[closed] Cert for 1 domain, sub-sites in sub-URLs thereof, 1 vhosts-file

Hi

I found a similar thread at http://tinyurl.com/yd8ek6pp
but it kinda strays from my what I need.

prerequisites:
I run apache2 on Ubuntu 16.04, self-hosted, port-forwarding to 443.
I’ve got 5 different sites in one vhosts file.
There is one landing page. (https://mysite.com)
All subsites (5 different code bases) are displayed as sub URLs thereof. (https://mysite.com/subsite)
I installed the certificate via sudo certbot --apache -d mysite.com

problem:
The script finished with the hint that ‘multiple vhosts in one vhost-file’ are not allowed.
The install-script didn’t ask for more input (e.g. email-address)
(I remember a thread in this forum saying that this limitation has been overcome as of 2015
and another one saying it’s a persistent bug.)

result:
I got cert-files which I implemented alright,
but they do not provide any valid info about ownership, etc.
Looks like I ended up with a self-signed cert here.

question:

  1. Should I delete the existing cert + request a new one?
  2. What’s the recommended/accurate procedure in my situation?

Thanx 4 any useful hints.
My apologies in case I’ve overlooked sth obvious.

chuck

Can you provide the domain name or the public cert?
Either would clarify the situation and allow for real help and direction to be provided.

The domain name is: https://12bfree.com

I don’t see a self-signed cert…
I see a regular trusted DV cert that expires on 2017/12/16 at https://12bfree.com:

This problem, however, has not been addressed.
If it persists, please show the vhost file in question.

Thank you for your input. -
Unfortunately, browsers will display the warning “Connection not secure” when visiting the site.
That’s why I mentioned ‘self-signed’.
And that is the problem I’m trying to address.

I don’t see what you see.
Which browser?
Which URL?
(pictures please)

1 Like

Oddly, the warning messages don’t pop up anymore. - All clear now.
This may look as if I reported a pseudo problem, but other people also used to get the ‘unknown issuer’ warnings:

And on Opera 42.7:

Naive question: could it be that browser updates solved this?

Hi @karlre1,

Now it is good for your browser because you have visited another site that provides Let’s Encrypt intermediate certificate and your browser is caching it.

Related to above issue, you must configure your web server to serve the intermediate certificate too.

Seems you are using Apache so in your conf for this domain you should have this conf:

From Apache version 2.2.x to 2.4.7 use this conf:

SSLCertificateFile      /etc/letsencrypt/live/12bfree.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/12bfree.com/chain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/12bfree.com/privkey.pem

From Apache version 2.4.8 use this conf:

SSLCertificateFile      /etc/letsencrypt/live/12bfree.com/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/12bfree.com/privkey.pem

Note: change paths according to your real configuration.
Note2: remember to restart or reload your apache every time you made changes to its conf.

Edit:

If you want to check if you are serving the intermediate certificate you can use a web service like ssllabs.com and it will show you whether there are issues with your chain (and more things).

https://www.ssllabs.com/ssltest/analyze.html?d=12bfree.com&hideResults=on

If you want to check it from command line:

echo | openssl s_client -connect 12bfree.com:443 -servername 12bfree.com 2>/dev/null | awk '/Certificate chain/,/---/'

Result when not using the intermediate cert:

Certificate chain
 0 s:/CN=12bfree.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

Result when using intermediate cert:

Certificate chain
 0 s:/CN=12bfree.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Cheers,
sahsanu

4 Likes

Excellent!
Many thanks for the thorough information, sahsanu.

The command line check now lists the desired result for the intermediate cert.
After clearing the cache on ssllabs.com, no more chain issues are reported
and the overall rating climbs from B to A.

I reckon this marks the thread as closed.
Thanks again!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.