Certificates renewed but browser still says "Your connection is not private" bad https certificate

https://crt.sh/?q=feedstadium.com

My domains are:
feedstadium.com and memecreatures.com and www.feedstadium.com and www.memecreatures.com

I ran this command:
certbot renew

It produced this output:

https://ibb.co/JsWgLjM

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
a vultr.com VPS solution

I can login to a root shell on my machine (yes or no, or I don’t know):
yip

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I have webmin, froxlor, phpmyadmin, LAMP, etc.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I’m having trouble with the browser recognition. I have read other posts here pertaining to

an-authentication-script-must-be-provided-with-manual-auth-hook-when-using-the-manual-plugin-non-interactively
and
pluginerror-an-authentication-script-must-be-provided-with-manual-auth-hook-when-using-the-manual-plugin-non-interactively-skipping
and
the-manual-plugin-is-not-working-the-error-was-pluginerror

but they basically say:

  1. turn off apache2 and retry certbot renew
  2. if you manually installed certificates then you must manually renew like so: “certbot certonly --manual -d '*.therightdoctors.com'”
  3. try --dry-run to see errors

and I tried those. The errors in dry-run just say that the certificates don’t need to be renewed.

Also a point to note, when I ran certbot renew it created new certificates under the names feedstadium.com-0001 and memecreatures.com-0001 in:
etc/letsencrypt/renewal and also in
etc/letsencrypt/live

but it doesn’t seem to have updated the certificates, but rather just created new ones.

Also I tried manually renewing by typing in:
certbot certonly --manual -d '*.feedstadium.com'

and it said that it successfully updated the certificate. But then the browser still doesn’t work, even after restarting apache2, and also, a new error popped up when running certbot renew again. This is the new error:

Additionally, the following renewal configurations were invalid: /etc/letsencrypt/renewal/feedstadium.com.conf (parsefail)

How have I messed this up :)?

Also, I have a custom apache conf:

```
DocumentRoot "/var/www/html/feedstadium.com"
ServerName www.feedstadium.com
Redirect permanent / https://www.feedstadium.com

DocumentRoot /var/www/html/feedstadium.com
ServerName www.feedstadium.com
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLVerifyClient none

DocumentRoot "/var/www/html/feedstadium.com"
ServerName feedstadium.com
Redirect permanent / https://feedstadium.com

DocumentRoot /var/www/html/feedstadium.com/
ServerName feedstadium.com
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLVerifyClient none
```

Thanks.

1 Like

Hi @ax.falcon

Why did you create a wildcard certificate? That requires DNS validation, which may only work with --manual, and that blocks the automatic renewal.

Switch to http validation:

1 Like
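The points raised in the thread up to here (a lineage issued with the manual plugin blocks automatic renewal, `certbot renew` left separate `-0001` lineages, and the posted Apache config references `server.crt`) can be checked mechanically. The Python sketch below is an added example, not part of the original posts and not Certbot's own code; the file contents are constructed samples and the function names are hypothetical.

```python
import re
from configparser import ConfigParser

# Constructed samples (assumed file contents, not taken from the poster's server).
RENEWAL_CONFS = {
    "feedstadium.com.conf": (
        "fullchain = /etc/letsencrypt/live/feedstadium.com/fullchain.pem\n"
        "[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n"),
    "feedstadium.com-0001.conf": (
        "fullchain = /etc/letsencrypt/live/feedstadium.com-0001/fullchain.pem\n"
        "[renewalparams]\nauthenticator = apache\n"),
}
APACHE_CONF = """\
ServerName www.feedstadium.com
SSLEngine on
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
"""

def parse_renewal(text):
    """Renewal files put lineage paths before [renewalparams], so give
    those top-level keys a section name that ConfigParser can accept."""
    cp = ConfigParser(interpolation=None)
    cp.read_string("[lineage]\n" + text)
    return dict(cp["lineage"]), dict(cp["renewalparams"])

def audit(renewal_confs, apache_conf):
    """Return (subject, finding) pairs for the three problems in the thread."""
    findings, renewed_chains = [], set()
    for name, text in sorted(renewal_confs.items()):
        lineage, params = parse_renewal(text)
        renewed_chains.add(lineage.get("fullchain"))
        if params.get("authenticator") == "manual" and "manual_auth_hook" not in params:
            findings.append((name, "manual plugin without auth hook: skipped by 'certbot renew'"))
        if re.search(r"-\d{4}\.conf$", name):
            findings.append((name, "separate lineage: vhosts using the old path keep the old certificate"))
    # Assumption: vhosts are expected to reference a lineage's fullchain.pem.
    for path in re.findall(r"^\s*SSLCertificateFile\s+(\S+)", apache_conf, re.M):
        if path.strip('"') not in renewed_chains:
            findings.append((path, "Apache serves a file that no certbot lineage renews"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(RENEWAL_CONFS, APACHE_CONF):
        print(f"{subject}: {finding}")
```

On a real host the inputs would be the files under /etc/letsencrypt/renewal/ and the active vhost files.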

I read that. But how do I switch to http validation?

I’m guessing certbot renew instantiates an “automatic renew”.

Do I have to rewrite my apache2 config redirects as well?

1 Like

That's correct if you have a working config. But you don't have one.

Start with certbot, certbot should ask.

1 Like

Thanks. I did certbot, and it seems to have given me new certificates for feedstadium.com and www.feedstadium.com.

But the browser issue still remains.

I tried restarting apache2, no effect. What else needs to be done?

It reported this:

(It also reported the old certificate underneath this report).

1 Like

If you don't have a working configuration, Certbot can't create working vHosts, that's expected.

But checking your domain - https://check-your-website.server-daten.de/?q=feedstadium.com - you have created two certificates

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-08-03 | 2020-11-01 | www.feedstadium.com - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-08-03 | 2020-11-01 | feedstadium.com - 1 entries | duplicate nr. 1 | |

and both connections are secure.

So there is no problem visible - you have two vHosts, not only one. Untypical, but possible.

1 Like

Oh. I will later search on how to resolve this down to the www’s only.

Why does it sometimes show up in my browser as “ok” and other times it’s still a non-valid certificate warning?

1 Like

Clear your browser caches. It looks good from here.
Rip

1 Like
