Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.sengkanggrand.com.sg
I ran this command:
sudo certbot --apache
It produced this output:
After going through the steps it stated successful creation of certificate

My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.23.0

More info - the output of openssl s_client -showcerts -connect www.sengkanggrand.com:443 reports an incorrect CN of aba.com.sg

I had previously created a working certificate but chose to delete an old certificate no longer relevant using ```
certbot delete --cert-name old.defunctdomain.com

This is when the problems started. Chrome now reports

This site can’t provide a secure connection

www.sengkanggrand.com.sg sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

Hi @nsimms

there are some errors. Checking your domain there is only a certificate with one domain name - https://check-your-website.server-daten.de/?q=sengkanggrand.com.sg#ct-logs

Both domain names (non-www and www) have a DNS entry, so you should create one certificate with both domain names.

Second - and more critical: Your port 443 sends http content, Grade Q:

https + 443 doesn't work (SendFailure), but http + 443 sends a correct http answer.

So first step: Share your vHost configuration.

apachectl -S

Did you run the command as root / sudo?

If apachectl -S doesn't work, that's critical.

Perhaps disable your port 443 vHost.

Working port 80 vHost -> create the correct certificate -> let Certbot create a vHost.

The first step is missing.

That's good:

One port 80 vHost with both domain names.

So try one time

sudo certbot -d sengkanggrand.com.sg -d www.sengkanggrand.com.sg --apache

Forgive me but i already regenerated the cert with both domain names (www and non-www) after you suggested that in your first reply.

Did you notice my comment about the output of
openssl s_client -showcerts -connect www.sengkanggrand.com:443

It shows Subject=/CN=aba.com.sg

Is this significant?

Other certs i've created have the expected domain here. I would of expected www.sengkanggrand.com.sg

There is a new check of your domain, 20 minutes old - https://check-your-website.server-daten.de/?q=sengkanggrand.com.sg

There is no new certificate visible. And again a Grade Q.

That's another domain name, com, not com.sg.

Check that domain to see, if the certificate has a correct SAN-list.

Oh my so sorry. My bad. That info is irrelevant then but running against the correct domain yields the following output

Does this provide any clue?

ubuntu@VM-0-15-ubuntu:/etc/apache2/sites-available$ openssl s_client -showcerts -connect www.sengkanggrand.com.sg:443
CONNECTED(00000003)
140700083844160:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:…/ssl/record/ssl3_record.c:332:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 5 bytes and written 293 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1571824920
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

It looks as if https is not serving port 443.
Can you show the vhost config file?
/etc/apache2/sites-enabled/sengkang-grand-le-ssl.conf

also:
grep -Ri SSLCertificateFile /etc/apache2/

I see no:
SSLEngine On
[may be included elsewhere - but won’t hurt to state it here]

Also, there is a rewrite to http://…
[that should probably https://…]

can you also show output of:
grep -Ri SSLCertificateFile /etc/apache2/

As already written: Your configuration is buggy, Grade Q, http over port 443.

So:

• create the correct certificate
• let Certbot do the job to create a correct vHost.

By the way, apart from other more important problems (you need to set up the port 443 vhost to use HTTPS instead of HTTP), this method won't show the right certificate with virtual hosting because it doesn't send any SNI field in the HTTPS connection. For that, you need to add the OpenSSL option -servername www.sengkanggand.com.sg; that more closely follows the behavior that a web browser would use in connecting to your site.

In your current situation, this wouldn't initially give a different result, but if you have to debug other things in the future related to certificate mismatches, it might give more relevant debugging information.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.