[closed] Cert for 1 domain, sub-sites in sub-URLs thereof, 1 vhosts-file

karlre1 · October 3, 2017, 12:35pm

Hi

I found a similar thread at http://tinyurl.com/yd8ek6pp
but it kinda strays from my what I need.

prerequisites:
I run apache2 on Ubuntu 16.04, self-hosted, port-forwarding to 443.
I’ve got 5 different sites in one vhosts file.
There is one landing page. (https://mysite.com)
All subsites (5 different code bases) are displayed as sub URLs thereof. (https://mysite.com/subsite)
I installed the certificate via sudo certbot --apache -d mysite.com

problem:
The script finished with the hint that ‘multiple vhosts in one vhost-file’ are not allowed.
The install-script didn’t ask for more input (e.g. email-address)
(I remember a thread in this forum saying that this limitation has been overcome as of 2015
and another one saying it’s a persistent bug.)

result:
I got cert-files which I implemented alright,
but they do not provide any valid info about ownership, etc.
Looks like I ended up with a self-signed cert here.

question:

Should I delete the existing cert + request a new one?
What’s the recommended/accurate procedure in my situation?

Thanx 4 any useful hints.
My apologies in case I’ve overlooked sth obvious.

chuck

rg305 · October 3, 2017, 2:24pm

Can you provide the domain name or the public cert?
Either would clarify the situation and allow for real help and direction to be provided.

karlre1 · October 4, 2017, 1:44pm

The domain name is: https://12bfree.com

rg305 · October 4, 2017, 4:15pm

I don’t see a self-signed cert…
I see a regular trusted DV cert that expires on 2017/12/16 at https://12bfree.com:

rg305 · October 4, 2017, 4:17pm

This problem, however, has not been addressed.
If it persists, please show the vhost file in question.

karlre1 · October 5, 2017, 4:48pm

Thank you for your input. -
Unfortunately, browsers will display the warning “Connection not secure” when visiting the site.
That’s why I mentioned ‘self-signed’.
And that is the problem I’m trying to address.

rg305 · October 5, 2017, 4:54pm

I don’t see what you see.
Which browser?
Which URL?
(pictures please)

karlre1 · October 8, 2017, 8:52am

Oddly, the warning messages don’t pop up anymore. - All clear now.
This may look as if I reported a pseudo problem, but other people also used to get the ‘unknown issuer’ warnings:

And on Opera 42.7:

Naive question: could it be that browser updates solved this?

sahsanu · October 8, 2017, 9:16am

Hi @karlre1,

Now it is good for your browser because you have visited another site that provides Let's Encrypt intermediate certificate and your browser is caching it.

Related to above issue, you must configure your web server to serve the intermediate certificate too.

Seems you are using Apache so in your conf for this domain you should have this conf:

From Apache version 2.2.x to 2.4.7 use this conf:

SSLCertificateFile      /etc/letsencrypt/live/12bfree.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/12bfree.com/chain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/12bfree.com/privkey.pem

From Apache version 2.4.8 use this conf:

SSLCertificateFile      /etc/letsencrypt/live/12bfree.com/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/12bfree.com/privkey.pem

Note: change paths according to your real configuration.
Note2: remember to restart or reload your apache every time you made changes to its conf.

Edit:

If you want to check if you are serving the intermediate certificate you can use a web service like ssllabs.com and it will show you whether there are issues with your chain (and more things).

https://www.ssllabs.com/ssltest/analyze.html?d=12bfree.com&hideResults=on

If you want to check it from command line:

echo | openssl s_client -connect 12bfree.com:443 -servername 12bfree.com 2>/dev/null | awk '/Certificate chain/,/---/'

Result when not using the intermediate cert:

Certificate chain
 0 s:/CN=12bfree.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

Result when using intermediate cert:

Certificate chain
 0 s:/CN=12bfree.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Cheers,
sahsanu

karlre1 · October 12, 2017, 4:18pm

Excellent!
Many thanks for the thorough information, sahsanu.

The command line check now lists the desired result for the intermediate cert.
After clearing the cache on ssllabs.com, no more chain issues are reported
and the overall rating climbs from B to A.

I reckon this marks the thread as closed.
Thanks again!

system · November 11, 2017, 4:18pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.