Confused about certs and cert locations

sfgaints · October 20, 2017, 12:39pm

I have set up Let’s Encrypt on a digitalocean droplet on ubutun 16.04.

When I go to www.intks.net I am secure.

However, when I go to intks.net I am not.

I was reading this forum and got the idea to run “sudo certbot renew --allow-subset-of-names”

I get “The following certs are not due for renewal yet:
/etc/letsencrypt/live/intks.net/fullchain.pem(skipped)
/etc/letsencrypt/live/intks.net-001/fullchain.pen (skipped)
/etc/letsencrypt/live/www.intks.net/fullchain.pen (skipped)
No renewals were attempted.”

I know I ran the wrong code but at least it shows me that intks.net is there but it is not working like the www.intks.net is.

Can anyone give me some insight on what is going on?

bytecamp · October 20, 2017, 12:56pm

Do you really mean xxx.net? You have to provide the actual domain name, not an obfuscated one.

sfgaints · October 20, 2017, 1:00pm

There you go fixed…

bytecamp · October 20, 2017, 1:15pm

OK.
The certificate is only valid for www.intks.net, not for intks.net.
You have to specify both domain names (intks.net, www.intks.net) upon issuance to include both names into one certificate.

Looking at https://crt.sh/?q=%intks.net, one can see that three certificates were issued two days ago. The first included both names, the subsequent ones have been issued for intks.net and www.intks.net seperatly.

sfgaints · October 20, 2017, 1:20pm

Ok, so how do I go about fixing that?

bytecamp · October 20, 2017, 1:27pm

You just have to use the right certificate in your webserver. To identify, please run the command certbot certificates and paste the output here.

sfgaints · October 20, 2017, 1:29pm

Found the following certs:
Certificate Name: intks.net
Domains: intks.net,www.intks.net
Expiry Date: 2018-01-16 12:08:28+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/intks.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/intks.net/privkey.pem
Certificate Name: intks.net-0001
Domains: intks.net
Expiry Date: 2018-01-16 12:15:53+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/intks.net-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/intks.net-0001/privkey.pem
Certificate Name: www.intks.net
Domains: www.intks.net
Expiry Date: 2018-01-16 15:39:13+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.intks.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.intks.net/privkey.pem

bytecamp · October 20, 2017, 1:34pm

Now it should be obvious which certificate to use in your webserver:

/etc/letsencrypt/live/intks.net/fullchain.pem

because it is valid for both intks.net + www.intks.net.

I would recommend deleting the other certificates with the following commands:

sudo certbot delete --cert-name intks.net-0001
sudo certbot delete --cert-name www.intks.net

as they are obsolete.

sfgaints · October 20, 2017, 1:46pm

Now www.intks.net and intks.net both address have "This site can’t be reached" , "www.intks.net refused to connect."

jared.m · October 20, 2017, 1:51pm

Did you also reconfigure your webserver to point to the correct certificate? That was the first part of @bytecamp’s response and is really important. You then have to reload the webserver to read in that certificate.

sfgaints · October 20, 2017, 1:55pm

No I didn’t, I was looking for a quick fix, and not going through the tutorial I did a few days ago. Can you tell me how to point to that cert, or should I read the tutorial?

bytecamp · October 20, 2017, 1:56pm

Your webserver is misconfigured, since it does not listen on port 443 (https) now.

sfgaints · October 20, 2017, 2:10pm

OK, I give up… So what needs to change for it to listen to 443 AGAIN? Didn’t think deleting two “obsolete” certs would change what ports the server is listening to. Obviously, I was wrong. I came in here asking for help, and the attitude is that I should already know this stuff. However, if I already knew this why would I be here?

bytecamp · October 20, 2017, 2:15pm

Try the following (if you use apache webserver):

sudo certbot --reinstall --apache --cert-name intks.net

Afterwards restart apache:

apachectl restart

And paste the output here.
Your webserver does not listen to port 80, too. I think there is a misconfiguration and it did not start at all.

sfgaints · October 20, 2017, 2:20pm

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.intks.net/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/www.intks.net/fullchain.pem' does not exist or is empty\n",)

AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.intks.net/fullchain.pem' does not exist or is empty
Action 'restart' failed.
The Apache error log may have more information.

bytecamp · October 20, 2017, 2:21pm

Please paste the whole file here.

sfgaints · October 20, 2017, 2:24pm

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

SSLCertificateFile /etc/letsencrypt/live/www.intks.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.intks.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName intks.net
ServerAlias www.intks.net

bytecamp · October 20, 2017, 2:27pm

Now change both SSLCertificateFile and SSLCertificateKeyFile to point to the right path:

SSLCertificateFile /etc/letsencrypt/live/intks.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intks.net/privkey.pem

Afterwards restart Apache and paste the output here.

sfgaints · October 20, 2017, 2:29pm

AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/intks.net/fullchain.pem' does not exist or is empty
Action 'restart' failed.
The Apache error log may have more information.

bytecamp · October 20, 2017, 2:31pm

Please run certbot certificates