Chrome, Firefox non valid certificates

netito311 · November 12, 2018, 6:40pm

My domain is:
apps.migracion.gob.sv

I ran this command:

It produced this output:

My web server is (include version):

Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13

The operating system my web server runs on is (include version):

CentOS release 6.10 (Final)

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Putty full access server

Today have the issue with the non valid certificates. I don’t know why last days was work correctly, someone can help me to resolve this. Thanks.

I renew today again the certificates but does not resolve. I run the ./certbot-auto --apache certonly

https://www.ssllabs.com/ssltest/analyze.html?d=apps.migracion.gob.sv

https://sslanalyzer.comodoca.com/?url=apps.migracion.gob.sv

Google recognize before the certificates buy not now.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.migracion.gob.sv&lu=cert_search

Thanks…

JuergenAuer · November 12, 2018, 6:46pm

Hi @netito311

there is a self signed certificate.

But you have some certificates created today:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.migracion.gob.sv&lu=cert_search

So you may have a new certificate, but it isn't installed.

What command did you use? Please share your apache configuration. You need something like

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

netito311 · November 12, 2018, 6:51pm

In the apache configuration I have not touched anything since I installed the cerbot at the beginning of this year, until today that has given me this error.

JuergenAuer · November 12, 2018, 6:58pm

Looks like you have executed this command and generated a new private certificate.

netito311 · November 12, 2018, 7:04pm

How can I resolve with this?? # certificate can be generated using the genkey(1) command.

Thanks

rg305 · November 12, 2018, 7:06pm

Have up updated Apache recently?

Please show:
ls -l /etc/apache2/sites-enabled/
grep -Eri 'servername|serveralias|80|443|virtualhost' /etc/apache2/

netito311 · November 12, 2018, 7:10pm

Few minutes ago update the apache but the issue was before update the apache. Thinking was need it but not.

netito311 · November 12, 2018, 7:23pm

This is centos

ls -l /etc/apache2/sites-enabled/

ls -l /etc/httpd/sites-enabled/
ls: no se puede acceder a /etc/httpd/sites-enabled/: No existe el fichero o el directorio

JuergenAuer · November 12, 2018, 7:26pm

Why do you run certonly? That doesn't install the certificate.

Skip the "certonly-option" and check, if certbot asks if you want to install one of these new certificates.

netito311 · November 12, 2018, 7:29pm

Sorry about that was

./certbot-auto --apache
and then
./certbot-auto --apache certonly

JuergenAuer · November 12, 2018, 7:36pm

There is your configuration file.

Is this configuration file included in your main apache configuration?

netito311 · November 12, 2018, 7:47pm

I ran

./certbot-auto --apache

Option
1
1
2

netito311 · November 12, 2018, 7:56pm

How can I uinstall all and make new fresh install.?

netito311 · November 12, 2018, 7:58pm

letsencrypt.log

2018-11-12 13:30:31,871:DEBUG:certbot.main:certbot version: 0.28.0
2018-11-12 13:30:31,872:DEBUG:certbot.main:Arguments: ['--apache']
2018-11-12 13:30:31,872:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-11-12 13:30:31,898:DEBUG:certbot.log:Root logging level set at 20
2018-11-12 13:30:31,899:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-12 13:30:31,902:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-12 13:30:32,011:DEBUG:certbot_apache.configurator:Apache version is 2.2.15
2018-11-12 13:30:32,234:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8>
Prep: True
2018-11-12 13:30:32,236:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8>
2018-11-12 13:30:32,236:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-11-12 13:30:32,249:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri='https://acme-v01.api.letsencrypt.org/acme/reg/36130960', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', body=Registration(terms_of_service_agreed=None, status='valid', only_return_existing=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f7406cad2b0>)>), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', contact=('mailto:admin@migracion.gob.sv',)), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz'), 9b93dcceb667c228c41943d9c4bf2d09, Meta(creation_dt=datetime.datetime(2018, 6, 5, 15, 42, 25, tzinfo=), creation_host='apps.migracion.gob.sv'))>
2018-11-12 13:30:32,252:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-11-12 13:30:32,260:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-11-12 13:30:32,601:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-11-12 13:30:32,602:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 12 Nov 2018 19:30:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Nov 2018 19:30:43 GMT
Connection: keep-alive

{
"3wAPjzjgxkY": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-12 13:30:39,325:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-12 13:30:58,594:INFO:certbot.main:Keeping the existing certificate
2018-11-12 13:30:58,595:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apps.migracion.gob.sv/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apps.migracion.gob.sv/privkey.pem
Your cert will expire on 2019-02-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot-auto renew"
2018-11-12 13:30:58,662:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf/httpd-le-ssl.conf
2018-11-12 13:30:58,751:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
2018-11-12 13:31:01,941:WARNING:certbot.client:Enhancement redirect was already set.
2018-11-12 13:31:02,075:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

JuergenAuer · November 12, 2018, 8:49pm

Now it works. https://apps.migracion.gob.sv/

PS: Not complete. You have a dns entry www.apps.migracion.gob.sv, but the certificate hasn't this name.

• http://apps.migracion.gob.sv/	301	0.333	A

• http://www.apps.migracion.gob.sv/	200	0.327	A

• https://apps.migracion.gob.sv/	200	0.660	B

• https://www.apps.migracion.gob.sv/	200	0.657	N
Certificate error: RemoteCertificateNameMismatch

So you should

create one certificate with two domain names (non www + www) or
remove the www dns entry

netito311 · November 12, 2018, 8:53pm

*Create one certificate with two domain names (non www + www)

How I do that??

Sorry

Thanks

JuergenAuer · November 12, 2018, 8:54pm

The -d option:

-d example.com -d www.example.com

netito311 · November 12, 2018, 9:00pm

Failed redirect for apps.migracion.gob.sv
Unable to set enhancement redirect for apps.migracion.gob.sv

Chain issues Incomplete

JuergenAuer · November 12, 2018, 9:21pm

Your server doesn’t send the Letsencrypt intermediate certificate.

Please share the content of your

SSLCertificateFile [this file here]

There should be two certificates, not only one.

The Letsencrypt certificate is the same, so you can copy this part in your own file.

netito311 · November 12, 2018, 9:33pm

Ok… I will do it
now

I have B