf?
My HTTPD works as a reverse proxy protecting an application server running Tomcat. So, for easier management, I created some conf files in the conf.d folder with the proxy entries, something like:
In my httpd.conf there's an "Include conf.d/*conf" that reads the conf files. When I run the certbot script, after choosing which domain to apply the certificate to, it creates a netlaudos-le-ssl.conf file.
Do you think that I have to paste the content of that file to httpd.conf to make a test?
sites-available comes from Debian based systems. Usually Red Hat based systems use conf.d. Most other distros have different conventions than both of those. Certbot should do a reasonable job of properly detecting the layout to use.
We should be able to see if the file is being parsed by Apache as well as possibly debug the entire problem by seeing the output of:
sudo apachectl -t -D DUMP_VHOSTS
This should print the parsed virtual host configuration to the terminal.
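The scenario raised in the earlier post (a virtual host file included by name rather than by a wildcard, so the `-le-ssl.conf` Certbot writes next to it is never read) and the `DUMP_VHOSTS` check above both come down to one question: which files does httpd actually pull in through its Include directives, and which of those name a certificate? The script below is an added example, not code from the thread or from Certbot. It models httpd's Include expansion (relative patterns resolved against ServerRoot, globs expanded) over a constructed `/etc/httpd`-style tree built in a temp dir; the file names mirror the thread, but the contents and both Include styles are made up here to show the working and the broken case side by side.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Certbot). Lists the config files
# httpd will read via Include/IncludeOptional and reports every
# SSLCertificateFile directive among them, so you can see whether the
# Let's Encrypt vhost is part of the running configuration at all.
set -u

SERVER_ROOT=""   # httpd resolves relative Include paths against ServerRoot

# Print the given config file plus everything it pulls in through
# Include/IncludeOptional, recursively, expanding globs like httpd does.
list_included_files() {
  local conf="$1" pat p
  printf '%s\n' "$conf"
  grep -Ei '^[[:space:]]*Include(Optional)?[[:space:]]' "$conf" 2>/dev/null |
    awk '{ gsub(/"/, "", $2); print $2 }' |
    while read -r pat; do
      case "$pat" in /*) ;; *) pat="$SERVER_ROOT/$pat" ;; esac
      for p in $pat; do          # unquoted on purpose: glob expansion
        [ -f "$p" ] && list_included_files "$p"
      done
    done
  return 0
}

# Every SSLCertificateFile directive httpd will actually load, as
# file:line:directive. Argument: the ServerRoot (e.g. /etc/httpd).
cert_directives_in_use() {
  SERVER_ROOT="$1"
  list_included_files "$SERVER_ROOT/conf/httpd.conf" |
    xargs grep -Hn '^[[:space:]]*SSLCertificateFile' 2>/dev/null
  return 0
}

# How many of the loaded SSLCertificateFile lines point under
# /etc/letsencrypt/live? 0 means Apache does not know the LE cert exists.
count_le_certs_loaded() {
  cert_directives_in_use "$1" | grep -c '/etc/letsencrypt/live/'
  return 0
}

# Build a constructed httpd tree under $1. $2 picks the Include style:
#   glob     -> "Include conf.d/*.conf" (Red Hat default; -le-ssl.conf is read)
#   explicit -> only conf.d/ssl.conf and conf.d/netlaudos.conf are included
#               by name, so the -le-ssl.conf Certbot wrote beside them is
#               never read (the hypothesis from the earlier post)
make_demo_tree() {
  local root="$1" style="$2"
  mkdir -p "$root/conf" "$root/conf.d"
  cat > "$root/conf.d/ssl.conf" <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
  cat > "$root/conf.d/netlaudos.conf" <<'EOF'
<VirtualHost *:80>
ServerName netlaudos.netpacs.com.br
ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
EOF
  cat > "$root/conf.d/netlaudos-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
ServerName netlaudos.netpacs.com.br
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/netlaudos.netpacs.com.br/chain.pem
</VirtualHost>
EOF
  if [ "$style" = glob ]; then
    printf 'Include conf.d/*.conf\n' > "$root/conf/httpd.conf"
  else
    printf 'Include conf.d/ssl.conf\nInclude conf.d/netlaudos.conf\n' > "$root/conf/httpd.conf"
  fi
}

main() {
  local tmp
  tmp=$(mktemp -d)
  make_demo_tree "$tmp/glob" glob
  make_demo_tree "$tmp/explicit" explicit
  echo "== Include conf.d/*.conf: the Let's Encrypt vhost is loaded"
  cert_directives_in_use "$tmp/glob"
  echo "== Explicit Include of netlaudos.conf only: Certbot's -le-ssl.conf is ignored"
  cert_directives_in_use "$tmp/explicit"
  rm -rf "$tmp"
}
main "$@"
```

On a real host, `apachectl -t -D DUMP_INCLUDES` (httpd 2.4.8 and later) prints the same include tree from httpd's own parser and is the authoritative answer; the script is useful where that option is not available. To confirm what clients actually receive, compare the fingerprint served for the name against the file on disk: `openssl s_client -connect netlaudos.netpacs.com.br:443 -servername netlaudos.netpacs.com.br </dev/null 2>/dev/null | openssl x509 -noout -issuer -fingerprint -sha256` versus `openssl x509 -noout -fingerprint -sha256 -in /etc/letsencrypt/live/netlaudos.netpacs.com.br/cert.pem`. If the served issuer is the host itself and the fingerprints differ, the `*:443` vhost carrying the Let's Encrypt certificate is not in the configuration Apache loaded, which is exactly what the `DUMP_VHOSTS` output should reveal.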
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
port 80 namevhost app.netpacs.com.br (/etc/httpd/conf.d/app.conf:1)
port 80 namevhost netlaudos.netpacs.com.br (/etc/httpd/conf.d/netlaudos.conf:1)
port 80 namevhost servimagem.netpacs.com.br (/etc/httpd/conf/httpd.conf:1011)
Syntax OK
For some reason, the conf files don't work. When I paste the content of the conf files into /etc/httpd/conf/httpd.conf and restart the httpd daemon, the Let's Encrypt certificate works.
I don't know why, but I will use that configuration.