Chrome, Firefox non valid certificates


#1

My domain is:
apps.migracion.gob.sv

I ran this command:

It produced this output:

My web server is (include version):

Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13

The operating system my web server runs on is (include version):

CentOS release 6.10 (Final)

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Putty full access server

Today I have an issue with invalid certificates. I don’t know why; over the last days it was working correctly. Can someone help me resolve this? Thanks.

I renewed the certificates again today, but that did not resolve it. I ran ./certbot-auto --apache certonly

https://www.ssllabs.com/ssltest/analyze.html?d=apps.migracion.gob.sv

https://sslanalyzer.comodoca.com/?url=apps.migracion.gob.sv

Google recognized the certificates before, but not now.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.migracion.gob.sv&lu=cert_search

Thanks…


#2

Hi @netito311

there is a self signed certificate.

But you have some certificates created today:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.migracion.gob.sv&lu=cert_search

So you may have a new certificate, but it isn’t installed.

What command did you use? Please share your apache configuration. You need something like

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html


#3

In the Apache configuration I have not touched anything since I installed certbot at the beginning of this year, until today, when it gave me this error.


#5

Looks like you have executed this command and generated a new private certificate.


#7

How can I resolve this?? # certificate can be generated using the genkey(1) command.

Thanks


#8

Have you updated Apache recently?

Please show:
ls -l /etc/apache2/sites-enabled/
grep -Eri 'servername|serveralias|80|443|virtualhost' /etc/apache2/


#9

A few minutes ago I updated Apache, but the issue was there before the update. I thought the update was needed, but it was not.


#10

This is centos

ls -l /etc/apache2/sites-enabled/

ls -l /etc/httpd/sites-enabled/
ls: no se puede acceder a /etc/httpd/sites-enabled/: No existe el fichero o el directorio


#11

Why do you run certonly? That doesn’t install the certificate.

Skip the “certonly-option” and check, if certbot asks if you want to install one of these new certificates.


#12

Sorry about that, it was

./certbot-auto --apache
and then
./certbot-auto --apache certonly


#14

There is your configuration file.

Is this configuration file included in your main apache configuration?


#15

I ran

./certbot-auto --apache

Option
1
1
2


#17

How can I uninstall everything and do a fresh install?


#18

letsencrypt.log

2018-11-12 13:30:31,871:DEBUG:certbot.main:certbot version: 0.28.0
2018-11-12 13:30:31,872:DEBUG:certbot.main:Arguments: ['--apache']
2018-11-12 13:30:31,872:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-11-12 13:30:31,898:DEBUG:certbot.log:Root logging level set at 20
2018-11-12 13:30:31,899:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-12 13:30:31,902:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-12 13:30:32,011:DEBUG:certbot_apache.configurator:Apache version is 2.2.15
2018-11-12 13:30:32,234:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8>
Prep: True
2018-11-12 13:30:32,236:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f7409cb3eb8>
2018-11-12 13:30:32,236:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-11-12 13:30:32,249:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri='https://acme-v01.api.letsencrypt.org/acme/reg/36130960', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', body=Registration(terms_of_service_agreed=None, status='valid', only_return_existing=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f7406cad2b0>)>), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', contact=('mailto:admin@migracion.gob.sv',)), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz'), 9b93dcceb667c228c41943d9c4bf2d09, Meta(creation_dt=datetime.datetime(2018, 6, 5, 15, 42, 25, tzinfo=), creation_host='apps.migracion.gob.sv'))>
2018-11-12 13:30:32,252:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-11-12 13:30:32,260:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-11-12 13:30:32,601:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-11-12 13:30:32,602:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 12 Nov 2018 19:30:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Nov 2018 19:30:43 GMT
Connection: keep-alive

{
  "3wAPjzjgxkY": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-12 13:30:39,325:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-12 13:30:58,594:INFO:certbot.main:Keeping the existing certificate
2018-11-12 13:30:58,595:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apps.migracion.gob.sv/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apps.migracion.gob.sv/privkey.pem
Your cert will expire on 2019-02-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot-auto renew"
2018-11-12 13:30:58,662:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf/httpd-le-ssl.conf
2018-11-12 13:30:58,751:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
2018-11-12 13:31:01,941:WARNING:certbot.client:Enhancement redirect was already set.
2018-11-12 13:31:02,075:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


#19

Now it works. https://apps.migracion.gob.sv/

PS: Not complete. You have a DNS entry www.apps.migracion.gob.sv, but the certificate doesn’t have this name.

http://apps.migracion.gob.sv/ 301 https://apps.migracion.gob.sv/ 0.333 A
http://www.apps.migracion.gob.sv/ 200 0.327 A
https://apps.migracion.gob.sv/ 200 0.660 B
https://www.apps.migracion.gob.sv/ 200 0.657 N
Certificate error: RemoteCertificateNameMismatch

So you should

  • create one certificate with two domain names (non www + www) or
  • remove the www dns entry

#21

*Create one certificate with two domain names (non www + www)

How do I do that??

Sorry

Thanks


#22

The -d option:

-d example.com -d www.example.com
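The name check behind the RemoteCertificateNameMismatch result in post #19 and the `-d` answer in post #22, as an added example that is not part of the thread or of certbot. The SAN list is constructed to match what post #19 describes, and `covers`, `missing_names` and `domain_args` are hypothetical helper names.

```python
# Hostnames are the two from the thread; the SAN list is a constructed
# stand-in for the certificate described in post #19 (no www name).
SERVED = ["apps.migracion.gob.sv", "www.apps.migracion.gob.sv"]
CERT_SANS = ["apps.migracion.gob.sv"]

def covers(san, host):
    """True if one dNSName entry matches host; '*' stands for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]

def missing_names(served, sans):
    """Hostnames that point at the server but that no SAN entry covers."""
    return [h for h in served if not any(covers(s, h) for s in sans)]

def domain_args(served, sans):
    """-d arguments for one certificate covering every served name, or [] if none is missing."""
    if not missing_names(served, sans):
        return []
    return [arg for h in served for arg in ("-d", h)]

if __name__ == "__main__":
    print("uncovered:", missing_names(SERVED, CERT_SANS))
    print("request with:", " ".join(domain_args(SERVED, CERT_SANS)))
```

A wildcard entry for the parent zone would not close this gap either, because it matches only one label to the left of the zone name.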

#23

Failed redirect for apps.migracion.gob.sv
Unable to set enhancement redirect for apps.migracion.gob.sv

Chain issues Incomplete


#25

Your server doesn’t send the Letsencrypt intermediate certificate.

Please share the content of your

SSLCertificateFile [this file here]

There should be two certificates, not only one.

-----BEGIN CERTIFICATE-----
Your certificate
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
Let’s Encrypt intermediate certificate
-----END CERTIFICATE-----

The Letsencrypt certificate is the same, so you can copy this part in your own file.
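The two checks from posts #2 and #25 (which certificate each port-443 virtual host points at, and whether an intermediate is configured), as an added example that is not part of the thread or of certbot. The config text, file contents and the `audit` helper are constructed for illustration; the code also encodes that Apache before 2.4.8, such as the 2.2.15 in this thread, loads intermediates only from SSLCertificateChainFile and not from extra certificates in SSLCertificateFile.

```python
import re

PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"  # fake body
LIVE = "/etc/letsencrypt/live/apps.migracion.gob.sv/"
# Constructed sample config and file contents (not the poster's real files).
CONF = f"""
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:443>
    ServerName apps.migracion.gob.sv
    SSLEngine on
    SSLCertificateFile "{LIVE}fullchain.pem"
    SSLCertificateKeyFile "{LIVE}privkey.pem"
</VirtualHost>
"""
FILES = {"/etc/pki/tls/certs/localhost.crt": PEM, LIVE + "fullchain.pem": PEM * 2}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive inside one vhost body, or None."""
    m = re.search(rf'^[ \t]*{name}[ \t]+"?([^"\s]+)', body, re.M | re.I)
    return m.group(1) if m else None

def audit(conf, files, apache_version):
    """List each :443 vhost with its certificate file and any chain problem."""
    bundle_ok = apache_version >= (2, 4, 8)  # older httpd ignores extra certs in SSLCertificateFile
    report = []
    for addr, body in VHOST.findall(conf):
        if not any(a.endswith(":443") for a in addr.split()):
            continue
        cert = directive(body, "SSLCertificateFile")
        chain = directive(body, "SSLCertificateChainFile")
        count = files.get(cert, "").count("-----BEGIN CERTIFICATE-----")
        issues = []
        if count == 0:
            issues.append("certificate file missing or empty")
        elif chain is None and not (bundle_ok and count >= 2):
            issues.append("no intermediate certificate served")
        report.append({"vhost": addr.strip(), "server_name": directive(body, "ServerName"),
                       "cert": cert, "issues": issues,
                       "from_letsencrypt": bool(cert and cert.startswith("/etc/letsencrypt/live/"))})
    return report

if __name__ == "__main__":
    for row in audit(CONF, FILES, (2, 2, 15)):
        print(row)
```

A virtual host reported with `from_letsencrypt` false and no `server_name` is the kind of default block that can end up answering with a self-signed certificate while the renewed one sits unused on disk.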


#26

Ok… I will do it now

I have B