Certification Error for ServerName but Alias works well


#1

Hey guys,

I hope you can help me. I changed my Apache config to a vhost file. After that I used letsencrypt in auto mode and it created the certificate successfully. My homepage works fine with SSL.

But the problem is that it only works without www before the address.

My homepage is waffelparty.net. SSL works fine,
but for www.waffelparty.net the error window comes up with NET::ERR_CERT_AUTHORITY_INVALID.

What can I do to prevent that?

vhost config:
```apache
<VirtualHost *:80>
    ServerName www.waffelparty.net
    ServerAlias waffelparty.net
    ServerAdmin pliskin65@gmail.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/apache/waffelparty.net/error.log
    CustomLog /var/log/apache/waffelparty.net/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =waffelparty.net [OR]
    RewriteCond %{SERVER_NAME} =www.waffelparty.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
```

What kind of information do you need?


#2

Your cert is for waffelparty.net only, if you want www.waffelparty.net as well then you need to ask for both names by using multiple -d flags (also add --expand to replace the existing cert).


#3

Somewhere in your Apache configuration is a <VirtualHost> that’s configured to use a self-signed certificate issued on March 10th. Take a look at all files in /etc/apache2/sites-enabled/ and remove that <VirtualHost> if you don’t need it. If you can’t find anything in that directory, take a look at all other config files in /etc/apache2.

Make sure that your SSL <VirtualHost> for waffelparty.net has a ServerAlias for www.waffelparty.net too. That’s how Apache decides which certificate to use.

Once that is done, you might have to run the client again in order to cover the www subdomain in a new certificate. Every domain and subdomain you want to use has to be included explicitly; www is not magically covered by the “main” domain.


#4

My SSL configuration for my domain was created with the client.

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.waffelparty.net:80
    ServerAlias waffelparty.net
    ServerAdmin pliskin65@gmail.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/apache/waffelparty.net/error.log
    CustomLog /var/log/apache/waffelparty.net/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/waffelparty.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/waffelparty.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerAlias www.waffelparty.net
    SSLCertificateChainFile /etc/letsencrypt/live/waffelparty.net/chain.pem
</VirtualHost>
</IfModule>
```

The ServerAlias is in the config, and the certificate says it was created for both, with www and without.


#5

There’s definitely another SSL certificate configured somewhere in your configuration. This is not a certificate Let’s Encrypt would issue:

```
openssl s_client -connect www.waffelparty.net:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=waffelparty.net/emailAddress=root@waffelparty.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=waffelparty.net/emailAddress=root@waffelparty.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=waffelparty.net/emailAddress=root@waffelparty.net
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=waffelparty.net/emailAddress=root@waffelparty.net
---
```

Try:

```
grep -r "VirtualHost" /etc/apache2/
```

or:

```
grep -r "SSLCertificate" /etc/apache2/
```

to find the file.

Note that www.waffelparty.net:80 is not a valid ServerName; you’ll want to get rid of the port here. Do you recall if that’s something the client did? This might be a bug.
(Small correction: not sure if this is invalid per se, but it’s not what you’d want for an SSL VirtualHost.)


#6

Nah. I forgot to delete the :80 at the end. That was my error.

Could the problem be the pre-configured SSL config?

```
[root@waffelparty letsencrypt]# grep -r "SSLCertificate" /etc/httpd/
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/sites-enabled/waffelparty.net-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/waffelparty.net/cert.pem
/etc/httpd/sites-enabled/waffelparty.net-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/waffelparty.net/privkey.pem
/etc/httpd/sites-enabled/waffelparty.net-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/waffelparty.net/chain.pem
```


#7

Yep, looks like Fedora/CentOS ships something like that: https://fedoraproject.org/wiki/Apache_HTTP_Server#mod_ssl_configuration

You can probably safely remove the entire <VirtualHost> in /etc/httpd/conf.d/ssl.conf. (Keep a backup just in case.)
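The hunt in #5 and #7 (grep for SSLCertificate, then find the distro's default <VirtualHost>) can be scripted so it catches the catch-all TLS vhost on its own. This is an added example, not from the thread or from certbot: it parses Apache config text, lists every :443 vhost with its ServerName/ServerAlias names and SSLCertificateFile, and flags those that have no name at all or point at a localhost.crt. The two sample files are constructed to mirror the grep output in #6 (names and paths copied from there; the `_default_` address and omitted directives are assumptions).

```python
import re

# Constructed sample mirroring the two files the grep in #6 found. Apache uses
# the first vhost loaded for an IP:port as the default for any SNI name that no
# ServerName/ServerAlias matches, so a nameless ssl.conf vhost can answer for
# www.waffelparty.net with the distro's self-signed localhost.crt.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
""",
    "/etc/httpd/sites-enabled/waffelparty.net-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.waffelparty.net
ServerAlias waffelparty.net
SSLCertificateFile /etc/letsencrypt/live/waffelparty.net/cert.pem
</VirtualHost>
</IfModule>
""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text, path):
    """Return every <VirtualHost> block as {file, addr, names, cert}."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        names, cert = [], None
        for line in m.group(2).splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # drop comments
            if not parts:
                continue
            key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key in ("servername", "serveralias"):
                names.extend(val.split())
            elif key == "sslcertificatefile":
                cert = val.strip()
        vhosts.append({"file": path, "addr": m.group(1).strip(),
                       "names": names, "cert": cert})
    return vhosts


def find_stray_tls_vhosts(configs):
    """Flag :443 vhosts with no name (catch-all default) or a localhost cert."""
    return [vh for path, text in configs.items() for vh in parse_vhosts(text, path)
            if vh["addr"].endswith(":443")
            and (not vh["names"] or (vh["cert"] and "localhost" in vh["cert"]))]
```

On a real box, replace SAMPLE_CONFIGS with the contents of every file under /etc/httpd (or /etc/apache2) and remove or comment out each flagged block, keeping a backup as #7 advises.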


#8

Thank god. You are my hero. I hope someone can give you a golden cookie. I commented everything from `<VirtualHost>` to `</VirtualHost>` out and now it works <3

SSL Labs Test gives me an A for waffelparty.net and www.waffelparty.net. Never thought that the default config would hurt me so much xD

ps:

you can close the thread. Problem solved <3


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.